Google Facing New Privacy Probe Over Safari Incident

← Back to Stories (view on slashdot.org)

Google Facing New Privacy Probe Over Safari Incident

Posted by Soulskill on Friday March 16, 2012 @04:22AM from the hand-in-the-cookie-jar dept.

An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."

89 of 134 comments (clear)

Bug? by Rik+Sweeney · 2012-03-16 04:26 · Score: 1

I still don't understand, isn't this a browser exploit that needs to be fixed? What's stopping another website from doing exactly the same thing?

--
Summation 2
1. Re:Bug? by Dak+RIT · 2012-03-16 04:31 · Score: 4, Informative
  
  It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround, because of previous agreements it has made regarding privacy.
2. Re:Bug? by Anonymous Coward · 2012-03-16 04:32 · Score: 1
  
  Yes, Apple announced they will be patching this. It still doesn't look good for Google to be exploiting a browser vulnerability, they are supposedly a reputable corporation.
3. Re:Bug? by Dexter+Herbivore · 2012-03-16 04:42 · Score: 1
  
  Do No... errr, never mind.
4. Re:Bug? by Anonymous Coward · 2012-03-16 04:43 · Score: 3, Funny
  
  If I leave my car door unlocked it's still illegal to steal it.
  LOL the CAPTCHA for this post is "burglar".
5. Re:Bug? by bkaul01 · 2012-03-16 04:47 · Score: 3, Insightful
  
  Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.
6. Re:Bug? by alen · 2012-03-16 04:49 · Score: 1
  
  yes it's a bug but in the end the user said dont do this to my computer and google still did it
  my computer is my property and google shouldn't have the right to install software/files on it if i say don't do it
7. Re:Bug? by TheRaven64 · 2012-03-16 05:01 · Score: 2
  
  It's a browser vulnerability, yes. Apple should fix it, absolutely. However, the existence of security holes has never been a valid defence for exploiting them. If it were, then there would be almost no computer-related crimes...
  
  --
  I am TheRaven on Soylent News
8. Re:Bug? by larry+bagina · 2012-03-16 06:13 · Score: 1
  
  Let's say you lock your car door. Someone comes along, unlocks your car door, and takes a shit on your front seat. Well, locks can be picked and people can shit in inappropriate places (cf Occupy Wall Street), so you can't prevent someone from breaking into your care and taking a shit. But that doesn't excuse anyone who does that. In fact, you could say that they, not the door lock, is the problem.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
Slashdot Groupthink by cpu6502 · 2012-03-16 04:28 · Score: 3, Insightful

"Google did no wrong. Google is awesome."
Realthink:
I don't trust Google anymore than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)

--
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
1. Re:Slashdot Groupthink by Anonymous Coward · 2012-03-16 04:38 · Score: 3, Funny
  
  But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!
  Ra ra my mega corp can beat up your mega corp! Apple is evil, Google loves me!
2. Re:Slashdot Groupthink by jdgeorge · 2012-03-16 04:57 · Score: 1
  
  Looks to me as if the Slashdot Groupthink is currently a rant against Google posted from new iPads.
3. Re:Slashdot Groupthink by the+eric+conspiracy · 2012-03-16 04:58 · Score: 1
  
  Hating corporations is a bit strong. They are a necessary part of an economy that is no government owned.
  I'd say just realize that they are out after their own interests and you'll be on sound footing.
4. Re:Slashdot Groupthink by schnikies79 · 2012-03-16 07:17 · Score: 1
  
  No, businesses are a necessity. Corporations are not.
  
  --
  Gone!
5. Re:Slashdot Groupthink by datavirtue · 2012-03-16 07:28 · Score: 1
  
  You are getting the two confused. Corporations morph into the acting governmental force. How is this eluding you? Google has not morphed into a governmental force, yet.
  
  --
  I object to power without constructive purpose. --Spock
6. Re:Slashdot Groupthink by datavirtue · 2012-03-16 07:30 · Score: 1
  
  I hearby declare your post a sucker-punch. AC + bitchslap + dive back into the shadows = (sucker punch)
  
  --
  I object to power without constructive purpose. --Spock
7. Re:Slashdot Groupthink by cpu6502 · 2012-03-16 07:37 · Score: 1
  
  Exactly.
  The ideal U.S. would not have an corporations..... just private-owned proprietorships or partnerships where the owners(s) are directly responsible for the actions of their company and managers/employees.
  
  --
  My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
8. Re:Slashdot Groupthink by the+eric+conspiracy · 2012-03-16 12:37 · Score: 1
  
  Nope. Corporations are necessary. Single proprietorships cannot reach the scale needed to undertake large scale economic activities such as building the world-scale infrastructure needed for say, building a modern airliner or a transcontinental railway system.
Do no Evil out the door! by stupor · 2012-03-16 04:29 · Score: 4, Insightful

If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a google.

--
Do you inspect a roller coaster everytime you ride it?
1. Re:Do no Evil out the door! by Anonymous Coward · 2012-03-16 04:34 · Score: 2, Interesting
  
  It's always been 'Do know evil'
2. Re:Do no Evil out the door! by datavirtue · 2012-03-16 07:32 · Score: 1
  
  Considering the recent productivity, they need to downsize.
  
  --
  I object to power without constructive purpose. --Spock
Investigate Apple by haystor · 2012-03-16 04:31 · Score: 2, Insightful

Isn't Safari the one misrepresenting what the security settings do?
While I'm as shocked as the next person that google knows I've been buying windshield wipers, how is it that google is being held to the promises Safari has made to its users?

--
t
1. Re:Investigate Apple by haystor · 2012-03-16 04:54 · Score: 1
  
  I'm being facetious about investigating Apple. If it's not the way it should be, close the hole.
  Google has code that raises its presence on a page to the level where it can then attach a cookie to the browser.
  I'm unfamiliar with the exact nature of this problem, but is it a matter of:
  if (BLOCKED) { circumvent() }
  or just:
  doSomething(); # Safari should have blocked this
  It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings.
  
  --
  t
2. Re:Investigate Apple by Anonymous Coward · 2012-03-16 04:58 · Score: 1
  
  Google imitated a legit form click. Blocking it in Safari will require a great deal of care to not break actual forms. This is why it's such a shit move on Googles part.
3. Re:Investigate Apple by Richard_at_work · 2012-03-16 05:02 · Score: 4, Insightful
  
  Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.
  There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isnt an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.
  Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.
4. Re:Investigate Apple by TheRaven64 · 2012-03-16 05:05 · Score: 4, Insightful
  
  Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?
  
  --
  I am TheRaven on Soylent News
5. Re:Investigate Apple by gnasher719 · 2012-03-16 05:11 · Score: 1
  
  It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings.
  The only reason to submit this form is to circumvent Safari's security settings. If the user allowed cookies to be set without user interaction, then the form is not needed. It is needed because it tricks Safari into believing that there was some user action, when there actually wasn't one.
  
  Your argument is basically "if they check whether the door is locked and climb through the window if it is locked, but go through the front door if it's not locked, that's bad. But if they always climb through the window, then it's fine". Well, that's nonsense.
6. Re:Investigate Apple by Americano · 2012-03-16 05:25 · Score: 5, Insightful
  
  Isn't Safari the one misrepresenting what the security settings do?
  It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.
  Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into an "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?
  There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.
7. Re:Investigate Apple by Anthony+Mouse · 2012-03-16 05:37 · Score: 1, Informative
  
  restrictions Apple claimed to have placed on their actions within the browser.
  The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.
  This would be a completely different thing if the default had been what it is in every other browser and it was being circumvented when the user had explicitly changed it, because in that case you have proof that the user knows how to change it and made a conscious decision. As it is they're just working around a bug in Safari that would otherwise break the functionality that users actually want.
  Incidentally, do you see the damned-if-you-do-damned-if-you-don't problem here? Suppose they hadn't done this. So the functionality is broken in Safari, and for users who don't understand why or how to fix it, the easiest solution is to download Chrome. And the next thing you know they've got the antitrust authorities breathing down their necks because their service doesn't work with their competitor's web browser, even though there is a "standard" method of fixing it (namely the one they actually used) which is employed by various other similar websites.
8. Re:Investigate Apple by DJRumpy · 2012-03-16 05:40 · Score: 1
  
  Perfectly stated. +1
9. Re:Investigate Apple by gnasher719 · 2012-03-16 05:42 · Score: 1
  
  The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.
  The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.
10. Re:Investigate Apple by Rasperin · 2012-03-16 05:46 · Score: 2, Interesting
  
  I love Google as much as the next /. tard (and hate Apple to boot, I mean comeon, look at the evil deeds of each company and apple has so much more on it.) But Google purposely exploiting a security flaw in Safari is wrong. Plain and simple, however honestly I would like to wager Apple put it there on purpose to see if they could catch Google doing this. The reason I say this is, in chess (and corporate strategy is akin to Chess at times) one might allow themselves to lose a piece (reputation loss for Apple for having a security hole, def no more than a pawn) in exchange to turn the tables or even do substantial damage to ones opponent. We all heard they were doing this with IE before safari and all of a sudden Safari now has this exploit. Millions of users (lets say 10million) + let's say a year @ 16k each = $5,840,000,000. Also, even the slashdot community is turning on Google huge reputation loss.
  A pawn for a queen, I'll take that any day. And if Apple did do this on purpose, I'm not saying they are evil, I'm saying they are smart. What I'm hoping is after this incident Google get's back on track to their 'Don't be Evil' motto. Google has been innovative, using there money to constantly make the world a better place, I can't think of the last time Apple did something truly good, but I can talk all day about Foxconn (cheapest vendor) and writing a 1500% markup on there devices with money just sitting in the bank and not really doing anything. When was the last time you heard of Apple Space, Apple with free anything, people are claiming they are contributing to the OS community but it's just ports so products work on there OS. So comparing the two, I always vote Google, even with this one evil truly evil deed. (I also don't think Microsoft was evil for forcing people to have IE, OH GOD NO... Oh wait you have to get Safari on apple, what's with that?). Googles really just a target because they don't pay off the right people it seems, and I really hope they start doing it or they're going to end up sinking the ship. I mean for gods sake Sony put a rootkit and your computer and they didn't get fined $5billion.
  
  --
  WTF Slashdot, why do I have to login 50 times to post?
11. Re:Investigate Apple by Anthony+Mouse · 2012-03-16 06:29 · Score: 1
  
  The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.
  You're begging the question. The assumption you're making is that every possible use of third party cookies is inherently a privacy violation. If all they're using them to do is to see if you're logged into Google+ (so that they can give you a +1 button), how is that a privacy violation?
12. Re:Investigate Apple by Anthony+Mouse · 2012-03-16 06:37 · Score: 1
  
  It didn't break any Google functionality. This is just for ad tracking purposes.
  Try Ghostery and see for yourself
  You can't try it anymore because they've turned it off. But what had happened was that if you were signed into Google+, on third party websites it would check for that cookie and give you a +1 button. That doesn't inherently involve any tracking at all. The possibility exists that they were using the same cookies to also track you, but that happens on the server side, so there is no real way to know that -- all this noise about privacy violations is pure speculation.
13. Re:Investigate Apple by datavirtue · 2012-03-16 07:34 · Score: 1
  
  gotta love hackers
  
  --
  I object to power without constructive purpose. --Spock
14. Re:Investigate Apple by datavirtue · 2012-03-16 07:42 · Score: 1
  
  I'm not saying they are evil, I'm saying they are smart.
  
  You can be both.
  
  --
  I object to power without constructive purpose. --Spock
15. Re:Investigate Apple by Fahrvergnuugen · 2012-03-16 07:51 · Score: 1
  
  If you leave your front door unlocked and I let myself in, do you file a lawsuit against Kwikset or do you have me arrested?
  
  --
  Kiteboarding Gear Mention slashdot and get 10% off!
16. Re:Investigate Apple by Rasperin · 2012-03-16 07:58 · Score: 1
  
  That is true, also I screwed up my multiplier (missed a 0) it's $58billion not $5.8billion.
  
  --
  WTF Slashdot, why do I have to login 50 times to post?
17. Re:Investigate Apple by Richard_at_work · 2012-03-16 09:18 · Score: 1
  
  Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.
  If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.
18. Re:Investigate Apple by Anthony+Mouse · 2012-03-16 09:27 · Score: 1
  
  Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.
  You're collapsing "can" and "do" when they aren't the same thing. The cookie could be used to track you, if every time you visit a website they record it in a database somewhere, but has anyone provided any evidence that they were intentionally doing that?
  
  If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.
  Except that they would need to read your cookie to know if you're signed into Google+ to know whether to put the +1 there at all.
19. Re:Investigate Apple by haystor · 2012-03-16 10:38 · Score: 1
  
  Which browser is it that Apple made that protects the privacy of its users? It's not Safari. That's what this is all about.
  Did Google "circumvent" only for Safari, or is this how they set a cookie for all browsers and Apple claims it's an exploit because they mislead their Safari users into thinking they had privacy.
  
  --
  t
20. Re:Investigate Apple by haystor · 2012-03-16 10:48 · Score: 1
  
  I haven't seen evidence of "knowingly and willingly" other than they wrote the code. Setting cookies like that isn't exactly ground breaking. Does google set their cookies this way for all browsers?
  If they only set it for Safari, and only when blocked, then sure. I haven't seen anyone make that claim though.
  
  --
  t
21. Re:Investigate Apple by Richard_at_work · 2012-03-16 23:30 · Score: 1
  
  And what's so bad about putting the Plus 1 button on the page regardless? I get the Facebook Like button (and a load of others) and I don't even have an account, so what makes Google special?
  The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.
22. Re:Investigate Apple by Anthony+Mouse · 2012-03-17 02:09 · Score: 1
  
  And what's so bad about putting the Plus 1 button on the page regardless?
  They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.
  
  The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.
  You keep assuming that they "went out of their way" to do this somehow. More likely chain of events is that they designed it to use cookies in the first place, then someone realized it wasn't working properly on Safari and implemented a work around. Submitting a form is far, far, far less work than figuring out how to make the whole thing to not use cookies, adding a redirect to the sign in page and otherwise redesigning the UX.
23. Re:Investigate Apple by Richard_at_work · 2012-03-17 03:16 · Score: 1
  
  And what's so bad about putting the Plus 1 button on the page regardless?
  They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.
  I don't care what they want you to be able to do, your point is ludicrous.
  Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.
  And all redirect in a new tab or window.
  So your claim that it is unacceptably disruptive to Google us just fanboyism, IMHO.
  
  You keep assuming that they "went out of their way" to do this somehow. More likely chain of events is that they designed it to use cookies in the first place, then someone realized it wasn't working properly on Safari and implemented a work around. Submitting a form is far, far, far less work than figuring out how to make the whole thing to not use cookies, adding a redirect to the sign in page and otherwise redesigning the UX.
  Come on, that's just a stupid justification - cookies are not required to allow someone to say "I like this" at all, you can do that based on the click itself.
  Google went out of their way to make it work,no matter how you try and justify it, that's what they did. And you can bet that this isn't an isolated developer going "that's odd, let's fix that".
  Google are in the wrong here, no matter how much you try to justify it.
24. Re:Investigate Apple by Anthony+Mouse · 2012-03-17 03:48 · Score: 1
  
  Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.
  Those are somewhat different species of buttons. The third party website in those cases specifically inserted code for the buttons so that users would +1/like/whatever the website's own content, which directly benefits the website. What I'm talking about is putting the button on an ad, which only indirectly benefits the website it's actually on (by making ads more relevant/profitable), and which might be on websites that hadn't wanted or expected an ad that would spawn a new tab just for that. I could also see how the advertisers themselves would object, since you have a user who was interested enough in their ad to want to +1 it who is now distracted from actually buying the interesting thing advertised by a new tab that has them signing into Google+.
  There could also be a million other reasons. Maybe they didn't even think about it, and this was the just the first implementation that came to mind. Maybe they had some internal reasons based on existing infrastructure. We're both just speculating about their motives.
  My point is that when you have a competitor playing Cardinal Richelieu it doesn't make any sense to ascribe ulterior motives to ambiguous conduct, because there is no possible way to operate a large corporation such that no one will ever do anything that can't be painted in a bad light by assuming without evidence that their motives are impure.
I bet the gov by future+assassin · 2012-03-16 04:32 · Score: 1

would change their mind if Google gave them access to that info. THEN it would be ok because the online safety of every citizen and restoring the consumable media market is paramount.

--
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
1. Re:I bet the gov by oodaloop · 2012-03-16 04:36 · Score: 1
  
  Yes, because the United States government is one unified whole, and the NSA and the FCC sit in the same office and have the same goals.
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Safari Incident by necro81 · 2012-03-16 04:32 · Score: 1, Offtopic

Before the comprehension-side of the my brain caught up, for a moment I thought we were talking about Google going out for a hunt on the savanna.
Look at the monkey! by betterunixthanunix · 2012-03-16 04:33 · Score: 4, Insightful

Why fix security problems when you can just prosecute people?

--
Palm trees and 8
1. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 05:21 · Score: 4, Informative
  
  The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.
  This all seems a lot more about this than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.
2. Re:Look at the monkey! by Anonymous Coward · 2012-03-16 06:35 · Score: 1
  
  They submitted a patch and exploited it anyway. Exploiting privacy vulnerabilities is bad, bad, bad. I don't care if Joseph Kony funds the investigation.
3. Re:Look at the monkey! by Gideon+Wells · 2012-03-16 06:37 · Score: 1
  
  The thing is a bit deeper than that. Analogy time.
  Google had this agreement. According to Anthony Mouse below in the comments, Google knew of this problem. They submitted a bug fix. So the question for the prosecution and layperson is this, was there a way Google at this point could not abuse this bug?
  Let's say there is gas pump at the only gas station in town. The pump are calibrated wrong and providing 1.5 gallons of fuel for every gallon "measured". In a fair world this would never have happened. In a fair world, if it did happen by honest mistake, Google would not be blamed for the free gas before reporting it.
  The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated. Were there alternative means to not gather this data despite the bug (using a different, properly calibrated pump) or ways to weed out this data (performing the math to pay for the correct amount of gas)?
  
  --
  by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
4. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 06:49 · Score: 2, Insightful
  
  Exploiting privacy vulnerabilities is bad, bad, bad.
  That word...I don't think it means what you think it means.
  Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web history to the jailbreak author and so on? No, not until they do something that actually impairs the user's privacy.
  Adding a +1 button to a third party website doesn't exactly fall into the same category as stealing credit card numbers or turning on one's webcam without authorization.
5. Re:Look at the monkey! by Your.Master · 2012-03-16 07:04 · Score: 1
  
  Who said anything about stealing credit card numbers? You're conflating issues radically. This isn't a grand theft trial, and nobody is talking about taking root access to your PC. This is a probe into whether Google is adhering to privacy agreements.
  My best guess is that you're objecting to the AC's use of the term "exploit" in the context of privacy (or maybe the term "vulnerability")? But what else do you call it if you say the hole is being used? It's a vulnerability, in the privacy field, which is being exploited.
  As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?
  I expect this is a case where the left hand not knowing what the right hand is doing. But maybe the left hand was doing wrong, whether or not the right hand was doing right. So you slap the left wrist (or you don't, depending on the outcome of the probe).
6. Re:Look at the monkey! by datavirtue · 2012-03-16 07:18 · Score: 1
  
  Google refuses to play their little game so the "government" is always at their heels. Microsoft started sucking up to government a long time ago to make money. They now have a lot of pull because of this in Washington whereas Google has no political power--and it seems like they want to keep it that way. Yeah, I'm a Google fan boy, and I will be until they start playing the game. Maybe they want to track their user behavior, but the obvious treatment they receive from our Washington overlords makes it clear to me that they are not doing it for any overtly nefarious reason. I just wish Google would pull their head out of their ass and focus on core competencies. They need to prioritize and capitalize on the goodwill they have with users.
  
  --
  I object to power without constructive purpose. --Spock
7. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 07:21 · Score: 4, Insightful
  
  The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated.
  You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.
  On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.
  So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with work arounds like the one Google had been using.
  So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.
8. Re:Look at the monkey! by datavirtue · 2012-03-16 07:24 · Score: 1
  
  I say the right to privacy is dead, antiquated, and probably never existed in the first place. If you want privacy then you need to consciously make an effort to protect your data. If you are not sure it is private, then assume it is not private. Don't be so beef-headed as to assume your life is private because you have not published it. I think the assholes are right, and we just don't want to admit it because of some ideological cognitive dissonance. There is no privacy on the internet. If information about you is travelling on wires all bets are off. If you want to keep something private do not send it over the wires. If you do, you must be diligent in obfuscating it.
  
  --
  I object to power without constructive purpose. --Spock
9. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 07:53 · Score: 1
  
  As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?
  It's a pretty obvious false negatives vs. false positives trade off. There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff. But they also get used by ad networks to track people between websites, which can be undesirable. The problem is that the dividing line between first and third party cookies is very blurry (e.g. is fbcdn.net 'third party' when you're on facebook.com?) and even trying to make the distinction is somewhat questionable. So you draw a line and everybody, both the providers of legitimate features and the ad network trackers, try to come in on the 'not blocked' side. Which is good when done to provide features and bad when done to track users. Then the browser vendors realize what happened and try to tighten things up against the tracking, hopefully in a way that makes it harder to track without breaking useful social network features etc.
  You can think of it like spam filtering. Imagine you have a company that makes a spam filter and operates a mailing list. Messages with certain characteristics get blocked by the spam filter. Both the evil spammers and the good mailing lists adjust their messages so that they don't get blocked, and the company consequently updates the spam filter to try to keep blocking the spam. At this point you want to haul the mailing list operator into court for taking measures to make sure their legitimate, user-requested messages don't get flagged as spam by the spam filter? Why?
10. Re:Look at the monkey! by hairyfeet · 2012-03-16 08:02 · Score: 2
  
  So if I submit a patch and they don't jump to it fast enough to suit me i can then pwn them consequence free? Don't think that is how it works friend. I would link to the former Google employee's "Why i quit Google" over on OSNews but since they guy took a job at MSFT nobody would read it anyway, but it is looking more and more like what he posted was correct. he said in the beginning they were an engineering company that made cool stuff that you could then sell ads on, he likened it to making a top rated show which then lets you make good money off its advertising because it is a quality show. but according to him the whole mood at google changed after FB showed up and started cutting into their business, suddenly all the cool engineering stuff was dropped unless it had the magical word "social" attached and it went from "How can we make this cool thing?" to "How can we monetize this and/or tie this in with our social schema". He said after trying to get his kid to use Google+ she finally told him "Its not about a product, its about people and the people just aren't there" and that was the cluebat that smacked him that the current direction was full of fail.
  Sadly we have seen this happen time and time again, where a company gets tunnel vision and all the things that made them great go right down the shitter for this all consuming obsession with some market they can't seem to penetrate. We are seeing the same thing with MSFT at this very moment with mobile, as MSFT literally wastes billions of dollars chasing a market where none of their strengths come into play and its obvious they are going nowhere. Expect to see more dirty plays like this from Google as they get more and more desperate to get a footing into the social market because they feel threatened by FB just as MSFT feels threatened by Apple. Again sad to see, both companies were great in the niches they had but instead of focusing on what made them great, Google on the cloud and making cool ways to access it and MSFT on the desktop and business server roles instead they will alienate customers chasing a market that simply doesn't fit. i wonder how many have walked away from Google after the privacy changes? Bet its not a trivial number as there are a lot of geeks that care about privacy and influence those around them, just as i saw google recommend years ago so too am i seeing sites like duckduckgo recommended now. again its a shame but once a company develops tunnel vision it seems like its damned near impossible to get them to just stop.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
11. Re:Look at the monkey! by znrt · 2012-03-16 08:49 · Score: 1
  
  There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff.
  really easy: http://www.abine.com/dntdetail.php
12. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 09:30 · Score: 1
  
  And...? What does that have to do with Microsoft lobbying the government to harass Google about ambiguous cookie settings?
13. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 10:33 · Score: 1
  
  So if I submit a patch and they don't jump to it fast enough to suit me i can then pwn them consequence free?
  To be perfectly honest I do think that computer hacking laws are totally redundant and should all be repealed. If you don't secure your system, blackhats in Russia and China (and Americans with identity-concealing botnets) are going to pwn you anyway, so it doesn't really matter whether you can prosecute the stupid ones in America because you need good security in any event and once you have it then the law is useless. All the law does is allow overzealous prosecutors to harass people, many of which are really being prosecuted for political reasons. (See: Dimitry Sklyarov, Lori Drew, etc.)
  But that's really beside the point, because the thing in question is not a security vulnerability. I made the comparison above to spam filtering: You don't prosecute the operator of a mailing list that users have signed up for when they take measures to avoid being flagged by a spam filter.
  
  they guy took a job at MSFT nobody would read it anyway
  And for good reason.
  The man makes a couple of points, but it reads like propaganda -- and the most effective propaganda has a kernel of truth. Because it's a lot easier to make a mountain out of a mole hill than to convince people that white is black. But it's still a mole hill, not a mountain.
  
  the whole mood at google changed after FB showed up and started cutting into their business, suddenly all the cool engineering stuff was dropped unless it had the magical word "social" attached and it went from "How can we make this cool thing?" to "How can we monetize this and/or tie this in with our social schema".
  The thing is, Google isn't just tilting at windmills with social. They make their money from search. They have the best search engine. Even the asshats who are always running around spamming for duckduckgo admit that half the time they have to switch back to Google because Google is better. But to have the best search engine, you have to be able to search the stuff people want to see. And a very large part of the content people want to see these days is on social networks.
  The problem for Google is that Facebook is closed. They can't index the stuff your friends are posting because Facebook won't let them, or won't let them without charging an amount that consumes the large majority of the value Google gets out of being able to index those posts. They need the web to be open if they want to be able to keep making money searching it, which is a huge problem if Facebook becomes the new web.
  The thing is, you're making this assumption that this is going to be a permanent new fixation for them. But really it stops once they win. And they don't even have to win win -- Google doesn't have to monetize social in the same way that Facebook does. I'm not even sure they've realized this yet, but they can win in exactly the same way that the web won over AOL. They can be completely, entirely open. The consequence of that is to let third parties capture a significant chunk of the value of the network, but it makes the network bigger. It's the same way that Android is taking over the smartphone space. And winning that way is stable because instead of having a single, monolithic vested interest in the status quo who can be defeated if stupid or lazy, you have a million small and medium sized companies who benefit from an open network and will fight against any new middle man that comes in and tries to eat their lunch. The amount of work it takes to knock out an intrenched open standard is huge.
  Like I said, I'm not sure Google has even realized that yet. For example, I hear a lot of people complaining that the Google+ API is read only. They probably ought to fix that. They probably also ought to put some work behind promoting Google+ as the commenting system for third party websites the way Facebook has been doing and that so
14. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 10:34 · Score: 1
  
  Google was quite explicitly abusing this vulnerability, and they got caught after signing something that suggested they would never do it.
  So says Microsoft. But why would anyone ever believe anything Microsoft says about a competitor?
15. Re:Look at the monkey! by joocemann · 2012-03-16 12:02 · Score: 1
  
  I need evidence before I can accept the reality you just pretended *is* happening.
16. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 12:21 · Score: 1
  
  Is this the sort of thing you're looking for, or do you want something else?
17. Re:Look at the monkey! by drinkypoo · 2012-03-16 13:36 · Score: 1
  
  You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.
  On the other hand, Google clearly has an agenda. It includes access to as much of your data as they can manage. So it shouldn't be hard to imagine some sort of unifying goal when you read about something like this, and consider that notscripts still blows compared to noscript due to Chrome's architecture, and so on.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
18. Re:Look at the monkey! by Anthony+Mouse · 2012-03-16 14:15 · Score: 1
  
  That sounds suspiciously like a conspiracy theory.
19. Re:Look at the monkey! by drinkypoo · 2012-03-16 15:59 · Score: 1
  
  That sounds suspiciously like a conspiracy theory.
  Two people getting together to bone a third person out of something is a conspiracy. A small handful of people deciding to lead a few products in the direction that gives their company the greatest advantage is hardly worth implying that someone is some kind of wacko over. It's precisely the Microsoft story, why should a variation be unbelievable at Google? Has human nature changed overnight? How about tactics, are they all different now?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
20. Re:Look at the monkey! by SuperAlgae · 2012-03-16 23:27 · Score: 1
  
  Crap! and my mod points just expired. Someone mod the parent up! I think people fail to realize that 50% of web development involves "hacking" web browsers just to get legitimate functions to work consistently. (Well, maybe less than 50% now that IE6 is finally getting less support.)
  While it is possible that Google violated an agreement here, that has limited relation to this being an "exploit". The negative connotation and inaccuracy around the terminology is misleading.
  P.S. When Slashdot said my mod points would expire 2012-03-17, I didn't know it meant before 6AM in the morning!
21. Re:Look at the monkey! by Anthony+Mouse · 2012-03-17 02:00 · Score: 1
  
  The difference is that in the Microsoft case they actually had some, you know, evidence. The Halloween memos and so forth. So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?
22. Re:Look at the monkey! by drinkypoo · 2012-03-17 02:05 · Score: 1
  
  So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?
  Just a theory, but at least it's supported by what evidence there is. You should particularly note that I am not proposing a sinister conspiracy, just a conspiracy.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
23. Re:Look at the monkey! by Anthony+Mouse · 2012-03-17 03:30 · Score: 1
  
  Then I guess I don't really buy it. I mean Chrome and Safari are both based on Webkit, which was mostly not created by Google. (It was originally KDE and then Apple played a big role.) By the time Google entered the scene most of the major architectural decisions had already been made and implemented, so if anybody designed it in a way that makes plugins that block javascript harder, it was KDE or Apple.
  Likewise this thing with the cookies: I mean think about it. If it was this huge top down conspiracy then why is one department submitting a patch that prevents the work around the other department is allegedly being bad for using? The whole thing smells like standard issue human imperfection rather than some grand evil master plan.
24. Re:Look at the monkey! by drinkypoo · 2012-03-17 03:40 · Score: 1
  
  The whole thing smells like standard issue human imperfection rather than some grand evil master plan.
  There you go again, moving the goalposts, and attributing things to me that I didn't say or imply. You're a troll. Go away.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
25. Re:Look at the monkey! by Anthony+Mouse · 2012-03-17 04:02 · Score: 1
  
  If I understand your point correctly it's that Google as an institution has an incentive to prevent ad blocking and so forth, which is "supported by what evidence there is," and that therefore we should ascribe that intent to the actions of its individual software engineers without any further evidence.
  What I'm pointing out is that that doesn't make a lot of sense: They don't uniformly behave as though that is their goal, and in the instances where their actions are consistent with that theory (which, naturally, are the only ones you hear Microsoft publicizing), it doesn't make a lot of sense to infer causation rather than merely correlation based on nothing more than speculation about motivation.
26. Re:Look at the monkey! by drinkypoo · 2012-03-17 05:16 · Score: 1
  
  What I'm pointing out is that that doesn't make a lot of sense:
  No, you can point that out without all the hyperbole and false association. What you're doing is trolling, and now also being disingenuous. Or really stupid. And if that's a false dichotomy, please enlighten me as to what the third way might be.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
What Google did by Animats · 2012-03-16 04:43 · Score: 5, Informative

Google created an invisible form on a web page and then simulated a click on to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.
Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.
1. Re:What Google did by TheGratefulNet · 2012-03-16 04:55 · Score: 1, Redundant
  
  Why would you believe Apple over Google. Fanboy much?
  let me tell you a story about the pot that called the kettle 'black'.
  
  --
  
  --
  "It is now safe to switch off your computer."
2. Re:What Google did by wfolta · 2012-03-16 07:05 · Score: 1
  
  What a zealot. You may disagree with Apple's view of its customers, but at least it views us end users as its customers. Google has no such illusions: their customers are carriers, and secondarily manufacturers. You know, those same carriers and manufacturers who have been screwing us for years?
  So yes, when it comes to serving its customers, I believe Apple (me as a customer) over Google (my carrier as a customer, and my information as its asset) any day of the week. And twice on weekends.
3. Re:What Google did by cerberusss · 2012-03-16 20:18 · Score: 1
  
  Exactly. Firefox also allows you to uncheck the option "Accept third-party cookies", and doesn't have this problem.
  
  --
  8 of 13 people found this answer helpful. Did you?
Re:Don't be Evil by tripleevenfall · 2012-03-16 04:57 · Score: 1

It's okay for Google to do the same things Apple and Microsoft do, because Google has goodness in their hearts.
Alert W3C posting exploit code! by Lexx+Greatrex · 2012-03-16 05:49 · Score: 3, Funny

I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....
http://www.w3schools.com/jsref/met_form_submit.asp
Even worse, this malware generating site makes exploit code even easier...
http://api.jquery.com/submit/
And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens
1. Re:Alert W3C posting exploit code! by TheNinjaroach · 2012-03-16 06:05 · Score: 1, Informative
  
  Please don't confuse the World Wide Web Consortium with the shitty spam farm known as W3Schools.
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
2. Re:Alert W3C posting exploit code! by Lexx+Greatrex · 2012-03-16 07:33 · Score: 1
  
  Please don't confuse the World Wide Web Consortium with the shitty spam farm known as W3Schools.
  There is no confusion. The satire benefits from the brevity of the w3schools and jquery links rather than the firehose of information at http://www.w3.org/Submission/web-forms2/#for-javascript, for example.
3. Re:Alert W3C posting exploit code! by TheNinjaroach · 2012-03-21 02:30 · Score: 1
  
  What are you, illiterate?
  That's a rather harsh assumption coming from someone who didn't bother to read the title of GP's post. If you are confused as to what "W3C" stands for, perhaps you should actually check out w3.org instead of asking stupid questions.
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
The security mechanism suck by morbingoodkid · 2012-03-16 05:50 · Score: 1

It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for by passing the security mechanism instead of simply adding a lock.
Very nice.
Comment removed by account_deleted · 2012-03-16 08:14 · Score: 1

Comment removed based on user account deletion
Why don't they sue themselves? by doston · 2012-03-16 09:51 · Score: 1

I love how one branch of the government is suing Google for privacy breach, while another is building a top secret domestic spy center (in Bluffdale Utah of all places), in absolute contempt of the US constitution. Is it that the right hand doesn't know what the left hand is doing or does the government think only it has the right to spy on us? And isn't Google hooked up to the NSA? How does that work? Boggles my fragile little mind. Maybe the whole thing's just a publicity stunt to keep the American Idol crowd feeling secure that they don't have to think and everything's being handled by their altruistic big brother. The whole thing stinks of deciet and snake-like corporate/government incestuous fu**ing. Blech.
Unbelievable by Pigskin-Referee · 2012-03-17 04:30 · Score: 1

I cannot believe that Google would ever do anything a nefarious as this. Only Microsoft is capable of this treachery.. Why next thing you know, they will be insinuating that there are security bugs in Firefox.

--
Pigskin-Referee
Linux: Yesterday's technology, tomorrow ...