The Wall Street Journal has charged that Google, along with a number of other advertising agencies, have planted code on millions of iPhones that allows the companies to track user behavior.
Google has denied that the embedded code, or cookies, tracks users, and said that it is only activated when users opt-in to one of Google's services, such as Gmail. But the company also admitted that the code inadvertently allowed additional Google Web advertising cookies to be installed on users' phones, against users' wishes.
[ Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]
By default, Safari blocks tracking behavior though the browser. But Google's code "tricks" Apple's Safari browser into monitoring user behavior, the WSJ charged.
"The Journal mischaracterizes what happened and why," according to a statement from Rachel Whetstone, Google senior vice president for communications and public policy. "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
Stanford University researcher Jonathan Mayer first discovered the code. A technical advisor to the WSJ, following Mayer's instruction, documented that the Google tracking code was installed on iPhones by 23 of the top 100 Web sites. The code was installed on ads from sites such as Fandango.com, Match.com, AOL.com, TMZ.com and UrbanDictionary.com. Once installed, Google then could track user movement across a wide number of Web sites, the WSJ charged.
In addition to Google, at least three other online advertising companies also circumnavigated Safari privacy settings with similar techniques, the WSJ found: Vibrant Media, WPP PLC's Media Innovation Group and Gannett Company's PointRoll.
Google offers instructions for users on how to opt-out of Safari tracking, though according to the WSJ, those instructions were removed from the Web site Tuesday, after the company was contacted by the WSJ on the matter.
Google argues that the cookies were necessary to provide users with personalized services, such as the ability to approve of content through Google's "+1" rating system.
"To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization," Whetstone stated. "But we designed this so that the information passing between the user's Safari browser and Google's servers was anonymous--effectively creating a barrier between their personal information and the Web content they browse."
"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Whetstone added. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers."
The news comes at a sensitive time for Google. Last year, the company reached a legal settlement with the U.S. Federal Trade Commission about its privacy practices, and agreed not to misrepresent its privacy practices. Last month, Google consolidated its polices for all its sites into one privacy setting.
In a blog item posted Friday, Microsoft criticized Google for purposefully evading the Safari privacy settings, and offered its own browser as an alternative.