Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Accused of Bypassing Safari's Privacy Controls

Posted by Soulskill on from the daily-dose-of-tech-giant-soap-opera dept.

DJRumpy points out an article (based on a possibly paywalled WSJ report) describing how Google and other ad networks wrote code that would bypass the privacy settings of Apple's Safari web browser. 'The default settings of Safari block cookies "from third parties and advertisers," a setting that is supposed to only allow sites that the user is directly interacting with to save a cookie (client side data that remote web servers can later access in subsequent visits). ... The report notes that "Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.' Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.' Google adds that the data transferred between Safari and Google's servers was anonymized. John Battelle writes that the WSJ's story is sensationalist, but that it raises good questions about the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

60 of 202 comments (clear)

  1. And people ask me why I don't use Chrome by elrous0 · · Score: 5, Insightful

    I trust Google with way too much as it is. And practices like this only make me even more determined to avoid them as much as reasonably possible. It's bad enough that pretty much every website out there now is feeding them tracking data (seriously, use Firefox with NoScript and just look at all the sites using Google-analytics, it's *everywhere*). I certainly am *not* about to let them takeover my entire browser too.

    They'll have to content themselves with just reading my gmail.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:And people ask me why I don't use Chrome by Anonymous Coward · · Score: 5, Informative

      If you're running DNSmasq just add this line:

      address=/google-analytics.com/127.0.0.1

      and it won't bother you again.

    2. Re:And people ask me why I don't use Chrome by NeutronCowboy · · Score: 4, Insightful

      And that's why noscript is so important. Yes, with time, everyone is going to consolidate their scripts under the main domain. But there will be ways to control that as well. And ultimately, that's why Firefox, despite all its problems, is a super-important part of the open web.

      --
      Those who can, do. Those who can't, sue.
    3. Re:And people ask me why I don't use Chrome by Pieroxy · · Score: 3, Interesting

      Yes, with time, everyone is going to consolidate their scripts under the main domain.

      And the situation will be fine. Because when people will consolidate their stuff on their own domain, they will be able to track you on their website (big deal, there's access_log anyways) but they won't be able to track you anywhere else.

      Which is fine with me.

      --
      Write boring code, not shiny code!
    4. Re:And people ask me why I don't use Chrome by MrKevvy · · Score: 5, Interesting

      I support a locked-down corporate image. I'm surprised at the number of people I support that I've found using Chrome.

      Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did. I just tried this and was able to install it on the locked-down image, including setting it as default, etc. It may have put its settings in the user-writable area of the registry but it's very sneaky to do so whereas other browsers will refuse to install without admin. privileges. Hey, whatever leads to higher market share, right?

      --
      -- Insert witty one-liner here. --
    5. Re:And people ask me why I don't use Chrome by sakdoctor · · Score: 4, Insightful

      with time, everyone is going to consolidate their scripts under the main domain

      No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

      Secondly, you're right. All the superficial problems (which I can almost never reproduce anyway) with firefox are nothing compared to having a browser I can trust, from an organization that I'm ideologically aligned with.
      Google building a web browser is a conflict of interests; though I'm still glad they did for browser war / political reasons.

    6. Re:And people ask me why I don't use Chrome by phrostie · · Score: 2

      Try Ghostery

      I first started using it because of facebook, but after using it and seeing all the stuff that everyone else is tracking, i'm hooked.

      https://addons.mozilla.org/en-US/firefox/addon/ghostery/

    7. Re:And people ask me why I don't use Chrome by Xest · · Score: 5, Insightful

      I don't think Google have done anything wrong there, saving settings to a user section of the registry makes more sense than a browser needing me to give it admin priviliges to write wherever the fuck it wants. It's precisely that sort of behaviour that leads people to click okay each time windows notifies them a program wants admin rights without even stopping to consider why.

      It sounds more like your problem is that your lockdown policy isn't configured as you'd like it to be, yet you blame the software for not obeying how you wanted things setup, rather than how things actually are setup, other than that it sounds like Chrome is following correct and best practice behaviour in this respect whereas how you'd have liked it to respond is bad practice and not preferable.

    8. Re:And people ask me why I don't use Chrome by phrostie · · Score: 4, Informative

      another cool trick is to set up a host file.

      http://winhelp2002.mvps.org/hosts.htm

    9. Re:And people ask me why I don't use Chrome by jdgeorge · · Score: 3, Interesting

      Interesting point. I've been on the publishing and browsing sides of this.

      As someone developing technical information, it's extremely valuable to know the information Google Analytics provides. It helps tell content creators how useful their content is to the intended audience, whether to invest in translation (and to which languages), and whether it's worth developing more information on a given subject.

      As a browser, I generally don't allow Google Analytics and other tracking mechanisms in NoScript, because of general paranoia about being tracked.

      For now, I have developed a two-browser web-use approach: I use Google Chrome (or Chromium, depending) for everything I do as a signed-in Google user. For general web-browsing, I use Firefox with NoScript.

      I'm somewhat conflicted about the fact that I'm hypocritical in my desire for Google Analytics data while I refuse to provide that useful data to web sites.

      Perhaps what I really should do it have a third browser (or configuration), so I have one where I'm promiscuous within Gmail, Google+, and Calendar, a second where I allow traffic analytics when I'm browsing work-related information, and a third, paranoid config for... um... recreational browsing.

    10. Re:And people ask me why I don't use Chrome by agentgonzo · · Score: 2, Interesting

      The installation of Chrome is one of the reasons that I hate it. You are given no choice as to where it installs. It doesn't install to a system-wide location, but installs (as you say) in user-writable profile space. That means that if you want to run chrome on your computer and you have many users, you need to install it for every user and it will be a separate place on the file-system with each separate installation. And separate settings in the user part of the registry. You *can't* do a system-wide installation (even if you want to!). It's just absolutely idiotic.

    11. Re:And people ask me why I don't use Chrome by Anonymous Coward · · Score: 5, Informative

      You *can* do a system-wide installation, it's just not obvious.

    12. Re:And people ask me why I don't use Chrome by Anonymous Coward · · Score: 5, Funny

      Goddamn you. It is not acceptable to mention hosts files on slashdot. If you summon APK, I will find you, and there will be consequences, you bastard.

    13. Re:And people ask me why I don't use Chrome by GameboyRMH · · Score: 4, Interesting

      Chrome is probably one of the few Google products you shouldn't have any privacy worries about. It doesn't behave differently to any other browser. Chromium is open source if you want some extra assurance.

      As for reducing your Google information footprint, do what I do::

      http://slashdot.org/journal/277383/making-google-keep-to-itself-with-multifox

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    14. Re:And people ask me why I don't use Chrome by geekoid · · Score: 3, Funny

      "I dumb ass"? sigh.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    15. Re:And people ask me why I don't use Chrome by phrostie · · Score: 2

      ROTFL

      +1 funny

    16. Re:And people ask me why I don't use Chrome by GameboyRMH · · Score: 2

      Yep I use Ghostery and block all the known tracking services. Using a whitelist system like RequestPolicy would be technically better but it would be a massive PITA to browse that way.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    17. Re:And people ask me why I don't use Chrome by Xest · · Score: 5, Insightful

      "But on a locked down machine, nothing should be able to be installed without the admins knowing about it. Period. Google found a way around that."

      No they didn't, that's precisely the point, the issue isn't that Google found some way around the lock down, it's that the system wasn't locked down properly to facilitate that goal.

      Chrome is not some magical psychic piece of software that can tell what the system admin intended, it can only do what the OS allows it to do and is configured to allow it to do.

      If Chrome is able to do things you did not intend on your systems then you have much more serious problems and your systems are incompetently configured and managed. You can guarantee if Chrome is obtaining admin privileges as a legitimate peice of software then a peice of malware would have a hell of a time enjoying your poorly configured systems. The first step to solving your problem is get rid of the geek squad level of staff, and start hiring some proper admins.

    18. Re:And people ask me why I don't use Chrome by GIL_Dude · · Score: 4, Informative

      If you need to block Chrome installs in your locked down environment you can: http://support.google.com/installer/bin/answer.py?hl=en&answer=146164. At one point early in Chrome's life (before the policies existed) we had a desire to block Chrome as it was playing havoc with our authenticated proxy servers (it would just hammer them with failed authentication requests). It plays nice with proxies now, so we don't do anything to either enable or disable Chrome.

    19. Re:And people ask me why I don't use Chrome by Xest · · Score: 5, Insightful

      "That is a gigantic security hole just waiting to be exploited."

      Right, so a browser that isolates itself to userspace is a gigantic security hole waiting to be exploited, yet a browser that requires admin privileges to install is not?

      "Further, there's a reason corporate machines are locked down. We don't want people, especially IT people, installing every random piece of software that asks the user to install it."

      So why are you letting people run arbitrary executables in the first place if you need that level of control of your systems?

      "Rule #3 of IT that should never be broken: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball."

      Er no, that's exactly what it DOESN'T do.

      "It's bad enough that as an admin I am constantly harassed by Windows 7, "Do you want to allow...?" Yes, I'm a fucking admin, just install the damn thing! Now we have to put up with companies making it so every user can install whatever they want and expect us to figure out what they did."

      Well at least now we know you're really not qualified for your own profession. Really, you have a degree of IT security responsibility yet you complain when an OS alerts you to a request by an application for (or if you're a user, blocks you from providing) admin access, and say you just blindly accept, but then you complain when an application doesn't try and obtain admin access that you previously suggested should never be given to a user?

      You haven't configured your network to limit what people can run and install, you've configured your network to only allow executables to work within the permissions defined for the currently active user account, Chrome is doing exactly that, thus the only problem is that how you've configured your network, isn't how you seem to beleive your network should be configured.

    20. Re:And people ask me why I don't use Chrome by EasyTarget · · Score: 3, Insightful

      Well said; just what I was thinking but more coherent :-)

      A security policy that still allows users to install software in the userland is not 'locked down'.

      --
      "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
    21. Re:And people ask me why I don't use Chrome by icebraining · · Score: 4, Informative

      If it was properly locked down, the Chrome installer wouldn't be able to run at all. And if it able to run, then it doesn't need an exploit.

      --
      Dilbert RSS feed
    22. Re:And people ask me why I don't use Chrome by Xest · · Score: 3, Insightful

      What Google is doing in TFA is not an exploit, just because Apple didn't want people to write Javascript in that way, doesn't mean there's anything wrong with it per-se. This isn't to defend it as it's obviously not a particularly respectful thing to do, but it's not illegal, nor does it breach any standards, in contrast, abusing an operating system level exploit potentially falls foul of both these things and opens Google up to a lawsuit. Perhaps you or the GP could consider taking it to court and challenge it there if you genuinely believe it's the case? You'd be able to get a pretty hefty payout or settlement if true.

      Don't come crying when you actually get laughed out of court though because it turns out you just didn't know how to configure a network properly.

    23. Re:And people ask me why I don't use Chrome by forkfail · · Score: 4, Funny

      Try Lynx.

      --
      Check your premises.
    24. Re:And people ask me why I don't use Chrome by Xest · · Score: 4, Insightful

      It makes me despair as it's been some years since I left IT support behind, and I noticed at the time the profession was becoming more and more filled with people who simply have no idea what the fuck they're doing but coast by nonetheless, calling in consultants for a fortune when they don't know how to do something that any half competent IT support person should be able to do, or blaming the software, going off sick, hiding at a different office or whatever else when inevitably things go wrong and they'd otherwise have to face up to their responsibilities.

      It seems now that these numpties have found their way to Slashdot, extolling their blame on software to the world at large, rather than facing up to the fact that they just don't know what in the flying fuck they are actually doing.

      Of course, the worst part is, they then moan when their job gets outsourced to India - is it any fucking wonder why when they show such ineptitude? It's no wonder Chinese hackers are supposedly pillaging Western firms dry of IP when IT security means "blame the software when your incorrectly configured security policy lets the user do something they weren't meant to be able to do".

      This is why IT support has rapidly started to gain the same sort of disrespect as a profession that many manual trades like bricklaying long have, and why support has seen a deterioration in wages to boot - because there's so many IT staff out there who really can't be trusted to show a bit of intelligence and do a good job nowadays, and they drag it down for those who know what they're doing.

      I'm just glad I got the hell out of there seeing as it's only continued to deteriorate as a profession!

    25. Re:And people ask me why I don't use Chrome by icebraining · · Score: 3, Informative

      (Silly question, but I'm no Windows admin -- isn't there an equivalent of the "noexec" mount option, to prevent any binaries within certain subtree of the filesystem from being executed?)

      Yes. I don't know exactly how it's done, but I know it can be done, since the public computers on my university prevent it.

      Google tells me it's called a Software Restriction Policy.

      --
      Dilbert RSS feed
    26. Re:And people ask me why I don't use Chrome by Jeremiah+Cornelius · · Score: 4, Interesting

      I use Ghostery. Have for years.

      It's beginning to worry me. Who's all the captital behind this effort? I mean, Better Privacy and AdBlock are pretty grass-roots, got a bee-in-a-bonnet based efforts.

      But Ghostery is a small part of a well-funded startup - with well-paid developers. And graphic designers!
      http://www.ghostery.com/

      "© 2011 Ghostery, a service of Evidon, Inc. All rights reserved."

      http://www.evidon.com/faq

      7. Explain your relationship with Ghostery.

      Ghostery is the same service it used to be, only better, because now it has the resources of a substantial company to develop even better capabilities for helping consumers discover and control the entities that track them across the web. Moreover, Evidon is not an advertising company; we're an assurance company built to facilitate compliance with OBA regulations. Ghostery's founder, David Cancel, is a shareholder in, and advisor to, Evidon.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    27. Re:And people ask me why I don't use Chrome by TheRaven64 · · Score: 4, Insightful

      Your 'standard Windows corporate lockdown setup' allows end users to run untrusted code that they downloaded from the Internet. I can think of many reasons for calling Google evil, but in this case they are simply doing something that, since Vista, has been a requirement for the 'Designed for MS Windows' logo and part of the recommended practices: allowing non-admin user to install for their own user. It's only 'a nice little unpublicized exploit' if you don't count the articles on MSDN telling you 'this is what you must do in a UAC world'.

      It's not Google's fault that you think removing write access to C:\Program Files is the same as preventing users from running their code. Windows has fine-grained ACLs. Learn how to use them. Remove the user's ability to run programs that are installed in any location that they have write access to.

      And now I've defended Windows, I need to go and have a shower...

      --
      I am TheRaven on Soylent News
    28. Re:And people ask me why I don't use Chrome by aztracker1 · · Score: 2

      Chrome runs with user-level privileges, no administration escalation needed. It even installs in user space, not in common Program Files. Though this is slightly annoying when you *want* chrome to be the default for all users though, it is actually plenty secure. If you don't want users to be able to execute code, you should lock things down better... There are NTFS privileges specifically geared towards being able to run executables in a directory, you should look into it. See: advanced settings. In windows chrome will use whatever system settings are in place for firewall/proxy use as well... so it's not like they're really bypassing anything.

      --
      Michael J. Ryan - tracker1.info
    29. Re:And people ask me why I don't use Chrome by sakdoctor · · Score: 2

      Can someone explain why this is funny?
      I can see how it could be funny in a different context, but here it's like the punchline for the wrong joke.

    30. Re:And people ask me why I don't use Chrome by Solandri · · Score: 2

      No they won't. There simply isn't enough selection pressure to make that happen. noscript users are this tiny insignificant blip concealed in the statistical noise of web traffic.

      I've been running across more and more sites which won't display their content until I allow Noscript to run all scripts on the page (including advertisers'), turn off Adblock, and disable Ghostery. I've been forced to set up a virtual machine with a clean snapshot of a browser without any extensions to view those sites. But recently the sites of one of the banks and one credit card I use started doing this.

    31. Re:And people ask me why I don't use Chrome by elrous0 · · Score: 2

      This is /. so I'm going to need a car analogy.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    32. Re:And people ask me why I don't use Chrome by sexconker · · Score: 2

      I think he's case sensitive.

      No, you just have to stand in front of a RAID 1 mirror and say:
      hosts file apk.
      hosts file apk.
      HOSTS FILE APK!

    33. Re:And people ask me why I don't use Chrome by NotBorg · · Score: 4, Insightful

      Don't buy a car from Exxon Mobil and expect it to be fuel efficient.

      --
      I want this account deleted.
    34. Re:And people ask me why I don't use Chrome by glennpratt · · Score: 2

      It is unbelievable how completely backwards you and others get this situation.

      Chrome for Windows actually follows the correct model, you just aren't used to it because so many Windows applications are completely backwards in requiring admin privileges for no good reason.

      Windows allows users to execute arbitrary applications and install them as a regular user in isolated directories and registry space, that's a choice Microsoft made (and has frequently encouraged developers to support). If that's too open for you, you need to look to lock down software or get crafty with your Group Policy It's NOT Microsoft's or Google's fault, you just don't understand it.

    35. Re:And people ask me why I don't use Chrome by Ectospheno · · Score: 2

      I'll ask you the same question I ask everyone else who seems to be highly concerned about companies knowing things about them. Why does it bother you?

      I use Google for pretty much everything. I'm a Google Apps for Business customer and have been very pleased with the services they provide. Their products work well and the uptime/cost ratio is excellent. I'm assuming their ads are still nonintrusive but honestly I wouldn't know as I use adblockers with rather strict rulesets so I never see any of them.

      Do they know a metric crapton about who I am and what I do? Sure. Why should I care about this? How does Google knowing what videos games I play or what books I read matter to me in my day to day activities? So they know I played Skyrim a lot and which bands I listen to. Who cares? Everyone who matters in my life already knows all of that anyway. Why panic because Google knows it too?

    36. Re:And people ask me why I don't use Chrome by petsounds · · Score: 2

      It's a good point to bring up. I too have used Ghostery for a long time and put some amount of blind trust in what they're doing. But looking Evidon's site, I see that the main thrust of their revenue seems to be in selling compliance products to governments and corps. This app which manages browser trackers for compliance is likely based on the Ghostery codebase and likely why they scooped it up.

      And I see on Ghostery's blog that they blacked out their site during the SOPA Blackout day. So it's always good to question who's pulling the strings behind the curtain, but in this case I think both the company and the users of Ghostery win.

    37. Re:And people ask me why I don't use Chrome by Pieroxy · · Score: 2

      But the cookies are domain dependent. They may share all the data in the world, they won't know how to match it with the other domain data. Google cannot do its job with analytics even if I forward all the requests server side to them. The cookie they dropped on xyz.com won't show up on my browsing data. They won't be able to correlate.

      Third party cookies: It should be only the cookies from the page you see the URL in the browser address bar that are allowed. None other.

      --
      Write boring code, not shiny code!
    38. Re:And people ask me why I don't use Chrome by shutdown+-p+now · · Score: 2

      Rule #3 of IT that should never be broken [earthlink.net]: Never, ever, ever, EVER give a regular user administrative rights on their machine. Ever. Chrome breaks this rule with a wrecking ball.

      Chrome doesn't break this rule, since it doesn't give users administrative rights. It can install and run quite fine without them, that's the whole point.

      That you somehow think that users with admin rights can't install or run software on Windows just shows how badly you misunderstand the Windows security model. Guess what? It's not just Chrome they can run, it's also any app repackaged as "portable", so long as they extract it to %USERPROFILE% and run it from there. That means Firefox and many other things, too.

  2. Where's the money from? by Sez+Zero · · Score: 3, Insightful

    the practices of ad networks as well as Apple's efforts to stymie industry-standard practices.

    If I were a company that made my money on hardware and my main competitor was a company that made their money on ads, I'd most definitely be trying to tweak my software to stymie "industry-standard" practices.

  3. google does a lot more than that by alen · · Score: 4, Interesting

    i have a few browsers on my iphone including a private browser. i've had it for years since before apple put the functionality into iOS. All it does is ride on top of stock safari on the iphone but creates a private browsing session.

    i've noticed that some searches i did in the private browser come up as past searches in stock safari and on my laptop. which means that google is probably reading the UIDID or whatever it's called and using it to correlate users across devices even if they don't log into google

  4. Invisible forms all over the place by Anonymous Coward · · Score: 2, Interesting

    Surely the 'invisible form' is not in itself new? I have always had the firefox/mozilla/etc 'security.warn_submit_insecure' set to 'true' and the warning pops up in all manner of places where you have done nothing but viewed a page.
    I always hit 'cancel' as a matter of principle since when it first appeared for no apparent reason I took it to be someone's way of getting my browser to do something which I would either probably not want it to do or that they did not want me to know about.

    On the other hand, it is a technique used by at least one or two types of forum software to update DST settings, so it's not always nefarious.

  5. Advertisers of the world unite by jameslore · · Score: 3, Insightful

    John Battelle's main thrust seems to be that Apple shouldn't be blocking advertisers from tracking users. Further, that he angry that Apple opted him out by default, rather than forcing him to opt-in to privacy.

    Regardless of your views on the evil of (Apple|Google|whoever) this seems an odd argument. Unless you're an advertiser, of course.

  6. We found your privacy feature inconvenient. by VGPowerlord · · Score: 3, Insightful

    Google says this mischaracterizes what the code does, claiming it simply enables 'features for signed-in Google users on Safari who had opted to see personalized ads and other content â" such as the ability to âoe+1â things that interest them.'

    In other words: "We found the wall inconvenient, so we simply tunneled under it."

    Yes, Google, which part of "bypass" do you not understand?

    What you're doing now is going to result in an arms race between you and several of the major web browser authors, including, perhaps, your own Chromium project.

    What's next in this arms race, the inability for iframes to have forms? The inability for JavaScript to submit forms? The inability for JavaScript to run in iframes?

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    1. Re:We found your privacy feature inconvenient. by geekoid · · Score: 2

      "In other words: "We found the wall inconvenient, so we simply tunneled under it.""
      no.
      In other words " We are giving the user what they asks us to give them, that can turn it off."
      This isn't an arms race, it isn't a war, it isn't..well anything of note.

      If you replaced Apple with MS, the story would be about how poor MS security is..and I would still be saying the same thing: NTSH

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:We found your privacy feature inconvenient. by VortexCortex · · Score: 4, Interesting

      The retarded part of this whole thing is that Apple's Safari was allowing 3rd party cookies AT ALL when 3rd party cookies are disabled. Remember, Apple sells ads on its platforms too. Now, it's QUITE simple to detect if any action actually came from a user initiated event. This is how most pop-up blockers have worked since 2000, including the ones built into our browsers. The JS that creates a new window/tab is blocked unless the JavaScript is executed as the result of actual user interaction... Point being: Apple knows how to detect if its a user action or not.

      Additionally, when I was testing Safari a few years ago, any cookie that was already set would keep being sent to the server even after you disabled all cookies -- That option just disabled "new" cookies from being created. The old ones were still sent, not sure if this is still the behaviour because I stopped using their systems when their systems lied to -- or, at best, misled -- their users. Their settings have always been specious. Apple doesn't have a good track record when it comes to cookies.

      The fact that Safari assumed that form submittal was a user initiated event is a big problem here too. This "invisible form" submission is how we did "Ajax" like Web2.0 features before XML HTTP Request objects were around. JS populates a form in a hidden iframe, submits, then the JS on the page, or in the iframe from the server, changes the main page without reloading it. If Safari is confusing this with a user action, I'd be calling Apple programmers on the carpet, "Did you do this?!? BAD CodeMonkey! BAD! No Banana, or APPL!" (it's actually difficult for me to believe this isn't Apple's intended design)

      Don't get me wrong, I hate tracking more than the next guy, and instead prefer content based relevancy, but many users have Opted In to the Google Ad network. It's getting harder to opt out of parts of it w/ their new privacy policy. I keep separate accounts for G+, Gmail & Youtube because I don't want an action on one to ban me from the other. Point being, if you're logged in, you've logged in, and you agreed that it's fine for Google to target ads at you. They can't very well give you targeted ads in exchange for your privacy if they can't see if you're logged in or not via cookie...

      I don't blame just Google for finding a way to get opted-in Safari users the content they opted-in to, even if it's ads. I also blame Apple for saying "3rd party cookies are disabled", when in reality, 3rd party cookies ARE SLIGHTLY DISABLED, unless you interact with the Ad, or we think you might have done so... You know, because We (Apple) also want to use those 3rd party cookies.

      Here's an idea: SAFARI SHOULD BLOCK ALL 3RD PARTY COOKIES [PERIOD]! Otherwise, the "Block 3rd party Cookies" option actually doesn't.

      Cookies are the easy-mode tracking channel. Many other methods exist. Hell, Mozilla removed the UI for 3rd party cookie disabling since it was so damn easy to work around. Had to use about:config for a while there, but now Firefox has the 3rd party cookies UI again. At the very base layer your IP address and time stamps are all the ad networks need. Blacklist the sites. Some Ad-block extensions actually make a request before not displaying the content -- Mission Failed.

      Posted to remove a bad mod... figured I'd contribute in the process.

    3. Re:We found your privacy feature inconvenient. by VGPowerlord · · Score: 2

      In other words " We are giving the user what they asks us to give them, that can turn it off."
      This isn't an arms race, it isn't a war, it isn't..well anything of note.

      Except Google isn't giving the user what they ask for, they're attempting to make it so every site you visit transmits at least some data to Google for the sake of "convenience," which incidentally is something Facebook, another site well known for its "privacy" does.

      Having said that, assuming Safari for iOS has the same settings as Safari for Mac does, you can turn on third-party cookies on in the Safari Preferences under Security. I believe the setting is to set Cookies to "Always" instead of "Only from sites I visit."

      However, Google decided that wasn't good enough and wanted it to work despite the browser being set to disable cookies from sites other than the one you're visiting. Which, btw, is a hole in the Same Origin Policy that browsers are enforcing, but apparently not on form submissions.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:We found your privacy feature inconvenient. by DJRumpy · · Score: 2

      This deserves re-posting. Not sure why it was posted anonymously as it is very relevant:

      There is a setting in the browser "Accept 3rd party cookies" with a toggle on/off. It exists on Safari and Firefox.
      (not sure about Chrome) The only difference is the default setting - the user has control to opt-in or opt-out on both.
      It's just that since safari default it to no, more people don't accept cookies, so google and other advertisers put the
      clever hack to go against the users setting. And until this article (and the WSJ contacting google about it) Google's
          own "opt out" page says that safari already blocks this so you don't have to do anything      .

              If you opt in for a tracking service - it should NOT hack around privacy settings - it should alert you that
      you need to change your privacy settings. Because the hack was affecting every user, not just those that opted in.

      It should be noted that once Google was caught doing this, they quickly removed the information on their own site regarding this setting in Safari.

  7. Safari has a long history of cookie problems by MrLint · · Score: 5, Informative

    IIRC the first 3 major versions of Safari on OS X totally ignored the setting for 'don't allow 3rd party cookies'. I had to file a bug that apple.com was setting these cookies w/ safari.

    These assertions are really empty for me personally, since apple's site has partners that set these cookies, and apple's devs couldn't bother to implement this feature right.

    And yes, my bitterness permeates everything:)

    1. Re:Safari has a long history of cookie problems by MrLint · · Score: 2

      Actually I want to clarify. I recall better now that at least the first version of Safari did not have this feature. Later versions did, but it did not work.

  8. Re:haha by crmarvin42 · · Score: 5, Insightful

    How so?

    My cookie settings were as described "only accept from sites I visit". Google tricks my browser into thinking I've visited a site I did not, in fact, visit. They do this by submitting a form and intentionally making in invisible to me. At what point did I "Opt in" to this behavior??

    I'm not excusing Apple's complete security failure here, but how exactly is Google not also culpable for this violation of my trust?

    --
    Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
  9. another thing is: by larry+bagina · · Score: 3, Insightful

    Google claims you can use the Ads Preferences Manager to disable this "feature". But wait! They previously claimed that it wasn't necessary to disable that feature because Safari defaulted to no 3rd party cookies.

    Fuck me with a greased up Yoda doll, if they're going to blatently lie, why would they respect your desire to pot out of it?

    Assuming they're not evil, they want to fill the web with their +1 buttons so they needed to turn on 3rd party cookies which unintentionally (not that they mind) enabled all their ad tracking.

    Which is to say Google isn't evil but Google+ is.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  10. Uncool by dittbub · · Score: 2

    Man, google used to be so cool. What happened?

  11. I don't know who to trust less, Google or Apple. by mmell · · Score: 3, Interesting
    Oh, wait . . .

    Google brings me porn, warez and pirate music/video. All Apple's ever done is prove themselves one of the biggest patent whores on the planet.

    Damn! That doesn't settle a thing. Guess I won't trust either of 'em.

  12. Re:Right or wrong... by sunderland56 · · Score: 4, Insightful

    The headline of the article should really be "Safari's privacy controls are weak and ineffective".

    If someone leaves your front door wide open, and a skunk wanders in, do you blame the skunk, or do you blame whoever left the door open?

  13. Might come under the Computer Fraud and Abuse Act by Animats · · Score: 3, Interesting

    This might violate the Computer Fraud and Abuse Act. The threshold phrase there is "exceeds authorized access". Explicitly bypassing a security measure is usually considered to satisfy that definition of criminal conduct.

    Attempts to use the Computer Fraud and Abuse act have failed with regard to "Flash cookies", because the plaintiff was unable to show $5000 in damages, even across a large number of users. But since then,. Google has offered a deal where users give up their privacy for $25 in gift cards. Google has now put a price tag on privacy, which can be used as evidence against them in valuing future intrusions.

  14. A site prompted her to install it so she did ... by perpenso · · Score: 2

    ... Yesterday I talked to someone and asked how she got it and she said that a site prompted her to install it so she did ...

    This scenario needs to be a job interview question.

  15. Re:haha by thomst · · Score: 2

    geekoid commented:

    Man. if this is the stretch people have to go through to blame Google for something, Google must be doing pretty damn good.

    Seriously, this is, yet again, another NTSH article about Google. They are doing what the user opted in for them to do.

    I think it's worth noting that, although I allow scripts and cookies directly from Google, I disallow them from google-analytics.com (via Cookiesafe and NoScript), and that choice does NOT appear to disable ANY Google function that I can determine.

    As evil behavior goes, I'm with geekoid: this is pretty weak beer.

    --
    Check out my novel.
  16. Re:Sounds to me... by larry+bagina · · Score: 2

    You couldn't be more wrong if you tried. Google detects and serves up different ads for Safari users, adding a hidden form in an iframe that auto-submits to make themselves a first-party. They don't do that on other browsers (which default to accepting third party cookies)

    If that's not knowing the inner workings and manufacturing a back door, what is?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  17. Fight back with surrogates by Giorgio+Maone · · Score: 3, Informative

    sites which won't display their content until I allow Noscript to run all scripts on the page (including advertisers'), turn off Adblock, and disable Ghostery

    Surrogate Scripts are meant to deal with this kind of crap.

    Could you please show me some URLs to check?

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript