Slashdot Mirror


Google Facing FTC Fine Over Safari Privacy Breach

suraj.sun writes "Bloomberg is reporting on Google's negotiation with the U.S. Federal Trade Commission over 'how big a fine, which could amount to more than $10 million, it will have to pay for its breach of Apple's Safari browser. The fine would be the first by the FTC for a violation of Internet privacy as the agency steps up enforcement of the Web.' Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time. 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' This February, Google was found to be bypassing privacy controls in Safari by making the browser think a user was submitting a form, when they actually weren't. '(The code used by Google was part of its program to place the "+1" button in advertisements.) At the time, the company issued a statement saying that the circumvention wasn't intentional, but privacy groups were still quick to file complaints with the FTC over Google's actions. That was quickly followed by a class-action lawsuit and an investigation by European regulators.'"

16 of 73 comments

  1. Absolutely right! by gnasher719 · · Score: 4, Insightful

    Safari lets the user choose in which situations cookies are accepted from a website. One of those situations is when the user fills out a form on the website, so clearly the user has knowingly interacted with the website. Google subverted this by secretly creating a form and pretending that it was filled out by the user, tricking Safari into accepting cookies. That was no accident, that was a deliberate trick to get around the user's privacy settings.

    Since Google was on the hook for previous privacy violations, and had agreed to a settlement where they agreed that the FTC should check for further violations, a fine at this time is quite correct.

    1. Re:Absolutely right! by symbolset · · Score: 4, Interesting

      This is a fairly standard method. If Safari's design allows more disclosure than intended that's Safari's fault, not Google's. If this is not the intended functionality it's a browser bug and should be fixed.

      --
      Help stamp out iliturcy.
    2. Re:Absolutely right! by symbolset · · Score: 2

      We've been working around browser features for a long time. We started learning how with IE 3.0. The foibles of browsers being what they are, to claim some criminal intent on the methods of site designers for minor privacy issues with an individual browser devolves into everybody involved in Internet technologies being sent to the Gulag. That's going to impede progress.

      --
      Help stamp out iliturcy.
  2. Google has enemies. by Anonymous Coward · · Score: 5, Insightful

    Google gets big, makes powerful enemies. News at 11.
    Funny how only really vague, trivial shit gets Google into the courtroom.

    For all those with a clue, Google's actions are really a workaround to a broken, stupid browser privacy scheme that does nothing to protect users from the real bad guys. Just a way to fix web pages for a browser that's not standards compliant. Many times less harmless to the hackery you have to commit to get a web page to work properly in IE6.

  3. Re:How about fix the browser by Anonymous Coward · · Score: 2, Informative

    Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

  4. 20 years seems excessive by cpu6502 · · Score: 4, Insightful

    Microsoft only got 10 years, and they were not merely spying on people but also abusing their monopoly position to drive competitors out of business. (Kinda like what Comcast is doing now with Hulu, Amazon video streaming.) Google should receive a more-lenient settlement than 20 years.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  5. Re:This is stupid by Anonymous Coward · · Score: 2, Insightful

    If you forget to lock your car door and someone steals your car, should you be arrested as an accessory to grand theft?

    Poor car analogy, not least because your insurance company might not be very sympathetic, and also because it isn't the end user's fault in the Safari case. Better analogy:

    If your car manufacturer builds a faulty door lock, and the car gets stolen, should the manufacturer have liability (i.e. should you be able to sue them for loss of your car when you had some expectation of security)? Probably, the answer is "yes" (but probably you can leave the insurance guys to take them to task instead, since they're the ones losing more than CDs and fluffy dice that you got from Auntie Mavis).

  6. Wait by Charliemopps · · Score: 2

    There is no expectation of privacy on the internet, irrelevant of the browser you use or the site you visit. I would LOVE for the government to pass a law specifically stating there were such an expectation... but to do so would mean they would have to obey the law as well. For the government to fine a business for privacy violations when the government itself is collecting far more sensitive information about us, for much more nefarious purposes than profits, is just silly.

  7. Re:This is stupid by fustakrakich · · Score: 2

    Pfft whatever... If Google broke the law, they should be fined. It will be a slap on the wrist anyway. If not, write a nasty press release about them, and let god sort it out. This is like the senate wasting an infinite amount of time on steroids in professional sports.

    --
    “He’s not deformed, he’s just drunk!”
  8. Re:How about fix the browser by jo_ham · · Score: 4, Insightful

    That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google can do no wrong"?).

    Safari already blocks third party cookies by default, and to get around that "pesky" setting that prevents Google's ad tracking from working (and making them money), they designed a process that used an exploit to trick Safari into believing that user authorisation had been given to set the cookie anyway.

    No one is disputing that Safari needs to close that exploit (I'm sure it's being worked on, if it hasn't been closed already), but this certainly CAN NOT be described as "legitimate" use of a browser feature by any stretch of the imagination. It was a browser exploit designed to get around Safari's privacy settings.

    Put it this way, the user has the setting that says "do not accept third party cookies unless I specifically say so" and Google's response and direct action to that was "nah! that's really inconvenient to us, so we'll set that cookie anyway even though you have specifically said no"

    "Do No Evil (unless it interferes with the bottom line)".

  9. Only google? by Internetuser1248 · · Score: 2

    Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time

    Does facebook have a similar agreement? This safari thing seems like peanuts compared to some of the stuff they pull. If I am wrong please feel free to explain to me how, I am not claiming to be an expert merely asking a question.

  10. Re:How about fix the browser by flyingsquid · · Score: 2

    Let me preface this by saying that I like Google. Google is my homepage, I use Google and Gmail on a daily basis, and I literally don't know how I could do my job without Google and Google Scholar. I liked the fact that they took a stand on the China issue, and I like the "do no evil" ethos.

    But there have been a lot- and I mean a lot- of recent reports about Google failing to live up to the whole "do no evil" thing. To sum up some recent stories about Google: Google paid $500 million to the government for aiding illegal sales of online pharmaceuticals, Google has come under fire for capturing information from people's Wifi networks using Street View, Google has intentionally worked around Safari privacy settings, Google deliberately turned a blind eye to copyright violations on Youtube because they wanted to build the site's popularity...

    I think Sergey Brin needs to stop bitching about how Apple and Facebook are threats to our online freedom, and take a long hard look at his own damn company. Lately, their philosophy seems a lot less like "Google should do no evil" than "Google can do no evil". One or two stories I would be willing to write off as honest mistakes, but there's a clear pattern here. The common theme to all of these stories about Google is an attitude of arrogance, a lack of accountability, and the idea that they can just ignore the rules everyone else has to play by. There's an element of trust involved in allowing a company to host your email and your documents, and to see what you're searching for online. If they go too far and people lose faith in the company, then they're going to suffer for it.

  11. Re:This is stupid by TheRaven64 · · Score: 2

    While I don't totally disagree that this is a good idea, I can think of quite a lot of companies that should be higher up the list for this kind of intervention. For example, almost every telecoms or energy company...

    --
    I am TheRaven on Soylent News
  12. Re:This is stupid by beelsebob · · Score: 2

    No, more accurately – if the manufacturer builds a faulty lock, and Bill steals the car, should Bill still go to jail for theft ;)

  13. Re:How about fix the browser by kllrnohj · · Score: 2

    That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google is evil"?).

    First, blocking third party cookies is the browser's job. The site has *zero* way of knowing what that setting is. Google literally cannot respect that setting by itself, they don't have that information.

    Second, the issue isn't remotely what you think it was, nor is it an "exploit" at all. Go read the actual webkit bug: https://bugs.webkit.org/show_bug.cgi?id=35824 Google didn't bypass anything - webkit has a special case for if you already had a cookie from the 3rd party, it would enable 3rd party cookies under the assumption that the site wouldn't set any "tracking" cookies. The whole "privacy breach" bullshit stems from the bug where if you already had a G+ cookie but not an ad cookie and you had ad tracking enabled on your account, when you encountered embedded G+ on a site the ad cookie would get set as well. This only worked because you *already* had cookies from Google, which is why Safari would accept the cookie in the first place.

    Of course, anyone with any clue how cookies work knows that removing the ad cookie doesn't actually change anything - it doesn't affect the data Google gets (they already know who you are with the legitimately set cookies that triggers webkit's special case in the first place - aka, the user being logged in), and it doesn't do anything by itself. No privacy implications whatsoever, no exploits, nothing. A story was made over nothing because the people that fueled the story had no clue what they were reporting on.

  14. Re:How about fix the browser by VortexCortex · · Score: 4, Interesting

    Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

    Safari does NOT block third party cookies. Safari blocks SOME third party cookies -- You know, unless the user interacts with 3rd party assets, then they don't block the 3rd party cookies at all. The issue is caused by Safari's erroneous concept of what a user initiated event is. Which it damn sure knows how to tell the difference between a user initiated event! That's how pop up blocking has worked for over a decade. It's defective by design. Submitting a form to a hidden iframe is how we made Ajax work before XML HTTP Request was born, so it's not like Google did some magic mojo. I used to be able to pass JS variables across domains via iframe, but now browsers don't allow that -- Was I fooling the browsers by using their features before they disabled the feature?

    Oh I can hear the apple sauce sloshing already! But you're WRONG. You see -- There's this thing called JavaScript, and using it I can hover a 1px invisible iframe around under your gods damn mouse cursor -- And within that iframe: A 3rd party site. Now, just try and click anything. TADA Safari not blocking 3rd party cookies again. BECAUSE THEY DON'T. Well, actually yes... Safari does block a few 3rd party cookies -- But only if the 3rd party doesn't really want you to have the cookie. That you can't easily tell your browser WTF to do and have it just do what it says the option is Ridiculous. Here, I'll show you:

    if ( Third_Party_Cookies_Disabled && window.top.location != window.location ) return; // without setting the cookie.

    But NOOO! Safari has some other explicit BS logic that makes EXCEPTIONS to the rule. On Purpose! Google used such features that Apple devs made... And the dumb ass users got pissed off because their browser wasn't doing what they told it, but they couldn't blame Apple -- NO! Not Apple! So who? Google -- Protip: Google's not the only one bypassing your 3rd party cookie "blocking" system... Hey, doesn't Apple sell ads too? I bet they want them to "just work" too.

    Google was only serving up the form to people who were logged in to the service and had accepted their privacy policy stating that GOOGLE WOULD DO THIS.

    Also, if you disable all cookies in Safari -- It keeps sending my sites your cookies. You have to restart the browser before that setting takes effect. Why? Why doesn't that just work?! Every other browser just stops sending the cookies. Why? Because the names of the settings in Safari are specious. They're misinformative to say the least! "Disable 3rd party cookies unless you just recently changed the setting, or you accidentally click a 3rd party site, or the page submits a form or some Javascript puts a button under your cursor, or a bunch of other BS logic that we added to specifically ALLOW 3rd party cookies." -- THAT is what Safari does. RTFM next time, then test the software to be sure the manual's not lying. -- That's what I did.
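
Added example (not part of any comment above, and not Safari or WebKit source): a small JavaScript model that contrasts the strict third-party rule from the one-line check quoted in the last comment with a rule carrying the two exceptions the thread describes, and reports which cookie writes only the exceptions let through. All field names, domains and sample requests are constructed for illustration, and "third party" is simplified to a plain domain comparison.

```javascript
// Model only: field names and domains are hypothetical, sample data is constructed.
// Simplification: a cookie is "third party" when its domain differs from the
// top-level page's domain (real browsers compare registrable domains).
function isThirdParty(req) {
  return req.cookieDomain !== req.topLevelDomain;
}

// Strict rule: with third-party blocking on, a third-party context never stores.
function strictPolicy(req) {
  return !isThirdParty(req);
}

// Rule with the exceptions described in the thread: the domain already has a
// cookie, or the write arrives with what the browser treats as a form submission.
function policyWithExceptions(req) {
  if (!isThirdParty(req)) return { accept: true, reason: "first-party" };
  if (req.domainAlreadyHasCookie) {
    return { accept: true, reason: "existing-cookie exception" };
  }
  if (req.viaFormSubmission) {
    return { accept: true, reason: "form-submission exception" };
  }
  return { accept: false, reason: "third-party blocked" };
}

// Audit helper: cookie writes the strict rule would refuse but the
// exception-carrying rule accepts, with the exception responsible.
function auditExceptions(requests) {
  return requests
    .filter((r) => !strictPolicy(r) && policyWithExceptions(r).accept)
    .map((r) => ({ id: r.id, reason: policyWithExceptions(r).reason }));
}

// Constructed sample: one page on news.example embedding other domains.
const SAMPLE_REQUESTS = [
  { id: 1, topLevelDomain: "news.example", cookieDomain: "news.example",
    domainAlreadyHasCookie: false, viaFormSubmission: false },
  { id: 2, topLevelDomain: "news.example", cookieDomain: "ads.example",
    domainAlreadyHasCookie: false, viaFormSubmission: false },
  { id: 3, topLevelDomain: "news.example", cookieDomain: "social.example",
    domainAlreadyHasCookie: true, viaFormSubmission: false },
  { id: 4, topLevelDomain: "news.example", cookieDomain: "ads.example",
    domainAlreadyHasCookie: false, viaFormSubmission: true },
];

console.log(auditExceptions(SAMPLE_REQUESTS));
```

Requests 3 and 4 are the ones where the user-facing setting and the effective behaviour diverge, which is the gap the thread is arguing about.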