Apple, Google, Facebook caught up in Safari privacy imbroglio

This article may contain personal views and opinion from the author.
Apple, Google, Facebook caught up in Safari privacy imbroglio
The Wall Street Journal engaged in a bit of gotcha journalism this morning, in a piece that accuses Google and other advertisers of “bypassing mobile Safari’s privacy settings.” This accusation comes despite the fact that the functionality they are using has been in widespread use for over two years. Confused? So, apparently, is the WSJ.

When you surf the web in Safari, by default websites cannot add cookies to your browser. Safari doesn’t tell you this, nor ask you what your preference is, they simply turn them off, and to turn them on you have to discover the right page in the settings menu, which of course most customers don’t do. Apple claims that this protects user privacy, although of course it also cuts off all forms of personalized advertising and many web services.

Of course web-based advertising and services are competing with Apple’s services. Which explains why they “protect” you from cookies that don’t collect personal information, but (until recent events shamed them into it) Apple didn’t protect you against iOS app manufacturers that wanted to upload your entire contacts list to their servers.

Apple’s privacy policy also breaks many other popular web services, like many Facebook apps, Google +1 buttons, etc. Well, it would break them, except that those types of interactions use a work-around. It turns out that Safari will accept a cookie, even when cookies are turned off, if the user submits an internet form. So those services are enable by making it appear to Safari that an invisible form is being submitted when you “+1” something.

The WSJ journal has gone apoplectic on the issue, framing it as if these companies are trying to engage in data theft, even though the practice has existed for two years and is so common that Facebook shows app developers how to do this as part of their “best practices” guide on their website. Indeed, Google referred to it as “existing functionality” in Safari to enable those services, and Apple has apparently been in no rush to fix this work around.

The problem has become magnified, however, because there’s a bug in Safari that allows advertising and other cookies to be saved once the first “list-based” cookie is saved. In other words, once the fairly innocuous web-service cookie is installed, the floodgates are opened to advertising services and other cookies that can piggy-back in. Which is not good if you purposely want to avoid those sorts of cookies.

While Facebook and Google aren’t trying to engage in the tracking of personal information in their work around (Google representatives emphasized that no personal information is gathered, even by the cookies that sneak in), it’s still a bad solution. Even if the loophole for other cookies is fixed, leaving the work-around for Facebook and Google in essence turns on a type of cookie, even for customers who don’t use Facebook or Google services (or other web-based services). And any service that places a cookie of any sort should give you the option to opt-in to it the first time, not "sneak it by" your browser.

The underlying problem seems to be that consumers simply don’t understand the different forms of “tracking” and how cookies enable web services. Most users would be unhappy if their favorite Facebook apps stopped working on iOS devices, but at the same time many of them think that Apple blocking all forms of “tracking” is good for them, even though these are diametrically opposed concepts.

What is needed is for someone to come up with a better interface so that ordinary customers can understand the tradeoffs between privacy and services. If people only use Apple services, they should be able to choose to accept no cookies at all, and not have that choice undermined by code that tricks their browser. At the same time, people who want to use services from Google, Facebook, and others shouldn’t have those settings hidden away from them by Apple. There needs to be more granular privacy controls that are presented in a clear and straight-forward manner.

In the short term, Google has apologized for the "unanticipated" bug that allowed other cookies to piggy back on top of their Google+ sign in. Apple has stated that it will “address the issue”, but it will be interesting to see if this makes the situation with web services better or worse for users. Either way, consumers deserve an intelligent discussion about these subjects in the press, rather than a histrionic stroll down Yellow Journalism Lane. The Wall Street Journal should be ashamed at the alarmist tone of their article.

In conclusion, there’s plenty of blame to go around here for everyone.

sources: WSJ, Jeff Battelle's searchblog, The Verge



1. dreammixer

Posts: 81; Member since: Feb 10, 2012

Google stealing people's information is nothing new and you being apologetic about it doesn't help the fact.

3. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

It's a fallacy in Safari that was exploited, not something Google or Facebook has engineered. Most likely Twitter, LinkedIn, Stumbleupon, Digg, Reddit, and any number of other companies were doing exactly the same thing to Safari. You can't really claim any kind of invasion of privacy when first you had to sign in to Google, and then went and clicked the +1 button. (Or sign in to Facebook and click the "Like" button.) Those are voluntary actions. That kind of denotes the intention of sharing, or do people really not understand how the social networking buttons work? It's really just a matter of semantics and perception. Safari lets sites place tracking cookies if a user interacts with the site, such as by filling out a form. Technically, that's exactly what happened. Not even technically, that IS what happened. The user chose to interact with Google and by clicking the +1 was requesting Google take their data. The situation reminds me of the kids sitting in the backseat saying, "You can't touch me, I have a shield!" But then go ahead and poke their little brother.

8. LoneShaolin

Posts: 307; Member since: Jan 14, 2012

Truth. The second you sign in and hit Like/+1 is PERMISSION.

17. solidsnakeduds013

Posts: 221; Member since: Oct 20, 2010

Thank you. You comment gets thumbs up

5. MorePhonesThanNeeded

Posts: 645; Member since: Oct 23, 2011

Perhaps you should learn to read iDiot! Said nothing about Google or anyone stealing your info, just says that they bypass the no cookie thing on safari to allow Google and FB things to save a cookie from their site in your browser. I hate stupidity and not the stupid people that use it. It's ok you will learn more if you read :)

2. cj100570

Posts: 204; Member since: May 12, 2009

So telling the truth about the situation is being apologetic? And since you seem to be privy to info that no one is aware of, what info has Google "stolen" from anyone?

22. sprockkets

Posts: 1612; Member since: Jan 16, 2012

ap·o·plec·tic/ˌapəˈplektik/ Adjective: Overcome with anger; extremely indignant. Relating to or denoting apoplexy (stroke): "an apoplectic attack". If you thought it said apologetic, you were wrong. And, btw, the WSJ hates google with a passion; they are diametrically oppossed in their political beliefs, and it shows. Example, the WSJ didn't like the fact of how Google treated the situation of Bill Clinton's search results vs. Rick Santorum's.

23. cj100570

Posts: 204; Member since: May 12, 2009

Your comment has me slightly confused. The 1st comment, to which I replied, claimed that the OP was being "apologetic" to Google. You're referencing the word "apoplectic", in a reply to my comment. I fail to see the connection. Please enlighten me.

4. remixfa

Posts: 14605; Member since: Dec 19, 2008

tell me all the things google has stolen from you please. a nice list would be great. i love the little semi-zinger at the end about apple's refusal to allow competing browsers. how do u guys live with being (mostly) adults and told how you can use every facet of your device? geesh.

6. dreammixer

Posts: 81; Member since: Feb 10, 2012

Shows the author is ignorant as there are plenty of 3rd party browsers available in the app store. Google is known worldwide for stealing information. I'm not going to waste my time. Do a GOOGLE search :)

9. Scott_H

Posts: 167; Member since: Oct 28, 2011

Dream is right in a way - there are lots of browsers that reskin the Safari code to provide differences in the basic UI. Apple generally restricts the sort of drastic changes that would allow for the type of competition I was referring to, but that's more detail than is necessary for this topic, so I removed it rather than expanding it. The article, however, does not apologize for companies that used the work-around - we condemn the solution. But the reality is that everyone, including Apple (who ignored it for two years) was basically treating it as an open secret until the WSJ discovered that it also allowed for ad tracking. Consumers deserve a better solution. As for Google "stealing" information - that's just hyperbole.

13. dreammixer

Posts: 81; Member since: Feb 10, 2012

Google has gotten in trouble lots of times for taking information without permission.

15. 14545

Posts: 1835; Member since: Nov 22, 2011

WTF are you talking about? The only thing that they have ever gotten a slap on the wrist for was the "wifi snooping" incident in Europe. Please cite specific examples are STFU.

7. tward291

Posts: 559; Member since: Feb 14, 2012

dame safari my porn never works

10. Droid800

Posts: 22; Member since: Jan 23, 2012

God Phone Arena is getting as bad as Droid-life with their irrational iHate. Google did something wrong, and they got pinged for it. Stop trying to excuse their mistake.

11. Scott_H

Posts: 167; Member since: Oct 28, 2011

We're apparently in the same boat as "iHaters" like MG Siegler? No one is saying that the companies doing this (it's not just Google) were using the right solution, it's just that the issue is more complicated than the simplistic "oh noes, Google is evil!" sort of story that the WSJ wrote.

12. MichaelHeller

Posts: 2734; Member since: May 26, 2011

It isn't iHate to say that Apple has a hand in this mess. However, it is fanboyism to ignore Apple's responsibility and and target Google in this case. Google, Facebook and the rest probably shouldn't have used the workaround, but Apple should have given users the choice in accepting cookies in the first place.

14. dreammixer

Posts: 81; Member since: Feb 10, 2012

Apple does give choice in accepting cookies although I agree it should be a more obvious choice. Still doesn't make what google is doing ok.

16. 14545

Posts: 1835; Member since: Nov 22, 2011

DID YOU MISS THE FACEBOOK PART? Geez, take your iCrap somewhere else.

18. Retro-touch unregistered

I've been wondering the same thing seeing his repetitve post, there are probably more sites that use this trick but for simplicity sake they concentrated on Facebook and Google

21. Stuticus

Posts: 26; Member since: Feb 05, 2012

The problem with that is the average iDiot doesn't know what they would need to do on their own to make it work, much less that they could look up how to do it.


Posts: 81; Member since: Feb 17, 2012

We beleive apple is losing market to android

20. squallz506

Posts: 1075; Member since: Oct 19, 2011

i dislike this article. the source is a much better read. the source explains that the security breach is a tracking cookie dropped in by google or advent or other advertisers. the cookie collects no personal information; it is invasive but harmless. i think its a fair trade to give up a little information in exchange for better services.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit for samples and additional information.