Google Facing FTC Fine Over Safari Privacy Breach

suraj.sun writes "Bloomberg is reporting on Google's negotiation with the U.S. Federal Trade Commission over 'how big a fine, which could amount to more than $10 million, it will have to pay for its breach of Apple's Safari browser. The fine would be the first by the FTC for a violation of Internet privacy as the agency steps up enforcement of the Web.' Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time. 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' This February, Google was found to be bypassing privacy controls in Safari by making the browser think a user was submitting a form, when they actually weren't. '(The code used by Google was part of its program to place the "+1" button in advertisements.) At the time, the company issued a statement saying that the circumvention wasn't intentional, but privacy groups were still quick to file complaints with the FTC over Google's actions. That was quickly followed by a class-action lawsuit and an investigation by European regulators.'"

This is stupid

[fustakrakich]

Will Apple be fined for for the defects in their browser? This only gives Google more incentive to cover their tracks better.

Re:This is stupid

You admit that Google was being deceptive but that Apple is responsible for Google's having to be even more devious in the future. Nice.

Re:This is stupid

[larry+bagina]

If you forget to lock your car door and someone steals your car, should you be arrested as an accessory to grand theft?

Re:This is stupid

(Guy who thinks that copyright infringement is stealing)

Re:This is stupid

[Overly+Critical+Guy]

Posts like yours are why people think Slashdot's readers are biased in favor of Google.

Re:This is stupid

If you forget to lock your car door and someone steals your car, should you be arrested as an accessory to grand theft?

Poor car analogy, not least because your insurance company might not be very sympathetic, and also because it isn't the end user's fault in the Safari case. Better analogy:

If your car manufacturer builds a faulty door lock, and the car gets stolen, should the manufacturer have liability (i.e. should you be able sue them for loss of your car when you had some expectation of security)? Probably, the answer is "yes" (but probably you can leave the insurance guys to take them to task instead, since they're the ones losing more than CDs and fluffy dice that you got from Auntie Mavis).

Re:This is stupid

[fustakrakich]

Pfft whatever... If Google broke the law, they should be fined. It will be a slap on the wrist anyway. If not, write a nasty press release about them, and let god sort it out. This is like the senate wasting an infinite amount of time on steroids in professional sports.

Re:This is stupid

So where was the mega-billion dollar fine for Apple posting every wifi/cell enabled i-device clear-text location with contact details???

Hmmmm?

Fuck, company should have been driven into the grave with their asshole leader.

Re:This is stupid

You admit that Google was being deceptive but that Apple is responsible for Google's having to be even more devious in the future. Nice.

Hi, this is Rupert with Fox News. We love the spin you applied to the story, it's nearly unrecognizable! We'd really appreciate it if you sent us your resume, we could use more reports of your caliber.

Re:This is stupid

[Kotakee]

I think it would be time for law enforcement agencies to step in and do something about Google's constant abuse. They have shown their constant blatant abuse of the law for a long while already. Google has also got one of the largest fines government has put on any company when they were allowing rogue pharma ads on AdWords (500$ million fine).

The next step is to break up the company. Leave Google as search engine and remove their advertising business as separate one. Do the same for YouTube, Chrome and other parts. Monitor that they actually work independently and that they also work with other advertisers than the old Google advertising arm. Make it clear that if this shit continues, their whole operation will be shut down and the owners and CEO's jailed.

This is the only way that works and how we can stop Google's abuse.

Re:This is stupid

[TheRaven64]

While I don't totally disagree that this is a good idea, I can think of quite a lot of companies that should be higher up the list for this kind of intervention. For example, almost every telecoms or energy company...

Re:This is stupid

[beelsebob]

No, more accurately –if the manufacturer builds a faulty lock, and bill steals the car, should bill still go to jail for theft ;)

Re:This is stupid

Do they now?
Every story about Google has 85% of the posts bashing Google, even if you look back as far as 2006.

How about fix the browser

[Galestar]

They were using a legitimate feature of the browser. It's not as if they were hacking/etc.. anyone can do this and submitting forms has been around since the web was born. If Apple wants to block cookies on 3rd party form submissions they can go right ahead. Until they do the blame is on Apple not Google.

Re:How about fix the browser

[bonch]

That's ridiculous. It just so happens that Safari's default blocking of third-party cookies impacts Google's advertising business, and it just so happened that Google circumvented that setting? They were weaseling their way around user privacy settings by intentionally tricking Safari into thinking they were first-party cookies.

You have to hold the company some standard for moral behavior or else they're no better than the irritating, pop-under advertising companies of yore.

Re:How about fix the browser

Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

Re:How about fix the browser

[jo_ham]

That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google can do no wrong"?).

Safari already blocks third party cookies by default, and to get around that "pesky" setting that prevents Google's ad tracking from working (and making them money), they designed a process that used an exploit to trick Safari into believing that user authorisation had been given to set the cookie anyway.

No one is disputing that Safari needs to close that exploit (I'm sure it's being worked on, if it hasn't been closed already), but this certainly CAN NOT be described as "legitimate" use of a browser feature by any stretch of the imagination. It was an browser exploit designed to get around Safari's privacy settings.

Put it this way, the user has the setting that says "do not accept third party cookies unless I specifically say so" and Google's response and direct action to that was "nah! that's really inconvenient to us, so we'll set that cookie anyway even though you have specifically said no"

"Do No Evil (unless it interferes with the bottom line)".

Re:How about fix the browser

[flyingsquid]

Let me preface this by saying that I like Google. Google is my homepage, I use Google and Gmail on a daily basis, and I literally don't know how I could do my job without Google and Google Scholar. I liked the fact that they took a stand on the China issue, and I like the "do no evil" ethos.

But there have been a lot- and I mean a lot- of recent reports about Google failing to live up to the whole "do no evil" thing. To sum up some recent stories about Google: Google paid $500 million to the government for aiding illegal sales of online pharmaceuticals, Google has come under fire for capturing information from people's Wifi networks using Street View, Google has intentionally worked around Safari privacy settings, Google deliberately turned a blind eye to copyright violations on Youtube because they wanted to build the site's popularity...

I think Sergei Brin needs to stop bitching about how Apple and Facebook are threats to our online freedom, and take a long hard look at his own damn company. Lately, their philosophy seems a lot less like "Google should do no evil" than "Google can do no evil". One or two stories I would be willing to write off as honest mistakes, but there's a clear pattern here. The common theme to all of these stories about Google is an attitude of arrogance, a lack of accountability, and the idea that they can just ignore the rules everyone else has to play by. There's an element of trust involved in allowing a company to host your email and your documents, and to see what you're searching for online. If they go too far and people lose faith in the company, then they're going to suffer for it.

Re:How about fix the browser

I would like Google to continue turning a blind eye to copyright violations on YouTube. There are many things that I've watched on YouTube, like foreign television programs for example, that simply aren't available on cable and never got licensed.

Re:How about fix the browser

I don't know. Don't forget to distinguish between evil and illegal.

Some could argue that the only thing on your list of evil that's actually evil is the safari issue.

Facilitating selling "fake" prescriptions? That's evil because otherwise big pharma doesn't gets to charge 10 times the price?

Sticking up to **AA? I'm sorry but I hardly consider that evil. If that was legal, I would do that all day long.

Re:How about fix the browser

[kllrnohj]

That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google is evil"?).

First, blocking third party cookies is the browser's job. The site has *zero* way of knowing what that setting is. Google literally cannot respect that setting by itself, they don't have that information.

Second, the issue isn't remotely what you think it was, nor is it an "exploit" at all. Go read the actual webkit bug: https://bugs.webkit.org/show_bug.cgi?id=35824 Google didn't bypass anything - webkit has a special case for if you already had a cookie from the 3rd party, it would enable 3rd party cookies under the assumption that the site wouldn't set any "tracking" cookies. The whole "privacy breach" bullshit stems from the bug where if you already had a G+ cookie but not an ad cookie and you had ad tracking enabled on your account, when you encountered embedded G+ on a site the ad cookie would get set as well. This only worked because you *already* had cookies from Google, which is why Safari would accept the cookie in the first place.

Of course, anyone with any clue how cookies works knows that removing the ad cookie doesn't actually change anything - it doesn't affect the data Google gets (they already know who you are with the legitimately set cookies that triggers webkit's special case in the first place - aka, the user being logged in), and it doesn't do anything by itself. No privacy implications whatsoever, no exploits, nothing. A story was made over nothing because the people that fueled the story had no clue what they were reporting on.

Re:How about fix the browser

[VortexCortex]

Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

Safari does NOT block third party cookies. Safari blocks SOME third party cookies -- You know, unless the user interacts with 3rd party assets, then they don't block the 3rd party cookies at all. The issue is caused by Safari's erroneous concept of what a user initiated event is. Which it damn sure knows how to tell the difference between a user initiated event! That's how pop up blocking has worked for over a decade. It's defective by design. Submitting a form to a hidden iframe is how we made Ajax work before XML HTTP Request was born, so it's not like Google did some magic mojo. I used to be able to pass JS variables across domains via iframe, but now browsers don't allow that -- Was I fooling the browsers by using their features before they disabled the feature?

Oh I can hear the apple sauce sloshing already! But you're WRONG. You see -- There's this thing called JavaScript, and using it I can hover a 1px invisible iframe around under your gods damn mouse cursor -- And within that iframe: A 3rd party site. Now, just try and click anything. TADA Safari not blocking 3rd party cookies again. BECAUSE THEY DON'T. Well, actually yes... Safari does block a few 3rd party cookies -- But only if the 3rd party doesn't really want you to have the cookie. That you can't easily tell your browser WTF to do and have it just do what it says the option is Ridiculous. Here, I'll show you:

if ( Third_Party_Cookies_Disabled && window.top.location != window.location ) return; // without setting the cookie.

But NOOO! Safari has some other explicit BS logic that makes EXCEPTIONS to the rule. On Purpose! Google used such features that Apple devs made... And the dumb ass users got pissed off because their browser wasn't doing what they told it, but they couldn't blame Apple -- NO! Not Apple! So who? Google -- Protip: Google's not the only one bypassing your 3rd party cookie "blocking" system... Hey, doesn't Apple sells ads too? I bet they want them to "just work" too.

Google was only serving up the form to people who were logged in to the service and had accepted their privacy policy stating that GOOGLE WOULD DO THIS.

Also, if you disable all cookies in Safari -- It keeps sending my sites your cookies. You have to restart the browser before that setting takes effect. Why? Why doesn't that just work?! Every other browser just stops sending the cookies. Why? Because the names of the settings in Safari are specious. They're misinformative to say the least! "Disable 3rd party cookies unless you just recently changed the setting, or you accidentally click a 3rd party site, or the page submits a form or some Javascript puts a button under your cursor, or a bunch of other BS logic that we added to specifically ALLOW 3rd party cookies." -- THAT is what Safari does. RTFM next time, then test the software to be sure the manual's not lying. -- That's what I did.

Re:How about fix the browser

[VortexCortex]

Also there's this:

Blocks outgoing cookies
All web browsers (known bugs notwithstanding) are able to block incoming cookies and prevent them from being stored and used either temporarily or permanently. But only Firefox and Opera are designed to block the sending of any cookies they might have previously acquired but which the browser's cookie policy now blocks. If either Internet Explorer or Safari are set to block cookies, only newly arriving (incoming) cookies are blocked. They will both continue sending any (undesired) cookies outbound that they had previously acquired . . . which is almost certainly not what their user intends.

From GRC's cookie research pages -- Which is what I've also observed. You disable 3rd party cookies, and yet it continues sending out any 3rd party cookies they already have set. The page is a bit outdated, since FF3 is out, but the statement about Safari holds true.

Sure doesn't sound like it's Disabling 3rd Party Cookies to me....

The users need to smarten up, too.

While Google and Apple carry some of the blame for this incident, don't forget that the users of both their products are to blame, too.

Even stupid people know that there are some neighborhoods in every city that you just don't go into if you know what's good for you. The same goes for computers and the Internet. There are some companies and product that you should stay the fuck away from if you care about your money, your privacy, and the security of your computers and their data.

If you're going to use Apple products, especially their closed-source apps, you'll need to accept that you'll be using software with bugs, and you likely won't have the freedom or ability to fix the problems yourself.

Likewise, if you're using any of Google's products (this includes not actively blocking their ads and other analytics crap), then you're basically saying you don't give a fuck about your privacy.

We don't feel sorry when some dipshit goes walking up and down Martin Luther King Jr. Boulevard at night and gets robbed or even possibly killed. Similarly, we shouldn't feel sorry when some dipshit uses products from Apple and Google and gets screwed in some way for doing so.

All fines too extreme

Here's a case where the fines and costs were a couple of orders of magnitude in excess of the damages.

Michael Milken

http://en.wikipedia.org/wiki/Michael_Milken

"The estimated injury for all counts combined was, by the judge's account, $318,000 and by the U.S. Probation Office's account $685,000.[12]

As part of his plea, Milken agreed to pay $200 million in fines. At the same time, he agreed to a settlement with the SEC in which he paid $400 million to investors who had been hurt by his actions. He also accepted a lifetime ban from any involvement in the securities industry. In a related civil lawsuit against Drexel he agreed to pay $500 million to Drexel's investors.[13][14] In total this means that he paid $1.1 billion for all lawsuits related to his actions while working at Drexel.

Critics of the government charge that the government indicted Milken's brother Lowell in order to put pressure on Milken to settle, a tactic condemned as unethical by some legal scholars. "I am troubled by - and other scholars are troubled by - the notion of putting relatives on the bargaining table," said Vivian Berger, a professor at Columbia University Law School, in a 1990 interview with the New York Times.[15] As part of the deal, the case against Lowell was dropped. Federal investigators also questioned some of Milken's relatives—including his aging grandfather—about their investments.[6]"

Summary:
the judge's account, $318,000 and by the U.S. Probation Office's account $685,000
As part of his plea, Milken agreed to pay $200 million in fines
He also accepted a lifetime ban from any involvement in the securities industry.
Originally sentenced to 10 years in prison

That is not "equitable".

The FEDGOV treasury was not damaged yet received and kept $200m. None of that was given to victims, real or perceived.

JJ

Re:All fines too extreme

[sexconker]

Punitive fines are a thing. They are designed to discourage bad behavior.

If fines only made you pay back damages, then there is no disincentive to fuck people over.

WHILE(1){
Cheat();
IF(CAUGHT) Pay Fine();
}

With punitive damages:

WHILE(IsProfitable(totalFines, totalIllicitGains)){
Cheat();
IF(CAUGHT) Pay Fine();
}

Re:All fines too extreme

WHILE(IsProfitable(totalFines, totalIllicitGains)){
Cheat();
IF(CAUGHT) {
Pay Fine();
CONTINUE; ????
}
}

PROFIT?????

Re:All fines too extreme

Now why do you suppose he agreed to pay $1.1 billion in fines. You know nothing of what happened. From your own link he made over $1 billion in 4 years. he only had four losing months in 17 years of trading. Yeah all that insider trading and racketeering only caused less than half a million in damages. You'd have to be really dense to believe that. Plus you (and I) are off-topic.

Absolutely right!

[gnasher719]

Safari lets the user choose in which situations cookies are accepted from a website. One of those situations is when the user fills out a form on the website, so clearly the user has knowingly interacted with the website. Google subverted this by secretly creating a form and pretending that it was filled out by the user, tricking Safari into accepting cookies. That was no accident, that was a deliberate trick to get around the user's privacy settings.

Since Google was on the hook for previous privacy violations, and had agreed to a settlement where they agreed that the FTC should check for further violations, a fine at this time is quite correct.

Re:Absolutely right!

[Overly+Critical+Guy]

Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined! Seriously. It's like, at what point do you hold Google accountable for anything? Because according to supporters, the Street View thing was okay, Google Search Plus Your World excluding other more popular social networks was okay, the bypassing of Safari privacy controls was okay...and so on. The constant defense of their actions is getting really silly.

Google really needs to do some soul-searching. 2012 has just been a year of controversy after controversy, and we're not even halfway through. Larry Page's attempt to force social networking throughout Google products, as well other initiatives that it's hard to imagine the old Google embarking on, have put a sour image on the company lately.

Re:Absolutely right!

[arose]

Is Google supposed to read Safari settings? You tell your software it should do X, it doesn't. Fine third party?

Re:Absolutely right!

[fustakrakich]

Oh please! I don't give a shit about Apple, who could simply patch the hole and be done with it, if they haven't already, or Google, who just happens to be the internet's official pen tester. I mean, what do you expect? They all just want to sell you shit (and track your every move). Just say no.

Re:Absolutely right!

[symbolset]

This is a fairly standard method. If Safari's design allows more disclosure than intended that's Safari's fault, not Google's. If this is not the intended functionality it's a browser bug and should be fixed.

Re:Absolutely right!

[jo_ham]

It's not quite that simple and you know it.

The default setting is "no third party cookies unless the user specifically says so" so Google can't just set a third party cookie. What they can do (and did do) is trick the browser into accepting a cookie by silently creating a form and auto-submitting it to get around the privacy setting.

It was a browser exploit, plain and simple. It needs to be fixed, obviously, but it's not the fault of Apple that Google used the exploit.

Re:Absolutely right!

[jo_ham]

Wow.

The level of Google apolgism on display here is astounding.

It is *absolutely* Google's fault that they deliberately exploited a browser flaw to get around the default privacy setting. The flaw needs fixing, yes, but that doesn't mean Google is in the right to exploit it while it exists.

Since when did the existence of software bugs provide immunity from bad behaviour for those who exploit them?

Re:Absolutely right!

Hi bonch.

Please stop spamming the input queue. Your karma will never recover. Your sockpuppets are lame, and everyone knows about them.

No one believes that the same few accounts are normal people who are simply absolutely livid about Google but who cannot fall over themselves fast enough to praise Apple. We know that you are a paid shill; there's no point pretending anymore.

Please stop wasting everyone's time.

Thanks, /.

Re:Absolutely right!

[jo_ham]

Not bonch, never been bonch, never will be bonch, but nice troll attempt. I thought all this nonsense ended a couple of months ago?

Re:Absolutely right!

Cool, so you just happen to post pro-Apple/anti-Apple-competitor comments on the same articles that bonch sockpuppets submit? Not just once, but every single time?

Well, there's nothing suspicious about that. Carry on, bonch. I mean "jo_ham". Who definitely was not paid to post that. I mean it. "jo_ham" said they weren't bonch, even if they post the same things in the same stories. "jo_ham" is definitely "jo_ham", a fanatical Apple fan who is definitely not paid to promote Apple and who definitely is not bonch despite commenting on bonch stories, maintaining the same Apple marketing-driven narrative as bonch, and posting the exact same text as bonch.

Nope, "jo_ham" is totally not bonch. Just like "Overly Critical Guy"! So many coincidences, isn't slashdot wonderful that we can find so many like minded people all in one place. Good on you "jo_ham", some day I bet you, bonch, and Overly Critical Guy will have a picnic together, and it definitely won't be just one person by himself.

http://hardware.slashdot.org/comments.pl?sid=2610238&cid=38633504

http://mobile.slashdot.org/comments.pl?sid=2603986&cid=38588330

http://slashdot.org/comments.pl?sid=2623956&cid=38725924

Re:Absolutely right!

[jo_ham]

So, what you're saying, GreatBunzinni, is that you have no evidence beyond "I post on the same website as bonch" and "I share similar opinions"?

I've got news for you, son, not everyone who disagrees with you is the same person, nor is everyone who disagrees with you paid to do so because otherwise how else can they justify posting "obviously incorrect" information. I've been on this site since registering this account from new, and I've been the same person (and never anyone else) in that time. I've posted AC on a handful of occasions, usually because I forget to login and I'm browsing on a public machine.

You can claim we're all the same person and really wish hard all you want, but it doesn't make it true. Of course, I've got no way to actually *prove* that I'm telling the truth, which is what makes an Anonymous Coward "calling me out" as a shill and sockpuppet such a brilliant tactic for you - you have no accountability or name, and no karma. You can simply spout your inaccurate information safely from the sidelines and I have no way to definitively prove you wrong, other than an appeal to common sense on the part of anyone reading this (and given we're a few posts deep in this now, who's really reading this, other than you - I assume you keep coming back to check on your "targets" since /. won't send you email notifications to an AC post. I'd wonder aloud "do you have a life?" but that's getting into ad hom territory.

I'm pro-Apple, yes - I use Apple stuff all the time. I'm also pro-Linux and pro-Open Source, and pro-Google, and even (shock horror!) pro-Android and occasionally pro-MS when they're not making my life annoying (I have some Vista machines knocking about). I use all of those things regularly (with the exception of Android - I don't use it regularly) It doesn't mean I can't criticise any one of those things without it being some sort of vast conspiracy of multiple accounts. I have criticisms and praise for all of those things listed (and more!). I thought that's what slashdot was all about? Y'know, discussion?

It's going to get awfully dull if only "approved" messages are allowed to be posted - all policed by ACs with no accountability of course!

Re:Absolutely right!

[pseudofrog]

Thankfully, we have companies like Microsoft and Apple -- true bastions of ethical business practice. It would be a shame if we lost their litiguous, anti-competitive behavior.

Re:Absolutely right!

[symbolset]

We've been working around browser features for a long time. We started learning how with IE 3.0. The foibles of browsers being what they are to claim some criminal intent on the methods of site designers for minor privacy issues with an individual browser devolves into everybody involved in Internet technologies being sent to the Gulag. That's going to impede progress.

Re:Absolutely right!

[jo_ham]

Like I say, major apoligism for Google here.

Look, I like them as much as the next guy (use Chrome, have gmail, use google maps all the time, use google search etc), but what they did here was wrong on a level that simply can't be handwaved away as "oh, it was a browser fault" or "oh, they didn't realise they were doing it" or "well, it's how it's always been done".

The setting is "no third party cookies unless allowed specifically by the user". Google exploited a flaw to get around that user setting to do it anyway for financial gain. They're also not "being sent to the Gulag" or any such equivalent punishment. They're getting a fine for being naughty.

Re:Absolutely right!

[symbolset]

You already pasted this objection into your response to the grandparent comment, so I don't know what additional you expected to get here.

Re:Absolutely right!

[TheRaven64]

Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined

Well, it was only possible for Google to exploit this security hole because the security hole existed, and that was Apple's fault. If you check back in the archives, you'll see a lot of people suggesting that Microsoft should be held liable for security holes in Windows, Internet Explorer, and so on. The reason this is unlikely to happen is that making developers liable for every bug (and almost any bug is a potential security hole when you're talking about a browser) would push development costs to such a high level that only governments would be able to afford software. Companies writing software for aerospace are often held to this sort of level, and their development costs are hundreds of times higher than for commodity software - and even then they still have bugs, just not as many.

Re:Absolutely right!

[arose]

Id doesn't matter what the setting says. In this case the setting lied (no third party cookies... but we'll set them anyway) and the cookie owner is being blamed for not carefully follwing what the browser setting claims to do, not what it actually does. This is a design flaw, not an exploit. Google didn't inject code into Safari, didn't break into the user's machine and chaged the settings. I'm more worried about setting precedents that constrain third parties into doing what the first party understood a setting in the second parties product to mean. Currently we are free to deal with what software actually does and malicious activity is well understood. No reason to upset that balance by tryin to codiy who should behave like when to be morally clean.

Re:Absolutely right!

[jo_ham]

Again, this is not about the setting "lying". The setting works perfectly well - if you try to set a third party cookie the browser prevents it. That is why Google resorted to an exploit to get around it.

Again, the exploit needs to be fixed - that is not in question - but the use of the exploit is not in any way Safari's fault.

Your attempt to get Google off the hook here or somehow justify their choice to deliberately ignore user's settings and invade their privacy by tracking them is quite remarkable. I thought slashdot was all about user privacy and being able to stop companies from knowing your every move online. I guess only when it's not Google doing it, eh?

Re:Absolutely right!

[arose]

The setting works perfectly well - if you try to set a third party cookie the browser prevents it.

If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.

their choice to deliberately ignore user's settings

The browser is what ignored the setting, there can be no question about this as Google didn't modify its behaviour. The real question is where workarounds of software problems (this is very, very common in web programming, a point you are trying to ignore) becomes unacceptable. Remember that aside from tracking this does affect Google's infrastructure. Yes, they deliberately tied their tracking with their products, but that was a choice made independently of tricking Safari into accepting their cookies.

I thought slashdot was all about user privacy and being able to stop companies from knowing your every move online.

You forgot the part where slashdot is also all about innovation, rapid development and not placing undue burdens onto third parties. With that in mind respecting the users settings has always been up to the software presenting the settings just as fixing exploits has been up to the software's developers. If you want to make it illegal for Google (or anyone else) to track you online the way to do it is to mandate that you are not logged at all if a certain flag (that is not used for anything else is present, anything else is reading tea leaves. Is it to be illegal to store data through Flash or localstorage if it is inferred that cookies are blocked? What about fingerprinting? Pixel sized images? What if my webkit browser that pretends to be Safari randomly drops half of all third party cookies? What is Google obligated to infer from such a technical artifact. More importantly were does my obligation to read the users mind end if I set up a web service? Fuck Google, this kind of thinking affects everyone with a webserver and it would be good to know that the difference between workarounds and cracking is not one that changes while your back is turned.

I guess only when it's not Google doing it, eh?

No, avoiding kneejerk reactions and thinking things through applies in every case. That or me siding with Microsoft when Google accused them of "copying" search results was just Google fanboyism.

Re:Absolutely right!

[jo_ham]

The setting works perfectly well - if you try to set a third party cookie the browser prevents it.

If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.

Right - that's the point. The setting works in most cases, it just doesn't work when the exploit is used - that's how exploits work and why they're called that.
The setting says (I just checked the exact wording) "Block cookies from:" and then gives three options: third parties and advertisers (default), Always and Never.

As indicated, the default is "third parties and advertisers" and it does this effectively. It is because it does this effectively that Google decided to use an exploit to get around it (ie, tricking Safari into classing it's advertising cookie as a first party cookie). You can twist this around and try to justify it as "Safari allowing it" all you want to try and make Google out to be the good guy here, but quite simply they used an exploit to get around a browser privacy setting. Yes, I understand that Safari "allowed" it by having an exploitable flaw, but that's like saying I "allowed" my car to get stolen because the lock was easy to open with a screwdriver.

I'm not on some anti-Google rant here - I use Google products all the time and I think they are a great force for the web as a whole, but it doesn't mean I'm not going to call them out when they do something obnoxious like this.

Re:Absolutely right!

[arose]

The case against Google would be much stronger if it was not a default. It's much easier to believe that they went the technical workaround route to make multi service login work so as not to bother the user with changing a "broken" default. Had it been off by default the argument that Google deliberately ignored the users wishes would be more convincing as then the users actual wishes would be known, an obscure (in function, not location) default doesn't reflect deliberate user choice.

Not sure why you are so insistent on me making "Google out to be the good guy", I consider this one fairly neutral on the web development scale, workarounds and hacks are extremely common in the field. Correctly describing what happens on a technical level is just that, not some sort of white washing. People can still be outraged once they understand what happened, but it's important that they don't picture Google exploiting a security vulnerability (of the code execution kind) and installing spy-ware to track them or ignoring some sort of flag that Google promises not to ignore.

Yes, I understand that Safari "allowed" it by having an exploitable flaw, but that's like saying I "allowed" my car to get stolen because the lock was easy to open with a screwdriver.

Oh my, a car analogy... Let's try to get somewhat closer. It's like saying that you "allowed" the maintenance tech to leave a flier in the trunk by having a trunk that won't (by default) open with the door key fully inserted but (due to an oversight from the manufacturer) will work if it's one tooth short of being fully in. The techs discovered this by accident and have been using this ever since to check that mark on their checklist. They still have many other ways to advertise (in Google's case track) to you but this is how they do things and not only was it not necessarily a deliberate choice on your part to have mismatched keys (a default) but it certainly isn't a statement of not wanting a flier in the trunk, since on the technical level it's just a trunk that doesn't open with the door key.

As with most car analogies it gets complex when it is close to being a good analogue due to the complexity of the issue.

On the upside we now have actual settings that specifically express the wish to not be tracked, I know Google will half-heartedly half-honor them. I wish they did more (and don't expect to see it, sadly), but as it shows that they at least acknowledge the issue when it's divorced from merely inferring intentions.

Re:Absolutely right!

[jo_ham]

Again, you're trying to make this all about Google overcoming an "inconvenient"and "broken" default privacy setting.

Nothing about the default setting makes "multi service logins" fail to work since those are selected and approved by the user (for example, checking a box for "keep me logged in" or "remember me" or "keep me logged in across multiple sites". What it *does not* allow is setting a cookie from a third party site - for example, Google's tracking cookie set when you browse to someone else's page (as in, not a Google page) with a G+ button on it, or a google text ad. Google is not allowed to set a cookie in this instance unless the user clicks on the button or advert. They went against the setting by tricking the browser into accepting a first party cookie.

You're twisting and bending in the wind to make Google out to be some sort of innocent party here.

Not sure why you are so insistent on me making "Google out to be the good guy", I consider this one fairly neutral on the web development scale, workarounds and hacks are extremely common in the field. Correctly describing what happens on a technical level is just that, not some sort of white washing. People can still be outraged once they understand what happened, but it's important that they don't picture Google exploiting a security vulnerability (of the code execution kind) and installing spy-ware to track them or ignoring some sort of flag that Google promises not to ignore.

No, they're not installing spyware - I never said that, and no one is accusing them of that. What I am accusing them of, and what they've admitted to, is deliberately going against the privacy setting in Safari by exploiting the browser's behaviour. They didn't do this "accidentally" (and if you believe they did, you are very naive) - they worked out how to get around the setting and exploited it. This is not some harmless "workaround" like some code designed to make web pages display properly in IE or similar, this was purely for Google's financial gain.

Again, there is *nothing* that the user is affected by if they follow the privacy policy as set - by interacting with Google directly, Safari allows cookies to be set.

Look at it this way, I check all of my privacy settings when setting up a browser. I happened to agree with that default setting, so that is how I left it. Are you suggesting that Google "can't really know for sure" what my wishes are regarding privacy? That is a very, very stupid argument. I would suggest that Google *respect the setting that the browser is set to*. It's really not rocket science. The fact that it's the default setting and thus Google should be free to do whatever it likes, including doing the exact opposite of what the setting says via an exploit, is the most ridiculous argument and lame justification for despicable behaviour that I ever heard.

My setting choice was deliberate, and I was affected by this exploit, but according to you, that's fine because how could Google know what I really wanted? I want to be tracked by third party cookies, right? Doesn't everyone? Why wouldn't they want that?!

Re:Absolutely right!

[arose]

Again, you're trying to make this all about Google overcoming an "inconvenient"and "broken" default privacy setting.

No, I'm still consistently bringing it up as one of the aspects.

What it *does not* allow is setting a cookie from a third party site - for example, Google's tracking cookie set when you browse to someone else's page (as in, not a Google page) with a G+ button on it, or a google text ad. Google is not allowed to set a cookie in this instance unless the user clicks on the button or advert. They went against the setting by tricking the browser into accepting a first party cookie.

As far as a browser is concerned gmail.com is a different party than google.com (and mail.google.com can be different from plus.google.com, though I don't think that was the case with the Safari default). Technicalities. Do. Matter. And again, it's not that Google is "not allowed" to set a cookie, it's that said cookie is blackholed by the browser.

I would suggest that Google *respect the setting that the browser is set to*.

And I will still disagree with this particular suggestion in most strongest terms. Not because I love Google, but because I have a website and don't think I should be under any obligation to not only somehow infer your browsers settings but also ensure that the browser isn't violating it for you. No, just no. You used technical means to get around a technical problem, you could only visit sites not affiliated with Google, but no, you specifically used technical means to circumvent the wishes of the webmaster. Google exploited a flaw in Safari? You exploited a "flaw" in HTTP first, admittedly and intentionally I might add. But Google is evil and you are good, eh?

My setting choice was deliberate, and I was affected by this exploit, but according to you, that's fine because how could Google know what I really wanted?

Fine, not necessarily. Understandable from a web developers point of view? Absolutely. You did not give Mark Google a form with a "do-not-track" field checked. You told your computer to not store certain data but between your computer and Google's servers it was set anyway. Did it make it easier to track you? Kinda. Would it prevent you from being tracked even if it had worked properly? Absolutely not. Did it tell anyone that you don't want to be tracked? Not more than turning off your cell phone would tell that you didn't want to be triangulated. There is a correlation between a multipurpose technical action and any reason one might make it for, but they are not the same.

Google has enemies.

Google gets big, makes powerful enemies. News at 11.
Funny how we only really vague, trivial shit gets Google in to the court room.

For all those with a clue, Google's actions are really a workaround to a broken, stupid browser privacy scheme that does nothing to protect users from the real bad guys. Just a way to fix web pages for a browser that's not standards compliant. Many times less harmless to the hackery you have to commit to get a web page to work properly in IE6.

Re:Google has enemies.

[noh8rz3]

jebus dont know where to start.

stupid browser privacy scheme that does nothing to protect users from the real bad guys

since google was the one hacking cookies into the browser, i'd say goog qualifies as the "real bad guys" in this case.

Just a way to fix web pages for a browser that's not standards compliant

Are you implying that Safari's default privacy settings somehow violate a web standard? Which one, please? And that goog had to circumvent it in order to make the browser standards compliant?

It just goes to show how shitty browsers are.

While all software has bugs and suffers from poor design decisions in some way, web browsers (and web technologies in general) are utterly rife with some of the stupidest mistakes known to mankind. These aren't mild mistakes, either. They're mindbogglingly stupid boondoggles. JavaScript is the biggest, filthiest computing mistake of all time, for example. But others, like cookies, are close behind. While the security implications are usually less severe, CSS is yet another example of one stupid decision after another.

It's time for the browser developers to get their acts together. Stop adding useless new features that are riddled with security flaws. Fix some of the existing problems, for crying out loud!

20 years seems excessive

[cpu6502]

Microsoft only got 10 years, and they were not merely spying on people but also abusing their monopoly position to drive competitors out of business. (Kinda like what Comcast is doing now with Hulu, Amazon video streaming.) Google should receive a more-lenient settlement than 20 years.

Re:20 years seems excessive

[girlintraining]

According to Google, [cite], it made about $40 billion last year in income. How much is a $20 million dollar fine compared to that? Let's put it this way... if you earned the median income for 2011 for your personal income ($49,445), and you were fined an equivalent percentage, the fine would be $24.74.

In other words, Google is being fined less for violating your privacy than you would for a parking ticket.

Re:20 years seems excessive

[girlintraining]

Sorry, I re-read the article and realized the fine in my original post was double what was being suggested... It is instead about the price you would pay to buy you and your partner dinner at McDonald's. -_- Would you like to Supersize that privacy violation?

Re:20 years seems excessive

[markjhood2003]

Those were simpler times... Google has a lot more data acquisition capabilities, market power, and social influence now than Microsoft ever had. They practically defeated SOPA single-handedly with a single ad on their main web page (yes, Wikipedia helped a bit). Sure, they've pledged to "don't be evil", and for the moment I'm inclined to give their current leadership the benefit of the doubt, but ten years out and who knows who'll be in control of all their data...

Google still makes a ton of money, but clearly that advertising cash cow can't go on forever. If Google ever decided to turn evil in order to raise profits then the public could be in a lot of trouble without the oversight. I welcome it even though I don't necessarily trust the FTC either.

Re:20 years seems excessive

[hathinnyc]

Google should receive a more-lenient settlement than 20 years.

You must be joking / shilling!

From the summary: 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' .

You might also want to RTFA: http://idealab.talkingpointsmemo.com/2011/10/googles-privacy-practices-to-be-monitored-for-the-next-20-years.php

They're talking specifically about 'misrepresenting' user information and 'protect[ing] consumer data' ... by one of the most powerful companies on the planet FFS!

CH

Wait

[Charliemopps]

There is no expectation of privacy on the internet, irrelevant of the browser you use or the site you visit. I would LOVE for the government to pass a law specifically stating there were such an expectation... but to do so would mean they would have to obey the law as well. For the government to fine a business for privacy violations when the government itself is collecting far more sensitive information about us, for much more nefarious purposes than profits, is just silly.

Ehh, I think you're a bit off track here, so..

Please allow me to explain. First, submitting forms via javascript is NOT anything new. Many sites do this, and for a variety of legitimate reasons. Hell, half the API's which insert remote JS files use forms for one thing or another, and if it's multipart and you want a progress bar, hey, look at that, a legitimate reason for using javascript to submit the form!

Just because Google did this does not mean it was intentional. But, sure, go ahead, keep your tin foil hat on and keep hiking that pitchfork in the air.

Good.

[toddmbloom]

I wish it was more - Google deserves it. I don't get why they're allowed to NEGOTIATE their fine, though.

NOW will the tech community stop fawning over them? Google does NOTHING for the betterment of the web - it's all about money, data, and advertisers.

Oh, and, second..

Second,

Google subverted this by secretly creating a form and pretending that it was filled out by the user, tricking Safari into accepting cookies.

So.. you think it's acceptable for Apple software engineers to rely on poor trigger mechanisms, but it's not acceptable for Google engineers to make a mistake and possibly be publicly humiliated for what was an honest engineer's decision regarding a common and fairly legitimate implementation?

Re:Absolutely right -- almost

Yeah, but these were users with Google accounts. They presumably *also* wanted their Gmail to work. So, what happens when the user wants two incompatible things? No cookies, but web services that need cookies?

Nuke the FCC

What the fuck is this shit. When did they get authority over every fucking thing.

Hipocrisy

[chowdahhead]

Whatever privacy violation Google committed here is diminutive in comparison to what our government does. Ironic that I just finished perusing this: http://yro.slashdot.org/story/12/05/04/1935210/fbi-we-need-wiretap-ready-web-sites-now

Defective Products

[mschaffer]

So, what about the defective Safari?
Did Google actually violate the law any more so than Apple by expecting all websites to behave?

Re:Defective Products

[zuperduperman]

Good point. If Google is at fault here, why is Apple not also for offering a feature that claims to block 3rd party cookies and then actually allows them? Google can claim that they simply rely on the browser's stated features to actually work, and they can't be responsible for every possible bug in any browser in existence that might ignore the user's wishes and give Google more information than they should have. Personally, I think that if Google is investigated, so too should Apple be - they left this hole for a reason - presumably financially driven reasons just like Google. If Apple made the judgement that their user's convenience or their own tracking mechanisms were more important than privacy then why is Google blamed for making the same assumption?

The other question is, if this is actually prosecuted, what is going to happen to the hundreds or thousands of major web sites that are routinely doing this? Are we going to investigate them all?

In Good Faith?

[Luthair]

As someone who has spent quite a bit of time dealing with quirks between the different browsers, it seems (barring evidence to the contrary) entirely possible that the developer may not even have just assumed they were working around a quirk.

drop, meet bucket.

[sdnoob]

$10 million, even $50 or $100 million isn't going to phase a company with google's revenues. they'll pay, admit to nothing, "promise" to do better (but not really do it).. life will go on and google will continue to trample on its users' privacy.

Only google?

[Internetuser1248]

Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time

Does facebook have a similar agreement? This safari thing seems like peanuts compared to some of the stuff they pull. If I am wrong please feel free to explain to me how, I am not claiming to be an expert merely asking a question.

Fuck off any die FTC

Can we just kill all these old fucks who don't know anything about computers?

Fuck'em

I'm so tired of Google's arrogance that I will be very happy if they get fined 10million, even if that's pocket change for them. Bunch of arrogant assholes.

--

Sundar Pichai is the utter asshole whose incompetence has resulted in the shutdown of Google's Atlanta office.