Here are two other mighty convenient examples where Google made "innocent" mistakes by vacuuming more data to track users intrusively and show them ads. Not sure if they're evil or just incompetent.
Google Toolbar caught tracking users when 'disabled'
Google has updated its browser toolbar after the application was caught tracking urls even when specifically "disabled" by the user.
In a Monday blog post, Harvard professor and noted Google critic Ben Edelmen provided video evidence of the Google toolbar transmitting data back to the Mountain View Chocolate Factory after he chose to disable the application in the browser window he was currently using.
The Google toolbar offers two disable options: one is meant to disable the toolbar "permanently," and the other is meant to disable the app "only for this window."
In a statement passed to The Reg, Google has acknowledged the bug. According to the statement, the bug affects Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 for Internet Explorer. An update that fixes the bug is now available here, and the company intends to automatically update users' toolbars sometime today.
The statement also says that the bug does not occur if you open a new tab after disabling the toolbar for a particular window. In the statement, Google goes on to say that the bug disappears if you restart your browser, but this doesn't quite make sense. If you're interested in disabling Google toolbar for a particular window, you aren't going to close that window.
"For that option to work as its name promises, Google Toolbar must cease transmissions immediately," Edelman says. "Fact is, the 'Disable Google Toolbar only for this window' option doesn't work at all: It does not actually disable Google Toolbar for the specified window."
It would appear that in saying the bug is fixed when the browser relaunches, Google is referring to a second bug Edelman uncovered. The Harvard prof also found that the toolbar continued to transmit data when he attempted to disable it through Internet Explorer's "Manage Add-ons" window.
With the Google toolbar, certain "enhanced features" require the transmission of data back to Google servers. These features include the ability to view a website's Google PageRank, essentially a measure of its importance on the web at large, and the new Sidewiki, a means of adding meta-comments to webpages. Using a network monitor, Edelman confirmed that if "enhanced features" are activated, Google collects domain names and associated directories, filenames, URL parameters, and search terms.
The user chooses whether to turn on "enhanced features," but Edelman argues that it's much too easy for a user to do so without completely realizing the consequences. The toolbar's standard installation routine launches a "bubble message" that pushes readers to turn on the features, he says, and it's less than clear about what data is being transmitted.
"The feature is described as 'enhanced' and 'helpful,' and Google chooses to tout it with a prominence that indicates Google views the feature as important," Edelman writes. "Moreover, the accept button features bold type plus a jumbo size (more than twice as large as the button to decline). And the accept button has the focus - so merely pressing Space or Enter (easy to do accidentally) serves to activate Enhanced Features without any further confirmation."
Yes, he continues, the message points out that the toolbar "tells us what site you're visiting by sending Google the url." But he argues this stops short of explaining that it collects everything from directories, filenames, and URL parameters to search keywords.
What's more, Edelman says, turning off "enhanced features" is more difficult than turning them on - especially for the average Joe. It appears that the features can't be turned off unless you uninstall the entire toolbar. Or "disable" it. But that doesn't always work. Or at least it didn't until Edelman noticed it didn't. ®
Google's iPhone Tracking
Google Inc. GOOG -1.14% and other advertising companies have been bypassing the
privacy settings of millions of people using Apple Inc.'s AAPL -1.90% Web browser
on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.
he companies used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default.
Google disabled its code after being contacted by The Wall Street Journal.
The Google code was spotted by Stanford researcher Jonathan Mayer and independently confirmed by a technical adviser to the Journal, Ashkan Soltani, who found that ads on 22 of the top 100 websites installed the Google tracking code on a test computer, and ads on 23 sites installed it on an iPhone browser.
The technique reaches far beyond those websites, however, because once the coding was activated, it could enable Google tracking across the vast majority of websites. Three other online-ad companies were found using similar techniques: Vibrant Media Inc., WPP WPPGY -1.34% PLC's Media Innovation Group LLC and
Gannett Co.'s GCI -0.38% PointRoll Inc.
In Google's case, the findings appeared to contradict some of Google's own instructions to Safari users on how to avoid tracking. Until recently, one Google site told Safari users they could rely on Safari's privacy settings to prevent tracking by Google. Google removed that language from the site Tuesday night.
In a statement, Google said: "The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
Google's privacy practices are under intense scrutiny. Last year, as part of a far-reaching legal settlement with the U.S. Federal Trade Commission the company pledged not to "misrepresent" its privacy practices to consumers. The fine for violating the agreement is $16,000 per violation, per day. The FTC declined to comment on the findings.
An Apple official said: "We are working to put a stop" to the circumvention of Safari privacy settings.
Of the ad companies found to be using the technique, Google has by far the largest reach. It delivers Internet ads that were viewed at least once by 93% of U.S. Web users in December, according to comScore Media Metrix.
A Vibrant Media spokesman called its use of the technique a "workaround" to "make Safari work like all the other browsers." Other major Web browsers don't block tracking by default. Vibrant, a top 25 ad network in the U.S. according to comScore Media Metrix, uses the technique "for unique user identification," the spokesman said, but doesn't collect personally identifiable information such as name or financial-account numbers.
WPP declined to comment. A spokeswoman for Gannett described its use of the code as part of a "limited test" to see how many Safari users visited advertisers' sites after seeing an ad.
PointRoll's coding was found in some ads on WSJ.com. "We were unaware this was happening on WSJ.com and are looking into it further," a Journal spokeswoman said.
To test the prevalence of Google's code, the Journal's technology adviser, Mr. Soltani, surveyed the top 100 most popular websites as ranked by Quantcast earlier this month. He found Google placed the code within ads displayed on major sites including movie site Fandango.com, dating site Match.com, AOL.com, TMZ.com and UrbanDictionary.com, among others. These companies either declined to comment or didn't respond. There is no indication that they or any other sites knew of the code.
"We were not aware of this behavior," said Michael Balmoris, AT&T Inc. T -0.54% spokesman. Google's code
was found on AT&T's YellowPages.com. "We would never condone it," he said.
Across the digital landscape, the issue of online privacy is taking center stage. In recent months, large institutions and tiny app-makers alike have been accused of mishandling personal data. Trying to reassure a worried public, lawmakers have introduced more than a dozen privacy bills in Congress. The Obama administration has called for a Privacy Bill of Rights to encourage companies to adopt better privacy practices.
Trade in personal data has emerged as a driver of the digital economy. Many tech companies offer products for free and get income from online ads that are customized using data about customers. These companies compete for ads, in part, based on the quality of the information they possess about users.
Google's tracking of Safari users traces its roots to Google's competition with social-network giant Facebook Inc. FB +0.75% After Facebook launched its "Like" button—
which gives people an easy way to indicate they like various things online—Google followed with a "+1" button offering similar functionality on its rival social network, known as Google+.
Last year, Google added a feature to put the +1 button in ads placed across the Web using Google's DoubleClick ad technology. The idea: If people like the ad, they could click "+1" and post their approval to their Google social-networking profile.
But Google faced a problem: Safari blocks most tracking by default. So Google couldn't use the most common technique—installation of a small file known as a "cookie"—to check if Safari users were logged in to Google.
To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.
The cookie that Google installed on the computer was temporary; it expired in 12 to 24 hours. But it could sometimes result in extensive tracking of Safari users. This is because of a technical quirk in Safari that allows companies to easily add more cookies to a user's computer once the company has installed at least one cookie.
Google said it tried to design the +1 advertising system to protect people's privacy and that the placement of further tracking cookies on Safari browsers wasn't anticipated.
Among some Web programmers, the type of maneuver used by Google appears to have been an open secret for some time. Anant Garg, a 25-year-old Web developer in Mumbai, India, blogged about the technique two years ago.
Mr. Garg said when he developed the Safari workaround he didn't consider the privacy angle. He came up with the idea simply to "ensure a consistent experience" for a group of people accessing a chat system from different Web browsers, he said.
The coding also has a role in some Facebook games and "apps"—particularly if the app wants to store a user's login information or game scores. In fact, a corporate Facebook page for app developers called "Best Practices" includes a link to Mr. Garg's blog post.
"We work to educate our developers on how to deliver a consistent user experience across all browsers," said Facebook spokesman David Swain.
Mr. Mayer, who spotted Google using the code, also noticed variations of Mr. Garg's code at work in ads placed by Vibrant Media and WPP's Media Innovation Group. Mr. Soltani verified those findings, and also found code being used by Gannett's PointRoll. In a test, Mr. Soltani found the PointRoll code present in ads on 10 of the top 100 U.S. sites.