Google Facing New Privacy Probe Over Safari Incident
An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."
"Google did no wrong. Google is awesome."
Realthink:
I don't trust Google any more than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)
My AC stalker: "I personally agree with your posts most of the time, but that won't keep me from modding you troll"
If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a Google.
Do you inspect a roller coaster every time you ride it?
It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround, because of previous agreements it has made regarding privacy.
Why fix security problems when you can just prosecute people?
Palm trees and 8
If I leave my car door unlocked it's still illegal to steal it.
LOL the CAPTCHA for this post is "burglar".
Google created an invisible form on a web page and then simulated a click on it to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.
Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.
Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.
Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.
There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isn't an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.
Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.
Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?
I am TheRaven on Soylent News
It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.
Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into an "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?
There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.
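Added example, not part of the thread and not Safari's or WebKit's code: a small model of the cookie decision the comments above describe, comparing the submit-based exception with a stricter variant that also requires a real user gesture. The field names (`thirdParty`, `formSubmit`, `userActivated`) and the sample requests are assumptions constructed for illustration.

```javascript
// Constructed model of a third-party cookie policy; all names are hypothetical.
// Request fields:
//   thirdParty    - frame origin differs from the top-level page
//   formSubmit    - the request is a form submission from that frame
//   userActivated - a real click or key press triggered the submission

// Policy as described in the thread: third-party cookies are blocked
// unless the frame submitted a form, which is read as user interaction.
function submitExceptionPolicy(req) {
  if (!req.thirdParty) return true;
  return req.formSubmit;
}

// Stricter variant: the exception also requires a real user gesture.
function gestureRequiredPolicy(req) {
  if (!req.thirdParty) return true;
  return req.formSubmit && req.userActivated;
}

// Constructed sample requests.
const SAMPLES = [
  { name: "first-party page load", thirdParty: false, formSubmit: false, userActivated: false },
  { name: "third-party frame, no interaction", thirdParty: true, formSubmit: false, userActivated: false },
  { name: "third-party form, user clicks submit", thirdParty: true, formSubmit: true, userActivated: true },
  { name: "third-party form, script calls submit()", thirdParty: true, formSubmit: true, userActivated: false },
];

// Returns { sampleName: cookieAllowed } for one policy.
function evaluate(policy) {
  const out = {};
  for (const s of SAMPLES) out[s.name] = policy(s);
  return out;
}

// Names of the sample requests whose outcome differs between the two policies.
function changedByStricterPolicy() {
  const lenient = evaluate(submitExceptionPolicy);
  const strict = evaluate(gestureRequiredPolicy);
  return Object.keys(lenient).filter((k) => lenient[k] !== strict[k]);
}

console.log(evaluate(submitExceptionPolicy));
console.log(evaluate(gestureRequiredPolicy));
console.log(changedByStricterPolicy());
```

The stricter variant changes the outcome only for the script-submitted form, which is also the case where a legitimate third-party form submitted by script would stop getting its cookie: the compatibility cost raised earlier in the thread.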
I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....
http://www.w3schools.com/jsref/met_form_submit.asp
Even worse, this malware generating site makes exploit code even easier...
http://api.jquery.com/submit/
And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens