Slashdot Mirror


Google Facing New Privacy Probe Over Safari Incident

An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."

20 of 134 comments

  1. Slashdot Groupthink by cpu6502 · · Score: 3, Insightful

    "Google did no wrong. Google is awesome."

    Realthink:
    I don't trust Google any more than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)

    --
    My AC stalker: "I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:Slashdot Groupthink by Anonymous Coward · · Score: 3, Funny

      But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!

      Ra ra my mega corp can beat up your mega corp! Apple is evil, Google loves me!

  2. Do no Evil out the door! by stupor · · Score: 4, Insightful

    If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a Google.

    --
    Do you inspect a roller coaster every time you ride it?
    1. Re:Do no Evil out the door! by Anonymous Coward · · Score: 2, Interesting

      It's always been 'Do know evil'

  3. Re:Bug? by Dak+RIT · · Score: 4, Informative

    It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround, because of previous agreements it has made regarding privacy.

  4. Investigate Apple by haystor · · Score: 2, Insightful

    Isn't Safari the one misrepresenting what the security settings do?

    While I'm as shocked as the next person that Google knows I've been buying windshield wipers, how is it that Google is being held to the promises Safari has made to its users?

    --
    t
    1. Re:Investigate Apple by Richard_at_work · · Score: 4, Insightful

      Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.

      There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isn't an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.

      Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.

    2. Re:Investigate Apple by TheRaven64 · · Score: 4, Insightful

      Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?

      --
      I am TheRaven on Soylent News
    3. Re:Investigate Apple by Americano · · Score: 5, Insightful

      Isn't Safari the one misrepresenting what the security settings do?

      It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.

      Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into a "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. If I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?

      There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.
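
As an added example (not code from this thread, nor Google's or Apple's), here is the approach Americano describes: a third-party widget that probes whether the browser actually kept its cookie and, if not, shows a notice with instructions rather than auto-submitting a hidden form. The `jar` accessor is an assumed abstraction over `document.cookie` so the code also runs outside a browser.

```javascript
// Added example: a third-party widget that honours the browser's cookie
// setting instead of working around it. `jar` is an assumed abstraction
// over document.cookie (set(str) / get()) so this runs outside a browser.

// Write a short-lived probe cookie, read it back, then remove it.
// Returns true only if the browser actually stored the third-party cookie.
function probeThirdPartyCookie(jar) {
  const name = "__widget_probe";
  jar.set(`${name}=1; Max-Age=60; SameSite=None; Secure`);
  const allowed = jar.get().split(";").some(c => c.trim().startsWith(`${name}=`));
  jar.set(`${name}=; Max-Age=0; SameSite=None; Secure`); // clean up either way
  return allowed;
}

// Decide what the embedded frame should show: the real widget when the
// cookie was accepted, otherwise a notice with instructions for the user.
function renderWidget(jar) {
  if (probeThirdPartyCookie(jar)) {
    return { mode: "widget", html: "<button>+1</button>" };
  }
  return {
    mode: "notice",
    html: "Your browser blocks third-party cookies, so +1 is unavailable here. " +
      "Allow cookies for this site in your browser's privacy settings to enable it.",
  };
}

// Offline stand-in for document.cookie (constructed for this example).
// A browser that blocks third-party cookies silently drops the write,
// which `accept = false` models.
function makeJar(accept) {
  const store = new Map();
  return {
    set(str) {
      if (!accept) return;
      const [pair, ...attrs] = str.split(";").map(s => s.trim());
      const [key, value] = pair.split("=");
      const maxAge = attrs.find(a => a.toLowerCase().startsWith("max-age="));
      if (maxAge && Number(maxAge.split("=")[1]) <= 0) store.delete(key);
      else store.set(key, value);
    },
    get() {
      return [...store].map(([k, v]) => `${k}=${v}`).join("; ");
    },
  };
}

// In a real page: renderWidget({ set: s => { document.cookie = s; }, get: () => document.cookie })
```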

    4. Re:Investigate Apple by Rasperin · · Score: 2, Interesting

      I love Google as much as the next /. tard (and hate Apple to boot, I mean come on, look at the evil deeds of each company and Apple has so much more on it.) But Google purposely exploiting a security flaw in Safari is wrong. Plain and simple, however honestly I would like to wager Apple put it there on purpose to see if they could catch Google doing this. The reason I say this is, in chess (and corporate strategy is akin to chess at times) one might allow themselves to lose a piece (reputation loss for Apple for having a security hole, def no more than a pawn) in exchange to turn the tables or even do substantial damage to one's opponent. We all heard they were doing this with IE before Safari and all of a sudden Safari now has this exploit. Millions of users (let's say 10 million) + let's say a year @ 16k each = $5,840,000,000. Also, even the Slashdot community is turning on Google: huge reputation loss.

      A pawn for a queen, I'll take that any day. And if Apple did do this on purpose, I'm not saying they are evil, I'm saying they are smart. What I'm hoping is after this incident Google gets back on track to their 'Don't be Evil' motto. Google has been innovative, using their money to constantly make the world a better place, I can't think of the last time Apple did something truly good, but I can talk all day about Foxconn (cheapest vendor) and writing a 1500% markup on their devices with money just sitting in the bank and not really doing anything. When was the last time you heard of Apple Space, Apple with free anything, people are claiming they are contributing to the OS community but it's just ports so products work on their OS. So comparing the two, I always vote Google, even with this one evil truly evil deed. (I also don't think Microsoft was evil for forcing people to have IE, OH GOD NO... Oh wait you have to get Safari on Apple, what's with that?). Google's really just a target because they don't pay off the right people it seems, and I really hope they start doing it or they're going to end up sinking the ship. I mean for God's sake Sony put a rootkit on your computer and they didn't get fined $5 billion.

      --
      WTF Slashdot, why do I have to login 50 times to post?
  5. Look at the monkey! by betterunixthanunix · · Score: 4, Insightful

    Why fix security problems when you can just prosecute people?

    --
    Palm trees and 8
    1. Re:Look at the monkey! by Anthony+Mouse · · Score: 4, Informative

      The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.

      This all seems a lot more about this than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.

    2. Re:Look at the monkey! by Anthony+Mouse · · Score: 2, Insightful

      Exploiting privacy vulnerabilities is bad, bad, bad.

      That word...I don't think it means what you think it means.

      Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web history to the jailbreak author and so on? No, not until they do something that actually impairs the user's privacy.

      Adding a +1 button to a third party website doesn't exactly fall into the same category as stealing credit card numbers or turning on one's webcam without authorization.

    3. Re:Look at the monkey! by Anthony+Mouse · · Score: 4, Insightful

      The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated.

      You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

      On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.

      So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade-off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with workarounds like the one Google had been using.

      So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.

    4. Re:Look at the monkey! by hairyfeet · · Score: 2

      So if I submit a patch and they don't jump to it fast enough to suit me I can then pwn them consequence free? Don't think that is how it works friend. I would link to the former Google employee's "Why I quit Google" over on OSNews but since the guy took a job at MSFT nobody would read it anyway, but it is looking more and more like what he posted was correct. He said in the beginning they were an engineering company that made cool stuff that you could then sell ads on, he likened it to making a top rated show which then lets you make good money off its advertising because it is a quality show. But according to him the whole mood at Google changed after FB showed up and started cutting into their business, suddenly all the cool engineering stuff was dropped unless it had the magical word "social" attached and it went from "How can we make this cool thing?" to "How can we monetize this and/or tie this in with our social schema". He said after trying to get his kid to use Google+ she finally told him "It's not about a product, it's about people and the people just aren't there" and that was the cluebat that smacked him that the current direction was full of fail.

      Sadly we have seen this happen time and time again, where a company gets tunnel vision and all the things that made them great go right down the shitter for this all-consuming obsession with some market they can't seem to penetrate. We are seeing the same thing with MSFT at this very moment with mobile, as MSFT literally wastes billions of dollars chasing a market where none of their strengths come into play and it's obvious they are going nowhere. Expect to see more dirty plays like this from Google as they get more and more desperate to get a footing into the social market because they feel threatened by FB just as MSFT feels threatened by Apple. Again sad to see, both companies were great in the niches they had but instead of focusing on what made them great, Google on the cloud and making cool ways to access it and MSFT on the desktop and business server roles, instead they will alienate customers chasing a market that simply doesn't fit. I wonder how many have walked away from Google after the privacy changes? Bet it's not a trivial number as there are a lot of geeks that care about privacy and influence those around them, just as I saw Google recommended years ago so too am I seeing sites like DuckDuckGo recommended now. Again, it's a shame but once a company develops tunnel vision it seems like it's damned near impossible to get them to just stop.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  6. Re:Bug? by Anonymous Coward · · Score: 3, Funny

    If I leave my car door unlocked it's still illegal to steal it.

    LOL the CAPTCHA for this post is "burglar".

  7. What Google did by Animats · · Score: 5, Informative

    Google created an invisible form on a web page and then simulated a click on it to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.

    Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.

  8. Re:Bug? by bkaul01 · · Score: 3, Insightful

    Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.

  9. Re:Bug? by TheRaven64 · · Score: 2

    It's a browser vulnerability, yes. Apple should fix it, absolutely. However, the existence of security holes has never been a valid defence for exploiting them. If it were, then there would be almost no computer-related crimes...

    --
    I am TheRaven on Soylent News
  10. Alert W3C posting exploit code! by Lexx+Greatrex · · Score: 3, Funny

    I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....

    http://www.w3schools.com/jsref/met_form_submit.asp

    Even worse, this malware generating site makes exploit code even easier...

    http://api.jquery.com/submit/

    And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens.