If you thought privacy settings on your iPhone, iPad or Apple desktop were keeping others from tracking your travels across the Web, think again.
Google Inc. and some advertising companies have been bypassing the privacy settings of millions of people using Safari, the default Apple-supplied browser, The Wall Street Journal reports.
In a story today by Julia Angwin and Jennifer Valentino-Devries, the WSJ said:
[Google and others] used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
In a separate blog post, Valentino-Devries explains:
By default, Apple's Safari browser accepts cookies only from sites that a user visits; these cookies can help the site retain logins or other information. Safari generally blocks cookies that come from elsewhere – such as advertising networks or other trackers. But there are exceptions to this rule, including that if you interact with an advertisement or form in certain ways, it's allowed to set a cookie even if you aren't technically visiting the site.
Google's code, which was placed on certain ads that used the company's DoubleClick ad technology and was uncovered by Stanford researcher Jonathan Mayer, took advantage of this loophole, as did the code used by the other companies.
News of the security breach comes just days after Apple said it would crack down on third-party suppliers of its App Store who were reportedly using their applications to collect user information sans permission.
Ryan Gavin, Microsoft's General Manager, Internet Explorer Business and Marketing, couldn't resist getting in a dig of his own against Google for the fiasco, as well as casting a less-than-subtle aspersion at Apple and its browser:
This type of tracking by Google is not new. The novelty here is that Google apparently circumvented the privacy protections built into Apple's Safari browser in a deliberate, and ultimately, successful fashion.
If you find this type of behavior alarming and want to protect your confidential information and privacy while you're online, there are alternatives for you. Windows Internet Explorer is the browser that respects your privacy.
Update at 10:50am EST:
Rachel Whetstone, Google's senior vice president for communications, offered NPR this explanation, saying the Journal story "mischaracterises what happened and why."
We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as "Like" buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content—such as the ability to "+1" things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous—effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.