Given that the Geek2English translation obscured useful detail: Safari blocks third party cookies by default. You can work around this default setting by using an iframe to submit a vestigial form, which will convince Safari that the domain doing the submitting is a first party, not a third party. After you have any cookie on the machine, broadening the scope to include e.g. cookies from your house advertising network is easy. Google says "Whoopsie, we didn't plan on that happening." Cookies are still just cookies and their newfound relevance to the WSJ is still refighting something the Internet largely settled back in 1996.
Thanks for the explanation, but it's hardly "settled".
I don't use an iPhone, but I imagine if it's like other browsers, there's some setting that says:
[x] Accept cookies from sites
[ ] Accept third party cookies
When I don't check the second box, it doesn't mean "Don't accept cookies, unless condition X is true", e.g. the web site implemented a popular hack. It means really don't accept third party cookies, and I don't give a shit if the +1 button breaks.
It doesn't sound like Safari's behavior on the hidden forms is intentional. It sounds like a bug, but it's irrelevant either way. I hope Apple patches this soon and forces people to opt in to third party cookies.
I'm glad that they actually set the default to reject them (a funny contrast to the address book policy). Firefox allows third party cookies by default because I always have to turn it off when setting up the browser on a new PC.
> I hope Apple patches this soon and forces people to opt in to third party cookies.
The WSJ also ran a blog post about this which says (at the very end):
"An update to the software that underlies Safari has closed the loophole that allows cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update. The people who handled the proposed change, according to software documents: two engineers at Google."
This somehow reminds me of the time when Chrome marketing ended up paying for links to their site, and then the Web search group had to punish them with a demotion.
I think there are two different issues here which you eliding by labeling this as "settled back in 1996." What I would say was "settled in 1996" was the fact that cookies are a useful technical measure to enable websites to save state, and users wanted features like login persistence across browser sessions, etc.
I don't think that "unlimited user tracking by advertising networks, regardless of good-faith user efforts to limit data tracking" was at all part of any tacit agreements reached by the internet community. The principle that communication networks should be transparent in how they operate, and allow users of the network to meaningfully control their interactions with them is a meta-principle that is pretty clearly implicit in the design of the internet, and I don't think the current widespread use of tracking technologies and data analysis without informed user consent is consistent with those principles.
Fighting against user tracking strikes me as about as futile as fighting against piracy. Computers are intrinsically designed to store, aggregate, analyze and share vast quantities of information in the hopes of deriving meaning from them. Trying to derive a legislative solution to a technological force of nature works as well as you would expect in both of these circumstances.
"It's a force of nature" is only a good argument against a policy when it is accompanied by other valid arguments. There are many things which are "only human nature" or "a force of nature" which for the sake of society and/or personal liberty we restrict.
Saying "it's only a force of nature" won't get you far with a judge. And telling people that they can't use the internet if they value their privacy is an unreasonable restriction on personal liberty. Period.
I agree that Google can user track, but only so far, and if they need to go to such extremes, we need rules, guidelines or even laws to draw the line very starkly.
Safari's default behavior is to Accept Cookies: 'From visited'. This prevents 3rd party iframes from saving cookies without a workaround. However, Chrome, Firefox, Opera, and IE (with proper P3P) all allow 3rd party iframes to save cookies by DEFAULT.
This leaves us with the choice of either using the workaround, or not providing a consistent experience that users expect.
If Safari worked like every other major browser in this regard-- allowing users to OPT-IN to the stricter cookie policy--then WSJ would be right in nailing Google for working around it.
I think Google did nothing wrong. They worked around a browser's non-standard default behavior, which is something we all do multiple times a day. Only when non-standard behavior is OPT-IN is there willful disregard for the user's intent in employing a work-around.
Exploiting a browser flaw to track users who had reason to believe they weren't being tracked is pretty clearly wrong in my book... Arguments like yours would seem to be analogous to condoning stealing from cars or houses if their owners had trusted weak/faulty locks.
Are you saying that you actually think my argument is analogous to condoning stealing from cars or houses if their owners had trusted weak/faulty locks?
If so, I strongly disagree. Cars have a "locked" and "unlocked" state. They provide a button, which anyone can locate, for the owner to toggle the state. When you try to open the door, and it won't budge, it's immediately obvious that the door is locked. This is nothing at all like what happens when Safari disables 3rd party cookies by default.
But if you want a CAR analogy... It's like making a car that ships without windshield wipers pre-installed. You justify this by saying it makes it harder for passers-by to put ads on your car. And 90% of the people who drive the car can't figure out WHY they can't see the fracking road when it's raining!
So "a consistent experience that users expect" == user tracking for ads?? I don't think so. That's quite some spin on Google exploiting a bug to track me.
OK, so how do I opt out of their hacky workarounds?
This is worse because I turn off third party cookies in Firefox. On an iPhone, I would have no way to turn off third party cookies (the ones that are submitted using the hack).
Ask Apple to patch their browser to not treat iframes the way they do now? And hope that weird things don't break, as that's how probably many different things operate.
1) Apple should make the default be the more permissive policy that all other major browsers have adopted.
2) They should lock down their implementation of the 'Sites I visit' policy to prevent the workaround
3) Users who opt-in for the stricter policy actually get it, but they should realize when their CHOICE breaks any features which rely on 3rd party cookies.
I opted-in to Safari's default policies when I chose to use Safari. I have also toggled that setting back and forth and now am quite satisfied with the default. Unless Google has information to the contrary, it should not circumvent the setting.
Should it start ignoring robots.txt files because some people may have inadvertently cut&pasted stricter ones than they might really want?
Lately I've been reading quite a few articles that arguably show Google not following the "Don't Be Evil" moto. But I've always found people having an explanation for the behavior where the benefit of the doubt can be given to Google. (E.g. Social results from SPYW, etc.)
I wonder if anyone can throw some light on this matter if there's a way they could be doing this "by mistake", or "unintentionally" or something else. For example could the +1 button be a cause? I don't know but I'm curious.
It's a lot more nuanced than the WSJ article made it seem. Google and other web advertisers engaged in what most would consider normal activity, but that Apple had specifically disabled in Mobile Safari. Here's a good explanation from John Battelle: http://battellemedia.com/archives/2012/02/a-sad-state-of-int...
Oh please, you know who else does not ask me about my choice regarding third party cookies?
Every other major browser vendor.
Just because everybody is making money selling user information and attention to the advertisers does not negate the fact that Apple's choice is sitting on the safer side for user privacy. And you know what's also common practice? Scrap user's address book and beam it up the cloud.
Apple is at fault in both cases for failing to safeguard users from the abusers.
Path and Google are the abusers.
And I think there might be a non subtle, non nuanced difference here.
The Battelle link is a horrible explanation. His position is that user tracking for ads is a normal function of the web people want and therefore it is Apple's fault for blocking it by default. Unreal.
Lately I've seen some people go whole hog on Google products. Usually they justify it by saying, "well Google's products are really good and I don't want to have to pay for email so it's okay if they read my email/track my browsing/target me with adds". It's just mind boggling how the Overton window on privacy gets more permissive.
Given the nature of the bug that was exploited, it's pretty unlikely this could have been done by accident. It would have to be deliberate.
The bug, to be specific, is to submit a form using POST in an iframe; the POST response is then able to set cookies. In this case they did the POST in a hidden iframe with no data.
Where is the "We are Sorry" post? That's what it takes to apologize for taking advantage of platforms that accidentally allow access to more data than they should, right?
Yeah you're right if Path or others transmit your AddressBook data it's Apple's fault, if Google Inc. or others track Safari's browsers it's Apple's fault.
Yeah, pretty much, actually. If I've checked off a box that says "don't let this happen" and then it happens? Can't really say I blame anyone but the device maker.
Since you clearly can't trust app developers or websites to not try and exploit your information, you HAVE to trust your device to do what it says. The fact that this was exposed by the standard +1 button doesn't exactly mean it was difficult to do. It wasn't some 0-day exploit that they're using, it's a failure of the browser.
Safari's default policy on handling of third-party cookies in iFrames is somewhat stricter than that of most other browsers (this is frequently a problem for Facebook games); Google almost certainly didn't _need_ to do this on Chrome.
> Google itself issued a statement saying the Wall Street Journal "mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
Just asking: Isn't it a kind of a subtle lie to say that advertising cookies do not collect personal information? Of course, there isn't a personal information in the cookie itself, but that cookie is used to identify my profile in those third party databases, so they know who I am, and that profile already can contain anything they collected about me in the past, including personal information.
DoubleClick is owned by Google - it is a first-party.
If you're on a Google property, Google has every right to serve all the DoubleClick cookies it likes. All the WSJ's witch-hunt + Safari's pain-in-the-ass non-standard defaults mean is that Google will have to do the work to serve its DoubleClick cookies off the google.com domain - which, as people switch more and more to mobile, they will inevitably do.
People should note that removing this "hack " removes arguably useful user functionality such as the facebook like button (or at least the social recommendations part) too.
So much bullshit in one article. I mean the technical issue of tracking is probably correct, but it is not a Google vs Apple thing. Every website you visit on the web does it's utmost to track the hell out of you. That is an issue, but Google is not doing anything else than everybody else. I still don't like it, but this article just distorts the issue into something completely different.
38 comments
[ 2.9 ms ] story [ 72.1 ms ] threadI don't use an iPhone, but I imagine if it's like other browsers, there's some setting that says:
[x] Accept cookies from sites [ ] Accept third party cookies
When I don't check the second box, it doesn't mean "Don't accept cookies, unless condition X is true", e.g. the web site implemented a popular hack. It means really don't accept third party cookies, and I don't give a shit if the +1 button breaks.
It doesn't sound like Safari's behavior on the hidden forms is intentional. It sounds like a bug, but it's irrelevant either way. I hope Apple patches this soon and forces people to opt in to third party cookies.
I'm glad that they actually set the default to reject them (a funny contrast to the address book policy). Firefox allows third party cookies by default because I always have to turn it off when setting up the browser on a new PC.
Not even the most rabid Google apologists can spin this one.
The WSJ also ran a blog post about this which says (at the very end):
"An update to the software that underlies Safari has closed the loophole that allows cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update. The people who handled the proposed change, according to software documents: two engineers at Google."
"software documents" is linked to http://trac.webkit.org/changeset/92142
So it appears that Google engineers have already closed this loophole.
This somehow reminds me of the time when Chrome marketing ended up paying for links to their site, and then the Web search group had to punish them with a demotion.
I don't think that "unlimited user tracking by advertising networks, regardless of good-faith user efforts to limit data tracking" was at all part of any tacit agreements reached by the internet community. The principle that communication networks should be transparent in how they operate, and allow users of the network to meaningfully control their interactions with them is a meta-principle that is pretty clearly implicit in the design of the internet, and I don't think the current widespread use of tracking technologies and data analysis without informed user consent is consistent with those principles.
"It's a force of nature" is only a good argument against a policy when it is accompanied by other valid arguments. There are many things which are "only human nature" or "a force of nature" which for the sake of society and/or personal liberty we restrict.
Saying "it's only a force of nature" won't get you far with a judge. And telling people that they can't use the internet if they value their privacy is an unreasonable restriction on personal liberty. Period.
I agree that Google can user track, but only so far, and if they need to go to such extremes, we need rules, guidelines or even laws to draw the line very starkly.
special computer code is my favorite
This leaves us with the choice of either using the workaround, or not providing a consistent experience that users expect.
If Safari worked like every other major browser in this regard-- allowing users to OPT-IN to the stricter cookie policy--then WSJ would be right in nailing Google for working around it.
I think Google did nothing wrong. They worked around a browser's non-standard default behavior, which is something we all do multiple times a day. Only when non-standard behavior is OPT-IN is there willful disregard for the user's intent in employing a work-around.
If so, I strongly disagree. Cars have a "locked" and "unlocked" state. They provide a button, which anyone can locate, for the owner to toggle the state. When you try to open the door, and it won't budge, it's immediately obvious that the door is locked. This is nothing at all like what happens when Safari disables 3rd party cookies by default.
But if you want a CAR analogy... It's like making a car that ships without windshield wipers pre-installed. You justify this by saying it makes it harder for passers-by to put ads on your car. And 90% of the people who drive the car can't figure out WHY they can't see the fracking road when it's raining!
This is worse because I turn off third party cookies in Firefox. On an iPhone, I would have no way to turn off third party cookies (the ones that are submitted using the hack).
http://trac.webkit.org/changeset/92142
Should it start ignoring robots.txt files because some people may have inadvertently cut&pasted stricter ones than they might really want?
I wonder if anyone can throw some light on this matter if there's a way they could be doing this "by mistake", or "unintentionally" or something else. For example could the +1 button be a cause? I don't know but I'm curious.
Every other major browser vendor.
Just because everybody is making money selling user information and attention to the advertisers does not negate the fact that Apple's choice is sitting on the safer side for user privacy. And you know what's also common practice? Scrap user's address book and beam it up the cloud.
Apple is at fault in both cases for failing to safeguard users from the abusers.
Path and Google are the abusers.
And I think there might be a non subtle, non nuanced difference here.
The bug, to be specific, is to submit a form using POST in an iframe; the POST response is then able to set cookies. In this case they did the POST in a hidden iframe with no data.
Shame on Apple.
Since you clearly can't trust app developers or websites to not try and exploit your information, you HAVE to trust your device to do what it says. The fact that this was exposed by the standard +1 button doesn't exactly mean it was difficult to do. It wasn't some 0-day exploit that they're using, it's a failure of the browser.
Just asking: Isn't it a kind of a subtle lie to say that advertising cookies do not collect personal information? Of course, there isn't a personal information in the cookie itself, but that cookie is used to identify my profile in those third party databases, so they know who I am, and that profile already can contain anything they collected about me in the past, including personal information.
UPDATE: This article seems to confirm that the Google's spokesman statement is indeed misleading -> http://cyberlaw.stanford.edu/node/6701
If you're on a Google property, Google has every right to serve all the DoubleClick cookies it likes. All the WSJ's witch-hunt + Safari's pain-in-the-ass non-standard defaults mean is that Google will have to do the work to serve its DoubleClick cookies off the google.com domain - which, as people switch more and more to mobile, they will inevitably do.