The Trouble with Tribbles: Beyond Google’s Cookiegate Browser Settings Hype

Google found themselves in the center of another PR quagmire this week, when the WSJ reported they’d been caught circumventing user settings in both the OS X and iOS versions of the Safari browser. The search giant used a bit of code to “trick” Safari into thinking users had interacted with Google by submitting a form, which allowed Google to set a tracking cookie.

Google responded to the WSJ’s article by saying it “mischaracterizes what happened and why.” In a sense, that’s true. Google doesn’t get off the hook for using an invisible web form to trick Safari. However, there’s a lot more to the issue of user privacy settings workarounds and cookies. The bigger picture is one that users and marketers alike should be aware of and keep an eye on.

The “quirk” that contributed to the perhaps unexpectedly large scope of Google’s tracking cookie problem in Safari is the result of a Safari bug fix back in March 2010. At that time, there was no Facebook Open Graph; no Google Plus network. No one knew Google would one day amalgamate data across all their services by merging them all under one privacy policy.

On the open web, he who owns the data rules the advertising world.

How Google’s Tracking Cookie Went Rogue within Safari

In much the same way as those cute, furry Tribbles who took over the Enterprise, advertisers seem relatively harmless. People just don’t seem to realize how deeply they are infiltrating our personal lives until it seems like they’re everywhere.

While you could argue that ads are annoying and bothersome – and some do, hence the need for ad blockers – targeting also helps improve the user experience by bringing more relevant information to users. People interact with brands on Facebook and Google+ because they choose to. Many expect a certain level of interaction and personalization; this requires tracking.

Like it or not, advertising isn’t going away. As search marketers, we’re constantly trying to find the right balance, to say, “Here we are!” without pushing it too far and driving people away. The same people who complain about ads and then buy from the stores they’ve become familiar with through advertising are the ones who would complain about celebrities being hounded by photogs, then buy a tabloid magazine. You just can’t have it both ways.

According to their published statements, Google’s intent was to determine whether Safari users were signed in to Google. Safari, unlike most other browsers, blocks third-party cookies by default. As an aside, IE does the same, but using a different mechanism: in Internet Explorer, getting around user settings is even easier, from a technical standpoint. Microsoft discovered Google and Facebook have also been circumventing their browser settings, though in that case due to the ineffectiveness of a system called P3P. You can learn more about that here.

Google wanted to determine whether Safari users were signed in to Google because signed in users may have opted for personalized search, which requires tracking to ascertain their interests. The workaround Google used to do this isn’t new; in fact, it was first blogged about by developer Anant Garg in 2010. The other companies “caught” in the WSJ article were also using variations of this technique.

The third party cookie set by Google had a life span, as cookies do; after 12 to 24 hours, it was to die off and stop tracking. According to the WSJ, “…it could sometimes result in extensive tracking of Safari users. This is because of a technical quirk in Safari that allows companies to easily add more cookies to a user’s computer once the company has installed at least one cookie.”

And so began the trouble with Tribbles.

Safari’s “Technical Quirk” a Systemic and Pervasive Balancing Act for Browsers


Cartoon from Rob Cottingham

In March 2010, Apple was working on a Safari fix. In the bug’s documentation, Apple software engineer Brady Eidson described the purpose of the fix: “Currently the default WebKit + CFNetwork 3rd party cookie policy prevents any changes to non-1st party cookies. This is to prevent undesirable user tracking from 3rd parties. We should relax this policy a tad to allow setting 3rd party cookies when the 3rd party in question already has a cookie set. This shouldn’t actually open up any new tracking vectors but will fix certain real world compatibility issues.”

Further on in the documentation, Apple engineers and others discuss the potential side effects of changing the third-party cookie policy. The problem was that users were experiencing reduced functionality, specifically in relation to Facebook and Windows Live, because Safari wouldn’t accept their third-party cookies. This meant the browser wouldn’t remember events like the user signing in, so they were logged out on each subsequent visit; some usability was lost.

Essentially, Apple engineers were trying to make Safari work as seamlessly as IE, Firefox, and Opera in this regard. Safari wouldn’t recognize that a user had interacted with Facebook by signing in because it blocked the third-party cookie by default, so when the user then visited a Facebook-connected site, Safari didn’t know they’d interacted already with Facebook. Because of how the other browsers work, users expected Safari to work in the same way.

However, browsers can’t cherry-pick which websites or companies this functionality applies to. If your browser interprets one interaction as a signal that all cookies from that entity be accepted, that applies for all entities. As long as the user accepts that first cookie, regardless of how it got there or even whether they understand they accepted it, the others are allowed by default.
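The policy described above, as a simplified model (an added example, not WebKit’s code and not part of the original article): it replays constructed cookie events under the pre-fix and relaxed rules and reports why each cookie was stored. The `site()` helper, the event fields and the `*.example` hosts are assumptions, and applying the form-submission exception under both rules is a modelling choice made to isolate the effect of the relaxed rule.

```javascript
// Simplified model of the third-party cookie decision described in the article.
// Not WebKit code: function names, event format and site() are assumptions.

// Naive "site" of a host: its last two labels. Real browsers use the Public Suffix List.
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide whether a cookie from ev.cookieHost is stored while the user is on ev.pageHost.
// policy: "strict" (third-party changes blocked) or "relaxed" (allowed if that party
// already has a cookie). Returns the reason for storing it, or null if blocked.
function decide(jar, policy, ev) {
  const owner = site(ev.cookieHost);
  if (owner === site(ev.pageHost)) return "first-party";
  if (ev.formSubmit) return "form-submit"; // browser treats this as user interaction
  if (policy === "relaxed" && jar.has(owner)) return "existing-cookie";
  return null;
}

// Replay events in order, updating the jar, and record each outcome.
function replay(policy, events) {
  const jar = new Map(); // site -> Set of cookie names
  return events.map((ev) => {
    const reason = decide(jar, policy, ev);
    if (reason !== null) {
      const owner = site(ev.cookieHost);
      if (!jar.has(owner)) jar.set(owner, new Set());
      jar.get(owner).add(ev.name);
    }
    return { name: ev.name, stored: reason !== null, reason };
  });
}

// Constructed sample events; all hosts are placeholders.
const events = [
  { pageHost: "news.example.com", cookieHost: "ads.tracker.example", name: "a", formSubmit: false },
  { pageHost: "news.example.com", cookieHost: "ads.tracker.example", name: "b", formSubmit: true },
  { pageHost: "shop.example.org", cookieHost: "cdn.tracker.example", name: "c", formSubmit: false },
];

for (const policy of ["strict", "relaxed"]) {
  console.log(policy, replay(policy, events).map((r) => `${r.name}:${r.reason}`));
}
```

Cookie `c` is the one to watch: it is blocked under the strict rule and stored under the relaxed rule solely because cookie `b` from the same party is already in the jar.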

This issue isn’t unique to Apple. Browsers must constantly balance usability and functionality with privacy and security. The issues are conflicting; you could lock the browser down tightly, but it could “break” features and make the user experience miserable.

The browser market is also competitive. No one player owns the space. As of January 2012, five browsers split the majority of the market:

Mozilla’s Firefox: 37.1 percent
Google Chrome: 35.3 percent
Internet Explorer: 20.1 percent
Safari: 4.3 percent
Opera: 2.4 percent

Apple made the decision in 2010 to change the way Safari accepted third-party cookies to improve usability by allowing all cookies from a website after the user had accepted one. This improved functionality sacrificed some privacy; there was really no clear way for the average user to know that when they clicked the Like button, for example, they were actually making Facebook a first party as far as cookies go. This meant they had chosen to allow cookies that would track them around the web, across any Facebook or Facebook-connected property. With that came the increased compatibility and usability, which Apple engineers decided users would prefer (and I don’t fault them for making that decision).

We asked Apple which departments were consulted in this decision making process, but hadn’t heard back by press time. We will update you if we do.

Instead of just telling Google whether the Safari user was signed in to Google, Safari’s quirk meant the user had inadvertently opened the door to cookies sending information on every Google property they visited.

In 2010, though, there was no Google+. There was no +1 button. This is an incredibly important distinction, especially in light of Google’s plan to amalgamate their privacy policies and pool data across all services.

What Is Really at Stake? Just a Few Tens of Billions of Dollars

A second Apple software engineer points to an important concern: “By the way, it may be that the weakened third-party cookie blocking is too weak to have at all. I do think it would typically stop, say, from tracking you (assuming we fix the Flash loophole), but not sites that most users also interact with as a first party, such as of [sic] That’s more or less the same as the current default policy, though.”

At that time, though, who could have predicted that Facebook’s Open Graph might mean a user’s interaction with one site implies permission for cookies and therefore tracking across hundreds?

Who could have predicted that Google would start a social network with a +1 social plugin of their own, meaning interaction with that element could imply permission for cookies and tracking across millions of sites within the Google ad network? Could activating a +1 button on your website to help increase social presence result in site visitors unwittingly giving permission to be tracked across millions of sites using the plugin? Does searching for information on Google imply permission for them to set cookies on all Google network sites you visit in the next 24 hours?

U.S. online advertising spend is expected to top $39.5 billion this year, according to eMarketer. Some of the same companies operating the web browsers constantly trying to balance compatibility, usability, privacy and security also stand to gain a bigger piece of that pie through their advertising businesses if they master data tracking.

Right now, browsers have their work cut out for them in shaping the user experience while trying to accommodate privacy expectations. Advertising companies are largely unpoliced and working on a sort of honour system. Tools designed to assist users in protecting their privacy just aren’t working.


The trouble with Tribbles is that they appear relatively harmless, but no one had any idea how fast they would reproduce. They entered the Enterprise’s systems, interfering with essential functions and eating up everything in sight. Their appetites were insatiable, much the same as advertisers’ appetites for data.

No one saw the threat Tribbles posed until they had taken over. They see privacy watchdogs as Klingons, threatening the way of life of the seemingly harmless Tribbles. However, all of these groups are going to have to work together to find a better balance between privacy and the data collection required to offer the user experience people have come to expect.

This also means the big players in the browser world are going to have to stop pretending the other guys are the problem and come to grips with the fact that there is an industry-wide problem. Everyone is working within the same limitations.

My next article will look at initiatives and debates happening now that will define first and third parties as far as user tracking goes. New privacy standards will shape not only the privacy landscape, but the online advertising space as a result.
