Photo: Bob Lee via Flickr
Earlier, we described how the Wall Street Journal caught Google using another questionable online tracking tactic, one that Google has since stopped using.The tactic consisted of Google creating a way to secretly circumvent privacy settings that Apple put into its web browser, Safari.
The workaround allowed Google to enable some Google features that would otherwise have been inaccessible to Safari users, such as the ability to use Google’s “+ 1” button (Google’s version of Facebook’s “Like” button) to “like” ads served by Google.
Other companies also took advantage of this Safari workaround as well, including ad networks Vibrant Media and PointRoll.*
Google says that the WSJ “mischaracterized” its intentions and behaviour here.
And Google’s frustration with the WSJ article is understandable, at least with respect to Google’s intentions.
But it’s also no surprise that people are once again stunned by Google’s behaviour here. And Google’s statement will not set everyone at ease.
The facts are that:
- Google secretly developed a way to circumvent default privacy settings established by a hated competitor, Apple
- Google enabled this workaround to further its own advertising (revenue) and social-networking goals.
- Google then used the workaround to drop ad-tracking cookies on the Safari users, which is exactly the sort of practice that Apple was trying to prevent
Given the scrutiny around Google’s power and privacy practices, Google’s decision to do this can charitably be described as tone-deaf. More accurately, it can be described as idiotic. But, as usual, there’s a backstory.
Based on a lengthy discussion with a source, here’s an explanation of what we think Google was trying to do, followed by a full statement from Google.
WHAT GOOGLE WAS THINKING
We spoke with an industry source who we believe understands Google’s perspective on this matter.
According to this source, here’s what Google may have been thinking:
The default privacy settings for Apple’s Safari web browser, which is included on all Apple products, do not allow random web sites to drop “tracking cookies” on users’ computers.
Such cookies, which are used by most web sites and web services, can be used for both helpful and creepy purposes, depending on who is using them.
Our source says that Apple’s Safari browser does allow these sorts of cookies to be dropped on users’ computers, even with the default privacy settings turned on.
Once a Safari user signs into a web site like Facebook or Google, our source says, Safari concludes that the site is a trusted site and, thereafter, allows that site to place as many cookies as it likes on the users’ computer.
This is how Safari users can stay signed in to Facebook, Gmail, Twitter, and other services, even when they are using Safari’s default privacy settings. (If Safari did now allow this, most users would conclude that something was broken because they wouldn’t stay “signed in” anywhere).
What Safari does NOT allow, by default, is for third-party advertisers and advertising networks to drop cookies on users’ computers without their permission. It is these ad-tracking cookies that cause lots of Internet users to freak out that their privacy is being violated, so it’s understandable that Apple decided to block them by default.
But these default settings have created a problem for Google, at least with respect to its goals for its advertising business.
Google serves its Google services and its display advertising services from two different web domains.
Google’s web services, like Gmail and Google +, are served from the Google domain. Google’s brand ads, meanwhile, are served from the Doubleclick domain.
Because of Safari’s cookie restrictions, Google can drop “cookies” on Google users who sign into Google services, but it cannot drop “cookies” from the Doubleclick domain.
And this created a problem because Google wants its users to be able to use its “+1” button to “like” advertisements that it serves them.
Why does Google want its users to be able to “+1” advertisements?
So Google can assess the relevancy and effectiveness of those ads.
Because Google’s ads are served from the Doubleclick domain rather than the Google domain, Google cannot put cookie necessary to enable the “+1” button on Safari users’ computers.
So Google decided to develop a Safari workaround that allowed it to put the “+1” button on its ads.
This workaround was a “known” Safari workaround, meaning that Google wasn’t the first company to discover or use it. The workaround allowed Google to fool Safari into thinking that Google’s Doubleclick domain was a trusted site from which Safari should accept cookies.
To make matters worse, Google then took advantage of this Safari workaround to drop cookies on Safari users’s computers for advertising clients–the exact sort of behaviour that Apple’s privacy settings were designed to prevent.
THE BOTTOM LINE
It seems likely that Google’s secret Safari workaround was devised by a small team of engineers who were seeking to solve a narrow problem and who did not view their actions from the perspective of an outside public that already suspects that Google constantly abuses privacy to further its own nefarious goals.
In other words, it does not seem likely that Google management would have been stupid and tone-deaf enough to approve a hack like this.
It also seems likely that the team that devised this “solution” to Google’s problem is now being suitably educated on the larger ramifications of its decision.
But, of course, from the public’s perspective, the effect is the same:
Google has once again put its foot in it.
And this latest scandal will likely increase government and public scrutiny of the company’s power and privacy practices.
Here’s Google’s full statement on the matter:
The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalised ads and other content–such as the ability to “+1” things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalisation. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.
* CORRECTION: In the original version of this article, I reported that it was Google’s workaround that enabled Vibrant and other ad networks to drop their own ad-tracking cookies on Safari users. This was wrong. The other companies simply used the same workaround to track Safari users. I apologise for the error.
Business Insider Emails & Alerts
Site highlights each day to your inbox.