So supposedly Safari had a nice security setup so Google wouldn't track you through DoubleClick cookies. Then Google decided "fuck that" and has been following you anyway.
http://blogs.wsj.com/digits/2012/02/16/how-google-tracked-safari-users/
" How Google Tracked Safari Users
February 16, 2012, 10:44 PM
By Jennifer Valentino-DeVries
Google and other advertising companies have been following iPhone and Apple users as they browse the Web, even though Apple’s Safari Web browser is set to block such tracking by default.
How have they been able to do it? Well, first they made Safari think the user was submitting an invisible form associated with the ad.
That technique allowed the companies to then place a “cookie” – a small text file that is stored on the user’s computer and can be used to track online activities. Google disabled its code after being contacted by The Wall Street Journal.
By default, Apple’s Safari browser accepts cookies only from sites that a user visits; these cookies can help the site retain logins or other information. Safari generally blocks cookies that come from elsewhere – such as advertising networks or other trackers. But there are exceptions to this rule, including that if you interact with an advertisement or form in certain ways, it’s allowed to set a cookie even if you aren’t technically visiting the site.
Google’s code, which was placed on certain ads that used the company’s DoubleClick ad technology and was uncovered by Stanford researcher Jonathan Mayer, took advantage of this loophole, as did the code used by the other companies.
In Google’s case, the code was part of a Google feature that allows its “+1” button to be embedded in advertisements. Wall Street Journal technologist Ashkan Soltani analyzed the code further and found that 22 of the top 100 most popular websites installed the Google code on a test computer.
Google said the company tried to design the +1 ad system to protect people’s privacy and did not anticipate that it would enable tracking cookies to be placed on users’ computers.
To put cookies onto Safari, Google’s ads used something called an “iframe,” an invisible container that allows content from one website to be embedded within another site, such as an ad on a blog.
Through this “iframe” window, Google received data from the user’s browser and was able to tell whether the person was using Safari. If he was, Google then inserted an invisible form into the container. The user didn’t see or fill out the form – in fact, there was nothing to “fill out” – but nevertheless, the Google code “submitted” it automatically.
Once the form was sent, Safari behaved as though the user had filled something out intentionally, and the browser allowed Google to put a cookie on the user’s machine.
The cookie Google was placing through this method was associated with the company’s Google+ social network. Last year, Google announced a system that would allow users to click the company’s “+1” buttons on advertisements to indicate that they liked the ad.
But Google faced a problem: Apple’s Web browser Safari blocks most tracking by default and is the most popular browser on mobile devices. That meant that Google wouldn’t be able to check if a user was logged into Google, using a small text file called a cookie.
So Google set up an elaborate system. If the person was logged in to Google+ and had agreed to see the +1 button on ads, the cookie would contain encoded information about that account. If the person wasn’t logged in or hadn’t agreed to see the button, the cookie would still be placed on the computer, but it would be blank.
The cookies were temporary; the blank one was set to expire in 12 hours, and the cookie for logged-in users was set to expire in 24.
Google’s Rachel Whetstone said the temporary cookie served to create a “temporary communication link between Safari browsers and Google’s servers.” She said the goal was to ensure that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between a user’s personal information and the web content they browse.
But even the blank cookie could then result in extensive tracking of Safari users. This is because of a technical quirk in Safari that allows websites to easily add more cookies to a user’s computer once the site has installed at least one cookie. Safari allows this so that sites such as the Facebook and Google+ social networks can install cookies in widgets they place around the Web, as long as the user has visited the original site.
But it also meant that if a person received any of the temporary cookies, other Google advertising cookies could be placed as soon as the user saw another Google ad.
Ms. Whetstone said Google did not anticipate that further tracking cookies would be placed. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers,” she said. “It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.”
Stanford’s Mr. Mayer, who spotted Google’s technique, said, “There are zero legitimate-use cases” for advertisers to use an invisible form to enable tracking that Safari would have otherwise blocked.
An Apple spokesman said: “We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it.”
An update to the software that underlies Safari has closed the loophole that allows cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update. The people who handled the proposed change, according to software documents: two engineers at Google.
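The policy chain the article describes can be traced with a small model. This is an added example, not code from the article, Google or WebKit; it goes one step past the article by letting cookies expire. The domain names, cookie names and the 30-day ad-cookie lifetime are constructed, and `formException` is a hypothetical switch standing in for the loophole the update closed.

```javascript
// Simplified model of the third-party cookie rules described in the article.
// Not WebKit code: rule names and sample values below are constructed.
const HOUR = 3600 * 1000;

class CookieJar {
  // formException: does a form submission from a third-party frame unlock cookies?
  constructor({ formException }) {
    this.formException = formException;
    this.cookies = []; // entries: { domain, name, expires }
  }

  // Drop expired cookies, then report whether `domain` still has one stored.
  hasCookies(domain, now) {
    this.cookies = this.cookies.filter((c) => c.expires > now);
    return this.cookies.some((c) => c.domain === domain);
  }

  // Decide on a cookie from `domain` while the user is visiting `topSite`.
  setCookie({ domain, topSite, name, ttlHours, viaFormSubmit = false }, now) {
    let reason;
    if (domain === topSite) reason = "first-party";
    else if (this.hasCookies(domain, now)) reason = "domain-already-has-cookie";
    else if (viaFormSubmit && this.formException) reason = "form-submission";
    else return { accepted: false, reason: "third-party-blocked" };
    this.cookies.push({ domain, name, expires: now + ttlHours * HOUR });
    return { accepted: true, reason };
  }
}

// Replay one ad network's attempts across three sites the user visits.
function runScenario(formException) {
  const jar = new CookieJar({ formException });
  const ad = "ads.example"; // constructed ad-network domain
  const attempts = [
    // Plain third-party attempt: the default rule applies.
    [{ domain: ad, topSite: "blog.example", name: "plain", ttlHours: 24 }, 0],
    // Temporary (blank) cookie set after an automatic form submission.
    [{ domain: ad, topSite: "blog.example", name: "temp", ttlHours: 12,
       viaFormSubmit: true }, 0],
    // Next ad seen an hour later on another site: advertising cookie.
    [{ domain: ad, topSite: "news.example", name: "ad-id", ttlHours: 24 * 30 }, HOUR],
    // 13 hours in, the temporary cookie has expired; the ad cookie has not.
    [{ domain: ad, topSite: "shop.example", name: "ad-id-2", ttlHours: 1 }, 13 * HOUR],
  ];
  return attempts.map(([req, now]) => jar.setCookie(req, now).reason);
}

console.log("loophole open:  ", runScenario(true));
console.log("loophole closed:", runScenario(false));
```

In the model, the longer-lived advertising cookie keeps the domain unlocked after the 12-hour cookie is gone, which is why removing the form-submission exception is the fix that matters.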