

Stanford researcher: Google Circumvents iOS Privacy protection in AdSense ads - achille
http://www.eff.org/deeplinks/2012/02/time-make-amends-google-circumvents-privacy-settings-safari-users

======
Tyrannosaurs
The whole "Don't be Evil" history thing is asked too often, frequently
around things which probably aren't even borderline but this feels a valid
case of calling them on it.

Deliberately exploiting a loophole to circumvent privacy controls is scummy
behaviour, the sort of thing you expect from the industry's bottom feeders,
not from one of the biggest companies in the game and certainly one that
professes some sort of conscience.

You can argue it's not really evil but it's hard to say it's not another step
towards that, and this time it seems hard to suggest that it's contractors or
some peripheral part of the company.

~~~
brudgers
> _"Deliberately exploiting a loophole to circumvent privacy controls is
> scummy behaviour"_
    
    
      if (scummy < creepy) { console.log("film@11"); }
      else { google = evil; }
    

Tracking users is Google's core business. I'd be surprised if they were the
only people who have figured out how to do this sort of thing.

Holding Google to some higher standard than other companies is naive at best.
Its management has the same duties to the stockholders as any other company.

~~~
Tyrannosaurs
You're missing the point.

Don't be evil isn't the standard I set for them, it's the standard they set
for themselves.

------
drunkenmasta
I'd like to thank Jonathan Mayer and others like him that go through code and
find these secrets and then release them for the public good. You make a great
difference.

------
cpeterso
If Google uses security holes in Apple's browser to "enhance" user tracking,
what might Google do if they had their own browser?

~~~
emehrkay
Yeah, I don't understand the Chrome love from the typical "hacker." I
personally use Webkit Nightly.

~~~
jrockway
I use Chromium. That way, I can read the code and still get a really good
browser. My analysis is: they only send information back to Google when you
explicitly request it.

(But what if Debian ships me a version of gcc that embeds secret tracking code
into any version of Chromium I compile? Oh the fear, uncertainty, and doubt!)

~~~
160162172
Unfortunately Chromium connects to Google just as frequently as Chrome does,
vide - [http://www.freesmug.org/forum/t-433541/chromium-chrome-and-m...](http://www.freesmug.org/forum/t-433541/chromium-chrome-and-mysterious-server-connections)

~~~
jrockway
Sure, but you can easily delete the code that does that. The point of Chromium
is not that it doesn't talk to Google. The point is that you can read the
source code to determine exactly when it does, and you can edit the source
code to ensure that it doesn't do anything you don't want it to.

Yes, that's hard, but that's the price of freedom. I appreciate that Google at
least lets me choose how I want to use their code, where Apple and Microsoft
make the decisions for me and never let me double-check them. (As it stands, I
trust Google with my personal information and I think the places where
Chrome/Chromium communicate with Google are appropriate and make my browsing
experience better. But it's 100% fine if you don't feel the same way.)

~~~
cpeterso
Full disclosure: jrockway is a Google employee.

~~~
jrockway
Yes. I had originally mentioned, "I don't care because Google pays for my
Internet connection and could spy on me anyway," but I edited it out because
Google does not spy. :)

I think, rationally, I should be more afraid of what Google knows about me
than a random person. I've used Google to search for things I wouldn't exactly
want to bring up in a meeting with my coworkers. But I know what the
procedures are for accessing personal information, and I trust my employer
with my most private searches. (It takes a leap of faith to trust me on this,
so I don't expect you to. But really, Google cares about privacy.)

When I worked at Bank of America, I always felt weird buying stuff with my
Bank of America credit card because I knew someone at the company would have
access to that information. But I don't feel that way when using Google
Checkout / Google Wallet at all. I don't know why it is, but that's how I
feel.

------
emehrkay
This makes me think that Google had ulterior motives when bundling flash with
Chrome. Having the latest, most-secure version of flash is a win for Google,
its users, and the web in general, but having flash installed allows for usage
of flash cookies which can read your info across browser sessions -- info that
they'd probably want.

To Chrome's credit, I believe it is the only browser that allows users to
delete flash cookies.

* removes tin foil hat

~~~
Nick_C
I've said this before, but for others who missed it, here's one of my crontab
entries:

    
    
      # Remove Flash cookies and everything to do with Flash, 
      # including left-over Flash files in /tmp
      15  13 * * Wed  /usr/bin/rm -rf /home/nick/.macromedia/Flash_Player/*
      16  13 * * Wed  /usr/bin/rm -rf /tmp/Flash*

~~~
emehrkay
Thank you

------
drp4929
Google, what's wrong with you? Do what Path did.

~~~
Bud
Too late to do that. Apple is patching it in the next iOS update.

~~~
myko
You mean they're updating Safari with a patch created by Google engineers
months ago to fix the issue: <http://trac.webkit.org/changeset/92142>

~~~
YooLi
Whether the bug is fixed by the Chromium team or not, Google should not have
been exploiting it to track users.

~~~
magicalist
"This tracking, discovered by Stanford researcher Jonathan Mayer, was a
technical side-effect — probably an unintended side-effect — of a system that
Google built to pass social personalization information (like, “your friend
Suzy +1'ed this ad about candy”) from the google.com domain to the
doubleclick.net domain."

edit: to be clear, whether or not it was an intended side effect, it is a side
effect of a (potentially) legitimate use case (setting the value of +1-ing an
ad aside).

------
shareme
A question: why is no one concerned about the Safari hole in context of Apple?

Seems to me that you have more to worry about in Apple than Google as there
are many others using the same exact hole.

