Google Accused of Tracking Safari Usage Without Permission

A Stanford University graduate student has released a report that accuses Google and three other ad networks of side-stepping the privacy settings on Apple's Safari browser to track usage on iPhones and Macs without permission.

Google said the report, which was picked up by the Wall Street Journal, "mischaracterizes" the search giant's efforts. But the company admitted that a glitch accidentally allowed Google cookies "to be set" on Safari and promised a fix.

The other companies named in Jonathan Mayer's report are Vibrant Media, Media Innovation Group, and PointRoll.

"Cookies" are little bits of data collected about your Internet activity. They can be useful - like remembering passwords and settings on sites that you surf to frequently - but there are also concerns about targeted advertising and how much data is really collected. As Mayer noted, popular Web browsers provide the option to block third-party cookies, but Apple's Safari browser is unique in that it blocks third-party cookies by default on the iPhone, iPad, iPod touch, and Macs.

According to the Journal, Google "used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users."

A Google spokeswoman, however, said "we used known Safari functionality to provide features that signed-in Google users had enabled." She stressed that "these advertising cookies do not collect personal information."

The spokeswoman acknowledged that Safari blocks third-party cookies by default, but said "Safari enables many Web features for its users that rely on third parties and third-party cookies, such as 'Like' buttons." As a result, Google started using this functionality last year for Safari users who were signed in to Google and had opted to see personalized content - like Google's +1 button.

"To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization," the Google spokeswoman continued. "But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous – effectively creating a barrier between their personal information and the web content they browse."

Safari, however, "contained functionality that then enabled other Google advertising cookies to be set on the browser," Google said. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers."

The search giant insisted that IE, Firefox, and Chrome users were not affected, nor were those who opted out of Internet-based ad targeting.

A spokesman from Vibrant Media said the company is "immediately addressing the issue."

"A prior implementation of our technology provided for a separate web page call from the Safari browser which permitted use of a generic user cookie," he continued. "Vibrant Media does not collect personally identifiable information from any users. We remain supportive of all industry privacy guidelines, requirements and best practices. We are a member of the NAI and DAA and adhere to all applicable compliance policies."

In a blog post, PointRoll said it "conducted a limited test within the Safari browser to determine the effectiveness of our mobile ads," but does not currently use the technique mentioned in Mayer's report.

"The test did not involve the collection, retention or resale of any specific user information," wrote Rob Gatto, PointRoll's CEO. "The limited test ended on February 8, 2012, and we made the decision not to employ this practice further."

Media Innovation Group declined comment. Apple did not immediately respond to a request for comment.

Privacy researcher Christopher Soghoian this morning tweeted screen shots of Google's advertising cookie opt-out plugin instructions from Monday and Tuesday. On Monday, they included an "instructions for Safari" section, but any mention of Safari was deleted the next day.

Privacy advocates were quick to criticize the misstep.

"Technological workarounds to evade browser privacy settings are unacceptable," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology (CDT). "We are severely disappointed that Google and others choose to place tracking cookies on Safari browsers using invisible form submission. While we take Google's assertion at face value that it was not their intent to track users in this way, we are perplexed how this decision evaded Google's internal design and review process. After a several recent missteps – and two new reboots on privacy-by-design – this should never have happened."

Microsoft, of course, used the controversy to push its own , which Redmond said is "the browser that respects your privacy."

Editor's Note: This story was updated Friday afternoon with further comments.