The WSJ Exposes Google’s Tracking Hack

The Wall Street Journal has a big scoop this morning on how Google and other companies overrode Apple privacy settings in order aid their products and ads, a move that also allowed third-party advertisers to track users on the Web.

Julia Angwin and Jennifer Valentino-DeVries, continuing the paper’s What They Know series, report that Google designed code to “trick” Apple’s Safari browser, which works on both iPhones and computers, into accepting cookies that it blocks by default. Google says it did this so its +1 feature wouldn’t be blocked. Of course, if users wanted that +1 feature (and does anybody, really?), they could go into Safari’s settings and allow it:

Which raises another point: While most Safari users probably never bothered with their cookies settings, surely a significant minority consciously left that setting to block third-party cookies. So Google not only circumvented Apple’s choice, which is bad enough, but it also overrode users’ explicit desires not to be tracked.

To top it off, Google itself told users that if they didn’t want to be tracked, they should leave Safari’s default settings alone. Here’s a cached screenshot (Google removed this language late Tuesday, the Journal says) which says “Safari is set by default to block all third-party cookies. If you have not changed those settings, this option effectively accomplishes the same thing as setting the opt-out cookie.”

And Google’s move—unintentionally, apparently—ended up allowing full-fledged ad tracking by Google’s DoubleClick:

Unfortunately, that had the side effect of completely undoing all of Safari’s protections against It caused Safari to allow other DoubleClick cookies, and especially the main “id” tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari’s protections against DoubleClick were gone.

Google disabled its tracking hack after the Journal started asking questions, but it tells the paper, defiantly, that “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

Google can spin it all it wants, but we’ll side with the Journal on this one, as I imagine most folks would. Google’s “work-around” was arrogant to begin with. The company’s statement just exacerbates that.

Boing Boing’s Cory Doctorow says this:

In the iPhone case, it’s likely that Google has gone beyond lowering the quality of its service for its users and customers, and has now started to violate the law, and certainly to undermine the trust that the company depends on. This is much more invasive than the time Google accidentally captured some WiFi traffic and didn’t do anything with it, much more invasive than Google taking pictures of publicly visible buildings — both practices that drew enormous and enduring criticism at the expense of the company’s global credibility.

Search Engine Land’s Danny Sullivan quibbles with the Journal’s tracking language, which I don’t have a problem with, but writes that “Privacy Settings Were Bypassed, And That’s Bad”:

While I’d guess most people had no idea that Safari was blocking third-party cookies by default, it was still doing that — and I doubt most people would be happy to hear that Google deliberately worked around this, even if it was only intended for a limited use of enabling +1 buttons on ads.

It also potentially opens Google up to a violation of its agreement with the FTC over privacy. As the WSJ points out, Google isn’t supposed to misrepresent its privacy practices.

Excellent reporting by the Journal.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Ryan Chittum is a former Wall Street Journal reporter, and deputy editor of The Audit, CJR's business section. If you see notable business journalism, give him a heads-up at Follow him on Twitter at @ryanchittum. Tags: , , , ,