[Updated (4:35pm EDT, August 9, 2012): Added to the description of the HTML file quoted in this post, to say when I recorded it.]
Today the FTC announced a settlement with Google, in which the company agreed to pay $22.5 Million to settle charges that it misled consumers about its use of tracking cookies on the Safari browser. The Complaint and Order, which were approved by the Commission, are the official statement of the FTC’s position on the case. In this post I’ll explain some of the technical background in more detail–speaking just for myself.
Google’s DoubleClick ad network uses tracking cookies to record a history of a user’s activities across different web sites. A DoubleClick tracking cookie looks like this:
If you have the opt-out cookie, Google won’t place a tracking cookie on your computer. On most browsers this all works as described.
Safari allows a site to deposit a cookie onto your computer whenever at least one of the following things is true:
- you are visiting the site directly–that is, it is the “first party” site whose URL appears in the browser’s address bar, or
- the site already has a cookie present in your browser, or
- the site is responding to a form that you submitted.
One consequence of this design is that Google’s opt-out cookie mechanism doesn’t work for Safari users–Google’s attempt to deliver the opt-out cookie will fail because none of the three conditions hold.
The FTC alleged that Google told Safari users that they didn’t need to worry about the unavailability of opt-out, because Safari’s cookie controls would provide the same protection as the opt-out.
Unfortunately, according to the FTC, this promise wasn’t kept. Google ended up placing tracking cookies in many Safari users’ browsers despite its promise to give those users the same treatment as opted-out users.
Google placed the tracking cookies in two different ways.
First, if you went to the doubleclick.net website, perhaps by typing in the URL but more likely by clicking an ad placed by DoubleClick, then you would be given a DoubleClick tracking cookie. Safari allowed this because it treated DoubleClick as playing a first-party role in this interaction–but no cookie would have been given to an opted-out user of another browser.
(An important detail here: Though people sometimes talk about “first-party cookies” versus “third-party cookies,” there is nothing about the cookie itself that is marked as either first-party or third-party. Instead, first-party and third-party are roles that a site can play in a particular interaction–in the same way that “home team” is not a permanent attribute of a sports team but merely a role that the team might occupy in today’s game. When somebody says “first-party cookie,” you should read that as “cookie associated with a site that is playing a first-party role at the moment.” )
The second way that Safari users got DoubleClick tracking cookies was more complicated–and this is the one that has gotten the most attention. This part of the story starts with Google wanting to put a “social advertising” cookie onto users’ computers. “Social advertising” is a feature that lets you click a “+1″ button on an ad you like–and then shows the same ad to your friends with an indication that you liked it. If implemented in a straightforward way, this wouldn’t work on Safari because Safari would block the placement of Google’s social advertising cookie.
So Google overrode Safari’s cookie controls. They sent Safari a file that looked like this:
<html> <head></head> <body> <form id="drt_form" method=post action="/pagead/drt/si?p=XXX&ut=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"> </form> <script> document.getElementById('drt_form').submit(); </script> </body> </html>
Once the first cookie was in place, Safari would then–according to condition number 2 above–allow Google to deliver additional cookies from doubleclick.net, including the DoubleClick tracking cookie. So the end result of Google’s form submission was to put DoubleClick tracking cookies on Safari users’ browsers, despite Google’s alleged promise not to do so.
If you use Safari, you probably received a DoubleClick tracking cookie from Google during the relevant time period. As part of the settlement, Google agreed to destroy as many as possible of the DoubleClick tracking cookies placed on Safari users’ computers during the relevant period. To its credit, Google started destroying those cookies early, without waiting for the settlement to be finalized, so virtually all of the relevant cookies should be gone by now.
[Note: I modified the HTML snippet above, putting 'X' characters in place of parts of the URL in the form tag. I am not disclosing any of the exact URLs that we saw in our experiments, as a precaution against the possibility that they might reveal something about our investigative procedure.]