Google code used to circumvent privacy protections … true or false?

In recent days The Wall Street Journal published a report on Google's activities targeting Apple users of the Safari browser, which is installed on all of the company's products (Mac, iPhone and iPad).

A mechanism was discovered by which Google tracked and stored every online action of a user through cookies, circumventing the browser's privacy settings, which by default prevent such storage. The Wall Street Journal reports that Google used special code to elude the browser's privacy settings and track users as they browsed. Google disabled its code after being contacted by The Wall Street Journal, but it was apparently not the only company to use the clever ruse to track Apple's users, leaving millions of Apple products and their owners exposed to potential spying. Three other online-ad companies were found using similar techniques: Vibrant Media Inc., WPP PLC's Media Innovation Group LLC and Gannett Co.'s PointRoll Inc.

Vibrant uses the technique "for unique user identification" but says it does not collect personally identifiable information; Gannett described its use as part of a "limited test" program to measure the effectiveness of ads on Safari users.

What is the usefulness of the information acquired in this way? The information collected is vital for Google, in particular for its business and advertising model. Through that model the company can address the needs of every web surfer, studying their navigation and offering products and information of high interest to the end user.

The report states that:

The Google code was spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani, who found that ads on 22 of the top 100 websites installed the Google tracking code on a test computer, and ads on 23 sites installed it on an iPhone browser.

The code allowed additional cookies, which are in themselves a perfectly legitimate way of obtaining user information, to be used to identify users accessing the Web via Safari.

Google immediately provided a clarification, stating that no personal information is stored in the cookies; a contradictory element, however, is that none of the sites tracked by Google during the user's navigation was aware of the company's practices.

“The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

It is worth remembering that Apple's Safari browser blocks third-party cookies by default, while still enabling its users to interact with various web functions that rely on third parties and third-party cookies, such as "Like" buttons.
It all started last year, with the aim of enabling specific functions (such as the ability to "+1" content of interest to you) for those Safari users who were logged into their Google account and had chosen to see personalized advertising and other content.

Google said that it operated with the utmost care, making the dialogue between the user's browser and its services anonymous. Rachel Whetstone, Google Senior Vice President, Communications and Public Policy, declared:
"However, the Safari browser contained other features that caused other Google advertising cookies to be installed."

"We had expected that would happen and now we have started to remove these advertising cookies from the Safari browser. It's important to note that, just as with other browsers, these advertising cookies do not collect personal information."

The cookie that Google installed on the computer was temporary and would normally expire within 24 hours, but it could result in extensive tracking of Safari users because of a strange behaviour of the browser: once a company has installed at least one cookie, it becomes possible to add more cookies to the user's computer, a sort of trust relationship between website and browser.
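
The behaviour described above can be made concrete with a small model, added here as an illustration and not taken from the article, from Safari or from Google. The `CookieJar` class, the policy names `legacy` and `strict`, the `userInteracted` flag and the `.example` domains are all assumptions constructed for the example.

```javascript
// Simplified model (an assumption, not Safari's code) of the policy the
// article describes, next to a policy that refuses all third-party cookies.
class CookieJar {
  constructor(policy) {
    this.policy = policy;      // "legacy" or "strict" (hypothetical names)
    this.cookies = new Map();  // cookie domain -> Map(name -> value)
  }

  hasCookiesFor(domain) {
    return this.cookies.has(domain) && this.cookies.get(domain).size > 0;
  }

  // Returns true when a cookie set by cookieDomain on pageDomain is stored.
  setCookie(pageDomain, cookieDomain, name, value, userInteracted = false) {
    let allowed = pageDomain === cookieDomain; // first-party: always stored
    if (!allowed && this.policy === "legacy") {
      // Third-party exceptions: the user used an embedded widget, or the
      // jar already trusts this domain because it holds one of its cookies.
      allowed = userInteracted || this.hasCookiesFor(cookieDomain);
    }
    if (!allowed) return false;
    if (!this.cookies.has(cookieDomain)) this.cookies.set(cookieDomain, new Map());
    this.cookies.get(cookieDomain).set(name, value);
    return true;
  }
}

// Constructed sample: ads.example is embedded as a third party on two sites.
const EVENTS = [
  ["news.example", "ads.example", "id", "u-123", false],   // plain ad load
  ["news.example", "ads.example", "tmp", "1", true],       // widget interaction
  ["news.example", "ads.example", "id", "u-123", false],   // same ad, later
  ["shop.example", "ads.example", "seg", "shoes", false],  // different site
];

// Replays the events and reports which were stored and what the jar holds.
function replay(policy) {
  const jar = new CookieJar(policy);
  const accepted = EVENTS.map((e) => jar.setCookie(...e));
  const stored = jar.hasCookiesFor("ads.example")
    ? [...jar.cookies.get("ads.example").keys()]
    : [];
  return { accepted, stored };
}

console.log(replay("legacy"));
console.log(replay("strict"));
```

Under the `strict` policy the widget cookie is refused as well, which is the functional cost of blocking third-party cookies outright.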

The technique seems to have been known for a long time; in fact, the Indian developer Anant Garg described it two years ago. The coding also has a role in some Facebook games and "apps", particularly if the app wants to store a user's login information or game scores. In fact, a corporate Facebook page for app developers called "Best Practices" includes a link to Mr. Garg's blog post. The Stanford researcher Jonathan Mayer found that many large companies like Google and PointRoll used a variation of Garg's technique to bypass Safari's policy.

Google states that users of Internet Explorer, Firefox and Chrome were not affected. Is it true? Rumors from several sides say that the company has operated in a similar way with Internet Explorer's users as well.

We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.  Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page.

How to protect users? 

Do not disable cookies altogether, because most of the websites you visit will not work correctly. Third-party cookies are in fact used for several other purposes, such as logging users in to third-party sites. They cannot steal users' data. If you want, you can disable third-party cookies in your browser. Dennis O'Reilly has written a guide on how to disable third-party cookies for major browsers.

As always, I try to close my articles with some of my personal reflections.
Google has always stood out as a company for its creativity and its ability to deal with the strategic areas of contemporary society. At stake is the power of information, and companies like Facebook share the same ambitions. The war has intensified and every company is ready to adopt questionable methods to obtain the power of knowledge. You, your digital identity, your customs are the new source of wealth. The more you know, the more power you have, but what price are you willing to pay to achieve the ultimate goal? Operations such as these, in addition to damaging the image of companies like Google, can induce governments around the world to apply severe sanctions against those who violate the inalienable human right to privacy. As I wrote in the past, violated freedom is the worst cyber threat ... and the more I read news like this, the more I am convinced of it.

I leave you with an aphorism of Johann Wolfgang von Goethe, which I find very appropriate:

"We do not get to know people when they come to us; we must go to them to find out what they are like."

Pierluigi Paganini

UPDATE

 Not just Google: Facebook also bypasses privacy settings in IE

References

http://securityaffairs.co/wordpress/2753/security/google-code-used-to-circumvent-privacy-protections-true-or-false.html