For example, if a user filled out some information on a form in a website and hit submit, and that data is submitted (legitimately or otherwise) to a third-party website, it makes sense to keep some track of it to make sure it is submitted only once.
"But it turns out that a form on a website can be submitted not only when a user clicks 'submit,' but also when a bit of code on a website submits the form. It was a known issue that a website could create an invisible form and use a little bit of code and submit and set cookies in response to that form so that the user never sees anything, but third-party cookies can be set," says Mayer.
Despite this known bug, the majority of companies nevertheless complied with the spirit of Safari's privacy settings and very few cookies were in place on devices that had Safari's privacy feature turned on, which it does by default, which ought to wipe out all cookies.
"But we found a couple of companies had placed an inordinate number of cookies - one of which was Google," says Mayer. "Roughly 85 percent of the browsers with this privacy mechanism in place had a Doubleclick cookie."
Doubleclick is the advertising network that Google acquired for $3.1 billion in March 2008 - after overcoming both monopoly and privacy objections.
Further investigation by Mayer revealed three other major offenders in addition to Google: Vibrant Media, Media Innovation Group, and PointRoll.
The case - partly because it clearly demonstrated intent on Google's part to circumvent people's privacy settings - caused a storm of protest, with many arguing that the penalty was not nearly enough to hurt a company with revenues of $37.9 billion in 2011.
"Google has demonstrated an ability to out-manoeuvre government regulators repeatedly and ride roughshod over the privacy rights of consumers. Google continues to be disingenuous about its practices," says John Simpson, privacy project director at Consumer Watchdog.
Google, he adds, has a history of "failing to either respect the privacy of its users or even to comply with prior privacy undertakings." Consumer Watchdog has called for tougher sanctions against the Internet giant.
The issue of third-party web tracking can be dated back to the first popularization of the Internet in the mid-1990s, says Mayer. This is when web browsers were starting to integrate more sophisticated capabilities than merely displaying static text. "There was a recognition at the time that with this sophisticated functionality came the ability to learn an awful lot about what users were doing on the web," says Mayer.
Browser makers, though, ultimately chose not to implement counter-measures. "Meanwhile, companies started to be founded based on the notion that they could follow individual consumers round the web, learn what their interests are, and make predictions on what could be relevant to them and sell that information for targeted advertising," says Mayer.
Google's breach of Safari's privacy settings is not the first time that companies have creatively tried to evade them to build their databases of people's browsing history.
Some marketing networks even devised ways to exploit a bug in older browsers, enabling them to uncover a web user's history by serving up invisible links and then interrogating the browser to find out what "color" the link was: if a link had been clicked, then it would typically be displayed by the browser in purple rather than blue.
"We found these guys [a company called Epic Marketing] were doing this for over 15,000 URLs, including the National Institute for Health website," says Mayer.
Many web-tracking companies build their information databases almost without discrimination. Health websites, for example, are a particularly sensitive issue given that they can betray deeply personal information - but information that could be highly valuable to advertisers.
Furthermore, if the "first-party" website wraps a user name into a URL - which isn't uncommon - that can be passed on to a third party and associated with the user's browsing history.
"It only takes a little bit of identifying information 'leakage' to make web tracking identifiable. We found that it was going on all over the place," says Mayer.
This article was originally published on http://www.computing.co.uk/ctg/feature/2214593/-you-have-no-privacy-get-over-it.
Last Week to Save on SES London Tickets!
SES London takes place February 10-13, 2014. Learn to engage customers and increase ROI by distributing your online marketing efforts across paid, owned & earned media. Join the leaders of today's digital marketing & advertising industry. Find out more ››
*Saver Rates expire this Friday, Dec 13.
Graeme Burton is Chief Reporter at Computing.
He has 15 years of experience in news and magazine journalism, and has edited such titles as Trade & Forfaiting Review, Inside Knowledge and Managing Information & Documents.
December 12, 2013
1:00pm ET / 10:00am PT