The search giant wrote programming code that circumvented the Apple iPhone’s default privacy settings and allowed it to monitor iPhone behaviour just as it would on the mainstream internet.
Google has now modified its practices, which never involved any personal data, after it was confronted with the news by the Wall Street Journal.
Apple's privacy settings for its iPhone prevent companies from using the ‘cookies’ that routinely track user behaviour and enable web services across the internet on desktop sites. Google and other advertisers used a well-known 'workaround' to make Apple's Safari web browser behave differently, however.
Although an Apple official said: "We are working to put a stop" to the circumvention of Safari privacy settings, Google claims its practices have been “mischaracterised”.
Rachel Whetstone, Google’s head of communications and public policy, said that “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
Stanford researcher Jonathan Mayer uncovered the breach, finding that adverts on 23 of the top 100 websites installed a tracking code on an iPhone browser, compared to 22 on a test computer. Once activated by the websites in question, the code then allows the tracking of user behaviour across the web.
The cookies, however, do not collect personal information and are essential to some of Google’s free services that are popular online.
Apple’s Safari web browser is the only version available for the popular iPhone device, and Apple imposes different default privacy settings on its users compared to those, say, using Internet Explorer or Chrome on a desktop PC. Microsoft says that its IE9 browser prevents the tracking of users in this way by default.
Apple's method works by preventing tracking cookies from being installed via Safari unless a user interacts directly with a website. Google’s code made Safari believe an invisible form had been submitted, and so it permitted tracking. The technique has been known about since at least 2009.
“Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content - such as the ability to “+1” things that interest them,” said Whetstone.
She stressed that no personal data had ever been collected because Google’s system was specifically designed to be anonymous, and added that the tracking would not affect anybody who had intentionally opted out of advertising.
Google is under scrutiny over its privacy policies, and the European Union has recently called on it to pause changes to its privacy policy which the search giant claims would simplify them to a single document. That change itself was earlier requested by the EU.
The Wall Street Journal also found that advertising firms Vibrant Media, Media Innovation Group and PointRoll used similar practices.