Google Caught Bypassing Mobile Safari Privacy

iPhone Privacy
Google and many other advertising companies were caught bypassing privacy settings in Mobile Safari. The Wall Street Journal published an exposé on Friday that accused the firms of inserting code into online ads that allowed them to circumvent privacy settings on Safari and track people online, even on sites outside of where the ad was originally run.

The code was originally discovered by Jonathan Mayer, a researcher out of Stanford University, and then verified for the newspaper by an independent researcher named Ashkan Soltani. They found that the code was inserted on ads on 23 out of the top 100 websites on a test iPhone.

In a statement released by Google, the search giant defended its practice by saying, “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

It doesn’t take a careful reading of that statement, however, to note that while Google may have been using “known functionality” in Mobile Safari, it was using that functionality to bypass privacy settings. Some may quibble over that, but the company still deactivated the code after it was exposed by The Journal.

Apple also commented on the news, saying that it was, “working to put a stop” to the ability to circumvent the privacy settings in question.

Vibrant Media, one of the third party advertising firms that was using similar code, also took an aggressive stance on its practice by saying that the code was merely a “workaround [to] make Safari work like all the other browsers.” In other words, the desire for privacy by users was an inconvenience the company was merely correcting.

What Google was doing, according to the report, was inserting code into its ads that made it look as if the user had filled out a form on a webpage, even though they hadn’t. This flipped a switch on Mobile Safari that allowed a tracking cookie to be initiated on the iPhone, something that isn’t otherwise allowed by default on Safari.

That cookie was then used to power Google’s +1 button and other Google-related tracking, some of which may be quite desirable by many users, but it was all done on the down-low. Also, once the cookie was set, tracking was made possible across other sites, as well.

Some advertising networks, including PointRoll, Vibrant Media , Media Innovation Group were also using the technique to do their own tracking, and according to WSJ sources, the “workaround” was well known in the industry.

Adding possible insult to injury, the practice of using this functionality ran contrary to Google’s own policies on privacy. The company had been advising Web denizens that they could reply on the privacy settings within Mobile Safari to disable tracking. That language is longer on Google’s site, and the Journal said it was removed on Tuesday after The Journal contacted Google about the story, just as the code in question was disabled.

Microsoft also took the opportunity to attack both Apple and Google, the former for allowing this kind of situation to happen, and the latter for being an awful, greedy, Interwebs company. Ryan Gavin, General Manager for Internet Explorer Business and Marketing, issued a statement to CNet that said:

“Apparently, Google has been able to track users of Apple’s Safari browser while they surf the web on their Apple iPhones, iPads and Macs. This type of tracking by Google is not new. The novelty here is that Google apparently circumvented the privacy protections built into Apple’s Safari browser in a deliberate, and ultimately, successful fashion.”