Google Secretly Bypassing Safari Privacy Settings

by Zack Kaldveer, CFC Communications Director, Privacy Revolt

The global tech giant Google, a company becoming an increasingly giant information control monopoly, has done it again. I speak of course of its long, sordid, and adversarial relationship with privacy, and this weekends news that it, and several other advertising companies have been bypassing the privacy settings in Apple’s Safari browser. This is of particular concern and importance because that system, and those users, are specifically INTENDING that such monitoring to be BLOCKED.

Let’s remember, it was just two weeks ago that a bit of a firestorm was sparked by Google changing its privacy policies rather abruptly, while making opt-ing out of the massive amount of data sharing that will take place if their proposed folding 60 of its 70 existing product privacy policies under one blanket policy and breaking down the identity barriers between (to accommodate its new Google+ social network software) nearly impossible.

Let us also remember that we know for instance, and they have been sued for it, companies like Google, Yahoo, Microsoft and other Internet companies track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

We should also consider that sordid history of privacy and Google I mentioned at the start from Google Books to the loss of "Locational Privacy" to the company’s lobbying efforts in Congress, to its cloud computing, to its increasing usage and expansion of behavioral marketing techniques, to Google StreetView cars gathering private information from unaware local residents, to the company teaming with the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) "for technical assistance" to the infamous Google Buzz to the company’s recent admittance that it gets THOUSANDS of requests from the government for information about its users to claims that the company manipulates its search results to favor its own products.

Before I get to some obvious solutions and responses to this latest Google controversy (like data retention limits and Do Not Track options), let me get to the story:

The Stanford study was written by Jonathan Mayer, a graduate student in law and computer science who has cranked out a growing body of headline-generating literature on online privacy. In his paper, he noted that unlike every other browser vendor, Apple’s Safari automatically blocks tracking cookies generated by websites that users visit. Apple’s Safari is one of the most popular browsers for mobile devices, and the default browser on Macs.

These cookies can collect information about where users go online and what they do – data that advertisers treasure.There are exceptions to Safari’s cookie blocking, however. For instance, it allows what are known as "first-party cookies," those that sites like Facebook or Google drop onto devices so users don’t have to sign in every time they visit. Certain carve-outs also allow Facebook users to "like" things on third-party sites.

Unlike Facebook, the problem for Google was that its social and ad networks run on different domains from its main one, That prevents it from allowing a user of the Google+ social network to give a virtual thumbs up (or "+1") to an ad on another site, a step that makes such ads more valuable. That would require a "third-party cookie" that is blocked by Safari.

But it turns out there are a few ways for companies to get around these limitations. The one that Mayer’s paper focused on involved inserting code to place tracking cookies within Safari. He found four companies doing this: Google, Vibrant Media, Media Innovation Group and PointRoll.

But in an interview, Mayer said Google had unilaterally decided that privacy permissions for its products superseded the privacy restrictions those users had enacted – implicitly or explicitly – by choosing to use Safari."The user is giving up some privacy in exchange for lining Google’s pockets," he said.

Meanwhile, an even bigger problem occurred. Once Google tweaked the way Safari functions, other Google advertising cookies could be installed on the devices. "We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers," Whetstone said. Why this problem was spotted by a Stanford graduate student and not by a major corporation that’s been under continual privacy scrutiny is a fair question that Google has yet to answer.

"I think that’s a pretty big ‘oops,’ and it raises pretty big questions," Mayer said. Chris Hoofnagle, a digital privacy expert at UC Berkeley’s law school, said there’s a corporate tone-deafness within the engineering-centric culture of Google that leads to these sorts of mistakes. "To the engineer, cookie blocking appears to be a technical error that they should try to solve," he said. "It’s very difficult for them to accept the frame that some people do not want this tracking."

Click here to read more.

Let me say, I don’t know whether Google is telling the truth or not – my instincts say they aren’t because of their track record on this issue. Regardless, this latest privacy breach, and violation of consumer desires and expectations proves yet again our regulations and rights have not caught up with technological advancements in the digital realm.

As I have often written here, once again, an issue like this raises some particularly important questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government’s access to this new world of data storage?

The argument from privacy advocates has largely been that this massive and stealth data collection apparatus threatens user privacy and regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

More to the point is the simple, unavoidable fact that consumers should have MORE control, not less, over what information of ours is used, shared, and profited off.

Again, for first time, or rare readers of this blog, I would also point to the consistent dichotomy between the now proven HIGH LEVEL of concern about privacy on the internet among users with the fact they tend to do very little to actually protect it (which of course is related to how hard and complicated it can be to do so). Which in my mind, makes easy to use, clear options to protect privacy so paramount. Once people are given such a choice, not only will more people choose to "not be tracked", I think more people will become more AWARE of just how all pervasive such monitoring of nearly everything we do has become.

So, let’s get to some OBVIOUS solutions to this growing online tracking problem, magnified by Google’s latest violation of consumer trust. We CLEARLY have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for legislation like California’s SB 761 (Do Not Track).

The Do Not Track flag is a rather simple concept that’s already been built into Firefox and IE9. If users choose to turn on the option, every time they visit a web page the browser will send a message to the site, saying ‘do not track.’

SB 761 (Lowenthal) would offer consumers such a mechanism, something the bill’s sponsor describe as "one of the most powerful tools available to protect consumers’ privacy." The mechanism will allow anyone online to send Websites the message that they do not want their online activity monitored.

Obviously, this legislation happens to be something I’ll be working on here in Sacramento this year – but a federal version would be most useful.

To be sure, there is no magic bullet when it comes to digital tracking protecting privacy. Another solution advocated by such privacy experts as Chris Hoofnagle, is data-retention limits. As he recently stated in an interview in the San Francisco Chronicle, "We know from behavioral economics that most people won’t turn on do-not-track features, so if you’re serious about protecting privacy, if you think there’s a value here, you should protect it by default. It would require no user intervention. You would impair the ability of companies and law enforcement to create long-term profiles about people."

Similarly, as Hoofnagle points out, there are limitations to the "opt out" option alone, stating, "Under self-regulatory programs, they allowed people to opt out of targeted advertising if they wanted. But people figured out that what that meant is these companies could still track you, they just couldn’t show you online behavioral advertising. They could still choose to target you in another channel (like direct-mail marketing or telemarketing.) And if you look at all the tracking they do, they can identify you in a fairly trivial way. Our study also found over 600 third-party hosts of cookies, most of which are not members of any self-regulatory organization (and thus aren’t bound to the rules of opt-out programs). They’re not even necessarily advertisers, they could be governments. We really don’t know who they are."

The need for such consumer friendly and empowering solutions to this exploding data mining industry and tracking capabilities is clear because we KNOW marketers will stop at NOTHING to ensure they can monitor online behavior…so we can be better profiled by the government and marketed to by advertisers.

As a recent Berkeley study found, "Seven of the top 100 sites appeared to be using what’s known as HTML5 local storage to back up standard cookies, and two were found to be respawning cookies….Third-party advertisers on the site were still employing the flash cookies, along with another type that takes advantage of the browser’s cache, where online data is stored on the computer so it can be delivered faster. This ETag tracking allows advertisers to monitor users, even when they block all cookies and use a private browsing mode."

In other words, its time consumers regain control of our privacy and our personal information, through law, not through hope and polite requests to industry’s that don’t care about you or your privacy – only the bottom line.