Apple, Google, Facebook caught up in Safari privacy imbroglio

The Wall Street Journal engaged in a bit of gotcha journalism this morning, in a piece that accuses Google and other advertisers of “bypassing mobile Safari’s privacy settings.” This accusation comes despite the fact that the functionality they are using has been in widespread use for over two years. Confused? So, apparently, is the WSJ.

When you surf the web in Safari, by default websites cannot add cookies to your browser. Safari doesn’t tell you this, nor ask you what your preference is, they simply turn them off, and to turn them on you have to discover the right page in the settings menu, which of course most customers don’t do. Apple claims that this protects user privacy, although of course it also cuts off all forms of personalized advertising and many web services.

Of course web-based advertising and services are competing with Apple’s services. Which explains why they “protect” you from cookies that don’t collect personal information, but (until recent events shamed them into it) Apple didn’t protect you against iOS app manufacturers that wanted to upload your entire contacts list to their servers.

Apple’s privacy policy also breaks many other popular web services, like many Facebook apps, Google +1 buttons, etc. Well, it would break them, except that those types of interactions use a work-around. It turns out that Safari will accept a cookie, even when cookies are turned off, if the user submits an internet form. So those services are enable by making it appear to Safari that an invisible form is being submitted when you “+1” something.

The WSJ journal has gone apoplectic on the issue, framing it as if these companies are trying to engage in data theft, even though the practice has existed for two years and is so common that Facebook shows app developers how to do this as part of their “best practices” guide on their website. Indeed, Google referred to it as “existing functionality” in Safari to enable those services, and Apple has apparently been in no rush to fix this work around.

The problem has become magnified, however, because there’s a bug in Safari that allows advertising and other cookies to be saved once the first “list-based” cookie is saved. In other words, once the fairly innocuous web-service cookie is installed, the floodgates are opened to advertising services and other cookies that can piggy-back in. Which is not good if you purposely want to avoid those sorts of cookies.

While Facebook and Google aren’t trying to engage in the tracking of personal information in their work around (Google representatives emphasized that no personal information is gathered, even by the cookies that sneak in), it’s still a bad solution. Even if the loophole for other cookies is fixed, leaving the work-around for Facebook and Google in essence turns on a type of cookie, even for customers who don’t use Facebook or Google services (or other web-based services). And any service that places a cookie of any sort should give you the option to opt-in to it the first time, not "sneak it by" your browser.

The underlying problem seems to be that consumers simply don’t understand the different forms of “tracking” and how cookies enable web services. Most users would be unhappy if their favorite Facebook apps stopped working on iOS devices, but at the same time many of them think that Apple blocking all forms of “tracking” is good for them, even though these are diametrically opposed concepts.

What is needed is for someone to come up with a better interface so that ordinary customers can understand the tradeoffs between privacy and services. If people only use Apple services, they should be able to choose to accept no cookies at all, and not have that choice undermined by code that tricks their browser. At the same time, people who want to use services from Google, Facebook, and others shouldn’t have those settings hidden away from them by Apple. There needs to be more granular privacy controls that are presented in a clear and straight-forward manner.

In the short term, Google has apologized for the "unanticipated" bug that allowed other cookies to piggy back on top of their Google+ sign in. Apple has stated that it will “address the issue”, but it will be interesting to see if this makes the situation with web services better or worse for users. Either way, consumers deserve an intelligent discussion about these subjects in the press, rather than a histrionic stroll down Yellow Journalism Lane. The Wall Street Journal should be ashamed at the alarmist tone of their article.

In conclusion, there’s plenty of blame to go around here for everyone.

sources: WSJ, Jeff Battelle's searchblog, The Verge