Google Accused of Bypassing Safari's Privacy Controls

DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

And people ask me why I don't use Chrome

[elrous0]

I trust Google with way too much as it is. And practices like this only make me even more determined to avoid them as much as reasonably possible. It's bad enough that pretty much every website out there now is feeding them tracking data (seriously, use Firefox with NoScript and just look at all the sites using Google-analytics, it's *everywhere*). I certainly am *not* about to let them takeover my entire browser too.

They'll have to content themselves with just reading my gmail.

Re:And people ask me why I don't use Chrome

[NeutronCowboy]

And that's why noscript is so important. Yes, with time, everyone is going to consolidate their scripts under the main domain. But there will be ways to control that as well. And ultimately, that's why Firefox, despite all its problems, is a super-important part of the open web.

Re:And people ask me why I don't use Chrome

[sakdoctor]

with time, everyone is going to consolidate their scripts under the main domain

No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

Secondly, you're right. All the superficial problems (which I can almost never reproduce anyway) with firefox are nothing compared to having a browser I can trust, from an organization that I'm ideologically aligned with.
Google building a web browser is a conflict of interests; though I'm still glad they did for browser war / political reasons.

Re:And people ask me why I don't use Chrome

[Xest]

I don't think Google have done anything wrong there, saving settings to a user section of the registry makes more sense than a browser needing me to give it admin priviliges to write wherever the fuck it wants. It's precisely that sort of behaviour that leads people to click okay each time windows notifies them a program wants admin rights without even stopping to consider why.

It sounds more like your problem is that your lockdown policy isn't configured as you'd like it to be, yet you blame the software for not obeying how you wanted things setup, rather than how things actually are setup, other than that it sounds like Chrome is following correct and best practice behaviour in this respect whereas how you'd have liked it to respond is bad practice and not preferable.

Re:And people ask me why I don't use Chrome

[Xest]

"But on a locked down machine, nothing should be able to be installed without the admins knowing about it. Period. Google found a way around that."

No they didn't, that's precisely the point, the issue isn't that Google found some way around the lock down, it's that the system wasn't locked down properly to facilitate that goal.

Chrome is not some magical psychic piece of software that can tell what the system admin intended, it can only do what the OS allows it to do and is configured to allow it to do.

If Chrome is able to do things you did not intend on your systems then you have much more serious problems and your systems are incompetently configured and managed. You can guarantee if Chrome is obtaining admin privileges as a legitimate peice of software then a peice of malware would have a hell of a time enjoying your poorly configured systems. The first step to solving your problem is get rid of the geek squad level of staff, and start hiring some proper admins.

Re:And people ask me why I don't use Chrome

[Xest]

"That is a gigantic security hole just waiting to be exploited."

Right, so a browser that isolates itself to userspace is a gigantic security hole waiting to be exploited, yet a browser that requires admin privileges to install is not?

"Further, there's a reason corporate machines are locked down. We don't want people, especially IT people, installing every random piece of software that asks the user to install it."

So why are you letting people run arbitrary executables in the first place if you need that level of control of your systems?

"Rule #3 of IT that should never be broken: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball."

Er no, that's exactly what it DOESN'T do.

"It's bad enough that as an admin I am constantly harassed by Windows 7, "Do you want to allow...?" Yes, I'm a fucking admin, just install the damn thing! Now we have to put up with companies making it so every user can install whatever they want and expect us to figure out what they did."

Well at least now we know you're really not qualified for your own profession. Really, you have a degree of IT security responsibility yet you complain when an OS alerts you to a request by an application for (or if you're a user, blocks you from providing) admin access, and say you just blindly accept, but then you complain when an application doesn't try and obtain admin access that you previously suggested should never be given to a user?

You haven't configured your network to limit what people can run and install, you've configured your network to only allow executables to work within the permissions defined for the currently active user account, Chrome is doing exactly that, thus the only problem is that how you've configured your network, isn't how you seem to beleive your network should be configured.

Re:And people ask me why I don't use Chrome

[EasyTarget]

Well said; just what I was thinking but more coherent :-)

A security policy that still allows users to install software in the userland is not 'locked down'.

Re:And people ask me why I don't use Chrome

[Xest]

What Google is doing in TFA is not an exploit, just because Apple didn't want people to write Javascript in that way, doesn't mean there's anything wrong with it per-se. This isn't to defend it as it's obviously not a particularly respectful thing to do, but it's not illegal, nor does it breach any standards, in contrast, abusing an operating system level exploit potentially falls foul of both these things and opens Google up to a lawsuit. Perhaps you or the GP could consider taking it to court and challenge it there if you genuinely believe it's the case? You'd be able to get a pretty hefty payout or settlement if true.

Don't come crying when you actually get laughed out of court though because it turns out you just didn't know how to configure a network properly.

Re:And people ask me why I don't use Chrome

[Xest]

It makes me despair as it's been some years since I left IT support behind, and I noticed at the time the profession was becoming more and more filled with people who simply have no idea what the fuck they're doing but coast by nonetheless, calling in consultants for a fortune when they don't know how to do something that any half competent IT support person should be able to do, or blaming the software, going off sick, hiding at a different office or whatever else when inevitably things go wrong and they'd otherwise have to face up to their responsibilities.

It seems now that these numpties have found their way to Slashdot, extolling their blame on software to the world at large, rather than facing up to the fact that they just don't know what in the flying fuck they are actually doing.

Of course, the worst part is, they then moan when their job gets outsourced to India - is it any fucking wonder why when they show such ineptitude? It's no wonder Chinese hackers are supposedly pillaging Western firms dry of IP when IT security means "blame the software when your incorrectly configured security policy lets the user do something they weren't meant to be able to do".

This is why IT support has rapidly started to gain the same sort of disrespect as a profession that many manual trades like bricklaying long have, and why support has seen a deterioration in wages to boot - because there's so many IT staff out there who really can't be trusted to show a bit of intelligence and do a good job nowadays, and they drag it down for those who know what they're doing.

I'm just glad I got the hell out of there seeing as it's only continued to deteriorate as a profession!

Re:And people ask me why I don't use Chrome

[TheRaven64]

Your 'standard Windows corporate lockdown setup' allows end users to run untrusted code that they downloaded from the Internet. I can think of many reasons for calling Google evil, but in this case they are simply doing something that, since Vista, has been a requirement for the 'Designed for MS Windows' logo and part of the recommended practices: allowing non-admin user to install for their own user. It's only 'a nice little unpublicized exploit' if you don't count the articles on MSDN telling you 'this is what you must do in a UAC world'.

It's not Google's fault that you think removing write access to C:\Program Files is the same as preventing users from running their code. Windows has fine-grained ACLs. Learn how to use them. Remove the user's ability to run programs that are installed in any location that they have write access to.

And now I've defended Windows, I need to go and have a shower...

Re:And people ask me why I don't use Chrome

[NotBorg]

Don't buy a car from Exxon Mobil and expect it to be fuel efficient.

Where's the money from?

[Sez+Zero]

the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

If I were a company that made my money on hardware and my main competitor was a company that made their money on ads, I'd most definitely be trying to tweak my software to stymie "industry-standard" practices.

Advertisers of the world unite

[jameslore]

John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users. Further, that he angry that Apple opted him out by default, rather than forcing him to opt-in to privacy.

Regardless of your views on the evil of (Apple|Google|whoever) this seems an odd argument. Unless you're an advertiser, of course.

We found your privacy feature inconvenient.

[VGPowerlord]

Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content â" such as the ability to âoe+1â things that interest them.'

In other words: "We found the wall inconvenient, so we simply tunneled under it."

Yes, Google, which part of "bypass" do you not understand?

What you're doing now is going to result in an arms race between you and several of the major web browser authors, including, perhaps, your own Chromium project.

What's next in this arms race, the inability for iframes to have forms? The inability for JavaScript to submit forms? The inability for JavaScript to run in iframes?

Re:haha

[crmarvin42]

How so?

My cookie settings were as described "only accept from sites I visit". Google tricks my browser into thinking I've visited a site I did not, in fact, visit. They do this by submitting a form and intentionally making in invisible to me. At what point did I "Opt in" to this behavior??

I'm not excusing Apple's complete security failure here, but how exactly is Google not also culpable for this violation of my trust?

another thing is:

[larry+bagina]

Google claims you can use the Ads Preferences Manager to disable this "feature". But wait! They previously claimed that it wasn't necessary to disable that feature because Safari defaulted to no 3rd party cookies.

Fuck me with a greased up Yoda doll, if they're going to blatently lie, why would they respect your desire to pot out of it?

Assuming they're not evil, they want to fill the web with their +1 buttons so they needed to turn on 3rd party cookies which unintentionally (not that they mind) enabled all their ad tracking.

Which is to say Google isn't evil but Google+ is.

Re:Right or wrong...

[sunderland56]

The headline of the article should really be "Safari's privacy controls are weak and ineffective".

If someone leaves your front door wide open, and a skunk wanders in, do you blame the skunk, or do you blame whoever left the door open?