Oops They Did It (and were caught doing it) Again …


The quote I have been seeing – and using – a lot lately is critical in describing Google’s behavior in working around browser security settings, and the very desires of users, to insinuate their advertising into Safari, as they were caught doing last week:

Despite being thought of as a tech company, Google is actually an ad agency.

Last week Google was caught bypassing user settings and Safari security as noted here:

– Google secretly developed a way to circumvent default privacy settings established by a hated competitor, Apple
– Google enabled this workaround to further its own advertising (revenue) and social-networking goals.
– Google then used the workaround to drop ad-tracking cookies on the Safari users, which is exactly the sort of practice that Apple was trying to prevent

This allowed them to use cookies to put ‘+1’ buttons on advertisements which were served by their subsidiary DoubleClick. But predictably their quest for money, regardless of user privacy, couldn’t stop there:

Google then took advantage of this Safari workaround to drop cookies on Safari users’ computers for advertising clients–the exact sort of behavior that Apple’s privacy settings were designed to prevent.

Of course, as soon as they were caught with their hand in the cookie jar, Google plugged the hole, and has been churning out spin from it being unintended to ‘a known feature’ to a ‘limited workaround’. But one thing they made clear in a public statement:

Users of Internet Explorer, Firefox and Chrome were not affected.

Naturally, THAT was a lie as well. Is ANYONE surprised?

At MSDN blog today, we get this:

When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9’s Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.

So we know that Google bypassed basic privacy settings … for money. And that they hid it and lied about it and wound up the spin machine – and the millions of Google fanboys who will defend them regardless of what they do. And then we learned they did it AGAIN, even after getting caught once!

What is hilarious is that they don’t offer a ‘cookie opt-out’ for Safari, because …

While we don’t yet have a Safari version of the Google advertising cookie opt-out plugin, Safari is set by default to block all third-party cookies. If you have not changed those settings, this option effectively accomplished the same thing as setting the opt-out cookie.

Well, it would be hilarious if it wasn’t nefarious. And as MSDN says, it isn’t even clear that the cookie opt-out helps. And Google? Naturally a non-denial denial intended to cast Microsoft as the villain by having a “widely non-operational cookie system”, and saying that ‘Facebook does it too’ … since we all know that Facebook is that great bastion of privacy and security and personal accountability.

And again, there is a HUGE difference between ‘this isn’t a problem for IE’ and ‘everyone else is doing it’. Bottom line – they are like a little kid spinning lies so quickly they can’t even see how obvious those lies become when pieced together.

What I have been reading today is that this ‘isn’t a huge deal’. In and of itself – absolutely true. In general this is small potatoes, certainly not like a real hack of a data stream or stealing account info. But there is an inherent conflict of interest for Google that provides the tools to do things and then monetizes those actions.

Again, Google isn’t a tech company. They aren’t your friend. They are an ad agency, selling your eyeballs, and monetizing your actions to the highest bidder. They don’t care about you, they are using you. They don’t care about privacy or security or your settings – they have smarter programmers who can hack your settings and STILL get information you have told them NOT to collect.

They are a for-profit company selling YOU. The ends – their profits – justify whatever means are necessary, including compromising your security and personal information. The worst thing for a public company is what the constant expectation of MORE does to the way you run business. Again, 95% of their money comes from ads, and more and more companies want a chunk of that pie, and there is a finite amount advertisers will spend. The choices are to grow the 5% or work to monopolize their other non-revenue products for the 95%. They get no money for Android, and it is established that Android users are a lousy revenue source, and their worst-in-class music service only gets noticed when they offer up loss-leader sales … not too many solid prospects.

But why not just use the normal methods of cookie tracking? Because they have their operations broken up into separate domains in order to maintain the appearance that things are truly separate. In other words, when appearing before government panels trying to explain actions, having DoubleClick separate from Google.com is important to avoid regulation. But when running their everyday business it is inconvenient because they actually WANT to do the stuff that they are accused of … so they hacked browsers as an end-run. This way they get to BE the nefarious company some people recognize them for while appearing much more compliant.

This past week we have also learned more about Google pushing their own brand of ‘search engine optimization’ that focuses very highly on ‘+1’ numbers. So if you run a site and get loads of hits but don’t have a ‘+1’ button to feed hits back to Google (read: kickbacks), your site will fall below others that have fewer hits but DO provide kickbacks to Google. And since they are already pushing their own so-called ‘social network’ over the established ones (I showed evidence before of how a Google + page with 2000 +1’s showed up instead of the Facebook page for the same person with >1,000,000 ‘Likes’), we also are learning that they are pushing ‘brand’ pages even more heavily. That makes sense – you and I provide indirect money … someone like Nike provides REAL money. Google search results become more ‘pay to play’ with each passing week.

Every time I point out something about Google, I immediately hear that it is unfair attention compared to other evil companies like Apple or Microsoft. I disagree – Apple and Microsoft are like the toddler going for that fragile item on the end table: obvious and slow.

For example, Apple wants you to come into their huge building and choose from the items on their shelves as if nothing else exists. People look for more nefarious stuff in EULAs and whatnot, but all they want to be sure of is that if you make something for their store using their tools you can’t sell that exact object elsewhere, and that if you are selling to someone in the building that they get a cut. That is pretty much it.

I have heard the tired arguments that their stuff is ‘free’, so ads are the price, and that you can simply opt out or use AdBlock. Guess what – time to wake up Google apologists, you’ve been fooled. Google is STILL tracking you. And if you believe that this actually stopped this week after we learn pretty much the same thing at least once a month … you are only fooling yourself.

About the Author

Michael Anderson
I have loved technology for as long as I can remember - and have been a computer gamer since the PDP-10! Mobile Technology has played a major role in my life - I have used an electronic companion since the HP95LX more than 20 years ago, and have been a 'Laptop First' person since my Compaq LTE Lite 3/20 and Powerbook 170 back in 1991! As an avid gamer and gadget-junkie I was constantly asked for my opinions on new technology, which led to writing small blurbs ... and eventually becoming a reviewer many years ago. My family is my biggest priority in life, and they alternate between loving and tolerating my gaming and gadget hobbies ... but ultimately benefit from the addition of technology to our lives!

5 Comments on "Oops They Did It (and were caught doing it) Again …"

  1. I’m glad I’m not using Chrome any more. So much for “don’t do evil”. Just another big, soulless, predatory, immoral corporation.

  2. How does this hurt me? Google’s adsense is now able to serve ads that are more relevant to me, rather than ads for tampons or makeup remover? (Ads that I ignore anyway. Just like TV). I seriously think this is mountain/mole hill material.

  3. By the way, do you know what happened when I blocked third party cookies in Google Chrome and then tried to log in with my Twitter account on Disqus to post the above comment? It would not allow me to log in to post the comment. I had to re-enable third party cookies to post the comment.

    Pot, kettle, black.

    • Actually … “World, Dan, Clueless” is more appropriate.

      You have shown the way things are SUPPOSED to work.  Chrome allows 3rd party cookies by default because Google depends on that because they are an ad-based company.  When you disallow them, you lose that cross-domain capability that allows such activity.  That is BY DESIGN.

      If that DIDN’T work that way, most people would call it ‘malware’ or a hack … and THAT is what Google was doing.  Imagine if you ONLY visited Google sites and were doing something about woodchucks … and then logged into Hotmail and suddenly found that Microsoft was sending ads and emails related to woodchucks despite never being on their sites.  That would be described pretty universally as unethical hacking, rootkits, tracking, or any of a number of insidious – but accurate – terms.

      People install antivirus software to avoid unwanted tracking, and get upset when their personal information is compromised.  What Google has done is no different.  So if you are not concerned about companies hacking your browser, compromising your security and privacy, and allowing external companies you don’t give permission to track you by paying Google a fee, fine.  But personally, most people want their security and privacy respected, and when they say ‘do not track’ they mean it.

      People have gone to jail for less. 

      • A few things:

        – this issue is about third-party cookies being set in Safari by the Google ad service doubleclick in particular. Since Safari is set by default to not allow third-party cookies, Safari people are not “saying” do not track. I would venture to guess that well over 90% of Mac users who use Safari do so because it is the default browser on the Mac (and, of course, on iOS), just as most IE users on Windows are using it because it is the default browser on Windows. I would venture to guess that well over 90% of them have no idea that third party cookies are disabled by default. (I would also venture to guess that a vast majority of them don’t even know what browser cookies are.) So let’s not pretend that everybody who uses Safari went to the trouble to protect their privacy by turning third party cookies off. Make no mistake – I think it’s great that Apple sets this default, and I think that all browsers should, though I’ll get to the drawback to this in a second.

        – This issue of doubleclick is actually an issue that was designed into webkit (and Safari) in 2010 to relax the third-party cookie restriction that allows some third-party cookies to be set if the user already had third party cookies from that site. Apple was concerned that this would cause problems for Facebook and Microsoft Live (according to the discussion in their buglist documentation: https://bugs.webkit.org/show_bug.cgi?id=35824 ) that they allowed this functionality. When Google released G+ and the +1 button in particular, they took advantage of this workaround, but apparently doubleclick was also doing so. Google says that this was inadvertent and will be fixed. This whole “Apple/Google” pretend war has gotten so out of hand that now people will never believe either company about any previous intentions, as you so clearly say. So it goes.

        – It’s a bit odd that geardiary.com is scolding Google about finding a workaround to Safari disabling third party cookies but uses a comment system that requires turning on the setting of third party cookies. I happen to know that WordPress has a very usable commentary system that wouldn’t require setting a third party cookie. If this privacy setting is so important, then why are you using Disqus for commentary? (Well, I can guess why – it’s better and more productive.) Will geardiary now stop using Disqus now so that readers can comment without allowing Disqus to track all of our movements?

        – It’s odder still that geardiary.com is so adamant that this doubleclick policy is evil while using doubleclick to provide ads on the site. If Google and doubleclick are so evil, why is geardiary.com participating in allowing Google to track all of our movements? Will geardiary stop the business relationship? I know that you are not the owner and cannot answer for her, but isn’t this hypocritical?

        – “People have gone to jail over less”. Really? Sorry, but that again seems over the top to me. Google has a very clear privacy policy and has gone crazy in recent weeks to get everybody to read it. There will be no jail time over this.

        – As for the Microsoft criticism of Google over this, I thought that the Google rebuttal was spot-on – it’s all PR spin, a bit of piling on of a very real issue in Safari and Mobile Safari. Microsoft’s P3P policy has allowed these types of exceptions since 2002. The podcast “Security Now” covered this issue very well last week, including the issue of Microsoft. You can read the transcript here: http://www.grc.com/sn/sn-341.htm , but, quoting Steve Gibson, the relevant bit:

        “Now, in this, I completely agree with Google. What happened was Microsoft, in an earlier version of IE, entertained disabling third-party cookies also by default. There was a version for a while in beta that had third-party cookies disabled by default. Microsoft generated so much flak from doing this by big business that just screamed. And this is years ago. This is 10 years ago or so, and I don’t know, maybe it was an early version of IE6. But Microsoft got so much flak that they backed off from turning off third-party cookies by default and came up with this bogus approach, where a website, in the query headers going to a server, can assert what their cookie policy is in a machine-readable header of little three-character tokens.

        And what really annoys me is that, if you, in IE today, all versions of IE, if you turn up your privacy to maximum, such that it says you are blocking third-party cookies, yet if a third-party website has a specially crafted P3P policy header, IE goes, oh, well, they say that they’re going to do good things with your cookie, so we’ll let third-party cookies work anyway. And so this is a complete override over IE’s clearly stated policies that the user can control, even on a per-site basis. If a site says, no, no, we’re nice people, then IE just says, oh, well, in that case, let me have your cookie. So that’s what Google is saying. They’re saying this is ridiculous. IE allows any site that wants to, to override the user’s and the browser’s preferences. So we’re doing it, yes, and so is Facebook and Amazon and 11,000 other sites. So that’s what that was. ”

        – For a really decently non-knee jerk read of this issue from a technical point of view, these posts by Lauren Weinstein are great (and not part of some vast Google-lover defense conspiracy):

        https://plus.google.com/u/0/114753028665775786510/posts/fuLZoEkJZNs (for a good look at the Microsoft response.)
