A Sad State of Internet Affairs: The Journal on Google, Apple, and “Privacy”

The news alert from the Wall St. Journal hit my phone about an hour ago, pulling me away from tasting “Texas Bourbon” in San Antonio to sit down and grok this headline: Google’s iPhone Tracking.

Now, the headline certainly is attention-grabbing, but the news alert email had a more sinister headline: “Google Circumvented Web-Privacy Safeguards.”

Wow! What’s going on here?

Turns out, no one looks good in this story, but certainly the Journal feels like they’ve got Google in a “gotcha” moment. As usual, I think there’s a lot more to the story, and while I’m Thinking Out Loud right now, and pretty sure there’s a lot more than I can currently grok, there’s something I just gotta say.

First, the details.  Here’s the lead in the Journal’s story, which requires a login/registration:

“Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.”

Now, from what I can tell, the first part of that story is true – Google and many others have figured out ways to get around Apple’s default settings on Safari in iOS – the only browser that comes with iOS, a browser that, in my experience, has never asked me what kind of privacy settings I wanted, nor did it ask if I wanted to share my data with anyone else (I do, it turns out, for any number of perfectly good reasons). Apple assumes that I agree with Apple’s point of view on “privacy,” which, I must say, is ridiculous on its face, because the idea of a large corporation (Apple is the largest, in fact) determining in advance what I might want to do with my data is pretty much the opposite of “privacy.”

Then again, Apple decided I hated Flash, too, so I shouldn’t be that surprised, right?

But to the point, Google circumvented Safari’s default settings by using some trickery described in this WSJ blog post, which reports the main reason Google did what it did was so that it could know if a user was a Google+ member, and if so (or even if not so), it could show that user Google+ enhanced ads via AdSense.

In short, Apple’s mobile version of Safari broke with common web practice,  and as a result, it broke Google’s normal approach to engaging with consumers. Was Google’s “normal approach” wrong? Well, I suppose that’s a debate worth having – it’s currently standard practice and the backbone of the entire web advertising ecosystem –  but the Journal doesn’t bother to go into those details. One can debate whether setting cookies should happen by default – but the fact is, that’s how it’s done on the open web.

The Journal article does later acknowledge, though not in a way that a reasonable reader would interpret as meaningful, that the mobile version of Safari has “default” (i.e., not user activated) settings that prevent Google and others (like ad giant WPP) from tracking user behavior the way they do on the “normal” Web. That’s a far cry from the Journal’s lead paragraph, which again, states Google bypassed “the privacy settings of millions of people.” So when is a privacy setting really a privacy setting, I wonder? When Apple makes it so?

Since this story has broken, Google has discontinued its practice, making it look even worse, of course.

But let’s step back a second here and ask: why do you think Apple has made it impossible for advertising-driven companies like Google to execute what are industry standard practices on the open web (dropping cookies and tracking behavior so as to provide relevant services and advertising)? Do you think it’s because Apple cares deeply about your privacy?

Really?

Or perhaps it’s because Apple considers anyone using iOS, even if they’re browsing the web, as “Apple’s customer,” and wants to throttle potential competitors, ensuring that it’s impossible to access “Apple’s” audiences using iOS in any sophisticated fashion? Might it be possible that Apple is using data as its weapon, dressed up in the PR friendly clothing of “privacy protection” for users?

That’s at least a credible idea, I’d argue.

I don’t know, but when I bought an iPhone, I didn’t think I was signing up as an active recruit in Apple’s war on the open web. I just thought I was getting “the Internet in my pocket” – which was Apple’s initial marketing pitch for the device. What I didn’t realize was that it was “the Internet, as Apple wishes to understand it, in my pocket.”

It’d be nice if the Journal wasn’t so caught up in its own “privacy scoop” that it paused to wonder if perhaps Apple has an agenda here as well. I’m not arguing Google doesn’t have an agenda – it clearly does. I’m as saddened as the next guy about how Google has broken search in its relentless pursuit of beating Facebook, among others.

In this case, what Google and others have done sure sounds wrong – if you’re going to resort to tricking a browser into offering up information designated by default as private, you need to somehow message the user and explain what’s going on. Then again, in the open web, you don’t have to – most browsers let you set cookies by default. In iOS within Safari, perhaps such messaging is technically impossible, I don’t know. But these shenanigans are predictable, given the dynamic of the current food fight between Google, Apple, Facebook, and others. It’s one more example of the sad state of the Internet given the war between the Internet Big Five. And it’s only going to get worse, before, I hope, it gets better again.

Now, here’s my caveat: I haven’t been able to do any reporting on this, given it’s 11 pm in Texas and I’ve got meetings in the morning. But I’m sure curious as to the real story here. I don’t think the sensational headlines from the Journal get to the core of it. I’ll depend on you, fair readers, to enlighten us all on what you think is really going on.

295 thoughts on “A Sad State of Internet Affairs: The Journal on Google, Apple, and “Privacy””

  1. Apple shipped Safari 2.0 with OS X 10.4 Tiger in April 2005. The default “Accept Cookies” setting was “only from sites you navigate to – For example, not from advertisers on those sites” as documented in screenshots here bit.ly/zxD5D3 (also attached). This is the same setting as current day multiple platforms Safari’s “Block cookies: From third parties and advertisers”

    Apple has been defaulting their browsers to this setting for a very long time. Long before they owned an ad network, long before Google shipped Chrome, and long before Google & Apple were battling for smartphone market share.

    1. Thanks. I knew Apple was unfairly being blamed for what is clearly Google’s (and other websites’) underhanded tricks. This is a definite proof that Apple truly cares about its users’ privacy!

      1. Yeah, they care so much! Takes years to fix this backdoor… (is it fixed now even?) Either they don’t care or they are just flat out incompetent.

      2. Read the comment from Dave Murdock above, check out the screenshot and then tell me what was Apple’s motivation to prevent third party cookies from the beginning? Attack from Germany? Aliens? Any conspiracy theory you can think of? Did Apple touch you in a bad way when you were a baby?

      3. Again, they hacked IE too. Google has smart engineers. As IE has shown, this wasn’t because of a backdoor. It was non-perfect security they found a way to hack. All systems are hackable with the right talent and motivation, as shown by the fact Google was also able to hack Microsoft. They just found a different hole for IE.
        http://www.technewsworld.com/story/74474.html

  2. This is not about Apple vs. Google. I purchase the iPhone. I pay the monthly data bill. I performed the search. I will also decide if I can believe Google; should I curtail my usage of Google products?
    P.S. Google is the company that lied to me!

  3. Frankly, one of my reasons for choosing Safari over other browsers is the privacy settings. Though far from perfect, and despite Scott McNealy’s claim “Forget privacy,” it is my choice to maintain as anonymous a presence as possible. And I regularly delete cookies and browsing history from every browser I use, every 30 minutes at the least often. I have no obligation to Google or any other advertiser, advertising agency or anyone else for that matter to provide any information I choose not to provide.

    Your perception of how things are done on the WEB is irrelevant to any discussion of this matter. Simply because something is done, doesn’t make it right. And keep in mind, it is only a question of time before some bright young programmer finds a method for using the doors opened by cookies to gather which will harm many. Hopefully, you will be that young programmer’s first target and empties your bank accounts online.

    One more thing. Think about it. Chrome is a Google product and it is to Google’s advantage to not maintain privacy standards which inhibits Google’s phishing. Very perceptive on your part to not see the obvious.

    1. Again I am not defending Google, I am raising questions about Apple’s motivations, which always bring out the haters, alas. I love a lot of what Apple does. Same for Google. But I question all of them.

  4. John, this is so wrong. Google is the clear offender here, even if the topic of privacy, and what’s kosher/not, is an unfinished debate.

    Apple offers a curated platform. We know this, this is their primary strategy, and it’s proven pretty effective for developers, customers and the company alike. They’re not saints, but they are true to their mission. 

    And you have to admit, the company exercises pretty good technology judgment, STILL offering the best mobile web browser (how is that anti-web?), not to mention having the cojones to get away from a Flash offering that has repeatedly proven to be a drain on system performance.

    More to the point, history has shown their call on Flash to be the right one. Despite absence of Flash being a theoretical competitive vulnerability, there STILL is no non-Apple mobile device that offers top-flight Flash performance. How many years after Adobe touted their mobile readiness are we? Six years, seven years?

    My point is that what you are doing by elevating Apple as a peer in this story is distorting the hard truth; namely, that this is like the fourth or fifth of these stories in the past few months where Google is caught acting in a manner that tarnishes their ‘Do No Evil’ legacy.

    At some point, someone has to say that Google has officially “Jumped the Shark.”

  5. In short, Apple’s mobile version of Safari broke with common web practice,  and as a result, it broke Google’s normal approach to engaging with consumers. Was Google’s “normal approach” wrong? Well, I suppose that’s a debate worth having – it’s currently standard practice.

    Google has seriously broken with standard web practice by denying publishers referral data unless they are buying ads, primarily to prevent competing ad networks from personalizing their results and defended this enormously destructive break with web standards as protecting search privacy.  Do they hack around my Safari desktop setting to disallow 3rd party cookies? 

    Meanwhile, you assert that Apple is deciding for me if I take 3rd party cookies. Regardless of whether that setting is by default or I have to tinker with the UI to find it, Google is at minimum violating my intent and my privacy and likely the law when they hack around my stated preferences.

  6. Wilhelm Reuch, sorry but you’re a true Apple fan boy. Want to know why you can’t get Flash on your Apple products … it’s because Adobe stopped supporting Apple OS’s. So pulling Flash support was Apple’s way of getting back at Adobe. It’s actually childish of Apple to set out to break how things work out on the internet, Flash being the first and this being the second one we’ve found out about. And I really doubt that Apple cares about you seeing that they resort to virtual slave labor via Foxconn to produce their products, 30+hr work shifts at .31 cents an hour if you were wondering.

  7. I am surprised that nobody mentions Path here. Come on … it was 2 days ago, it was again about the “default” Apple privacy settings, it was about your whole private address book silently loaded on a remote corporate server.
    For me these are parts of the same corporate battle led on multiple fronts – patents, privacy, labor conditions …
    And this “shocking discovery” of something which existed and was used by the ad networks since the beginning of the iPhones is coming exactly 2 days after the “shocking discovery” about Path. 
    Well done WSJ!

  8. Speaking as a web developer, if sites like Google, Twitter, and Facebook didn’t take advantage of these “exploits” in Safari, then the web wouldn’t work in Safari as its users expect it to (which is to work like it does in all the other browsers).  Things such as the Like buttons, etc wouldn’t work, and most users would have no idea why.  The users NEVER chose this “privacy setting”, it is the default.

    Worse is Safari doesn’t offer a white list option (like all the other major browsers do) so a user could specifically allow sites they utilize/trust to set the cookies in this 3rd party situation.

    I feel Google’s use of this “exploit” for Google+ is acceptable, however I do think their  using it for their advertising cookies is more questionable.  I just hope that Apple doesn’t further break the web for PRs sake to deal with uninformed user outcry from this hyped up story.

    1. That’s why I said in my post I wanted to do more “reporting.” I was wondering if other companies like Facebook used this “exploit”. Sounds like from your experience they do.
      As I understood it, if someone had already visited a site, they got automatically whitelisted?

      1. I’ve been trying to chase that down as well, and it’s unclear. As WSJ mentioned, Facebook definitely included this in a ‘best practices’ guide for workarounds to common problems. But I haven’t been able to sort out the claims ‘all Like buttons rely on this to work’ — it seems like for Facebook developers the key thing was using it to get around problems with apps being served in iframes. 

  9. You are a moron and I stopped reading the article right after “Apple decided I hated flash”. You suck and should not be allowed to post your thoughts anywhere except to your silly gods. In private!

  10. Perhaps slightly off-point here, but my thought on this is the following: what would have been wonderful is if back in 2004 or so would-be entrepreneurs such as Mr. Zuckerberg had had one iota of business acumen to go along with their high levels of technical acumen. Had this been the case, it might’ve saved the internet from this ridiculous business model of “don’t charge anything for a product, just use users’ information to sell ads” / “hey, cool, the user can be the actual product we sell”!!! Granted this probably wouldn’t have applied in the case of Google’s search product. But good lord, Facebook and probably hundreds of other companies now have taken to this business model, as opposed to (*gasp*) actually charging real dollars to use their sites. It’s a huge shame to those of us who have been in the software development field for a couple decades now, before the internet was even around… Yes, there were actual ethical norms in software that simply were not bent no matter what the hollow argument. Remember the phrase that popped up during the install process for every single piece of software you installed? “We respect your privacy”.

  11. Apple simply controls its own product offerings.

    Google monopolizes Big_Data Corporate-Silos filled with our public interconnect semantics meta-data. They have a lock on search, video, and maps.

  12. This is what happens when you mix Texas Bourbon, an 11:00PM post and a barn door discussion on privacy! I’m giving you a hall pass on this one! Is this about a point to pick with Apple? Come on, isn’t this simply Google just gripping hard because their toolbox is shrinking? How do you change that? Change the parameters, right?

    Cheers! 

    1. I honestly don’t know. I had far less bourbon than I would have liked! This is complex and will need further exploration.

  13. For those who don’t subscribe to the WSJ, a bit more about who looks bad in this story, and why:
    “In Google’s case, the findings appeared to contradict some of Google’s own instructions to Safari users on how to avoid tracking. Until recently, one Google site told Safari users they could rely on Safari’s privacy settings to prevent tracking by Google. Google removed that language from the site Tuesday night.

    Last year, as part of a far-reaching legal settlement with the U.S. Federal Trade Commission the company pledged not to “misrepresent” its privacy practices to consumers.”
    So according to the WSJ, Google has pledged to represent its privacy practices accurately, but did not. The particular back door that it found is of course interesting to security issues, but is a good notch down from our concern about how well Google’s employees understand their company’s obligations to the public.
    These two paras were hardly inaccessible; they bracketed the quote that JBAT read, in which the WSJ gave Google the forum in which to refute the concerns. In other words, your friendly blogger is trying to spin the story as an “everybody looks bad” thing when Google works counter to its express promise to regulators.
    Of course, those who regularly follow tech issues in the press, remember another article about Google explicitly violating its promise to rein in non-US drug advertisers, explicitly helping a criminal bypass the monitoring it had installed. 
