Submitted by Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn’t allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.
It’s a bit of a weird story, mostly because the Wall Street Journal story that launched all this has been dumbed down so much it’s barely readable. Basically, Safari and Mobile Safari have been designed to only accept cookies from sites users explicitly navigate to; in other words, cookies from other sources shouldn’t be able to find their way onto users’ machines.
However, there’s a workaround for this which has been implemented by Facebook, Google, and other advertising networks. It’s part of how the Like and +1 buttons work, for instance. The workaround consists of automatically submitting a vestigial form in an iframe, which Safari will then treat as if it comes from a first party domain.
The crazy thing here is that this loophole has already been fixed in WebKit itself. Over 7 months ago. By two Google engineers. In other words, while Google is one of the parties using the loophole, Google itself fixed it 7 months ago. The Wall Street Journal contacted Google about this, and Google immediately ceased using the loophole, claiming it was unintential (sure, Google, sure).
“The Journal mischaracterizes what happened and why,” Google said in a statement to the WSJ, “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
Several other advertising networks also use the loophole, with the reasoning being that since other browsers allow third party cookies, Safari has to be worked around to create a consistent experience. Facebook goes a step further, and openly advocates the loophole on a corporate “Best Practices” Facebook page.
In case the point hasn’t been driven home yet – companies need to be monitored at all times. This was clearly intentional, and circumvents restrictions Apple has put in place to protect the privacy of its users. It doesn’t matter whether it’s Google and Facebook circumventing privacy restrictions, or Microsoft and Apple taking away ownership of our computers – this stuff needs to be questioned, challenged, and monitored at all times.
If we don’t, we could end up in a world of hurt.
…who’da thunk.
yeah, look what Apple has made us do
OK – you got me: what Apple has made us do?
Apple did’nt did not do anything.
I probably should have put a 😉 after that one.
Just parodying
Edited 2012-02-17 18:25 UTC
Apple didn’t do anything. The feature in question is so old it is inherited from the KHTML code which was quite paranoid about cookies (which were considered a new and dangerous feature at the time).
It is a shame that “invasion of privacy” is a feature, but we have ourselves to blame.
Please, people of the world, take it upon yourself to observe, pursue, and ultimately lean as much about the world around you as you can. Your ignorance is not helping anyone, least of all yourself.
Edited 2012-02-17 16:25 UTC
True.
Money > Privacy.
People don’t care about privacy if you ask around you and they forgive Google any time. I don’t see many users closing their Gmail account any time soon.
That’s because, for many people:
Convenience > Privacy
I’m thinking on closing my GMail account, not for this but for the sum of all things. I will miss googlecheck, because i already close my Paypal account.
I never oepned one for this exact reason. Well, I did once because of android apps, but i only access it on an anonymous proxy and gave out bs info to open it.
I know one can get too paranoid and see patterns and intent in a simple fuck up, I am not generally a conspiracy theorist, but episodes like this one with Google circumventing user privacy settings can reflect deeper truths about a company’s core dynamic. I do think this episode reveals something about Google and privacy and what the core dynamic of Google’s business is, about what drives Google. I don’t mean what are it’s professed ideals but rather what are the central dynamics and drives of its core business model.
The way Google makes money, the only way it makes money, it’s almost sole source of income, is to sell advertising. And Google can sell that advertising because it offers the buyers of the advertising the very special added benefit of targeting that advertising, of putting ads before people that are cleverly and effectively tailored to match the interests and concerns of the individual viewer. And Google does that by watching and recording what people do on the internet, what they search for, what they watch, what they read and receive and in their emails, who they network with, etc and then recording and storing that behaviour at the level of the individual so it can be interrogated by Google’s advertising distribution algorithms. Being able to watch what people do and record it at the level of an individual is absolutely central to the very core of Google’s corporate identity.
Without being able to watch and record what people do Google no longer has a product to sell. This means that Google will always view areas of activity on the internet which it cannot record and inspect and record as a threat, to be broken into or routed around. This is not about ethics or the simplistic and somewhat childish notions of good and bad, it is about basic business logic. For Google opening up, inspecting, recording information and behaviour is really just one big technical problem and all Google wants to do with this information is just make things better for the user, to make the search results and the advertising that each of us sees more relevant, better.
Google has to be able to watch enough of us enough of the time so that the adverts it places are accurately tailored to each of us. Then it has a product it can sell. If it cannot watch and record at the level of individuals Google has no business and nothing to sell.
Remember: if the product is free, You are the product.
Remember: if a greedy one has your data, you are a product.
Whether it’s a “gratis” service or not. 😐
But every major web based service provider either already does or aspires to do the same. Google is only ahead in the game.
Free products need to be supported by ads (which are generally determined algorithmically) but that does not necessarily mean that users are not being tracked in case of paid products/services. The service providers still have the same kind of data about the activities of paid users’. Only, in case of paid services, ads aren’t being served. But the user’s usage behaviour remains in the custody of the service provider whether you are paid user or a free user and it is likely to be used for purposes other than serving ads.
Company’s other than Google collect user data, often this is done as a way to add value (from the company’s point of view) and generate additional income alongside income generated by products or services they sell. In the case of Google user date is a core product, a product absolutely central to Google’s ability to make money. Collecting user data in order to target advertising is the basis on which Google makes all it’s money. This means that the drive to collect user data (and to surmount any obstacle to collecting user data) is very, very strong and fundamental in Google and will always be very active.
I generally try to avoid troll-baiting, but I’m dying to know how the pro-Apple trolls are going to twist this article into their “Thom is anti-Apple, pro-Google” mindset. I’m waiting…
Anyway, I could not agree more with the conclusion of the article:
Google the others did nothing wrong. Apple has been riding high on this, “We’re Safer than everyone else” bus, that they can no longer create a secure product.
They left the loop hole available, and now the fanboys are going to blame everyone else? Whatever… Just shows how Apple has truly given up on Security.
Wait, so it’s Apple’s fault that Google and FB purposely and willfully circumvented controls in Safari and said “F U” to the millions of Safari users privacy concerns so that they could continue to make money? Really?
So I guess if someone breaks into your home, by circumventing your alarm/locking mechanism, eats your food, cooks in your kitchen, and rapes your mom….its your fault for having circumventable locks…right?
Actually, everyone is guilty
Apple are guilty of keeping a known security hole in their browser opened for 7 months after it is fixed in the source. To follow your analogy : if you leave the key to your house under the doormat and your neighbour has publicly poked fun at the fact when he found out months ago, you should expect someone to break in and make copies of the embarrassing photos under your mattress at some point*.
Google and Facebook are guilty of violating standard security practices by not informing Apple in a direct way and giving them some time to fix the hole before beginning to exploit it. This kind of hacker ethics does not translate well to real-life situations, but it is the way things work in the realm of computer security.
* It seems we do not have the same view of what kind of offense online privacy violation represents.
Edited 2012-02-18 08:08 UTC
Anyway, this is the day where I try to setup Adblock with a custom filter for “like”, “share”, and other “+1” buttons.
These things have polluted my sight long enough, and AFAIK they are of no financial benefit to website owners. So if they also start to invade my privacy, they are out.
Edited 2012-02-18 09:18 UTC
No, but it is Apple’s fault that this security hole still exists in Safari when it has been fixed in the Webkit source months ago. They’re all pricks: Google and Facebook for giving us the finger where our privacy is concerned (though surely people aren’t actually surprised by that), and Apple for failing to keep their version of Webkit patched and in better sync with the current source tree. The real question is, now that this is out in the open, will Apple patch it promptly?
Looks like Google has also systematically and secretly bypassing Internet Explorer as well so your ‘it’s all Apple’s fault’ idea doesn’t work.
http://www.electronista.com/articles/12/02/20/microsoft.tries.to.pr…
An excerpt from the report
Microsoft’s Corporate VP for Internet Explorer, Dean Hachamovitch, made allegations Monday that Google was bypassing Internet Explorer’s privacy settings, not just Safari’s measures. After checks, he claimed that Google’s cookie text files, meant to allow +1 actions for those who were signed into Google, were skirting the P3P Privacy Protection standard as it was implemented in Internet Explorer 9. The technique supposedly made IE9 take third-party cookies that it would block by default while keeping the action a secret.
To honor P3P, Google was supposed to send a set of policy tokens indicating how the cookie’s information would be shared. Google was supposedly exploiting a P3P clause that skipped users’ preferences if the policies weren’t defined. Any browser that used P3P interpreted the message that the token was “not a P3P policy” as a sign to allow the cookie, letting Google have its intended +1 effect but also possibly allowing third-party ads despite the usual blocking settings.
The executive implied this wasn’t just a casual trick, since Google would have had to use “technically skilled” staff with “special tools” to see the P3P descriptions.
At some point Google saying ‘oops – a mistake – we are sorry‘ is going to wear a bit thin.
The article is not metioning Facebook, why are you including it?
But it does… why are you insisting it doesn’t?
So true, my bad, I confused the article.
I don’t know anything about Safari, I use Linux, but on both Google Chrome and Mozilla Firefox you can set it up so that all cookies are cleared when you exit the browser. You can also block all cookies all the time, but that probably isn’t a good idea since a lot of web sites will simply not work at all if you do that.
How to:
Chrome: click on the little “wrench” (upper right corner), Preferences, Under the Hood, Content Settings, Cookies, Clear cookies and other site and plug-in data when I close my browser
Firefox: Edit, Preferences, Privacy, History, Use custom settings for history, Clear history when Firefox closes
If that’s not sufficiently private enough, then Google Chrome lets you browse in “incognito mode.” That’s just a little inconvenient but if you’re a privacy buff, it may be worth it. The details on how to do that:
http://support.google.com/chrome/bin/answer.py?hl=en&answer=95464
————————
Clearing cookies only protects you from such things as targeted advertising. You should realize that even if you turn off cookies, that doesn’t stop governments from snooping on you. Absolutely everything you do online can be recorded by your ISP. Many governments require ISPs to keep such records of your online doings and turn that info over to the spooks. The USA is probably the worst offender with the Patriot Act.
Edited 2012-02-18 00:50 UTC
Samy Kamkar made a website where you can see the evercookie in action:
http://samy.pl/evercookie
Samy showed us there is no technical way to prevent every/the average user from being tracked.
In Firefox, under preferences->privacy->use custom settings for history->accept third party cookies, is on by default.
I read a bug report somewhere un-ticking this doesnt actually stop third party sites from setting cookies anyway. But it’s interesting that is this case it seems Firefox is less privacy concerned than other browsers.
As far as I know they have it enabled because otherwise it would breaks certain sites.
But this may be based on old information from years ago when third party cookies was enabled in every browser.
Edited 2012-02-19 11:46 UTC
I don’t trust them and that’s why I block them with every tool I can. I carve “like” buttons from webpages, stop scripts, whole domains, I clean cachesz, etc.
I don’t simply settle down on trusting “don’t trace me” flag in browsers.
The bad advertisers will always try to spy on us in unethical way, that’s why we should take every possible step to stop it.
I’d even suggest a fightback action where users would spy on corporate advertisers publishing their sensitive data, infos, etc.
LET THEM FEEL THE PAIN THEY’RE MAKING TO OTHERS.
The more I keep reading about Apple’s death grip on its hardware, from its iPods and iPhones to it’s Mac desktops long after they’re sold, I can’t help but wonder why anyone would own one? And I use the term “own” very loosely as it’s obvious who really owns an Apple product. Apple! Moreover, Apple’s aggressive assaults on Google, Samsung and other companies who attempt to bring an Apple-esque user experience to competing devices is yet another example of Apple’s intentions to keep a tight control over what it considers to be computing nirvana to the exclusion of anyone else getting in the game. Personally I think it’s a little scary.
While I agree with you, exactly what has this to do with the particular article under discussion?