Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Facing FTC Fine Over Safari Privacy Breach

Posted by Soulskill on from the really-expensive-cookies dept.

suraj.sun writes "Bloomberg is reporting on Google's negotiation with the U.S. Federal Trade Commission over 'how big a fine, which could amount to more than $10 million, it will have to pay for its breach of Apple's Safari browser. The fine would be the first by the FTC for a violation of Internet privacy as the agency steps up enforcement of the Web.' Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time. 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' This February, Google was found to be bypassing privacy controls in Safari by making the browser think a user was submitting a form, when they actually weren't. '(The code used by Google was part of its program to place the "+1" button in advertisements.) At the time, the company issued a statement saying that the circumvention wasn't intentional, but privacy groups were still quick to file complaints with the FTC over Google's actions. That was quickly followed by a class-action lawsuit and an investigation by European regulators.'"

6 of 73 comments (clear)

  1. Absolutely right! by gnasher719 · · Score: 4, Insightful

    Safari lets the user choose in which situations cookies are accepted from a website. One of those situations is when the user fills out a form on the website, so clearly the user has knowingly interacted with the website. Google subverted this by secretly creating a form and pretending that it was filled out by the user, tricking Safari into accepting cookies. That was no accident, that was a deliberate trick to get around the user's privacy settings.

    Since Google was on the hook for previous privacy violations, and had agreed to a settlement where they agreed that the FTC should check for further violations, a fine at this time is quite correct.

    1. Re:Absolutely right! by symbolset · · Score: 4, Interesting

      This is a fairly standard method. If Safari's design allows more disclosure than intended that's Safari's fault, not Google's. If this is not the intended functionality it's a browser bug and should be fixed.

      --
      Help stamp out iliturcy.
  2. Google has enemies. by Anonymous Coward · · Score: 5, Insightful

    Google gets big, makes powerful enemies. News at 11.
    Funny how we only really vague, trivial shit gets Google in to the court room.

    For all those with a clue, Google's actions are really a workaround to a broken, stupid browser privacy scheme that does nothing to protect users from the real bad guys. Just a way to fix web pages for a browser that's not standards compliant. Many times less harmless to the hackery you have to commit to get a web page to work properly in IE6.

  3. 20 years seems excessive by cpu6502 · · Score: 4, Insightful

    Microsoft only got 10 years, and they were not merely spying on people but also abusing their monopoly position to drive competitors out of business. (Kinda like what Comcast is doing now with Hulu, Amazon video streaming.) Google should receive a more-lenient settlement than 20 years.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  4. Re:How about fix the browser by jo_ham · · Score: 4, Insightful

    That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google can do no wrong"?).

    Safari already blocks third party cookies by default, and to get around that "pesky" setting that prevents Google's ad tracking from working (and making them money), they designed a process that used an exploit to trick Safari into believing that user authorisation had been given to set the cookie anyway.

    No one is disputing that Safari needs to close that exploit (I'm sure it's being worked on, if it hasn't been closed already), but this certainly CAN NOT be described as "legitimate" use of a browser feature by any stretch of the imagination. It was an browser exploit designed to get around Safari's privacy settings.

    Put it this way, the user has the setting that says "do not accept third party cookies unless I specifically say so" and Google's response and direct action to that was "nah! that's really inconvenient to us, so we'll set that cookie anyway even though you have specifically said no"

    "Do No Evil (unless it interferes with the bottom line)".

  5. Re:How about fix the browser by VortexCortex · · Score: 4, Interesting

    Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

    Safari does NOT block third party cookies. Safari blocks SOME third party cookies -- You know, unless the user interacts with 3rd party assets, then they don't block the 3rd party cookies at all. The issue is caused by Safari's erroneous concept of what a user initiated event is. Which it damn sure knows how to tell the difference between a user initiated event! That's how pop up blocking has worked for over a decade. It's defective by design. Submitting a form to a hidden iframe is how we made Ajax work before XML HTTP Request was born, so it's not like Google did some magic mojo. I used to be able to pass JS variables across domains via iframe, but now browsers don't allow that -- Was I fooling the browsers by using their features before they disabled the feature?

    Oh I can hear the apple sauce sloshing already! But you're WRONG. You see -- There's this thing called JavaScript, and using it I can hover a 1px invisible iframe around under your gods damn mouse cursor -- And within that iframe: A 3rd party site. Now, just try and click anything. TADA Safari not blocking 3rd party cookies again. BECAUSE THEY DON'T. Well, actually yes... Safari does block a few 3rd party cookies -- But only if the 3rd party doesn't really want you to have the cookie. That you can't easily tell your browser WTF to do and have it just do what it says the option is Ridiculous. Here, I'll show you:

    if ( Third_Party_Cookies_Disabled && window.top.location != window.location ) return; // without setting the cookie.

    But NOOO! Safari has some other explicit BS logic that makes EXCEPTIONS to the rule. On Purpose! Google used such features that Apple devs made... And the dumb ass users got pissed off because their browser wasn't doing what they told it, but they couldn't blame Apple -- NO! Not Apple! So who? Google -- Protip: Google's not the only one bypassing your 3rd party cookie "blocking" system... Hey, doesn't Apple sells ads too? I bet they want them to "just work" too.

    Google was only serving up the form to people who were logged in to the service and had accepted their privacy policy stating that GOOGLE WOULD DO THIS.

    Also, if you disable all cookies in Safari -- It keeps sending my sites your cookies. You have to restart the browser before that setting takes effect. Why? Why doesn't that just work?! Every other browser just stops sending the cookies. Why? Because the names of the settings in Safari are specious. They're misinformative to say the least! "Disable 3rd party cookies unless you just recently changed the setting, or you accidentally click a 3rd party site, or the page submits a form or some Javascript puts a button under your cursor, or a bunch of other BS logic that we added to specifically ALLOW 3rd party cookies." -- THAT is what Safari does. RTFM next time, then test the software to be sure the manual's not lying. -- That's what I did.