How Google is tracking Safari users on third party sites

A couple of weeks ago, google started to stop redirected users from Google.com to localized versions of the search engine. This rather innocuous change is likely to have effect on the way safari anti tracking protection copes with Google cookies. Indeed, Safari now deletes cookies of sites you have not interacted with over the last 24 hours [1]. If you type Google.com and then are redirected to google.fr, you actually don’t interact with google.com.  So Safari does not give Google a 24h permission to track you on other domains of the search engine.That won’t happen if Google stop redirecting users and just let them on google.com where they will interact with the search bar and other elements.

Why this is ironic

This is not the first change Google made to the way they handle localized domains. Google made an initial announcement, a couple of months ago, to tell users that localized domains would not be that relevant anymore [2]. Now Google seems to be deprecating local URLs to put everything under the google.com domain. This is quite ironic, because up to last year, they were arguing in a French Right to be forgotten case that google.fr and google.com were providing significantly different services [3]. The French court did not follow the reasoning. At that time Google was arguing that only 3% of European were searching on google.com while the remaining 97% were using localized version [4]. Today it seems that it’s actually 60-40 [5].

How Google is tracking Safari

Previously, Google advertising cookies on third party websites were only set from doubleclick.net. Users hardly interact with doubleclick.net so it was likely that Safari would block doubleclick cookies. Since September, Google has also started to set an advertising cookie from its Google.com domain. You can track the change of Google cookies explanation page via webarchive, and it seems that Google added the description of the ANID cookie in September [6]. However, you may not have noticed this new cookie in your browser. Indeed, I did a couple of tests to see this cookie but, oddly enough, Google is only setting this cookie on Safari browser. I did a couple of tests using Chrome and Edge developper tools, to emulate different mobile browsers: all iOS devices had the ANID cookie set, none of the other device did receive the ANID cookie.  Hence, Google is giving a special treat to Safari users, similarly to what Google did in 2012 in bypassing Safari tracking protection.

This may help other advertisers to track you

That being said, Google is only following Facebook here. Both are big first parties that – unlike mostly third party websites – were expected not to be impacted by Safari’s measure. It does not seem illegitimate for Google to take the same stance than its major competitor in the online advertising market. Yet, the ramifications of Google moves are more critical.

Unlike Facebook, Google is a major Web ad-exchange platform. It means that Google is hosting auctions where buyers get an opportunity to show an ad on your browser and to synchronize their cookies with those of Google. So if Google is in capicity to bypass Safari tracking protection and to keep cookies on user’s browsers, it’s likely that it will also benefit to all the ad-auction participants. Through Google cookies, third parties will be in capacity to recognize users even though their own cookies have been deleted by Safari. The stability of the Google cookie will technically allow third parties to track browsers over more than 24 hours.

In some sense, this is worse than before, when Safari was blocking all third party cookies and when Google was only serving ads and hosting auctions from the doubleclick.net domain. If Google is in capacity to leverage this advantage, it could be a significant blow to the competing ad-exchange marketplaces who are not in capacity to track Safari users over more than 24 hours.

 

Vincent Toubiana (@vtoubiana)

[1] “Intelligent Tracking Prevention”, https://webkit.org/blog/7675/intelligent-tracking-prevention/

[2] “Making search results more local and relevant” https://www.blog.google/products/search/making-search-results-more-local-and-relevant/

[3] “Au Conseil d’État, la portée territoriale du droit à l’oubli sur Google”, https://www.nextinpact.com/news/104691-au-conseil-detat-portee-territoriale-droit-a-loubli-sur-google.htm

[4]”Google says non to French demand to expand right to be forgotten worldwide “, https://www.theguardian.com/technology/2015/jul/30/google-rejects-france-expand-right-to-be-forgotten-worldwide

[5] “The end of google.{your country}?” ,https://whotracks.me/blog/google_domains.html

[6] “Types of cookies used by Google”, https://web.archive.org/web/20170909225414/http://www.google.com/policies/technologies/types/

[7] “Google Busted With Hand in Safari-Browser Cookie Jar”,  https://www.wired.com/2012/02/google-safari-browser-cookie/