Is Google Tracking Your iPhone?

If you’re using Safari on your iPhone, you probably appreciate the browser’s long list of options and protections. These include one that prevents websites from tracking your behavior. It turns out, however, that you’re not as safe from Google’s and other websites’ prying eyes as you might think – even when that control is turned on.

Todd Wasserman covered the story for Mashable. It was also covered by none other than the Wall Street Journal. According to the Journal, advertising companies have been using “special computer code that tricks Apple’s Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.”

Stanford researcher Jonathan Mayer broke the story on his blog earlier this month. He stated that “Google and Vibrant Media intentionally circumvent Safari’s privacy feature. Media Innovation Group and PointRoll serve scripts that appear to be derived from circumvention example code.” Mayer provides substantial technical data to support his explanation.

In response to the Journal’s picking up Mayer’s report and independently confirming it with one of their own technical advisors, Google disabled the code. Ashkan Soltani, the Journal’s advisor, “found that 23 of the top 100 websites installed Google’s tracking code on Safari,” Wasserman noted in his Mashable piece.

Also in response to WSJ’s piece, Google issued a statement. I’m including the full statement here, to avoid anyone saying that it’s being quoted out of context:

“The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
“Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1” things that interest them.
“To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.
“However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
“Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.”

What’s particularly interesting about this statement is what it implies – and how completely Mayer refutes those implications in a blog  post on the subject. “We used known Safari functionality to provide features that signed-in Google users had enabled,” the statement says. In fact, noted Mayer, the circumvention behaviors occurred regardless of whether users were signed in, or even owned a Google account.

“It’s important to stress that these advertising cookies do not collect personal information,” says the statement. But that’s not actually true, according to Mayer. As he points out, “Google’s social advertising technology is designed to identify the user – that’s how it shows your friends’ pictures!”

“Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default,” Google’s statement notes. It may possibly be true that Safari is the only major browser that blocks third-party cookies by default, but all other major browsers include a “private browsing” mode that blocks cookies. And by the way, Apple did not set up Safari this way as a “dig” at Google; the browser’s record as a privacy pioneer dates back to Safari version 1.0, released back in 2003. This is “long before Google was in the third-party advertising business, and long before relations between the companies soured over smartphones.”

And that comment about enabling features such as “Like” and “+1” buttons? According to Mayer, “We never saw an ad with the +1 button in our testing. The circumvention behaviors occurred in ordinary-looking ads.”

What Mayer seems to be saying is that the computer code circumventing the blocks for third-party ad cookies seems to be unnecessary. In fact, it looks as though Google and the other advertisers could have accomplished their stated goals without trying to get around those settings. So what are these advertising companies really trying to accomplish? Well, as Mayer notes, Google and the other advertisers gained an advantage over their competitors who did not track Safari browsers. “That advantage may have resulted in profit,” Mayer observed. So it all comes down to money – something that apparently can make even Google turn evil.

[gp-comments width="770" linklove="off" ]