
Google Tracked iPhones, Bypassing Apple Browser Privacy Settings - mjfern
http://online.wsj.com/article_email/SB10001424052970204880404577225380456599176-lMyQjAxMTAyMDEwNjExNDYyWj.html
======
patio11
Given that the Geek2English translation obscured useful detail: Safari blocks
third party cookies by default. You can work around this default setting by
using an iframe to submit a vestigial form, which will convince Safari that
the domain doing the submitting is a first party, not a third party. After you
have any cookie on the machine, broadening the scope to include e.g. cookies
from your house advertising network is easy. Google says "Whoopsie, we didn't
plan on that happening." Cookies are still just cookies and their newfound
relevance to the WSJ is still refighting something the Internet largely
settled back in 1996.
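The workaround patio11 describes leaves a recognisable footprint in page markup: a third-party iframe whose document carries a form with no user-visible fields that a script submits as soon as it loads. The following Python is an added example written for this thread (not code from the article, from WebKit or from any vendor) that flags that footprint in constructed sample markup, the kind of check a site owner or auditor might run over served pages. The hostnames, the sample HTML, and the `_site()` helper (which approximates a registrable domain without a public-suffix list) are assumptions of this example.

```python
"""Flag the 'invisible auto-submitted form inside a third-party iframe' pattern.

Constructed example for this discussion; it inspects markup only and fetches nothing.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# A script that submits a form programmatically (the 'vestigial form' trick).
SUBMIT_CALL = re.compile(r"\.submit\s*\(")


class _Collector(HTMLParser):
    """Collect iframes, forms (with their input types) and inline script text."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.forms = []
        self.script_text = []
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("type") or "text").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def _site(url_or_host):
    """Registrable-domain approximation (assumption: last two labels; no PSL)."""
    host = urlparse(url_or_host).hostname or url_or_host
    return ".".join(host.lower().split(".")[-2:])


def third_party_iframes(page_html, page_url):
    """Return iframe src URLs whose site differs from the top-level page's site."""
    c = _Collector()
    c.feed(page_html)
    top = _site(page_url)
    return [f["src"] for f in c.iframes if f.get("src") and _site(f["src"]) != top]


def auto_submitted_cross_site_forms(frame_html, frame_url, page_url):
    """Inside an iframe document, find forms that post cross-site relative to the
    top-level page, expose no user-visible fields, and are submitted by script."""
    c = _Collector()
    c.feed(frame_html)
    top = _site(page_url)
    scripts = "".join(c.script_text)
    findings = []
    for form in c.forms:
        action = urljoin(frame_url, form["action"])
        if _site(action) == top:
            continue  # posts to the first party: not the pattern of interest
        if any(t != "hidden" for t in form["inputs"]):
            continue  # has a visible field: a real, user-facing form
        if not SUBMIT_CALL.search(scripts):
            continue  # nothing submits it automatically
        findings.append({"action": action, "hidden_inputs": len(form["inputs"])})
    return findings


# Constructed sample markup (hostnames are placeholders, not real sites).
PAGE_URL = "https://example-publisher.test/article"
PAGE_HTML = """<html><body><p>Story</p>
<iframe src="https://ads.example-adnet.test/frame"></iframe>
<iframe src="https://example-publisher.test/comments"></iframe>
</body></html>"""

FRAME_URL = "https://ads.example-adnet.test/frame"
FRAME_HTML = """<html><body>
<form id="f" method="POST" action="/collect"><input type="hidden" name="v" value="1"></form>
<script>document.getElementById("f").submit();</script>
</body></html>"""

BENIGN_FRAME_HTML = """<html><body>
<form method="POST" action="/subscribe"><input type="email" name="addr"><input type="submit" value="Go"></form>
</body></html>"""

if __name__ == "__main__":
    print(third_party_iframes(PAGE_HTML, PAGE_URL))
    print(auto_submitted_cross_site_forms(FRAME_HTML, FRAME_URL, PAGE_URL))
    print(auto_submitted_cross_site_forms(BENIGN_FRAME_HTML, FRAME_URL, PAGE_URL))
```

The two functions are separate because the iframe's document is a separate resource: the first tells you which frames on a page are third party, the second is run on each such frame's markup. A visible-field form that a user actually fills in is deliberately not flagged, since that is the ordinary first-party interaction Safari's "from visited" policy is meant to honour.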

~~~
chubot
Thanks for the explanation, but it's hardly "settled".

I don't use an iPhone, but I imagine if it's like other browsers, there's some
setting that says:

[x] Accept cookies from sites [ ] Accept third party cookies

When I don't check the second box, it doesn't mean "Don't accept cookies,
unless condition X is true", e.g. the web site implemented a popular hack. It
means _really_ don't accept third party cookies, and I don't give a shit if
the +1 button breaks.

It doesn't sound like Safari's behavior on the hidden forms is intentional. It
sounds like a bug, but it's irrelevant either way. I hope Apple patches this
soon and forces people to opt in to third party cookies.

I'm glad that they actually set the default to reject them (a funny contrast
to the address book policy). Firefox allows third party cookies by default
because I always have to turn it off when setting up the browser on a new PC.

~~~
stanleydrew
> I hope Apple patches this soon and forces people to opt in to third party
> cookies.

The WSJ also ran a blog post about this which says (at the very end):

"An update to the software that underlies Safari has closed the loophole that
allows cookies to be set after the automatic submission of invisible forms.
Future public versions of Safari could incorporate that update. The people who
handled the proposed change, according to software documents: two engineers at
Google."

"software documents" is linked to <http://trac.webkit.org/changeset/92142>

So it appears that Google engineers have already closed this loophole.

~~~
chubot
Wow, that's amazing.

This somehow reminds me of the time when Chrome marketing ended up paying for
links to their site, and then the Web search group had to punish them with a
demotion.

~~~
myko
Well, except that this change was made by Google engineers in August (well
before the big deal this has become today).

------
ashishgandhi
Lately I've been reading quite a few articles that arguably show Google not
following the "Don't Be Evil" motto. But I've always found people having an
explanation for the behavior where the benefit of the doubt can be given to
Google. (E.g. Social results from SPYW, etc.)

I wonder if anyone can throw some light on this matter if there's a way they
could be doing this "by mistake", or "unintentionally" or something else. For
example could the +1 button be a cause? I don't know but I'm curious.

~~~
bishnu
It's a lot more nuanced than the WSJ article made it seem. Google and other
web advertisers engaged in what most would consider normal activity, but that
Apple had specifically disabled in Mobile Safari. Here's a good explanation
from John Battelle: [http://battellemedia.com/archives/2012/02/a-sad-state-of-int...](http://battellemedia.com/archives/2012/02/a-sad-state-of-internet-affairs-the-journal-on-google-apple-and-privacy.php)

~~~
jdq
The Battelle link is a horrible explanation. His position is that user
tracking for ads is a normal function of the web people want and therefore it
is Apple's fault for blocking it by default. Unreal.

------
greyman
> Google itself issued a statement saying the Wall Street Journal
> "mischaracterizes what happened and why. We used known Safari functionality
> to provide features that signed-in Google users had enabled. It's important
> to stress that these advertising cookies do not collect personal
> information."

Just asking: Isn't it a kind of subtle lie to say that advertising cookies
do not collect personal information? Of course, there isn't personal
information in the cookie itself, but that cookie is used to identify my
profile in those third party databases, so they know who I am, and that
profile already can contain anything they collected about me in the past,
including personal information.

UPDATE: This article seems to confirm that the Google's spokesman statement is
indeed misleading -> <http://cyberlaw.stanford.edu/node/6701>

------
gyardley
DoubleClick is owned by Google - it _is_ a first-party.

If you're on a Google property, Google has every right to serve all the
DoubleClick cookies it likes. All the WSJ's witch-hunt + Safari's
pain-in-the-ass non-standard defaults mean is that Google will have to do the
work to serve its DoubleClick cookies off the google.com domain - which, as
people switch more and more to mobile, they will inevitably do.

------
zaroth
Safari's default behavior is to Accept Cookies: 'From visited'. This prevents
3rd party iframes from saving cookies without a workaround. However, Chrome,
Firefox, Opera, and IE (with proper P3P) all allow 3rd party iframes to save
cookies by DEFAULT.

This leaves us with the choice of either using the workaround, or not
providing a consistent experience that users expect.

If Safari worked like every other major browser in this regard-- allowing
users to OPT-IN to the stricter cookie policy--then WSJ would be right in
nailing Google for working around it.

I think Google did nothing wrong. They worked around a browser's non-standard
default behavior, which is something we all do multiple times a day. Only when
non-standard behavior is OPT-IN is there willful disregard for the user's
intent in employing a work-around.

~~~
chubot
OK, so how do I opt out of their hacky workarounds?

This is worse because I turn off third party cookies in Firefox. On an iPhone,
I would have no way to turn off third party cookies (the ones that are
submitted using the hack).

~~~
zaroth
1) Apple should make the default be the more permissive policy that all other
major browsers have adopted.

2) They should lock down their implementation of the 'Sites I visit' policy
to prevent the workaround.

3) Users who opt-in for the stricter policy actually get it, but they should
realize when their CHOICE breaks any features which rely on 3rd party cookies.

~~~
d5tryr
Ads are features?

------
Tichy
So much bullshit in one article. I mean the technical issue of tracking is
probably correct, but it is not a Google vs Apple thing. Every website you
visit on the web does its utmost to track the hell out of you. That is an
issue, but Google is not doing anything else than everybody else. I still
don't like it, but this article just distorts the issue into something
completely different.

------
calciphus
Sounds to me like they have some pretty sloppy security then. But that's
pretty much the iPhone all over.

~~~
doe88
Yeah, you're right: if Path or others transmit your AddressBook data it's
Apple's fault; if Google Inc. or others track Safari's browsers it's Apple's
fault.

Shame on Apple.

~~~
calciphus
Yeah, pretty much, actually. If I've checked off a box that says "don't let
this happen" and then it happens? Can't really say I blame anyone but the
device maker.

Since you clearly can't trust app developers or websites to not try and
exploit your information, you HAVE to trust your device to do what it says.
The fact that this was exposed by the standard +1 button doesn't exactly mean
it was difficult to do. It wasn't some 0-day exploit that they're using, it's
a failure of the browser.

------
sravfeyn
But, Google already does the same thing on the devices using Chrome browser.
Isn't it?

~~~
rsynnott
Safari's default policy on handling of third-party cookies in iFrames is
somewhat stricter than that of most other browsers (this is frequently a
problem for Facebook games); Google almost certainly didn't _need_ to do this
on Chrome.

------
nl
People should note that removing this "hack" removes arguably useful user
functionality such as the facebook like button (or at least the social
recommendations part) too.

------
drivebyacct2
Where is the "We are Sorry" post? That's what it takes to apologize for taking
advantage of platforms that accidentally allow access to more data than they
should, right?

------
yanw
A thorough hatchet job by the WSJ, "Google" mentioned 44 times in that piece.

