The lowdown on Google's Safari tracking cookies

A grad student has caught Google with its hand in the cookies jar.

Jonathan Mayer, a graduate student at Stanford, caused a major stir this morning when he published research showing how Google used loopholes within Apple's Safari browser cookie-blocking policy to place unexpected third-party cookies within the browser. In this article we'll detail Mayer's findings and their implications for Safari users.

ANALYSIS: 5 key points from Google's privacy policy letter to Congress 

GOOGLE REED-ER: Tech's original Great Satan calls out Google for being evil

What are cookies and why should I care?

For the uninitiated, cookies are HTTP headers that are used by websites to track users' behavior when visiting their sites. Some cookies, however, are not used by first-party websites that the user is visiting but by third-party websites such as advertisers who happen to have links embedded onto the website the user is visiting. Apple's cookie-blocking technology is intended to block the cookies employed by these third-party sites so that users don't find themselves tracked by every single advertiser they come across on the Web. What's more, Apple enables cookie blocking on its Safari browser as a default setting, meaning that Safari users have typically felt comfortable browsing the Web without fear of being tracked by third-party cookies.

So what has Google done to circumvent Safari's protections?

As Mayer notes, Safari's cookie-blocking policies are fairly lenient in certain key areas. For instance, Safari allows third-party advertisers to place cookies within Safari if their advertisement gets fully loaded onto an entire browser window; in other words, if a pop-up ad fully loads on your iOS device, Safari will allow it to place a tracking cookie.

Another way that Safari allows for third-party cookies is if a user interacts with an advertisement in a way that results in the user submitting an HTML form to the advertiser's domain that gives the ad permission to track. Google achieved this particular feat through the placement of its "+1" button in certain advertisements that allowed users to vote up advertisements that they liked. If a user is signed into their Google account and clicks the "+1" button on an advertisement, then Google submitted an invisible HTML form to the user though the advertisement's iframe, which is the HTML code used to embed a separate document, such as an advertisement, into a page's main HTML document. Unbeknown to users, the form would then automatically respond to Google's ad network and gives it permission to place a cookie within Safari that lasts 24 hours.

So it sounds like I'll get tracked by a Google ad for a day if I click +1 on it. What's the big deal?

Once you let one Google advertisement place cookies in your Safari browser, you're potentially letting all Google advertisements place cookies in your Safari browser, whether you interacted with them or not. This happens because Safari is designed to allow websites to add more cookies once the user has given them initial access. Or put another way, once you let one ad from Google's doubleclick.net domain name place cookies on your browser, Safari sees all ads from doubleclick.net as good to go as well.

"The next time Google advertising content attempts to install the 'id' tracking cookie for.doubleclick.net, it will successfully set," Mayer explains in his report. "The next attempt may not even require that the user visit another page: We noticed that many Google ads periodically send requests to doubleclick.net."