Google Accused of Bypassing Safari's Privacy Controls 202
DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.
google does a lot more than that (Score:5, Interesting)
i have a few browsers on my iphone including a private browser. i've had it for years since before apple put the functionality into iOS. All it does is ride on top of stock safari on the iphone but creates a private browsing session.
i've noticed that some searches i did in the private browser come up as past searches in stock safari and on my laptop. which means that google is probably reading the UIDID or whatever it's called and using it to correlate users across devices even if they don't log into google
Invisible forms all over the place (Score:2, Interesting)
Surely the 'invisible form' is not in itself new? I have always had the firefox/mozilla/etc 'security.warn_submit_insecure' set to 'true' and the warning pops up in all manner of places where you have done nothing but viewed a page.
I always hit 'cancel' as a matter of principle since when it first appeared for no apparent reason I took it to be someone's way of getting my browser to do something which I would either probably not want it to do or that they did not want me to know about.
On the other hand, it is a technique used by at least one or two types of forum software to update DST settings, so it's not always nefarious.
Re:And people ask me why I don't use Chrome (Score:4, Interesting)
Yes, with time, everyone is going to consolidate their scripts under the main domain.
And the situation will be fine. Because when people will consolidate their stuff on their own domain, they will be able to track you on their website (big deal, there's access_log anyways) but they won't be able to track you anywhere else.
Which is fine with me.
Re:And people ask me why I don't use Chrome (Score:5, Interesting)
I support a locked-down corporate image. I'm surprised at the number of people I support that I've found using Chrome.
Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did. I just tried this and was able to install it on the locked-down image, including setting it as default, etc. It may have put its settings in the user-writable area of the registry but it's very sneaky to do so whereas other browsers will refuse to install without admin. privileges. Hey, whatever leads to higher market share, right?
Re:And people ask me why I don't use Chrome (Score:4, Interesting)
Interesting point. I've been on the publishing and browsing sides of this.
As someone developing technical information, it's extremely valuable to know the information Google Analytics provides. It helps tell content creators how useful their content is to the intended audience, whether to invest in translation (and to which languages), and whether it's worth developing more information on a given subject.
As a browser, I generally don't allow Google Analytics and other tracking mechanisms in NoScript, because of general paranoia about being tracked.
For now, I have developed a two-browser web-use approach: I use Google Chrome (or Chromium, depending) for everything I do as a signed-in Google user. For general web-browsing, I use Firefox with NoScript.
I'm somewhat conflicted about the fact that I'm hypocritical in my desire for Google Analytics data while I refuse to provide that useful data to web sites.
Perhaps what I really should do it have a third browser (or configuration), so I have one where I'm promiscuous within Gmail, Google+, and Calendar, a second where I allow traffic analytics when I'm browsing work-related information, and a third, paranoid config for... um... recreational browsing.
Re:And people ask me why I don't use Chrome (Score:3, Interesting)
Re:And people ask me why I don't use Chrome (Score:5, Interesting)
Chrome is probably one of the few Google products you shouldn't have any privacy worries about. It doesn't behave differently to any other browser. Chromium is open source if you want some extra assurance.
As for reducing your Google information footprint, do what I do::
http://slashdot.org/journal/277383/making-google-keep-to-itself-with-multifox [slashdot.org]
Re:We found your privacy feature inconvenient. (Score:5, Interesting)
The retarded part of this whole thing is that Apple's Safari was allowing 3rd party cookies AT ALL when 3rd party cookies are disabled. Remember, Apple sells ads on its platforms too. Now, it's QUITE simple to detect if any action actually came from a user initiated event. This is how most pop-up blockers have worked since 2000, including the ones built into our browsers. The JS that creates a new window/tab is blocked unless the JavaScript is executed as the result of actual user interaction... Point being: Apple knows how to detect if its a user action or not.
Additionally, when I was testing Safari a few years ago, any cookie that was already set would keep being sent to the server even after you disabled all cookies -- That option just disabled "new" cookies from being created. The old ones were still sent, not sure if this is still the behaviour because I stopped using their systems when their systems lied to -- or, at best, misled -- their users. Their settings have always been specious. Apple doesn't have a good track record when it comes to cookies.
The fact that Safari assumed that form submittal was a user initiated event is a big problem here too. This "invisible form" submission is how we did "Ajax" like Web2.0 features before XML HTTP Request objects were around. JS populates a form in a hidden iframe, submits, then the JS on the page, or in the iframe from the server, changes the main page without reloading it. If Safari is confusing this with a user action, I'd be calling Apple programmers on the carpet, "Did you do this?!? BAD CodeMonkey! BAD! No Banana, or APPL!" (it's actually difficult for me to believe this isn't Apple's intended design)
Don't get me wrong, I hate tracking more than the next guy, and instead prefer content based relevancy, but many users have Opted In to the Google Ad network. It's getting harder to opt out of parts of it w/ their new privacy policy. I keep separate accounts for G+, Gmail & Youtube because I don't want an action on one to ban me from the other. Point being, if you're logged in, you've logged in, and you agreed that it's fine for Google to target ads at you. They can't very well give you targeted ads in exchange for your privacy if they can't see if you're logged in or not via cookie...
I don't blame just Google for finding a way to get opted-in Safari users the content they opted-in to, even if it's ads. I also blame Apple for saying "3rd party cookies are disabled", when in reality, 3rd party cookies ARE SLIGHTLY DISABLED, unless you interact with the Ad, or we think you might have done so... You know, because We (Apple) also want to use those 3rd party cookies.
Here's an idea: SAFARI SHOULD BLOCK ALL 3RD PARTY COOKIES [PERIOD]! Otherwise, the "Block 3rd party Cookies" option actually doesn't.
Cookies are the easy-mode tracking channel. Many other methods exist [samy.pl]. Hell, Mozilla removed the UI for 3rd party cookie disabling since it was so damn easy to work around. Had to use about:config for a while there, but now Firefox has the 3rd party cookies UI again. [mozilla.org] At the very base layer your IP address and time stamps are all the ad networks need. Blacklist the sites. Some Ad-block extensions actually make a request before not displaying the content -- Mission Failed.
Posted to remove a bad mod... figured I'd contribute in the process.
I don't know who to trust less, Google or Apple. (Score:4, Interesting)
Google brings me porn, warez and pirate music/video. All Apple's ever done is prove themselves one of the biggest patent whores on the planet.
Damn! That doesn't settle a thing. Guess I won't trust either of 'em.
Might come under the Computer Fraud and Abuse Act (Score:3, Interesting)
This might violate the Computer Fraud and Abuse Act. [cornell.edu] The threshold phrase there is "exceeds authorized access". Explicitly bypassing a security measure is usually considered to satisfy that definition of criminal conduct.
Attempts to use the Computer Fraud and Abuse act have failed with regard to "Flash cookies", because the plaintiff was unable to show $5000 in damages [scribd.com], even across a large number of users. But since then,. Google has offered a deal where users give up their privacy for $25 in gift cards. [google.com] Google has now put a price tag on privacy, which can be used as evidence against them in valuing future intrusions.
Re:And people ask me why I don't use Chrome (Score:5, Interesting)
I use Ghostery. Have for years.
It's beginning to worry me. Who's all the captital behind this effort? I mean, Better Privacy and AdBlock are pretty grass-roots, got a bee-in-a-bonnet based efforts.
But Ghostery is a small part of a well-funded startup - with well-paid developers. And graphic designers!
http://www.ghostery.com/ [ghostery.com]
"© 2011 Ghostery, a service of Evidon, Inc. All rights reserved."
http://www.evidon.com/faq [evidon.com]
7. Explain your relationship with Ghostery.
Ghostery is the same service it used to be, only better, because now it has the resources of a substantial company to develop even better capabilities for helping consumers discover and control the entities that track them across the web. Moreover, Evidon is not an advertising company; we're an assurance company built to facilitate compliance with OBA regulations. Ghostery's founder, David Cancel, is a shareholder in, and advisor to, Evidon.