Congressmen Ask FTC To Investigate Google Over Safari Tracking

Google says it is working to remove cookies “inadvertently” set on Safari users’ systems

US Congressmen have expressed concern that Google has reportedly exploited a loophole in Apple’s Safari Web browser to track Internet users’ activities.

They have asked the Federal Trade Commission to see whether Google has violated its consent agreement, the second time in a month that US politicians have questioned the search giant over its approach to data privacy.

Safari Loophole

Google and a few other advertising companies have secretly tracked the Web browsing habits of millions of people using Apple’s Mac computers, iPhones and iPad tablets. Apple’s Safari browser is designed to prevent such monitoring to preserve user privacy, but Google and others have figured out a way to trick the browser into allowing the tracking via advertising cookies.

Google, which said the tracking was inadvertent and that the ad cookies did not collect personal information, disabled its code on 16 February after being contacted by The Wall Street Journal, which first learned of the code from Jonathan Mayer, a graduate student at Stanford University.

The issue came to light three weeks after Senators expressed concern about Google’s forthcoming privacy policy changes, in which the company is lumping privacy rules for 60 products under one umbrella policy, and enabling those Web services to share data. Google was very forthcoming about these changes.

That was not the case in this Safari instance. As a result, Congressmen Edward J. Markey and Joe Barton co-chairmen of the bi-partisan Congressional Privacy Caucus, and Cliff Sterns, chairman of the subcommittee on oversight and investigations, have asked the FTC if this browser issue violates Google’s consent agreement not to misrepresent how and why it collects user information.

Congressional Concern

“Google’s practices could have a wide sweeping impact because Safari is a major Web browser used by millions of Americans,” wrote Markey, Barton, and Stearns to the FTC. “As members of the Congressional Bi-Partisan Privacy Caucus, we are interested in any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement.”

Google struck that consent agreement with the FTC last year to settle privacy infringement concerns over its now defunct Google Buzz social service. The company could incur fines of $16,000 (£10,000) per violation per day.

Here’s what happened to draw the attention of the Congressmen, according to the Journal. Google and online ad providers Vibrant Media , WPP’s Media Innovation Group and Gannett’s PointRoll essentially exploited a loophole in Safari’s privacy settings that let them place a cookie on a user’s iPhone, iPad or Mac.

Google’s reason for exploiting the loophole is tied to its new +1 button, essentially the answer to Facebook’s ubiquitous Like button. Google wanted to add the +1 button in its DoubleClick display ads across the Web. However, because Safari blocks such third-party tracking by default Google couldn’t use its typical cookie file approach to divine whether or not Safari users were using Google.

Safari has a loophole in its privacy settings that allows tracking for Websites with which a user has previously interacted, such as a Web form or online ad. Google tweaked the code in its ads to trick Safari into thinking that a user was submitting a form to Google.

Apple bites back

This enabled Google to install cookies on iPhones, iPads and Macs, tracking those users’ browsing activities for 12 to 24 hours per cookie. The interesting detail is that once Safari accepts cookies from one company, that company, such as Google, can install multiple cookies on users’ machines for extensive tracking.

For its part, Google said it merely leveraged existing Safari functionality to enable the +1 button to work for signed-in Google+ users on Safari. Google created a temporary link between its servers and Safari browsers to see whether Safari users were also signed into Google.

“However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser,” Rachel Whetstone, Google’s senior vice president of communications and public policy. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.”

Apple is taking no chances, and is working to stop the enablement of such cookies. The Journal meanwhile explained how users can opt out of the cookie tracking.

Google’s latest gambit with Safari opens a potentially damaging avenue for the company, which is already being investigated by the FTC for potential antitrust concerns related to its search and advertising business practices.

It also will inject some new bad blood in Google’s growing competition with Apple, with whom the search engine has had an increasingly contentious relationship since it launched Android and began competing with Apple in the mobile computing market.