Google to Pay $22.5 Million Settlement in Safari Privacy Circumvention Case

[jayducharme]

Pocket change.
According to WSJ calculations, Google generated that much in ad revenue every 5 hours last year.

That's the problem I have with many of the government's judgements against big companies. The fines amount to a slap on the wrist. What probably hurts the company more is the bad press from the judgement.

 

[batchtaster]

Adblock doesn't catch everything. I don't use any browser unless it has both Adblock and Ghostery installed. And when I need an extra browser (after Safari and Firefox), I use Chromium, not Chrome.

 

[faroZ06]

Those are voluntary, and they let you control the sending of them. It'd be like your indicating with a crash report, "No, don't send a report to Apple" and Apple sending the report anyway, along with a history of the sites you recently visited.

Actually, they are not always voluntary, and I heard that Mountain Lion sends them automatically. And what I mean is that complaining about mass data collection from Google is like refusing to send error reports to Apple (or whatever company you choose). It can't possibly do any harm. It's an irrational fear.

----------

Adblock doesn't catch everything. I don't use any browser unless it has both Adblock and Ghostery installed. And when I need an extra browser (after Safari and Firefox), I use Chromium, not Chrome.

Image

But this particular breach uses an ad to get in. Well, the blocking depends on what exactly AdBlock blocks, and I doubt they block the offending script, so nevermind. Disabling cookies would work for sure, and if you're paranoid about your safety, that's a way to go. Oh, and then you won't have stuff automatically log in for you, which might be important for your computer security.

 

[ArcaneDevice]

Safari has poor cookie and privacy settings anyway. One of the many reason I don't use Safari.

Block third party cookies? How about the option to block any cookies I want to?

In Firefox I use cookie prompting and choose which cookies I will accept and decline. That not only stops advertisers but also stat tracking, sites I visit that don't want to accept cookies from and plug-ins and other Web embedded elements that might exist under the domain's name.

 

[MacNut]

So Google is the only one getting ad data when you surf the web? I thought they all do it and make a profit off of it.

 

[faroZ06]

So Google is the only one getting ad data when you surf the web? I thought they all do it and make a profit off of it.

Google tracks you when you go to other sites, though. Or at least they DID.

 

[MacNut]

Google tracks you when you go to other sites, though. Or at least they DID.

Isn't that the purpose of cookies in general?

 

[macsmurf]

I think that the hole was fixed time ago

Yep. Google had actually already fixed it in WebKit ( http://trac.webkit.org/changeset/92142 ) many months before but Safari hadn't updated to a version that contained the fix.

Also, it wasn't really a hole. It was a feature implemented in Webkit in March 2010 - by Apple.

At the time they already knew that it would make third-party cookie blocking fairly useless. In fact, one of the commenters on the feature request suggests that it they relax privacy to this degree they might as well remove third-party blocking altogether as it would be completely toothless. ( https://bugs.webkit.org/show_bug.cgi?id=35824 )

It was implemented anyway.

However, Google should be blamed for saying they weren't tracking users that blocked third-party cookies when in fact they were.

 

[finalcut]

I only wish Safari had the option to block third party cookies and "ask" for every primary cookies just like other browsers do

 

[MacNut]

I only wish Safari had the option to block third party cookies and "ask" for every primary cookies just like other browsers do

That is the main reason I dropped Safari and moved to Chrome.

 

[flottenheimer]

Dear Google,

Everyone can ****** up once in a while.

I still love you.

Now go crank up that moral code of yours.
Don't be evil. Just don't.

 

[NewAnger]

Well, since their money is all from ads, using AdBlock seriously harms them. I haven't generated any revenue for Google in years, not because I'm boycotting them but because I just don't want to see/load ads. So if you want to boycott them, block the ads.

Been using adblockers for years.

 

[Dangerous Theory]

Why do people insist on seeing Google as the "Good Guys?"

Big Brother is here - and his name is Google.

There are no "Good Guys" in the corporate world, but there are good products. That's where both Google and Apple shine.

 

[Rodimus Prime]

hasn't this article been posted already multiple times. Really this just smells like pointless google bashing by mac rumors.

 

[KnightWRX]

Google tracks you when you go to other sites, though. Or at least they DID.

Google tracks you when you go to sites displaying their ads.

People are misunderstanding what actually happened here. DoubleClick presents ads on a page. To track sites where you see DoubleClick ads, DoubleClick requires that you send it a cookie each time you load ads so it recognizes who you are (well, your randomly generated profile number). Safari didn't allow 3rd party cookies. So to get the cookie, you have to click the ad in question. The cookie then gets placed because you land on DoubleClick sites before being redirected to the advertiser's website.

Let's take a concrete example of what this was, step by step.

- You browse the web, see tons of DoubleClick ads. DoubleClick doesn't know because you don't have their cookie. Since you don't visit their site directly, they can't set it. Safari has a protection in place. Let's keep it simple, but this is what it will look like in HTTP parlance :

GET / HTTP/1.1
Host: www.macrumors.com

HTTP/1.1 200 OK

<img src="http://ad.doubleclick.net/ad/ns.macrumors/homepage;ppos=btf;kw=;tile=1;sz=300x250,336x280;ord=123456789;ctx=noscript" border="0" alt="" />

You made your HTTP request to www.macrumors.com and in the returned HTML, there's an img tag asking the browser to load an image from ad.doubleclick.net (I'm not making this up, Macrumors uses Doubleclick through Netshelter, only simplifying).

When your browser sends its request to load that image, it gets the following :

GET /ad/ns.macrumors/homepage;ppos=btf;kw=;tile=1;sz=300x250,336x280;ord=123456789;ctx=noscript HTTP/1.1
Host: ad.doubleclick.net

HTTP/1.1 200 OK
[B]Set-Cookie: test_cookie=CheckForPermission; expires=Thu, 09-Aug-2012 21:17:57 GMT; path=/; domain=.doubleclick.net[/B]

The bolded line is important. That's the cookie DoubleClick is trying to set. Safari however knows that you visited www.macrumors.com and not ad.doubleclick.net. So it doesn't set this cookie. Up to now, everything is normal, DoubleClick has not circumvented anything, this is standard HTTP and Safari has a right to accept cookies or not based on user preferences.

- You finally see an ad from DoubleClick about something that interests you. You click it. Your browser makes a request to DoubleClick as the link informs it. DoubleClick is now a 1st party. You've now requested something directly from DoubleClick, so now Safari uses the Set-Cookie HTTP header and creates a cookie for DoubleClick on your hard drive. That's because IMG tags for ads are always encased in Anchor tags that link first to the ad agency (DoubleClick in this case) which then redirects you to the actual advertiser. That's how ads rotate.

- Next time you visit www.macrumors.com, you see an ad from DoubleClick. This time, your browser has a doubleclick cookie, so you send it to DoubleClick when you request the img tag :

GET /ad/ns.macrumors/homepage;ppos=btf;kw=;tile=1;sz=300x250,336x280;ord=123456789;ctx=noscript HTTP/1.1
Host: ad.doubleclick.net
Cookie: test_cookie=CheckForPermission; expires=Thu, 09-Aug-2012 21:17:57 GMT; path=/; domain=.doubleclick.net

And so now DoubleClick can track you and know which sites you visit with DoubleClick ads, so it knows what your interests are. It doesn't know however if you don't visit sites with DoubleClick ads, since you don't send it the cookie when there's no ressources from DoubleClick there.

And that's how it works basically.

Seems they now first send a "CheckForPermission" cookie (the one used in my examples). So when you click the ad and do a 1st party request for DoubleClick, it probably only sets its tracking cookie if you send back the "CheckForPermission" cookie first, whereas before it would just set the cookie regardless.

 

[Bubba Satori]

Good.
Let this be a lesson to galactic sized mega-corps that they are not above the law.

 

[faroZ06]

Google tracks you when you go to sites displaying their ads.

People are misunderstanding what actually happened here. DoubleClick presents ads on a page. To track sites where you see DoubleClick ads, DoubleClick requires that you send it a cookie each time you load ads so it recognizes who you are (well, your randomly generated profile number). Safari didn't allow 3rd party cookies. So to get the cookie, you have to click the ad in question. The cookie then gets placed because you land on DoubleClick sites before being redirected to the advertiser's website.

(cut off)

Thank you for that clarification! I thought they were somehow monitoring you on every site you go to. OK that is even less privacy-violating. It's not nice to do stuff like that secretly, but all they're doing is checking which sites you go to that have their ads? I don't see anything evil about their intentions. They just want the info for advertising.

----------

Isn't that the purpose of cookies in general?

I usually see them for sites that remember your login. I'm no expert with webpages, and I plan to make them pretty obsolete in many ways.

 

[WilliamLondon]

Really this just smells like pointless google bashing by mac rumors.

Or opportunities for Google apologists to declare their love of all things evil.

 

[KnightWRX]

Thank you for that clarification! I thought they were somehow monitoring you on every site you go to. OK that is even less privacy-violating. It's not nice to do stuff like that secretly, but all they're doing is checking which sites you go to that have their ads? I don't see anything evil about their intentions. They just want the info for advertising.

I don't know of any techniques which would allow them to track you on sites that do not link back to their service to force a request from your browser. Their only option would be log mining those sites (which would have to give them their logs) or an extension/plug-in in your browser that would accumulate such a list and send it at regular intervals.

However, with the coverage DoubleClick has on the web, I can pretty much guarantee they can track you on every site if you have their tracking cookie.

 

[devon2012]

What do we, the Safari Users get for our privacy being violated?

Well since they did it to everyone, we all get half a penny. Give me your address and I'll give you my half as well.

 

[rmwebs]

Stupid of them to do such a thing in the first place but the repercussions are also insignificantly small to a company like Google.

Has the loophole been closed by Apple in Safari yet or not or is it a difficult one to solve?

If its not closed then Apple deserve an even bigger fine. In fact, they deserve a fine anyway given that they knew the hole existed. You'll probably find others were exploiting the loophole, and that Google were the only ones caught.

 

[gregwyattjr]

One Google to rule them all.

 

[pubwvj]

Isn't Google just Evil spelled backwards?

 

[finalcut]

That is the main reason I dropped Safari and moved to Chrome.

Does Google Chrome has the setting option to ask every time to allow a cookie? Last time I've checked, no. But it's been a while so maybe it changed

 

[NewAnger]

Well since they did it to everyone, we all get half a penny. Give me your address and I'll give you my half as well.

It's ok. I let the cashier keep my change at the store last night. I hate change, especially pennies.

So, Apple gets to keep all the money, correct?