Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Safari Advertising Google Privacy The Internet Apple

Google Accused of Bypassing Safari's Privacy Controls 202

DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.
This discussion has been archived. No new comments can be posted.

Google Accused of Bypassing Safari's Privacy Controls

Comments Filter:
  • by elrous0 ( 869638 ) * on Friday February 17, 2012 @11:11AM (#39074407)

    I trust Google with way too much as it is. And practices like this only make me even more determined to avoid them as much as reasonably possible. It's bad enough that pretty much every website out there now is feeding them tracking data (seriously, use Firefox with NoScript and just look at all the sites using Google-analytics [wikipedia.org], it's *everywhere*). I certainly am *not* about to let them takeover my entire browser too.

    They'll have to content themselves with just reading my gmail.

    • by Anonymous Coward on Friday February 17, 2012 @11:17AM (#39074515)

      If you're running DNSmasq just add this line:


      and it won't bother you again.

    • by NeutronCowboy ( 896098 ) on Friday February 17, 2012 @11:18AM (#39074519)

      And that's why noscript is so important. Yes, with time, everyone is going to consolidate their scripts under the main domain. But there will be ways to control that as well. And ultimately, that's why Firefox, despite all its problems, is a super-important part of the open web.

      • by Pieroxy ( 222434 ) on Friday February 17, 2012 @11:27AM (#39074637) Homepage

        Yes, with time, everyone is going to consolidate their scripts under the main domain.

        And the situation will be fine. Because when people will consolidate their stuff on their own domain, they will be able to track you on their website (big deal, there's access_log anyways) but they won't be able to track you anywhere else.

        Which is fine with me.

        • Well, unless they choose to share that data, of course. Google can easily give you some server-side code that just forwards requests made by gStalker.js to their servers, rather than processing it locally. There's also nothing stopping Google from making Google Ads and Analytics users set a subdomain for these to come from.
          • by Pieroxy ( 222434 )

            But the cookies are domain dependent. They may share all the data in the world, they won't know how to match it with the other domain data. Google cannot do its job with analytics even if I forward all the requests server side to them. The cookie they dropped on xyz.com won't show up on my browsing data. They won't be able to correlate.

            Third party cookies: It should be only the cookies from the page you see the URL in the browser address bar that are allowed. None other.

      • by sakdoctor ( 1087155 ) on Friday February 17, 2012 @11:31AM (#39074687) Homepage

        with time, everyone is going to consolidate their scripts under the main domain

        No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

        Secondly, you're right. All the superficial problems (which I can almost never reproduce anyway) with firefox are nothing compared to having a browser I can trust, from an organization that I'm ideologically aligned with.
        Google building a web browser is a conflict of interests; though I'm still glad they did for browser war / political reasons.

        • Google building a web browser is a conflict of interests

          its like playing a game of baseball and having the opposing team provide the mitts, bats and balls.

        • by forkfail ( 228161 ) on Friday February 17, 2012 @12:37PM (#39075589)

          Try Lynx.

          • Can someone explain why this is funny?
            I can see how it could be funny in a different context, but here it's like the punchline for the wrong joke.

            • I have not used Lynx in many years but have tried to use later browsers such as IE4 (as default install with old an OS) and simply put, most webpages were not readable. If I went to something that was pure basic html (and old website of mine), it was fine, but most web pages were broken to the point of not even displaying anything. I can imagine that this would be even worse with Lynx. You'd go to a web page and probably just not see anything as scripting, flash, etc has become so common that the web is nea
        • by SSpade ( 549608 )

          You do know who pays for Firefox development, right?

          • The majority of the Mozilla foundation's funding comes from a search royalties contract, currently with Google.

        • No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

          I've been running across more and more sites which won't display their content until I allow Noscript to run all scripts on the page (including advertisers'), turn off Adblock, and disable Ghostery. I've been forced to set up a virtual machine with a clean snapshot of a browser without any extensions to view those sites. But rec

    • by MrKevvy ( 85565 ) on Friday February 17, 2012 @11:29AM (#39074665)

      I support a locked-down corporate image. I'm surprised at the number of people I support that I've found using Chrome.

      Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did. I just tried this and was able to install it on the locked-down image, including setting it as default, etc. It may have put its settings in the user-writable area of the registry but it's very sneaky to do so whereas other browsers will refuse to install without admin. privileges. Hey, whatever leads to higher market share, right?

      • I use Komodo Dragon which is a free Chromium variant with a higher focus on security and privacy.

        I don't know if it really IS more secure and private- but Komodo claims it is; whether Google knows tricks to bypass Komodo's features I don't know.

      • by Xest ( 935314 ) on Friday February 17, 2012 @11:39AM (#39074801)

        I don't think Google have done anything wrong there, saving settings to a user section of the registry makes more sense than a browser needing me to give it admin priviliges to write wherever the fuck it wants. It's precisely that sort of behaviour that leads people to click okay each time windows notifies them a program wants admin rights without even stopping to consider why.

        It sounds more like your problem is that your lockdown policy isn't configured as you'd like it to be, yet you blame the software for not obeying how you wanted things setup, rather than how things actually are setup, other than that it sounds like Chrome is following correct and best practice behaviour in this respect whereas how you'd have liked it to respond is bad practice and not preferable.

      • Re: (Score:3, Interesting)

        by agentgonzo ( 1026204 )
        The installation of Chrome is one of the reasons that I hate it. You are given no choice as to where it installs. It doesn't install to a system-wide location, but installs (as you say) in user-writable profile space. That means that if you want to run chrome on your computer and you have many users, you need to install it for every user and it will be a separate place on the file-system with each separate installation. And separate settings in the user part of the registry. You *can't* do a system-wide ins
      • by GIL_Dude ( 850471 ) on Friday February 17, 2012 @12:10PM (#39075229) Homepage
        If you need to block Chrome installs in your locked down environment you can: http://support.google.com/installer/bin/answer.py?hl=en&answer=146164 [google.com]. At one point early in Chrome's life (before the policies existed) we had a desire to block Chrome as it was playing havoc with our authenticated proxy servers (it would just hammer them with failed authentication requests). It plays nice with proxies now, so we don't do anything to either enable or disable Chrome.
      • ... Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did ...

        This scenario needs to be a job interview question.

      • This is why you shouldn't just rely on a "locked down" image. You should also have some asset inventory and / or application metering running if you want to keep it locked down.

        If a report runs, and all of a sudden you see chrome.exe showing up, you can have a chat with that user, and it doesn't come as a surprise when a bunch of people are using it.

      • Chrome runs with user-level privileges, no administration escalation needed. It even installs in user space, not in common Program Files. Though this is slightly annoying when you *want* chrome to be the default for all users though, it is actually plenty secure. If you don't want users to be able to execute code, you should lock things down better... There are NTFS privileges specifically geared towards being able to run executables in a directory, you should look into it. See: advanced settings. In w
      • by Sancho ( 17056 ) *

        Why should a browser need admin privileges? It's just code that executes.

        You might find that your "locked-down corporate image" can run any number of applications that don't require admin access, including apps at http://portableapps.com/ [portableapps.com]

        You have to get into SRP if you want to prevent users from running executables you don't know about. If you don't want to get into SRP (I wouldn't blame you--it's messy) then if they can write to a directory and execute from that directory, they can install software.

        It is n

    • Try Ghostery

      I first started using it because of facebook, but after using it and seeing all the stuff that everyone else is tracking, i'm hooked.

      https://addons.mozilla.org/en-US/firefox/addon/ghostery/ [mozilla.org]

    • by jdgeorge ( 18767 ) on Friday February 17, 2012 @11:41AM (#39074829)

      Interesting point. I've been on the publishing and browsing sides of this.

      As someone developing technical information, it's extremely valuable to know the information Google Analytics provides. It helps tell content creators how useful their content is to the intended audience, whether to invest in translation (and to which languages), and whether it's worth developing more information on a given subject.

      As a browser, I generally don't allow Google Analytics and other tracking mechanisms in NoScript, because of general paranoia about being tracked.

      For now, I have developed a two-browser web-use approach: I use Google Chrome (or Chromium, depending) for everything I do as a signed-in Google user. For general web-browsing, I use Firefox with NoScript.

      I'm somewhat conflicted about the fact that I'm hypocritical in my desire for Google Analytics data while I refuse to provide that useful data to web sites.

      Perhaps what I really should do it have a third browser (or configuration), so I have one where I'm promiscuous within Gmail, Google+, and Calendar, a second where I allow traffic analytics when I'm browsing work-related information, and a third, paranoid config for... um... recreational browsing.

    • by GameboyRMH ( 1153867 ) <gameboyrmh@gma i l .com> on Friday February 17, 2012 @11:57AM (#39075043) Journal

      Chrome is probably one of the few Google products you shouldn't have any privacy worries about. It doesn't behave differently to any other browser. Chromium is open source if you want some extra assurance.

      As for reducing your Google information footprint, do what I do::

      http://slashdot.org/journal/277383/making-google-keep-to-itself-with-multifox [slashdot.org]

    • by geekoid ( 135745 )

      A practice like what? Behaving as the user requested?

      Take over your browser. Yeah, you just stick with browsers then need admin rights, and don't put information you request into a sandbox, that's much better.

    • Try ghostery to diddle the site reporting.
      http://www.ghostery.com/download [ghostery.com]
    • Posted to a website where Ghostery tells me that Facebook, Google +1, Google Analytics, and the twitter button links are being blocked.

    • I'll ask you the same question I ask everyone else who seems to be highly concerned about companies knowing things about them. Why does it bother you?

      I use Google for pretty much everything. I'm a Google Apps for Business customer and have been very pleased with the services they provide. Their products work well and the uptime/cost ratio is excellent. I'm assuming their ads are still nonintrusive but honestly I wouldn't know as I use adblockers with rather strict rulesets so I never see any of them.

      Do they

  • by Sez Zero ( 586611 ) on Friday February 17, 2012 @11:14AM (#39074465) Journal

    the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

    If I were a company that made my money on hardware and my main competitor was a company that made their money on ads, I'd most definitely be trying to tweak my software to stymie "industry-standard" practices.

    • by inpher ( 1788434 )
      Apparently this is how Apple "stymie industry-standard practices":

      Now, from what I can tell, the first part of that story is true – Google and many others have figured out ways to get around Apple’s default settings on Safari in iOS – the only browser that comes with iOS, a browser that, in my experience, has never asked me what kind of privacy settings I wanted, nor did it ask if I wanted to share my data with anyone else (I do, it turns out, for any number of perfectly good reasons). App

      • Yeah, but when everyone else doing developing is ignoring the standards, what happens to the ones that stick with them?
  • by alen ( 225700 ) on Friday February 17, 2012 @11:18AM (#39074521)

    i have a few browsers on my iphone including a private browser. i've had it for years since before apple put the functionality into iOS. All it does is ride on top of stock safari on the iphone but creates a private browsing session.

    i've noticed that some searches i did in the private browser come up as past searches in stock safari and on my laptop. which means that google is probably reading the UIDID or whatever it's called and using it to correlate users across devices even if they don't log into google

    • Do you still use non-privacy browsing? Because if they're able to take your private session and correlate it with a non-private one (for instance, by ip address) then they will almost certainly do so. I'd be surprised if apple allowed people to get the UDID in the browser.
  • i rather use Linux

    http://duckduckgo.com/ [duckduckgo.com]
  • by Anonymous Coward

    Surely the 'invisible form' is not in itself new? I have always had the firefox/mozilla/etc 'security.warn_submit_insecure' set to 'true' and the warning pops up in all manner of places where you have done nothing but viewed a page.
    I always hit 'cancel' as a matter of principle since when it first appeared for no apparent reason I took it to be someone's way of getting my browser to do something which I would either probably not want it to do or that they did not want me to know about.

    On the other hand, it

  • by jameslore ( 219771 ) on Friday February 17, 2012 @11:26AM (#39074613) Homepage

    John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users. Further, that he angry that Apple opted him out by default, rather than forcing him to opt-in to privacy.

    Regardless of your views on the evil of (Apple|Google|whoever) this seems an odd argument. Unless you're an advertiser, of course.

    • It's not that strange a view. If I'm going to see ads, I'd like to see target ads. Apple doesn't seem to give you the choice (or at least, the default is to block ... I don't know if you can change it later).

      • You can indeed. It's on the Privacy tab in Safari preferences on the Mac, and the Privacy section of Safari preferences on iOS.

        Personally, I've no objection as long as I'm *asked* to opt-in. If I'm not, the default should be opt-out.

      • by dzfoo ( 772245 )

        The setting in question is, from within the "Privacy" tab in the Safari Preferences window:

        Block cookies:

        • From third parties and advertisers
        • Always
        • Never

        By default, the first one is selected. What it does is make Safari reject any cookie not originating from the domain of the currently opened page URL. This includes requests from iframes, images, and any other resource requested from an external domain.

        That's it. By design, this should prevent, say, a cookie from "webtrendslive.com" or from "googleanalyti

    • In the Battelle article, he admits he was blogging after drinking. Don't expect much.

  • ... it's really a clever hack. ("Hack" as in "clever workaround", not "ZOMGbreaking and entering!!!11") RTFA (not paywalled at the moment) and click on the infographic to see what they did.

  • by VGPowerlord ( 621254 ) on Friday February 17, 2012 @11:31AM (#39074681)

    Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content â" such as the ability to âoe+1â things that interest them.'

    In other words: "We found the wall inconvenient, so we simply tunneled under it."

    Yes, Google, which part of "bypass" do you not understand?

    What you're doing now is going to result in an arms race between you and several of the major web browser authors, including, perhaps, your own Chromium project.

    What's next in this arms race, the inability for iframes to have forms? The inability for JavaScript to submit forms? The inability for JavaScript to run in iframes?

    • by geekoid ( 135745 )

      "In other words: "We found the wall inconvenient, so we simply tunneled under it.""
      In other words " We are giving the user what they asks us to give them, that can turn it off."
      This isn't an arms race, it isn't a war, it isn't..well anything of note.

      If you replaced Apple with MS, the story would be about how poor MS security is..and I would still be saying the same thing: NTSH

      • by Improv ( 2467 )

        The user's browser settings should take precedence over some web service.

      • In other words " We are giving the user what they asks us to give them, that can turn it off."
        This isn't an arms race, it isn't a war, it isn't..well anything of note.

        Except Google isn't giving the user what they ask for, they're attempting to make it so every site you visit transmits at least some data to Google for the sake of "convenience," which incidentally is something Facebook, another site well known for its "privacy" does.

        Having said that, assuming Safari for iOS has the same settings as Safari for Mac does, you can turn on third-party cookies on in the Safari Preferences under Security. I believe the setting is to set Cookies to "Always" instead of "Only from

    • Read your quote. "opted to see".

      Why is a wall blocking someones ability to opt in to a service? If I opt in for any service I would not normally expect a piece of software to use a different technique to add additional walls. Since Safari is the only browser that does that it's pretty obvious were the fault lies.
    • The retarded part of this whole thing is that Apple's Safari was allowing 3rd party cookies AT ALL when 3rd party cookies are disabled. Remember, Apple sells ads on its platforms too. Now, it's QUITE simple to detect if any action actually came from a user initiated event. This is how most pop-up blockers have worked since 2000, including the ones built into our browsers. The JS that creates a new window/tab is blocked unless the JavaScript is executed as the result of actual user interaction... Point being: Apple knows how to detect if its a user action or not.

      Additionally, when I was testing Safari a few years ago, any cookie that was already set would keep being sent to the server even after you disabled all cookies -- That option just disabled "new" cookies from being created. The old ones were still sent, not sure if this is still the behaviour because I stopped using their systems when their systems lied to -- or, at best, misled -- their users. Their settings have always been specious. Apple doesn't have a good track record when it comes to cookies.

      The fact that Safari assumed that form submittal was a user initiated event is a big problem here too. This "invisible form" submission is how we did "Ajax" like Web2.0 features before XML HTTP Request objects were around. JS populates a form in a hidden iframe, submits, then the JS on the page, or in the iframe from the server, changes the main page without reloading it. If Safari is confusing this with a user action, I'd be calling Apple programmers on the carpet, "Did you do this?!? BAD CodeMonkey! BAD! No Banana, or APPL!" (it's actually difficult for me to believe this isn't Apple's intended design)

      Don't get me wrong, I hate tracking more than the next guy, and instead prefer content based relevancy, but many users have Opted In to the Google Ad network. It's getting harder to opt out of parts of it w/ their new privacy policy. I keep separate accounts for G+, Gmail & Youtube because I don't want an action on one to ban me from the other. Point being, if you're logged in, you've logged in, and you agreed that it's fine for Google to target ads at you. They can't very well give you targeted ads in exchange for your privacy if they can't see if you're logged in or not via cookie...

      I don't blame just Google for finding a way to get opted-in Safari users the content they opted-in to, even if it's ads. I also blame Apple for saying "3rd party cookies are disabled", when in reality, 3rd party cookies ARE SLIGHTLY DISABLED, unless you interact with the Ad, or we think you might have done so... You know, because We (Apple) also want to use those 3rd party cookies.

      Here's an idea: SAFARI SHOULD BLOCK ALL 3RD PARTY COOKIES [PERIOD]! Otherwise, the "Block 3rd party Cookies" option actually doesn't.

      Cookies are the easy-mode tracking channel. Many other methods exist [samy.pl]. Hell, Mozilla removed the UI for 3rd party cookie disabling since it was so damn easy to work around. Had to use about:config for a while there, but now Firefox has the 3rd party cookies UI again. [mozilla.org] At the very base layer your IP address and time stamps are all the ad networks need. Blacklist the sites. Some Ad-block extensions actually make a request before not displaying the content -- Mission Failed.

      Posted to remove a bad mod... figured I'd contribute in the process.

  • by MrLint ( 519792 ) on Friday February 17, 2012 @11:36AM (#39074743) Journal

    IIRC the first 3 major versions of Safari on OS X totally ignored the setting for 'don't allow 3rd party cookies'. I had to file a bug that apple.com was setting these cookies w/ safari.

    These assertions are really empty for me personally, since apple's site has partners that set these cookies, and apple's devs couldn't bother to implement this feature right.

    And yes, my bitterness permeates everything:)

    • by MrLint ( 519792 )

      Actually I want to clarify. I recall better now that at least the first version of Safari did not have this feature. Later versions did, but it did not work.

  • another thing is: (Score:3, Insightful)

    by larry bagina ( 561269 ) on Friday February 17, 2012 @12:15PM (#39075281) Journal

    Google claims you can use the Ads Preferences Manager to disable this "feature". But wait! They previously claimed that it wasn't necessary to disable that feature because Safari defaulted to no 3rd party cookies.

    Fuck me with a greased up Yoda doll, if they're going to blatently lie, why would they respect your desire to pot out of it?

    Assuming they're not evil, they want to fill the web with their +1 buttons so they needed to turn on 3rd party cookies which unintentionally (not that they mind) enabled all their ad tracking.

    Which is to say Google isn't evil but Google+ is.

  • Articles like this make me think using Chrome is only moderately safer than using a web browser made by Facebook, if they made one.

  • Man, google used to be so cool. What happened?
  • by mmell ( 832646 ) on Friday February 17, 2012 @12:23PM (#39075395)
    Oh, wait . . .

    Google brings me porn, warez and pirate music/video. All Apple's ever done is prove themselves one of the biggest patent whores on the planet.

    Damn! That doesn't settle a thing. Guess I won't trust either of 'em.

  • ... stalks the corridors of Apple headquarters, inflicting great harm on anyone who quavers in their resolve to destroy Google.

  • by Animats ( 122034 ) on Friday February 17, 2012 @12:41PM (#39075641) Homepage

    This might violate the Computer Fraud and Abuse Act. [cornell.edu] The threshold phrase there is "exceeds authorized access". Explicitly bypassing a security measure is usually considered to satisfy that definition of criminal conduct.

    Attempts to use the Computer Fraud and Abuse act have failed with regard to "Flash cookies", because the plaintiff was unable to show $5000 in damages [scribd.com], even across a large number of users. But since then,. Google has offered a deal where users give up their privacy for $25 in gift cards. [google.com] Google has now put a price tag on privacy, which can be used as evidence against them in valuing future intrusions.

  • Every now and then, a story pops up on Slashdot describing how one company or other is getting around browser security features to invade people's privacy. A while back the story was about "supercookies" that couldn't be deleted but would let some companies know whether you have visited their website before, etc. The blame is always directed squarely at the company doing the "exploiting".

    I think the more important issue is the security problems in the browser itself, which enable these tactics to be emplo

UNIX is many things to many people, but it's never been everything to anybody.