Google accused of bypassing Safari to track web surfers

Google has been accused of tracking people using Safari on iPhones and computers by sneaking around the browser's privacy settings, allowing a site to deposit cookies even if the browser is set to prevent such tracking. But Google has responded, saying the accusations are "mischaracterised".

The Wall Street Journal published an article claiming that the search giant used a spot of code to get around Safari's security, allowing web surfers who had signed in to Google+ to then click the +1 button in adverts that belong to Google's DoubleClick network.

Ordinarily, Safari's security settings would prevent those ads from placing a tracking cookie to check whether a surfer had signed into Google+, because the browser normally blocks cookies used by ad networks.

But the code Google is accused of using reportedly tricked Safari into placing a tracking cookie, by making Apple's browser think the user was submitting a form to Google. Safari lets sites place tracking cookies if they've interacted with a website.

The exploit was spotted way back in 2010 by one Anant Garg, and Google's use of it was spied by Stanford University researcher Jonathan Mayer. Google isn't the only company accused of using this exploit -- the Wall Street Journal says advertisers Vibrant, Media Innovation Group and PointRoll have also been using it.

The Wall Street Journal says Google disabled the code after being contacted by the paper, and the Big G has defended itself against the accusations, telling the paper, "The Journal mischaracterizes what happened and why.

"We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."

We've since been sent the same statement, which we've stuck in its complete form at the bottom of this article.

Apparently, though the cookies Google placed were set to expire after 12 to 24 hours, a quirk in Safari means companies can add more cookies to a computer once one cookie has been deposited.

Google says it hadn't anticipated the placing of additional cookies and has started removing these advertising cookies from Safari browers. Apple, meanwhile, told the Wall Street Journal that it's working to prevent its browser's security being side-stepped.

My able colleagues and I will do our best to keep you updated should this story develop. In the meantime let me know what you reckon in the comments box below, or over on our Facebook wall.

Google's statement follows:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.

"Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as 'Like' buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content -- such as the ability to '+1' things that interest them.

"To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous -- effectively creating a barrier between their personal information and the web content they browse.

"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser.  We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google's Ads Preferences Manager."