Daring Fireball: Cookies and Privacy
A week ago, John Battelle wrote a curious response to this Wall Street Journal report about Google circumventing Safari’s (and, notably, Mobile Safari’s) default setting to accept cookies only from visited websites.
Long story short: Web cookies are small bits of saved data that websites can store in your browser. Cookies are restricted by domain; if example.com stores a cookie in your browser, the only website your browser sends that cookie back to is example.com. But, by default, most desktop web browsers allow “third-party” cookies. That means if a page on example.com loads JavaScript from a different domain, that JavaScript is able to use cookies too. One common use is by ad networks; an ad network can set a cookie and then access that same cookie from any website that uses the same ad network. Google makes use of such cookies to display its ads. Ad networks that use cookies in this manner do so in order to track users across websites.
All major browsers give the user control over cookie permissions, usually with three options:
Accept cookies from anywhere (i.e., allow third-party cookies)
Accept cookies only from visited websites (disallow third-party cookies)
Don’t accept any cookies at all
The difference with Safari is in the default for this setting. Most major browsers default to the first option, allowing all cookies. Safari and Mobile Safari default to the second, allowing only first-party cookies.
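To make the domain restriction and the three permission settings concrete, here is an added example (not code from the original post or from any browser) that models how each setting decides which Set-Cookie responses are stored during a page load. It assumes a simplified "same site" check using the last two host labels in place of the public-suffix list real browsers consult, and it models only Set-Cookie headers, not JavaScript document.cookie writes; the hosts and cookies are constructed sample data.

```javascript
// Simplified "registrable domain": last two DNS labels (assumption standing in
// for the public-suffix-based check a real browser performs).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Parse a Set-Cookie header into its name and the domain it will be scoped to:
// the Domain attribute if present, otherwise the responding host.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domain = requestHost.toLowerCase();
  for (const attr of attrs) {
    const [key, value] = attr.split("=");
    if (key.toLowerCase() === "domain" && value) {
      domain = value.replace(/^\./, "").toLowerCase();
    }
  }
  return { name, domain };
}

// The three settings the text describes, as predicates over (cookie, top-level host).
const POLICIES = {
  ALLOW_ALL: () => true,
  FIRST_PARTY_ONLY: (cookie, topLevelHost) =>
    registrableDomain(cookie.domain) === registrableDomain(topLevelHost),
  BLOCK_ALL: () => false,
};

// Return "name@domain" for every cookie the chosen policy lets the browser store.
function storedCookies(topLevelHost, responses, policyName) {
  const allowed = POLICIES[policyName];
  return responses
    .map((r) => parseSetCookie(r.setCookie, r.host))
    .filter((c) => allowed(c, topLevelHost))
    .map((c) => `${c.name}@${c.domain}`);
}

// Constructed page load: www.example.com embeds an ad script from a third-party ad host.
const SAMPLE_RESPONSES = [
  { host: "www.example.com", setCookie: "session=abc; Path=/; Secure; HttpOnly" },
  { host: "static.example.com", setCookie: "prefs=1; Domain=.example.com; Path=/" },
  { host: "ads.adnetwork.example", setCookie: "id=xyz; Domain=.adnetwork.example; Path=/" },
];

for (const policy of Object.keys(POLICIES)) {
  console.log(policy, storedCookies("www.example.com", SAMPLE_RESPONSES, policy));
}
```

Under FIRST_PARTY_ONLY (the Safari default described above) the ad network's cookie is the one that is dropped, while the two example.com cookies survive.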
What the WSJ discovered is that Google (and a few other ad networks) found a way to store third-party cookies in Safari and Mobile Safari even when the option was set only to accept cookies from visited websites, as it is by default.
Read it all if you are interested. The reason that Google is getting heat over this is because they specifically wrote code to circumvent Safari and Mobile Safari’s default setting of disallowing third-party cookies so that they could track users across websites. That should not have happened. That is Google at its worst.