"It's time for Google to acknowledge that it can do a better job of respecting the privacy of web users," the EFF said in a statement, in which it warned: "Google, the time has finally come. You need to make a pro-privacy offering to restore your user's trust … it's time for a new chapter in Google's policy regarding privacy. It's time to commit to giving users a voice about tracking and then respecting those wishes."
The company may also be tracking people without their knowledge on other browsers, including those on its own Android phones, because those do not implement the same security restrictions as Apple does.
The circumvention, carried out by a small piece of code, meant that people could see messages indicating whether their associates in Google "Circles" on its Google+ social network had clicked on ads – but it also let Google and other advertisers see which websites people landed on.
Mayer
told the Guardian that his team had been looking into what was being
done for two months, and was sure it had been used by Google certainly
since December – though it could have been running since July 2011.Google declined to answer a Guardian request to say when it had begun the tracking.
The search giant insisted that a report in the Wall Street Journal, which first revealed the tracking, mischaracterised its actions, and that the users' identities had remained anonymous throughout – although they were signed in to Google's systems.
To get around Safari's blocking, the Wall Street Journal explains, Google put code onto some of its ads served by DoubleClick's servers at doubleclick.net to fool the Safari browser into thinking the user was interacting with DoubleClick.
But, the EFF notes: "That had the side effect of completely undoing all of Safari's protections against doubleclick.net."
That meant that other DoubleClick cookies, including the principal tracking one which Safari would normally block, were allowed.
"Like a balloon popped with a pinprick, all of Safari's protections against DoubleClick were gone," the EFF said.
In a statement, Google said: "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information.
"Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as [Facebook's] 'Like' buttons.
"To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalisation.
"But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous – effectively creating a barrier between their personal information and the web content they browse.
"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser [by other advertising companies using the DoubleClick network].
While the data collected by the cookies would not contain the user's name or personal details, privacy campaigners have long pointed out that the pattern of a user's web browsing allows a picture of them to be built up which can led to direct identification or profiling so precise that it leave little doubt about their identity.
Google's use of such systems in defiance of the settings of the user's browser is the first time the company has been found doing so.
Google said: "Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google's Ads Preferences Manager.
Source:guardian.co.uk