KQED's Joshua Johnson today got a hold of Jonathan Mayer. Here's an edited transcript of their conversation about what he characterizes as Google's cookie shenanigans:
Joshua Johnson
First off, explain what a cookie is.
Jonathan Mayer
A cookie is code that stores information that a web site sends to a user's browser. Legitimate uses include saving your preferences, saving your login, and saving your shopping cart. They're actually great; they're what makes the web what it is today.
Joshua Johnson
So your research shows that this cookie does something similar but in a way that users have not consented to…
Jonathan Mayer
Right. Some cookies are set by other web sites, like advertising networks, for example. These so-called third-party cookies can give rise to privacy concerns because they can let a company figure out what you do on the web sites you visit.
Joshua Johnson
And what is the problem with that?
Jonathan Mayer
Well, do you trust a company with your web browsing history? I think the problem is that some company you've never heard of has a copy of what you've looked at online sitting on its server.
Joshua Johnson
How did you discover this particular cookie from Google?
Jonathan Mayer
We started by running ads of our own. We knew that this loophole existed, and to see which advertising networks had set cookies in Safari browsers we ran ads targeted to that browser's users. Then we had some code that reported back whether the user had a cookie from each of a number of advertising networks.
In the overwhelming majority of some 200,000 Safari browsers in our measurement sample, Google had set cookies on its DoubleClick domain -- that's its advertising domain. Around half of the users had cookies from a company called Vibrant Media. We also saw a number of cookies from a company called Media Innovation Group. These companies aren't nearly the size of Google.
Joshua Johnson
What was your reaction to these results?
Jonathan Mayer
I was a little bit skeptical at first; I ran it by several colleagues to get it verified. I also made sure to test with a bunch of different browsers to see if it was a Safari-specific thing. And we found that it was.
Joshua Johnson
What are the potential implications of these cookies?
Jonathan Mayer
They make it really easy for Google to have a copy of your web-browsing history sitting on their server. One cookie is linked to your specific Google account. They use that to do social personalization of advertising. Google's response is that there's no personal information at play, which seems odd to me because we have this design document that Google sent us indicating this social-targeting cookie is supposed to have the user's Google account ID on it.
Google claims we mischaracterized what they're doing. When they're talking about mischaracterization, they've left the world of computer science and entered the world of spin. I've tried not to put too much stock in that statement.
And I certainly disagree with a few claims they made. They suggest what they did is okay because this was related to a social feature. [Note: Google said they began using the cookies to "enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them."]
I don't think that's quite right. This was not a social feature purely for the user's benefit. It was a social feature on online ads for Google's benefit. It's not much of a stretch to imagine this was the tip of the iceberg in the social personalization of ads Google wanted to do. In fact the design document on this personal socialization feature has a couple of suggestions that the button on ads was just the starting point.
Joshua Johnson
How did your research make it to the Wall Street Journal?
Jonathan Mayer
My team worked with the Wall Street Journal last summer on a story related to super cookies. It turns out there are lots of alternatives to cookies you can use to track the users. The Journal has several reporters who work nearly full-time on these issues, and it has a top-notch collaborating technologist.
Joshua Johnson
Are there still some open questions around this issue?
Jonathan Mayer
I think the No. 1 question is how many users were caught up in this. It's quite possible we're talking about millions or even over 10 million people. Google hasn't suggested this was some sort of limited trial. It's quite possible we're talking about most iPhone owners in America who had their privacy undermined by Google.
Joshua Johnson
How can users get rid of this cookie on their iPhones, iPads or desktops?
Jonathan Mayer
Google has said they're trying to go back and delete these cookies. And if you go into your Safari settings, you can clear out your DoubleClick cookies if you have them. And Google has stopped the practice and so have other companies.
That said, Google gave users the idea that if you were a Safari user, you didn't need to do anything. The default setting was enough. We know that was clearly not the case. They've since pulled that language; I think it's quite possible they're going to have a problem with the FTC for that possibly being a deceptive business practice.
Second, because they signed a deal with the FTC after the Google Buzz debacle, where they promised under possible sanction of money damages that they wouldn’t misrepresent the extent to which users can control the information they're sharing with Google, I think this pretty plainly falls within that language they agreed to.
In my view, this is just another reason why it's time to build a technology that actually puts users in control over third-party web tracking. For a number of years there's been this phrasing among people who work on third-party web-tracking issues that there's an arms race or a cat-and-mouse game going on. And I think these research findings really reify that, quite possibly for millions of users.
So it's time to start thinking about how Google and other players in the online ad industry can work to provide users with a real choice. We've been working on a technology policy proposal called Do Not Track, intended to give users that choice. The World Wide Web Consortium has moved ahead and is trying to standardize it.
The Electronic Frontier Foundation has suggested that one way Google can try to make things right with its users would be to take the lead on Do Not Track, to go ahead and get it implemented in its Chrome browser. That's the only major browser that does not implement Do Not Track.
Google's statement:
The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.
Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them.
To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.
Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager.