Just as we’re coming off news that several iPhone apps download contacts without permission — an action Apple has said is against its policy and will be fixing soon — the Wall Street Journal reports that Google and others have been ignoring privacy settings in tracking the online browsing habits of iPhone and Safari users.
Google has said that WSJ “mischaracterized” this tracking. WSJ reports that since being contacted by them Google disabled this code.
WSJ has more on the code and how it was discovered:
The Google code was spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani, who found that ads on 22 of the top 100 websites installed the Google tracking code on a test computer, and ads on 23 sites installed it on an iPhone browser.
In Google’s case, the findings appeared to contradict some of Google’s own instructions to Safari users on how to avoid tracking. Until recently, one Google site told Safari users they could rely on Safari’s privacy settings to prevent tracking by Google. Google removed that language from the site Tuesday night.
WSJ reports that three online-ad companies — Vibrant Media Inc., WPP PLC’s Media Innovation Group LLC and Gannett Co.’s PointRoll Inc. — were doing essentially the same thing.
According to WSJ, an Apple representative said it is working to stop this activity while Google said the following:
“The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
WSJ explains that Google’s tracking on Safari, a browser that blocks this action in most cases, capitalized on a loophole that allowed the company to install a cookie when the user visited a website that required filling out a form:
So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.
Although this technique may seem like news to us, WSJ reports some Web programmers have considered it an “open secret” for some time. Anant Garg, a Web developer from India, used this technique on Safari himself, not considering privacy settings according to WSJ, in order to “ensure a consistent experience” among different Web browsers. Even Facebook recommends such a technique to “deliver a consistent user experience.”
The Center for Democracy and Technology has said these actions are “unacceptable”.
“We are severely disappointed that Google and others choose to place tracking cookies on Safari browsers using invisible form submission,” said Justin Brookman, CDT’s Director of Consumer Privacy, in a statement. “While we take Google’s assertion at face value that it was not their intent to track users in this way, we are perplexed how this decision evaded Google’s internal design and review process. After a several recent missteps–and two new reboots on privacy-by-design–this should never have happened.”
WSJ found that 22 of the top 100 websites ranked by Quantcast were being tracked using this method by Google. Find that complete list here.