Setting the Record Straight on Google’s Safari Tracking

Our recent research on Google’s circumvention of the Safari cookie blocking feature has led to some confusion, in part owing to the company’s statement in response (reproduced in its entirety below). This post is an attempt to elucidate the central issues. As with the original writeup, I aim for a neutral viewpoint in the interest of establishing a common factual understanding.

To begin, I’d like to lend some structure to ongoing policy discussions by unpacking the four business practices that are at issue.

  1. Social advertising. Google is leveraging user account information to personalize its advertising on non-Google websites. To do that, Google now identifies its users when they view ads on non-Google websites.
  2. Social advertising circumvention. Google intentionally bypassed Safari’s cookie blocking feature to place an identifying cookie that it uses for social advertising.
  3. Ordinary advertising circumvention. Google’s social circumvention had a collateral effect: it enabled Google to place its ordinary advertising tracking cookie.
  4. Representation. A Google instructional webpage claimed that Safari’s cookie blocking feature “effectively accomplishes the same thing” as opting out of Google’s advertising cookies.

    Safari Advertising Cookie Opt-Out Instructions

I’d next like to clarify some key points about our findings.

  • No account, login, or user preference was required for circumvention. The circumvention behaviors affected all users, independent of whether they had a Google account, were logged into a Google account, or had made a choice about social advertising.
  • Identifying and identifiable information was collected. Google’s social advertising technology is designed to identify the user—that’s how it shows your friends’ pictures! Google’s design document provides additional detail on the feature. For discussion of how third-party web tracking is in general not anonymous, see Arvind Narayanan‘s explanation “There is no such thing as anonymous web tracking” and our research on identifying information leakage.
  • Circumvention is not a commonly accepted business practice. We only identified four advertising companies that deployed technology for circumventing Safari’s cookie blocking, and all have since stopped the practice. Furthermore, a self-regulatory organization for the online advertising industry cites Safari’s cookie blocking feature as a way to stop cookies from advertising companies: “[Safari’s] default setting will block all third-party cookies, including those of our member ad networks and those of other, non-member ad networks.”
  • Apple’s intent was to block advertising-related tracking. The language in Safari’s preferences menu, Apple’s promotional materials, and developer discussions all indicate that advertising-related tracking was a central motivation for the cookie blocking feature.
  • Apple’s purpose was not messing with Google. The default cookie blocking feature that Google circumvented was implemented in Safari 1.0, which shipped in 2003—long before Google was in the third-party display advertising business, and long before relations between the companies soured over smartphones. Furthermore, Safari has repeatedly been a pioneer in browser privacy. Safari 1.0 included a simple “privacy reset” choice for clearing browser settings; the other major browsers followed with similar features. Safari 2.0, released in 2005, was the first browser to provide a “private browsing” mode; again, all the other major browsers followed.
  • No +1 button was visible on circumvention ads. We never saw an ad with the +1 button in our testing. The circumvention behaviors occurred in ordinary-looking ads. In the special case of YouTube’s homepage, there was no visible ad at all.
  • Circumvention was not needed for social sharing. Google’s circumvention was not necessary to make the +1 button clickable. (For the geeks in the audience: Google could have trivially routed clicks through google.com.) The circumvention was only needed1 to personalize ads—for example, to show friends’ pictures near the +1 button, or in future to target ads based on Google+ social networking data.
  • Users likely did not understand their social advertising setting. New users are by default opted into social advertising on signup.

    Social Advertising Default on Account Signup

    My understanding is that users with accounts predating the +1 button have social advertising disabled, but are eventually prompted about the setting with “Enable” selected by default. Disabling the feature requires going to Accounts → Google+, locating the buried “+1 on non-Google sites” setting, then toggling it to “Disable”. Google’s description of the feature does not clearly communicate that it allows Google to identify the user on non-Google websites. The description also does not indicate that the feature would override a browser privacy setting.

    Social Advertising Opt-Out Location

    Social Advertising Opt-Out Page

  • Google’s circumvention only affected Google services. It did not allow other advertising companies to track the user.

Finally, I’d like to note a couple questions that remain open for Google.

  • Users impacted. Our measurement data suggests a great number of Safari users may have been affected by Google’s circumvention. Google has not yet indicated how many users were impacted.
  • Profit. Google held an advantage over its advertising competitors that did not track Safari browsers. That advantage may have resulted in profit. Google has not yet publicized an estimate of its income from tracking Safari browsers.

Google circulated the following statement to media outlets and policymakers on Friday. The company did not post the statement on its website, and my understanding is that Google representatives declined to answer questions about the statement.

The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.


Thanks to Arvind Narayanan, Ashkan Soltani, Lee Tien, and ★★★★★ for valuable input.

1. This discussion presumes Google would host its social advertising from doubleclick.net instead of google.com. If Google hosted social advertising from google.com there would have been no need to circumvent Safari’s cookie blocking.