Slashdot Mirror
Google Accused of Bypassing Safari's Privacy Controls
DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.
I trust Google with way too much as it is. And practices like this only make me even more determined to avoid them as much as reasonably possible. It's bad enough that pretty much every website out there now is feeding them tracking data (seriously, use Firefox with NoScript and just look at all the sites using Google-analytics, it's *everywhere*). I certainly am *not* about to let them takeover my entire browser too.
They'll have to content themselves with just reading my gmail.
SJW: Someone who has run out of real oppression, and has to fake it.
the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.
If I were a company that made my money on hardware and my main competitor was a company that made their money on ads, I'd most definitely be trying to tweak my software to stymie "industry-standard" practices.
i have a few browsers on my iphone including a private browser. i've had it for years since before apple put the functionality into iOS. All it does is ride on top of stock safari on the iphone but creates a private browsing session.
i've noticed that some searches i did in the private browser come up as past searches in stock safari and on my laptop. which means that google is probably reading the UIDID or whatever it's called and using it to correlate users across devices even if they don't log into google
i rather use Linux
http://duckduckgo.com/
Politics is Treachery, Religion is Brainwashing
Surely the 'invisible form' is not in itself new? I have always had the firefox/mozilla/etc 'security.warn_submit_insecure' set to 'true' and the warning pops up in all manner of places where you have done nothing but viewed a page.
I always hit 'cancel' as a matter of principle since when it first appeared for no apparent reason I took it to be someone's way of getting my browser to do something which I would either probably not want it to do or that they did not want me to know about.
On the other hand, it is a technique used by at least one or two types of forum software to update DST settings, so it's not always nefarious.
John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users. Further, that he angry that Apple opted him out by default, rather than forcing him to opt-in to privacy.
Regardless of your views on the evil of (Apple|Google|whoever) this seems an odd argument. Unless you're an advertiser, of course.
... it's really a clever hack. ("Hack" as in "clever workaround", not "ZOMGbreaking and entering!!!11") RTFA (not paywalled at the moment) and click on the infographic to see what they did.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content â" such as the ability to âoe+1â things that interest them.'
In other words: "We found the wall inconvenient, so we simply tunneled under it."
Yes, Google, which part of "bypass" do you not understand?
What you're doing now is going to result in an arms race between you and several of the major web browser authors, including, perhaps, your own Chromium project.
What's next in this arms race, the inability for iframes to have forms? The inability for JavaScript to submit forms? The inability for JavaScript to run in iframes?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
IIRC the first 3 major versions of Safari on OS X totally ignored the setting for 'don't allow 3rd party cookies'. I had to file a bug that apple.com was setting these cookies w/ safari.
These assertions are really empty for me personally, since apple's site has partners that set these cookies, and apple's devs couldn't bother to implement this feature right.
And yes, my bitterness permeates everything:)
This sounds to me more like a defect in Safari's cookie handling than a problem on Google's part. Sure it's a dicey practice anyway to overtly try to circumvent those security and privacy features, but if the browser in question had implemented them properly in the first place this would be a non-issue.
A few days ago I also noticed they started doing redirect links for search results. They used to do this for ads, but not it includes the links you are really looking for. The real link is still in the URL which I have started extracting by hand, but it makes google a lot more painful to use.
This is hardly the first time this has happened. Its been pretty much common practice since day one in the web advertising industry to pretty much assualt every single client-level security barrier as far as trackability and domain encapsulation in any browser with the full force of their research budgets. What is surprising to me is that in all these years this is the first time anyone else has figured it out apparently.
"When I was back there in seminary school, there was a person there who put forth the proposition of 'Don't be evil'..."
But I was taught in school that sharing my private stuff openly can result in STDs... Now I must pick between AIDS or Cancer? ACK!!!
How so?
My cookie settings were as described "only accept from sites I visit". Google tricks my browser into thinking I've visited a site I did not, in fact, visit. They do this by submitting a form and intentionally making in invisible to me. At what point did I "Opt in" to this behavior??
I'm not excusing Apple's complete security failure here, but how exactly is Google not also culpable for this violation of my trust?
Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
Google claims you can use the Ads Preferences Manager to disable this "feature". But wait! They previously claimed that it wasn't necessary to disable that feature because Safari defaulted to no 3rd party cookies.
Fuck me with a greased up Yoda doll, if they're going to blatently lie, why would they respect your desire to pot out of it?
Assuming they're not evil, they want to fill the web with their +1 buttons so they needed to turn on 3rd party cookies which unintentionally (not that they mind) enabled all their ad tracking.
Which is to say Google isn't evil but Google+ is.
Do you even lift?
These aren't the 'roids you're looking for.
Articles like this make me think using Chrome is only moderately safer than using a web browser made by Facebook, if they made one.
Man, google used to be so cool. What happened?
Google brings me porn, warez and pirate music/video. All Apple's ever done is prove themselves one of the biggest patent whores on the planet.
Damn! That doesn't settle a thing. Guess I won't trust either of 'em.
In the Battelle article, he admits he was blogging after drinking. Don't expect much.
... stalks the corridors of Apple headquarters, inflicting great harm on anyone who quavers in their resolve to destroy Google.
Check your premises.
This might violate the Computer Fraud and Abuse Act. The threshold phrase there is "exceeds authorized access". Explicitly bypassing a security measure is usually considered to satisfy that definition of criminal conduct.
Attempts to use the Computer Fraud and Abuse act have failed with regard to "Flash cookies", because the plaintiff was unable to show $5000 in damages, even across a large number of users. But since then,. Google has offered a deal where users give up their privacy for $25 in gift cards. Google has now put a price tag on privacy, which can be used as evidence against them in valuing future intrusions.
... Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did ...
This scenario needs to be a job interview question.
we lose"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
geekoid commented:
Man. if this is the stretch people have to go through to blame Google for something, Google must be doing pretty damn good.
Seriously, this is, yet again, another NTSH article about Google. They are doing what the user opted in for them to do.
I think it's worth noting that, although I allow scripts and cookies directly from Google, I disallow them from google-analytics.com (via Cookiesafe and NoScript), and that choice does NOT appear to disable ANY Google function that I can determine.
As evil behavior goes, I'm with geekoid: this is pretty weak beer.
Check out my novel.
Every now and then, a story pops up on Slashdot describing how one company or other is getting around browser security features to invade people's privacy. A while back the story was about "supercookies" that couldn't be deleted but would let some companies know whether you have visited their website before, etc. The blame is always directed squarely at the company doing the "exploiting".
I think the more important issue is the security problems in the browser itself, which enable these tactics to be employed. If large companies like Google are exploiting these vulnerabilities, then we can only assume that smaller scale but potentially much more malicious hackers are employing similar tricks. Companies like Google, when they do such things are pointing out serious vulnerabilities that need to be addressed. The problem won't go away just because big companies like Google voluntarily decide to stop exploiting browser vulnerabilities. The problem will only go away when the browsers (and possibly plugins) are fixed and patched so the exploits are impossible.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I have a profile that I keep for private browsing only. I only login to facebook and other nefarious sites in this profile and always in private mode. My search bar is set to either scroogle or (b/c google is blocking them) duckduckgo. Yet somehow I find google cookies "leaking" out of private mode. Upon launch but b/f going private I periodically check the cookie list and I find google there. :((
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
Surrogate Scripts are meant to deal with this kind of crap.
Could you please show me some URLs to check?
There's a browser safer than Firefox, it is Firefox, with NoScript
If Google could write the code to bypass the security restriction, then so could someone with more nefarious purposes.
Thank them, then fix your flaw.
You can easily opt out from behavioral advertising of google ads and 100+ other add networks by simply going to http://www.networkadvertising.org/managing/opt_out.asp . This site is a tool provided by those advertisers, its just not too many ppl know about it.
I'm not sure how much longer I will keep using Google.