Google code breaks Apple iOS privacy

Advertising cookies added to Safari browsers.

Google is again facing criticism for ignoring privacy, this time over allegations it "intentionally" circumvented the default privacy settings for Apple's Safari browser in Mac OS X and iOS. 

Jonathon Mayer, the Stanford University graduate student who discovered Google's special approach to Safari, alleged that the search giant wrote code specifically to bypass the browser's default privacy settings in a way that supported its advertising business, Doubleclick.

The Safari settings were meant to protect, by default, users who did not want to be tracked by third-party advertisers when using a browser to search the internet. 

"Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature," Mayer alleged in a blog post.

Google and three other online marketing companies "surreptitiously submit a form in an invisible iframe" in order to support user tracking, Mayer claimed.

Google disabled the offending code after it was contacted by the Wall Street Journal, which reported the practice first last Thursday.

Mayer discovered that ads on 22 of the top 100 websites installed Google's tracking code and 23 installed it on iOS devices. 

The researcher honed in on Google's "cookie syncing", where the company synchronises information from Google.com with a third-party domain -- an approach Mayer points out that Google uses for YouTube and DoubleClick.

Google's code "immunised" it from Safari's cookie blocking policy by manipulating the browser's "Set-Cookie" header field.

The Safari and iOS privacy feature that Google circumvented should automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party's ads, according to the Electronic Frontiers Foundation. 

Mayer speculated that the way Google wrote its code was to gain efficiencies as opposed to intentionally being intrusive.

Google said in a statement to the Financial Times that it "didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers".

Regardless of Google's intent, the latest mistake came as regulators in the US and Europe intensify pressure on Google to stall its March 1 privacy overhaul.

Google's latest privacy gaffe has nothing to do with its Chrome browser, however Microsoft was quick to remind people that "Windows Internet Exploer (IE) is the browser that respects your privacy". 

Microsoft has capitalised on Google's current privacy challenges with an advertising campaign in the US aimed at repatriating former Microsoft customers. 

"Through unique built in features like Tracking Protection and other privacy features in IE9, you are in control of who is tracking your actions online. Not Google. Not advertisers. Just you," wrote Ryan Gavin, Microsoft's global director for IE.