FTC Settles with Google over Cookie Control Override
Tech @ FTC 2013-03-15
[Updated (4:35pm EDT, August 9, 2012): Added to the description of the HTML file quoted in this post, to say when I recorded it.]
Today the FTC announced a settlement with Google, in which the company agreed to pay $22.5 Million to settle charges that it misled consumers about its use of tracking cookies on the Safari browser. The Complaint and Order, which were approved by the Commission, are the official statement of the FTC’s position on the case. In this post I’ll explain some of the technical background in more detail–speaking just for myself.
Google’s DoubleClick ad network uses tracking cookies to record a history of a user’s activities across different web sites. A DoubleClick tracking cookie looks like this:
id: c5bffdc4700000c||t=1343680985|et=730|cs=002213fd484b7cb9af91248086
Google also uses cookies to offer an opt-out. If a consumer clicks the opt-out button, Google creates an opt-out cookie, which clobbers any tracking cookie that was in place before. The opt-out cookie looks like this:
id: OPT_OUT
If you have the opt-out cookie, Google won’t place a tracking cookie on your computer. On most browsers this all works as described.
But Apple’s Safari browser–the default browser on Macs, iPhones, and iPads–puts more stringent limits on how sites can use cookies. In its default setting (“Block cookies: From third parties and advertisers”) Safari blocks most cookies coming from third parties. Users can change this setting, but very few do change it, so from here on, let’s assume that Safari is in its default configuration.
Safari allows a site to deposit a cookie onto your computer whenever at least one of the following things is true:
1. you are visiting the site directly–that is, it is the “first party” site whose URL appears in the browser’s address bar, or
2. the site already has a cookie present in your browser, or
3. the site is responding to a form that you submitted.
One consequence of this design is that Google’s opt-out cookie mechanism doesn’t work for Safari users–Google’s attempt to deliver the opt-out cookie will fail because none of the three conditions hold.
The FTC alleged that Google told Safari users that they didn’t need to worry about the unavailability of opt-out, because Safari’s cookie controls would provide the same protection as the opt-out.
Unfortunately, according to the FTC, this promise wasn’t kept. Google ended up placing tracking cookies in many Safari users’ browsers despite its promise to give those users the same treatment as opted-out users.
Google placed the tracking cookies in two different ways.
First, if you went to the doubleclick.net website, perhaps by typing in the URL but more likely by clicking an ad placed by DoubleClick, then you would be given a DoubleClick tracking cookie. Safari allowed this because it treated DoubleClick as playing a first-party role in this interaction–but no cookie would have been given to an opted-out user of another browser.
(An important detail here: Though people sometimes talk about “first-party cookies” versus “third-party cookies,” there is nothing about the cookie itself that is marked as either first-party or third-party. Instead, first-party and third-party are roles that a site can play in a particular interaction–in the same way that “home team” is not a permanent attribute of a sports team but merely a role that the team might occupy in today’s game. When somebody says “first-party cookie,” you should read that as “cookie associated with a site that is playing a first-party role at the moment.”)
The second way that Safari users got DoubleClick tracking cookies was more complicated–and this is the one that has gotten the most attention. This part of the story starts with Google wanting to put a “social advertising” cookie onto users’ computers. “Social advertising” is a feature that lets you click a “+1” button on an ad you like–and then shows the same ad to your friends with an indication that you liked it. If implemented in a straightforward way, this wouldn’t work on Safari because Safari would block the placement of Google’s social advertising cookie.
So Google overrode Safari’s cookie controls. They sent Safari a file that looked like this:
<html><head></head><body>
<form id="drt_form" method=post action="/pagead/drt/si?p=XXX&ut=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX">
</form>
<script>
document.getElementById('drt_form').submit();
</script>
</body>
</html>
I recorded this file in mid-December, 2011. The line that starts with “document….” is JavaScript code that told the browser that the user had submitted a form–even though the user had done no such thing. (The “form” was invisible and had neither content nor a Submit button, so the user could not actually submit it.) Safari, believing that the user had chosen to submit a form, would then allow Google to put a DoubleClick cookie on the user’s computer. This was allowed under condition number 3 above.
Once the first cookie was in place, Safari would then–according to condition number 2 above–allow Google to deliver additional cookies from doubleclick.net, including the DoubleClick tracking cookie. So the end result of Google’s form submission was to put DoubleClick tracking cookies on Safari users’ browsers, despite Google’s alleged promise not to do so.
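The three conditions and the cascade described above can be traced with a small model. This is an added example, not code from the original post, from Safari, or from Google; the function names, the `news.example` site, the `social` cookie name, and the stricter comparison policy are assumptions made for illustration.

```javascript
// Added example: a model of the cookie rules described in this post.
// All names are illustrative; this is not Safari's or Google's code.

// Shared rules: a site may set a cookie if it is the first party
// (condition 1) or already has a cookie in the jar (condition 2).
function baseReason(jar, req) {
  if (req.site === req.firstParty) return "first-party";
  if (jar.has(req.site)) return "existing-cookie";
  return null;
}

// Default policy as the post describes it. Condition 3 only asks whether a
// form was submitted, not whether a person or a script submitted it.
function defaultPolicy(jar, req) {
  return baseReason(jar, req) || (req.formSubmission ? "form-response" : null);
}

// Hypothetical stricter variant, for comparison only (an assumption, not a
// change made by any browser vendor): the form must be user-submitted.
function strictPolicy(jar, req) {
  const ok = req.formSubmission && req.userInitiated;
  return baseReason(jar, req) || (ok ? "form-response" : null);
}

// Replay Set-Cookie attempts in order against a policy. The jar maps
// site -> Map(cookie name -> value); a new value clobbers the old one.
function replay(policy, attempts) {
  const jar = new Map();
  const log = attempts.map((req) => {
    const reason = policy(jar, req);
    if (reason) {
      if (!jar.has(req.site)) jar.set(req.site, new Map());
      jar.get(req.site).set(req.name, req.value);
    }
    return { name: req.name, value: req.value, accepted: reason !== null, reason };
  });
  return { log, jar };
}

// Constructed scenarios; news.example is a placeholder publisher site.
const DC = "doubleclick.net";
const page = { site: DC, firstParty: "news.example" };
const optOut = [{ ...page, name: "id", value: "OPT_OUT" }];
const adClick = [{ site: DC, firstParty: DC, name: "id", value: "tracking-id" }];
const scriptedForm = [
  { ...page, name: "social", value: "placeholder", formSubmission: true, userInitiated: false },
  { ...page, name: "id", value: "tracking-id" },
];

for (const [label, steps] of Object.entries({ optOut, adClick, scriptedForm })) {
  console.log(label, replay(defaultPolicy, steps).log, replay(strictPolicy, steps).log);
}
```

Under the default policy the opt-out cookie is blocked while the script-submitted form opens the door to the tracking cookie; the stricter comparison policy blocks both steps of the scripted sequence because the jar stays empty.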
If you use Safari, you probably received a DoubleClick tracking cookie from Google during the relevant time period. As part of the settlement, Google agreed to destroy as many as possible of the DoubleClick tracking cookies placed on Safari users’ computers during the relevant period. To its credit, Google started destroying those cookies early, without waiting for the settlement to be finalized, so virtually all of the relevant cookies should be gone by now.
[Note: I modified the HTML snippet above, putting 'X' characters in place of parts of the URL in the form tag. I am not disclosing any of the exact URLs that we saw in our experiments, as a precaution against the possibility that they might reveal something about our investigative procedure.]