Apple, Google, Facebook caught up in Safari privacy imbroglio

The Wall Street Journal engaged in a bit of gotcha journalism this morning, in a piece that accuses Google and other advertisers of “bypassing mobile Safari’s privacy settings.” This accusation comes despite the fact that the functionality they are using has been in widespread use for over two years. Confused? So, apparently, is the WSJ.

When you surf the web in Safari, by default websites cannot add cookies to your browser. Safari doesn’t tell you this, nor ask you what your preference is, they simply turn them off, and to turn them on you have to discover the right page in the settings menu, which of course most customers don’t do. Apple claims that this protects user privacy, although of course it also cuts off all forms of personalized advertising and many web services.

Of course web-based advertising and services are competing with Apple’s services. Which explains why they “protect” you from cookies that don’t collect personal information, but (until recent events shamed them into it) Apple didn’t protect you against iOS app manufacturers that wanted to upload your entire contacts list to their servers.

Apple’s privacy policy also breaks many other popular web services, like many Facebook apps, Google +1 buttons, etc. Well, it would break them, except that those types of interactions use a work-around. It turns out that Safari will accept a cookie, even when cookies are turned off, if the user submits an internet form. So those services are enable by making it appear to Safari that an invisible form is being submitted when you “+1” something.

The WSJ journal has gone apoplectic on the issue, framing it as if these companies are trying to engage in data theft, even though the practice has existed for two years and is so common that Facebook shows app developers how to do this as part of their “best practices” guide on their website. Indeed, Google referred to it as “existing functionality” in Safari to enable those services, and Apple has apparently been in no rush to fix this work around.

The problem has become magnified, however, because there’s a bug in Safari that allows advertising and other cookies to be saved once the first “list-based” cookie is saved. In other words, once the fairly innocuous web-service cookie is installed, the floodgates are opened to advertising services and other cookies that can piggy-back in. Which is not good if you purposely want to avoid those sorts of cookies.

While Facebook and Google aren’t trying to engage in the tracking of personal information in their work around (Google representatives emphasized that no personal information is gathered, even by the cookies that sneak in), it’s still a bad solution. Even if the loophole for other cookies is fixed, leaving the work-around for Facebook and Google in essence turns on a type of cookie, even for customers who don’t use Facebook or Google services (or other web-based services). And any service that places a cookie of any sort should give you the option to opt-in to it the first time, not "sneak it by" your browser.

The underlying problem seems to be that consumers simply don’t understand the different forms of “tracking” and how cookies enable web services. Most users would be unhappy if their favorite Facebook apps stopped working on iOS devices, but at the same time many of them think that Apple blocking all forms of “tracking” is good for them, even though these are diametrically opposed concepts.

What is needed is for someone to come up with a better interface so that ordinary customers can understand the tradeoffs between privacy and services. If people only use Apple services, they should be able to choose to accept no cookies at all, and not have that choice undermined by code that tricks their browser. At the same time, people who want to use services from Google, Facebook, and others shouldn’t have those settings hidden away from them by Apple. There needs to be more granular privacy controls that are presented in a clear and straight-forward manner.

In the short term, Google has apologized for the "unanticipated" bug that allowed other cookies to piggy back on top of their Google+ sign in. Apple has stated that it will “address the issue”, but it will be interesting to see if this makes the situation with web services better or worse for users. Either way, consumers deserve an intelligent discussion about these subjects in the press, rather than a histrionic stroll down Yellow Journalism Lane. The Wall Street Journal should be ashamed at the alarmist tone of their article.

In conclusion, there’s plenty of blame to go around here for everyone.

sources: WSJ, Jeff Battelle's searchblog, The Verge

Grab the Pixel 10 at Mint Mobile for $450 off

$349

$799

$450 off (56%)

Mint Mobile now sells the Google Pixel 10 with a massive $450 discount. The promo is available on select color variants with 128GB of storage. You also get a 12-month unlimited data plan for $180 instead of $360.

Buy at Mint Mobile

Pixel 10 Pro: now $475 off at Mint

$524

$999

$475 off (48%)

Grab the pro-grade, compact Pixel 10 Pro at Mint Mobile with a 12-month unlimited plan, and you can save a huge $475. The data plan comes with a discount, too: 50% off, to be exact.

Buy at Mint Mobile

The Pixel 10 Pro XL is $700 off at Mint right now

$499

$1199

$700 off (58%)

The high-end Gemini AI-enhanced Pixel 10 Pro XL is now available with a mind-blowing discount. You can now save $700 on the phone, plus 50% off unlimited 12-month plans.

Buy at Mint Mobile

The Pixel 10 Pro Fold is now $400 off

$1399

$1799

$400 off (22%)

The foldable Pixel 10 Pro Fold is another standout holiday offer. Right now, you can get the device for $400 off at Mint Mobile. On top of that, you save $180 on 12-month unlimited data plans.

Buy at Mint Mobile