Google Tracked Users Online by Circumventing Apple Safari Browser's Blocking of Third Party Cookies

February 17, 2012. Jonathan Mayer, a graduate student at Stanford University, published a paper on February 17, 2012, that explains how Google and three other companies used surreptitious code to circumvent the block third party cookies feature of Apple's web browser, Safari, thereby enabling these companies to track the web browsing of users of Apple iPhones and iPads, without their permission or knowledge, and contrary to Apple's and users' efforts to protect their privacy.

Google owns DoubleClick, whose cookies are placed on users' browsers when visiting Google AdSense partner web sites.

The Wall Street Journal (WSJ) also published a story on February 17 that offers a short vernacular version of the disclosures contained in Mayer's paper. It is titled "Google's iPhone Tracking: Web Giant, Others Bypassed Apple Browser Settings for Guarding Privacy", and is authored by Julia Angwin and Jennifer DeVries.

The WSJ story states that "Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.'s Web browser on their iPhones and computers -- tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked."

It adds that "The companies used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users".

Mayer concluded that "When Apple's developers implemented Safari’s cookie blocking feature, they were balancing several conflicting design priorities. But one decision was clear: it should prevent advertising companies from tracking the user. ... Four advertising companies circumvented Apple's protection."

The Center for Democracy and Technology's (CDT) Justin Brookman stated in a release on February 17 that "technological workarounds to evade browser privacy settings are unacceptable ... We are severely disappointed that Google and others choose to place tracking cookies on Safari browsers using invisible form submission."

Sen. John Rockefeller (D-WV), the Chairman of the Senate Commerce Committee (SCC), promptly issued a release in which he stated that he would look into this matter. See, related story in this issue titled "Sen. Rockefeller to Look Into Google's Safari Circumvention".

Rep. Ed Markey (D-MA), Rep. Joe Barton (R-MA), and Rep. Cliff Stearns (R-FL) promptly sent a letter [PDF] to the FTC urging it to investigate. See, related story in this issue titled "Representatives Urge FTC to Investigate Google's Safari Hack".

Four Companies. Mayer's paper identified three companies other than Google (owner of DoubleClick) that are tracking users in a similar manner: Vibrant Media, Media Innovation Group and PointRoll. All four companies are involved in online advertising.

These companies do not disclose in their web sites that they have circumvented Safari's third party cookie blocking in order to track users across web sites, and develop profiles to use for the purpose of delivering targeted advertising. However, their cryptic descriptions of their methods are not inconsistent with this.

Vibrant Media states in its web site that it provides "marketers the opportunity to deliver highly targeted advertisements".

Media Innovation Group calls itself a digital "delta force" that provides "data-driven marketing", with "tweezer-like precision in targeting, timing, and placement".

It states the "soul of the enterprise is an enormously powerful data management system that understands how your brand users are responding to a myriad of digital experiences".

It boasts that its "One-of-a-kind data engines anonymously collect every click, filter out the noise, and produce what amounts to an MRI scan of an advertiser's entire marketplace as it is right now".

PointRoll touts advertising campaigns directed at iPhone and iPad users. It adds that "mobile executions must provide in-depth engagement metrics and analytics that allow marketers to track consumer actions".

Google's Circumvention Method. Mayer wrote that "Apple's Safari web browser is configured to block third-party cookies by default". However, four companies are employing a procedure that enables them to circumvent Safari's blocking of third party cookies.

He stated that the four ad companies "surreptitiously submit a form in an invisible iframe and place trackable cookies in Safari".

He wrote that "If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari."

By using this procedure, Mayer wrote, "all doubleclick.net content is now immunized from Safari's cookie blocking policy".
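
The policy rule Mayer describes can be modeled in a few lines. The following is an added illustration, not code from Mayer's paper, Safari or WebKit: it replays a constructed browsing session against the third-party cookie rule with the form-submission exception and with that exception removed. The hostnames, field names and the two-label notion of a "site" are assumptions made for the example.

```javascript
// Added illustration: simplified model of the cookie-acceptance rule described above.
// Hostnames, field names and the session below are constructed for the example.

// Simplification: treat the last two labels as the site.
// Real browsers consult the Public Suffix List instead.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Decide whether a response may write cookies.
// formException = true models the behaviour Mayer describes for Safari;
// formException = false models the policy after the exception was removed from WebKit.
function mayWriteCookie(req, formException) {
  if (site(req.host) === site(req.topLevelHost)) return true;    // first party
  if (formException && req.cause === 'form-submit') return true; // third party, form exception
  return false;                                                  // third party, blocked
}

// Replay a session and return the sites that ended up with a cookie in the jar.
function replay(session, formException) {
  const jar = new Set();
  for (const req of session) {
    if (req.setsCookie && mayWriteCookie(req, formException)) jar.add(site(req.host));
  }
  return [...jar].sort();
}

// Constructed session: one publisher page whose ad content is requested three ways.
const session = [
  { topLevelHost: 'news.example', host: 'www.news.example', cause: 'navigation', setsCookie: true },
  { topLevelHost: 'news.example', host: 'ads.adnetwork.example', cause: 'image', setsCookie: true },
  { topLevelHost: 'news.example', host: 'ads.adnetwork.example', cause: 'iframe', setsCookie: true },
  { topLevelHost: 'news.example', host: 'ads.adnetwork.example', cause: 'form-submit', setsCookie: true },
];

console.log('with form exception:', replay(session, true));
console.log('exception removed:  ', replay(session, false));
```

In the model, the image and iframe responses from the ad host are refused under both policies; only the response to the form submission is allowed to write a cookie, and only while the exception is in place.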