If you plug the phrase “remove tracking cookies” into Google Search, a post I wrote nearly seven years ago comes up as one of the top results.
That 2005 post, titled “How to completely eliminate tracking cookies,” is woefully out of date. (How outdated is it? It contains instructions for Firefox 1.0.)
And yet that post is still one of the most popular I’ve ever written.
The gist of those instructions, which I have also included in every Windows book I have written for the past decade, is the recommendation that Internet users allow first-party cookies and block third-party cookies, making exceptions where necessary. This is an industry-standard, well-known method for expressing your privacy preferences, and it has worked for years and years.
The fact that so many people search for and find this page is a testament to the desire of so many people to have some control over their online privacy. They believe—rightly, in my opinion—that they should have a say in whether and how they are tracked as they move around the Internet.
And yet that task has become more difficult in recent years, when it should be getting easier.
Today’s case in point is Google’s transparent attempt to do an end run around user privacy concerns for customers who browse the web on Apple-branded devices running iOS and mobile Safari.
You can read all about the issue in this post by Peter Eckersley, Rainey Reitman, and Lee Tien at the Electronic Frontier Foundation:
“The Safari and iOS browsers have a useful privacy feature: they automatically reject third-party tracking cookies unless a user actively interacts with a widget or clicks on the third party’s ads. This is a big step up from the default settings on most browsers. Advertisers typically use tracking cookies to create an invisible record of your online browsing habits, and large advertisers can track you across huge swaths of the web. Safari offers some protection against this type of passive tracking: it specifically prevents a site from setting cookies unless those cookies are from a domain name that you have visited or interacted with directly.
“Unfortunately, that had the side effect of completely undoing all of Safari’s protections against doubleclick.net. It caused Safari to allow other DoubleClick cookies, and especially the main ‘id’ tracking cookie that Safari normally blocked. Like a balloon popped with a pinprick, all of Safari’s protections against DoubleClick were gone.”
In other words, this was deliberate.
And as if to make itself look even more guilty, Google has tried to erase some incriminating language it posted online. As CNET’s Elinor Mills notes:
“Meanwhile, Google’s Chrome team offers an Advertising Cookie Opt-Out Plugin that lets people do exactly what Safari’s default setting provides – block third-party cookies. Oddly, the instructions for confirming the default settings in Safari on that page were removed as the Wall Street Journal was preparing its news report. This is at the core of a Consumer Watchdog complaint filed with the FTC today that accuses Google of unfair and deceptive practices.”
This is why major advertising and tracking companies—and Google is the biggest of them all—cannot and should not be trusted to regulate themselves.
Now, if you’ll excuse me, I have an old blog post to update.
Update: Google is employing a different, equally underhanded tactic to work around default privacy protections in Internet Explorer as well. I have removed Google’s tracking pixel from this site.