If you plug the phrase “remove tracking cookies” into Google Search, a post I wrote nearly seven years ago comes up as one of the top results.
That 2005 post, titled “How to completely eliminate tracking cookies,” is woefully out of date. (How outdated is it? It contains instructions for Firefox 1.0.)
And yet that post is still one of the most popular I’ve ever written.
The gist of those instructions, which I have also included in every Windows book I have written for the past decade, is the recommendation that Internet users allow first-party cookies and block third-party cookies, making exceptions where necessary. This is an industry-standard, well-known method for expressing your privacy preferences, and it has worked for years and years.
The fact that so many people search for and find this page is a testament to the desire of so many people to have some control over their online privacy. They believe—rightly, in my opinion—that they should have a say in whether and how they are tracked as they move around the Internet.
And yet that task has become more difficult in recent years, when it should be getting easier.
Today’s case in point is Google’s transparent attempt to do an end run around user privacy concerns for customers who browse the web on Apple-branded devices running iOS and mobile Safari.
You can read all about the issue in this post by Peter Eckersley, Rainey Reitman, and Lee Tien at the Electronic Frontier Foundation:
Google Circumvents Safari Privacy Protections – This is Why We Need Do Not Track
The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party’s ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.
As Google engineers were building the system for passing facts like "your friend Suzy +1’ed this ad" from google.com to doubleclick.net, they would have likely realized that Safari was stopping them from linking this data using third-party DoubleClick cookies. So it appears they added special JavaScript code that tricked Safari into thinking the user was interacting with DoubleClick, causing Safari to allow the cookies that would facilitate social personalization (and perhaps, at some point, other forms of pseudonymous behavioral targeting). This was a small hole in Safari’s privacy protections.
Unfortunately, that had the side effect of completely undoing all of Safari’s protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main "id" tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari’s protections against DoubleClick were gone.
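To make the two policies concrete, here is an added example that is not code from the original post, from the EFF, or from any browser vendor. It models the rule the post recommends (accept first-party cookies, reject third-party cookies) alongside Safari’s variant, which also admits a third-party domain once the user has navigated to or interacted with it. The host names, the short public-suffix list and the sample responses are constructed for the example; a real browser uses the full public suffix list and considerably more nuanced rules.

```javascript
// Added example (not from the original post or the EFF): a model of
// first-party vs third-party cookie acceptance, and of a per-domain
// "interacted with" exception like the one the EFF post describes.

// Constructed, deliberately tiny public-suffix list. Real browsers use
// the full public suffix list (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// Registrable domain (eTLD+1): the unit at which a browser decides whether
// a request is first-party or third-party relative to the page being viewed.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join('.');
    }
  }
  return host.toLowerCase();
}

// A request is third-party when its registrable domain differs from that
// of the top-level page, so static.example-news.com on www.example-news.com
// is still first-party.
function isThirdParty(topLevelHost, requestHost) {
  return registrableDomain(topLevelHost) !== registrableDomain(requestHost);
}

// policy is one of:
//   'allow-all'                         default in most browsers of the era
//   'block-third-party'                 the rule the post recommends
//   'block-third-party-unless-visited'  Safari-style: third party admitted
//                                       once the user has visited/interacted
// visited holds registrable domains the user has directly navigated to or
// interacted with (constructed state for the example).
function shouldAcceptCookie(policy, topLevelHost, requestHost, visited = new Set()) {
  if (!isThirdParty(topLevelHost, requestHost)) return true;
  switch (policy) {
    case 'allow-all':
      return true;
    case 'block-third-party':
      return false;
    case 'block-third-party-unless-visited':
      return visited.has(registrableDomain(requestHost));
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Record a direct interaction with a host. Note that the exception is keyed
// on the whole registrable domain, not on an individual cookie: once one
// interaction is recorded, every cookie that domain sets is accepted.
function recordInteraction(visited, host) {
  visited.add(registrableDomain(host));
  return visited;
}

// Walk a list of responses seen while a page is open and return the
// "host:cookie" entries a browser with the given policy would store.
function simulate(policy, topLevelHost, responses, visited = new Set()) {
  const stored = [];
  for (const r of responses) {
    if (shouldAcceptCookie(policy, topLevelHost, r.host, visited)) {
      stored.push(`${r.host}:${r.cookie}`);
    }
  }
  return stored;
}

// Constructed sample: one news page pulling resources from its own CDN,
// an ad network and a social widget, each trying to set a cookie.
const SAMPLE_RESPONSES = [
  { host: 'www.example-news.com', cookie: 'session=abc' },
  { host: 'static.example-news.com', cookie: 'prefs=dark' },
  { host: 'ad.doubleclick.net', cookie: 'id=xyz' },
  { host: 'widgets.example-social.org', cookie: 'sid=123' },
];

const PAGE = 'www.example-news.com';
console.log('allow-all:', simulate('allow-all', PAGE, SAMPLE_RESPONSES));
console.log('block-third-party:', simulate('block-third-party', PAGE, SAMPLE_RESPONSES));
const visited = new Set(['example-social.org']);
console.log('safari-style:', simulate('block-third-party-unless-visited', PAGE, SAMPLE_RESPONSES, visited));
```

Running the block shows the three outcomes side by side: the recommended setting keeps only the two example-news.com cookies, while the Safari-style setting additionally keeps the social widget’s cookie because that domain is in the visited set. Calling recordInteraction(visited, 'ad.doubleclick.net') and re-running the simulation then admits the "id" cookie as well, which is the point the EFF makes: the exception is granted per domain, so a single counted interaction opens the door to every cookie that domain sets.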
This was not just some random “oops” moment. As a footnote in the EFF post notes, “The code was … a ‘hidden form submission’, contained in a DoubleClick iframe.” In effect, Google coded its ads so that it appeared as though the person visiting that page had submitted an invisible form to Google. “This code was only sent to Apple’s browsers,” the EFF continues. Security researcher Jonathan Mayer, who identified the issue first, “tested 400 user-agent strings, and found that only Safari received the JavaScript that performed hidden form submissions.”
In other words, this was deliberate.
And as if to make itself look even more guilty, Google has tried to erase some incriminating language it posted online. As CNET’s Elinor Mills notes:
Meanwhile, Google’s Chrome team offers an Advertising Cookie Opt-Out Plugin that lets people do exactly what Safari’s default setting provides – block third-party cookies. Oddly, the instructions for confirming the default settings in Safari on that page were removed as the Wall Street Journal was preparing its news report. This is at the core of a Consumer Watchdog complaint filed with the FTC today that accuses Google of unfair and deceptive practices.
This is why major advertising and tracking companies—and Google is the biggest of them all—cannot and should not be trusted to regulate themselves.
Now, if you’ll excuse me, I have an old blog post to update.
Update: Google is employing a different, equally underhanded tactic to work around default privacy protections in Internet Explorer as well. I have removed Google’s tracking pixel from this site.
I was interested to see Google say that they were following Apple’s guidelines for achieving what they wanted and didn’t understand what the impact would be. That’s a worrying level of ignorance about what your tracking code does…
Indeed, Mary. Perhaps they need to adjust their development processes accordingly, to emphasize security.
Neat way to block tracking cookies available here:
http://www.abine.com/dntdetail.php?
Works like a charm and uses little resources.
thebluejay
Does anyone have a good article on what the negative effects of tracking are? A real article, not just a tin foil hat garbage article?
I’m working on just such an article, Scott.
@Scott: Some negative effects are not being able to comment on certain sites. On other sites, not being able to see videos. I’m sure Ed has a lot more info about this. I do not agree with Leo Laporte – the Apple Guy from Twit – that we all pay a price for free content.
There are some nice browser extensions like Ghostery. But I’ve noticed it does not work 100% in Chrome. As for now, Firefox is the browser with the best extensions. IE does stop tracking, but it’s all rather complicated for the ordinary user.
Where can I see evidence of the Google tracking when I use IE to search on Google? I’m looking in my temp internet files and also ran an httpwatch trace on the browser. I can’t see any evidence of doubleclick.net in the trace and can’t identify said cookie in the temp files.