In the latest example of Google’s public-facing privacy push turning out to be little more than a farce, it seems the tech giant was accidentally exempting some of its own sites from a feature meant to clear browser caches and cookies in its Chrome browser. Whoops!
This loophole first came to light when iOS dev Jeff Johnson noticed that after setting up his Chrome browser to clear his cookies and cache after every session, the feature worked perfectly for every site except two: Google and YouTube.
As Johnson documented on his personal blog, when Chrome closed, it cleared only the cookies for these two Google services and retained their data in what’s known as “local storage.” While cookies are meant to track your behaviour across the web and tie that data across multiple sites, the local storage data of a particular site is meant to apply only to that site so that it can be pulled up again the next time you visit. The difference, from a tracking perspective, becomes vanishingly small when the site and browser happen to be owned by the same company. Viewed with the Chrome extension LocalStorage Manager, the data that Google and YouTube add to local storage appears to include things like device ID and GPS location.
While Google hasn’t yet responded to our request for comment on the loophole, a company spokesperson told The Register that the hiccup wasn’t the company attempting a covert data-grab, but was, in fact, a Chrome bug that was specific to “some first-party Google websites.”
“We are investigating the issue, and plan to roll out a fix in the coming days,” they added.
There’s no way to prove whether this was simply a bug as Google has claimed, but this sort of mistake is very much in line with its years-long track record of ignoring user privacy requests. Some notable examples include:
- Tracking the location of users through Google’s Maps and Search functions even after those users deliberately made the choice to pause sharing their location history
- Chrome syncing sensitive data when those same users had specifically opted out. This practice was the subject of a lawsuit this past July which claimed, among other things, that the practice violated Google’s own privacy policies
- Claiming one of its browser identifiers contained no personal information when, in fact, it did
I wouldn’t expect anything less from the company whose privacy practices are so convoluted that even its own employees don’t understand them.