Google ran afoul of yet another privacy problem on Friday, after a Stanford researcher contended that the company has been using cloaked code to bypass users’ cookies settings on their Web browsers—including Apple’s Safari—according to a report from the Wall Street Journal.
The issue was discovered by Stanford University researcher Jonathan Mayer, and confirmed by a technical advisor to the Wall Street Journal. Duplicating Mayer’s effort, the advisor documented that the Google tracking code was used by 23 of the top 100 websites, including in ads from sites such as Fandango.com, Match.com, AOL.com, TMZ.com and UrbanDictionary.com. Once installed, Google then could track user movement across a wide number of websites.
Google has denied that its embedded code—a type of Web cookie—tracks users, and said that it is only activated when users opt-in to one of Google’s services, such as Gmail. “The Journal mischaracterizes what happened and why,” according to a statement from Rachel Whetstone, Google senior vice president for communications and public policy. “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
But the company also admitted that the code inadvertently allowed additional Google Web advertising cookies to be installed on users’ devices against their wishes; by default, Safari’s settings allow for no tracking behavior.
Google argues that these cookies were necessary to provide users with personalized services, such as the ability to approve of content through Google’s “+1” rating system. “To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization,” Whetstone stated. “But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous—effectively creating a barrier between their personal information and the Web content they browse.”
“However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser,” Whetstone added. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.”
In addition to Google, the Journal discovered at least three other online advertising companies also circumnavigated Safari’s privacy settings using similar techniques: Vibrant Media, WPP PLC’s Media Innovation Group and Gannett Company’s PointRoll.
The news comes at a sensitive time for Google. Last year, the company reached a legal settlement with the U.S. Federal Trade Commission about its privacy practices, and agreed not to misrepresent its privacy practices. Last month, Google consolidated polices for all its sites into one privacy setting.
In a blog item posted Friday, Microsoft criticized Google for purposefully evading the Safari privacy settings, and offered its own browser as an alternative.