Google is in hot water again over its privacy policies -- or lack thereof. And the upshot could affect the company's cloud services.
Three other online advertising entities -- Vibrant Media Inc., WPP PLC's Media Innovation Group LLC, and Gannett Co.'s PointRoll Inc. -- were also named alongside Google as using the same technique. The workaround is credited to a young Web developer in India named Anant Garg, who created it a couple of years ago.
The technique Google and the three other companies are using was revealed by a Stanford University graduate student Jonathan Mayer in a paper detailing how Google code manages to bypass the default blocking of third-party cookies that's built into Safari. Mayer's paper includes the following chilling conclusions:
When Apple's developers implemented Safari's cookie blocking feature, they were balancing several conflicting design priorities. But one decision was clear: it should prevent advertising companies from tracking the user...
Four advertising companies circumvented Apple's protection. Some privacy researchers and advocates have characterized the interplay between third-party web trackers and browser privacy measures as a "cat and mouse game" or "arms race." This research result regrettably affirms that view as reality—for, quite possibly, millions of users.
Reaction to today's news was swift. By midday Friday, the public research group, Electronic Privacy Information Center
(EPIC), had filed a lawsuit requesting that the US Federal Trade Commission enforce a consent order that agency issued in October 2011 that, according to EPIC, "bars Google from misrepresenting the company's privacy practices, requires the company to obtain users' consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program."
Google says it is innocent of wrongdoing. In a statement, Rachel Whetstone, SVP of communications and public policy at Google, asserted:
The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as "Like" buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content -- such as the ability to "+1" things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
The statement may or may not satisfy the millions of users whose privacy settings were bypassed. It also may not pass muster with the FTC and various watchdog groups.
All of which raises questions about how reliant Google has been on the privacy data it obtained this way, and what the potential impact of not using it might have on its services.
One thing is clear, though: Google has a heck of a fight on its hands this time.
— Mary Jander , Managing Editor, Internet Evolution