Google and several other advertising companies are bypassing the privacy settings in Apple’s Safari browser, according to a report from a Stanford University researcher that set off a heated debate on Friday.
The Wall Street Journal first reported Thursday night that the Mountain View, Calif., search giant and others were “tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” The story prompted an outcry from privacy advocates and many tech and legal observers.
The group Consumer Watchdog and some lawmakers asked publicly whether Google had violated last year’s settlement agreement with the Federal Trade Commission over an unrelated privacy breach. Some tech watchers said that while the company’s actions were certainly questionable, the full extent of the breach likely exceeded what Google actually had intended to do, as Google itself maintains.
But a couple things are clear: First, whatever the motivations, the episode represents a huge privacy whiff for a company already facing growing regulatory scrutiny, public mistrust and mounting competition. Second, it’s another stark reminder that our nation’s largely voluntary digital privacy regime is woefully insufficient.
The Stanford study was written by Jonathan Mayer, a graduate student in law and computer science who has cranked out a growing body of headline-generating literature on online privacy. In his paper, he noted that unlike every other browser vendor, Apple’s Safari automatically blocks so-called tracking cookies generated by websites that users visit. Apple’s Safari is one of the most popular browsers for mobile devices, and the default browser on Macs.
Those cookies can collect information about where users go online and what they do — data that advertisers treasure for targeting ads.
There are various exceptions to Safari’s cookie blocking, however.
But it turns out there are a few ways for companies to get around the limitations Safari set up. The one that Mayer’s paper focused on involved inserting a special code to place tracking cookies within Safari. He found four companies doing this: Google, Vibrant Media, Media Innovation Group and PointRoll.
In a statement, Google spokeswoman Rachel Whetstone said the Journal “mischaracterizes what happened and why.”
She said the code was limited to users who are signed into Google on Safari, have not blocked behavioral advertising and have opted to use the Google social network on third-party sites. The implicit argument is that those users had agreed to the tracking necessary to allow them to “+1” content they liked online through Safari.
But in an interview, Mayer said Google unilaterally had decided that privacy permissions for its products superseded the privacy restrictions those users had enacted — implicitly or explicitly — by choosing to use Safari.
Meanwhile, an even bigger problem occurred. Once Google tweaked Safari’s functionality, suddenly other Google advertising cookies also could download onto the devices.
jtemple@sfchronicle.com