Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Apple Users Sue Google Over Safari Tracking

Posted by samzenpus on from the stop-tracking-me-bro dept.

Dupple writes "After settling with the FTC, Google is under pressure again regarding user privacy. From the BBC: 'A group of Apple's Safari web browser users has launched a campaign against Google over privacy concerns. They claim that Google bypassed Safari's security settings to install cookies which tracked their movements on the internet. Between summer 2011 and spring 2012 they were assured by Google this was not the case, and believed Safari's settings to be secure. Judith Vidal-Hall, former editor of Index On Censorship magazine, is the first person in the UK to begin legal action. 'Google claims it does not collect personal data but doesn't say who decides what information is "personal,"' she said. 'Whether something is private or not should be up to the internet surfer, not Google. We are best placed to decide, not them.'"

52 of 101 comments (clear)

  1. How is this news? by Anonymous Coward · · Score: 3, Interesting

    Have you seen those small "Share" and "Like" buttons all over the web?

    Thats right, Facebook, Google, and others, see every time a browser downloads those buttons and which URL it was loaded from. It the user happens to be logged on to their service, they also see the user's identity.

    In otherwords, Facebook, Google can track almost every user and page load on the web!

    1. Re:How is this news? by BasilBrush · · Score: 3, Informative

      The news is that in the EU it's illegal to track users with cookies without their consent. Google went out of their way to circumvent the security settings on Safari, such that they tracked users even when they's said no. And then on top of that Google lied about it, saying they weren't doing so.

      It's illegal. There is no "it's already happening" defence.

    2. Re:How is this news? by Stewie241 · · Score: 1

      So a website can override a browser's security settings? Nifty.

    3. Re:How is this news? by BasilBrush · · Score: 1

      The details were covered on Slashdot at the time, but here it is again: http://blogs.wsj.com/digits/2012/02/16/how-google-tracked-safari-users/

    4. Re:How is this news? by icebike · · Score: 1

      Have you seen those small "Share" and "Like" buttons all over the web?

      Thats right, Facebook, Google, and others, see every time a browser downloads those buttons and which URL it was loaded from. It the user happens to be logged on to their service, they also see the user's identity.

      In otherwords, Facebook, Google can track almost every user and page load on the web!

      "Apple users: Only Apple can track us! Not Google" was the headline that The Register used to describe this story in their usually thinly veiled laughing up their sleeve sort of way.

      Allegedly these clowns are suing for damages. Let them prove damages.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:How is this news? by toutankh · · Score: 2

      Because they can. The real problem here is that the browser cannot enforce its own security settings. The fact that Google is evil is beside the point. If I check a "don't track me" option in my browser then end up being tracked, my anger is directed toward the browser, not the tracker. Anything else doesn't make sense and is counter-productive.

      Risky analogy: if my partner cheats on me, my anger should be directed toward my partner, not to anyone else (provided my partner cheated on me with someone who doesn't know me).

  2. Really? by kullnd · · Score: 4, Insightful

    Maybe Google should start charging us for their services that we get for free... They have to make their money from something, if you don't like it don't use it. Also, anyone who honestly believes that a toggle in their browser is going to prevent them from being tracked on the open internet needs an education on how things really work in the real digital world.

    --
    +++ATH0 NO CARRIER
    1. Re:Really? by Dexter+Herbivore · · Score: 5, Insightful

      Also, anyone who honestly believes that a toggle in their browser is going to prevent them from being tracked on the open internet needs an education on how things really work in the real digital world.

      When the law says that the user shouldn't be tracked, then the user shouldn't be tracked. In an ideal world, Google shouldn't be going out of the way to circumvent those laws.

    2. Re:Really? by Anonymous Coward · · Score: 4, Insightful

      However, the law says that you must inform users they are being tracked.

      Which is the case here.

      It's an astroturf movement. Apple getting at Google for Android.

      It was a similar faked outrage when *33* people complained about Attenborough's bit on a polar bear giving birth which was done in a zoo for the safety of the cameramen and the polar bears and described on the BBC web site for the program. But, because it dared say that AGW was a problem, the daily hate mail insisted this was AN OUTRAGE.

      Manufactured.

      PS to use the BBC website, you are required to accept cookies or the site won't work. Mostly for technical reasons, but you still have to allow cookies.

      They DO tell you "We use cookies" and that is all the law required.

      It was a pretty useless law.

    3. Re:Really? by Anonymous Coward · · Score: 1

      I don't use Google services, and yet 99% of the websites on the 'net ping back to google-analytics.com informing them of every link I click on. Are you saying I should stop using the web completely?

      This isn't about tracking people's use of Google's services, it is about tracking every single thing every single person does on the web. Apple added some privacy protection into Safari, and Google actively worked around it, bypassing the users' wishes to not be tracked.

    4. Re:Really? by tlhIngan · · Score: 1

      Maybe Google should start charging us for their services that we get for free... They have to make their money from something

      It's called "advertising". Though perhaps Google should charge users who use NoScript/ABP/etc. to block ads from Google and Google-owned companies like DoubleClick, AdMob, etc. (Google owns basically the entire online adversing companies - from their AdSense ads to the companies that do all the annoying popover/popunder/interstitials and such - all owned by Google).

      Also, anyone who honestly believes that a toggle in their browser is going to prevent them from being tracked on the open internet needs an education on how things really work in the real digital world.

      It's a toggle that Google actively worked around. It's not a "Do Not Track" flag that people can ignore, it's an active protection that Safari attempts to do to give you a modicum of privacy including dumping cookies. What Google did was actively work around them so all those +1 buttons would attach your Google ID to them.

      Google actually wrote their code to circumvent such settings (not just ignore DNT), then deny it happened. Sort of like Lance Armstrong and performance-enhancing drugs.

    5. Re:Really? by Nostromo21 · · Score: 1

      So basically, you/they/crApple is sore that Safari security is weak as piss & worse than IE's? Gotcha.

    6. Re:Really? by kullnd · · Score: 1

      I'm sorry, but blaming Google for the web site owners that by their own choice put Google code onto their websites is kind of retarded...

      --
      +++ATH0 NO CARRIER
    7. Re:Really? by TapeCutter · · Score: 1

      Yeah the Daily Fail tried to discredit Attenborough but all they did was drag their own reputation deeper down the gutter. Why? - Because Attenborough's persona and 50yr track record is such that people see his face and they know it's legit.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    8. Re:Really? by Americano · · Score: 1

      Actually, I'd love it if Google offered a subscription-based, ad-free/tracking-free consumer version of their services. That's not much of a threat, I wish they'd start charging for services that we get for free.

      They have to make their money from something, if you don't like it, don't use it.

      The problem here is that people specifically set their browser in a way that said, "don't track me," and Google said, "Well, since you couldn't possibly have meant to exclude US with that setting, we'll just circumvent that setting and track you anyway using a known bug in your browser." People tried not to use it, and Google still tracked them.

    9. Re:Really? by Smauler · · Score: 1

      It wasn't legit. I don't know the Mail's take on the situation, I don't read it.

      However, the BBC presented video from a zoo and implied it was in the wild. Attenborough should be ashamed for providing the voiceover, not try to defend it.

      The problem was not that the BBC used footage from a zoo. The problem was that they deliberately tried to trick the viewer into thinking that the bear cubs filmed were in the wild. Just because they were open in saying that they did so after the event does not make it ok.

    10. Re:Really? by TapeCutter · · Score: 1

      I have the documentary in my collection, there is no "deliberate trickery". As the OP stated, it was a manufactured controversy intended to punish Attenborough for his views on AGW. You'd have to be a complete moron to fall for such a transparent attempt to assassinate his character.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    11. Re:Really? by Plumpaquatsch · · Score: 1

      However, the law says that you must inform users they are being tracked.

      Which is the case here.

      It's an astroturf movement. Apple getting at Google for Android.

      [...] PS to use the BBC website, you are required to accept cookies or the site won't work. Mostly for technical reasons, but you still have to allow cookies.

      They DO tell you "We use cookies" and that is all the law required.

      It was a pretty useless law.

      Amazing that your post is rated so how while being so wrong. First of all, there is no information to the user that they are being tracked. The BBC doesn't require you to allow third party cookies to work. Google and assorted Advertising scum does. And remind me why Google has to pay a record fine to the FTC for doing this (which the summary so cleverly avoids telling by calling it a settlement)

      --
      Of course news about a fake are Fake News.
  3. Heh by benjfowler · · Score: 1, Insightful

    Apple fanboi nerd rage is funny

    1. Re:Heh by Anonymous Coward · · Score: 1

      Which are nowhere nears as pathetic as Apple apologists...(Offense intended)

    2. Re:Heh by Nostromo21 · · Score: 2

      Last I checked, Google hasn't apologised for jack shit, not should they. OTOH, Samsung is still waiting for a proper one from crApple...

    3. Re:Heh by Plumpaquatsch · · Score: 1

      Last I checked, Google hasn't apologised for jack shit, not should they. OTOH, Samsung is still waiting for a proper one from crApple...

      Yeah, they only had to pay the biggest fine to the FTC ever. No reason to apologize after you paid for your sins, obviously.

      --
      Of course news about a fake are Fake News.
  4. pot, kettle, black, etc. by dontbemad · · Score: 4, Insightful

    i find it mildly amusing that Apple product users are suing google over something related to tracking.

    1. Re:pot, kettle, black, etc. by GodfatherofSoul · · Score: 4, Insightful

      Regardless, Google lied and got busted lying. "She hit me first" didn't work for your mother, and it won't work in court either.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    2. Re:pot, kettle, black, etc. by BasilBrush · · Score: 1

      i find it mildly amusing that Apple product users are suing google over something related to tracking.

      Why?

    3. Re:pot, kettle, black, etc. by gnasher719 · · Score: 1

      i find it mildly amusing that Apple product users are suing google over something related to tracking.

      Why would you find that amusing? It's not amusing for users who have to go to court to avoid being tracked, it's not amusing for Google.

    4. Re:pot, kettle, black, etc. by RocketRabbit · · Score: 2

      Why? Google is the biggest data miner on the planet, and they make more money as they refine their profile of you. They are the Internet Gestapo.

      Apple, by comparison, is rather innocent.

    5. Re:pot, kettle, black, etc. by dontbemad · · Score: 1

      not a shill, and even if i really am that stupid, at least i don't hide behind being an AC.

  5. Can't let every consumer dictate what privacy is by Anonymous Coward · · Score: 2, Insightful

    Much as I can agree with the sentiment, we cannot allow every single consumer out there to dictate what constitutes privacy data. Perhaps google should publish what it deems as privacy information, and then allow the consumer to decide to play along or not.

  6. A group of Apple's Safari web browser users by DeathToBill · · Score: 1

    "Both of Apple's Safari web browser users..."

    FTFY

    --
    Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
    1. Re:A group of Apple's Safari web browser users by thetoadwarrior · · Score: 2

      Given how many more iphone users use the internet over android users it's by far the most userd mobile / tablet browser.

    2. Re:A group of Apple's Safari web browser users by thetoadwarrior · · Score: 1

      It could explain why the numbers don't match up with web stats or some people are just wasting their time with a smart phone. I wouldn't bother with a mobile phone at all if I couldn't use the internet every day. Even with my old G1 I'd surf Slashdot even if it was the worst possible way to view the site.

    3. Re:A group of Apple's Safari web browser users by RocketRabbit · · Score: 1

      Wikipedia does an interesting breakdown on the devices used to visit their site and Android usage is much lower than one might expect from Google's and that shady ass StatCounter's numbers.

  7. Re:Can't let every consumer dictate what privacy i by icebike · · Score: 4, Informative

    Much as I can agree with the sentiment, we cannot allow every single consumer out there to dictate what constitutes privacy data. Perhaps google should publish what it deems as privacy information, and then allow the consumer to decide to play along or not.

    What an excellent Idea. I wonder why Google Never Thought About That.

    I find Google far more forthcoming than most companies, and offering a much finer grained level of control.

    I would also wager, that Judith Vidal-Hall has a facebook page, a Linkedin page. As far as I'm concerned, anyone signing up for either of those two services has abdicated all semblance of Privacy. Living in a country with CCTV cameras on every street corner, and a government hell bent on capturing every keystroke on your computer forever, how can she object if Google complies with her country's laws?

    --
    Sig Battery depleted. Reverting to safe mode.
  8. "group of Apple's Safari web browser users"? Hmmm by Ian.Waring · · Score: 2

    It is of course perfectly coincidental that the lawyer firm involved is the same one who previously acted for Microsoft in a case against unlicensed X-Box accessories.

  9. Why not sue Apple? by TheSkepticalOptimist · · Score: 4, Insightful

    I mean ultimately its Safari's problem that Google could find a way to circumvent their privacy settings and write cookies to their user profile. If Safari was written properly then no website should be able to access private information or write to profile.

    What is at fault here is the users thought Safari was secure, but Google found a way around the security. Its Safari's issue, period.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
    1. Re:Why not sue Apple? by Anonymous Coward · · Score: 1

      No. That's a ridiculous line of reasoning. When someone breaks into your house you don't go after the manufacturer of the lock, you go after the thief.

      As stupid as this law suit or maybe even the idea of do not track is, your idea is considerably more stupid.

    2. Re:Why not sue Apple? by Kenja · · Score: 1

      Depends, if the lock company made a point about how using their locks would make your house burgle proof I get people would sure them.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:Why not sue Apple? by thetoadwarrior · · Score: 2

      Because you prosecute the one who did the crime. Do you sue you car manufacturer when your car gets broke into?

    4. Re:Why not sue Apple? by cbhacking · · Score: 1

      The entire Internet, including (especially, in this case) the WWW, is based on published specifications that describe how clients and servers are supposed to interact with each other. Some of these specifications relate to privacy. In particular, there is a thing called a "compact privacy policy" which is a very shorthand way of indicating many of the most salient points of a privacy policy in a machine-readable format. This is a published specification, part of the Platform for Privacy Preferences (P3P), described in http://www.w3.org/TR/P3P/.

      The goal of P3P is to provide a way for the user of an HTTP client (generally, a web browser) to specify automatic behaviors based on privacy settings. It's not a security feature at all; it's a convenience feature for sites where the user trusts the server to not lie about what its privacy policy is. The idea is that the server sends a compact privacy policy, and the user agent decides what to do based on that policy. It removes the need for the user to manually review each cookie, etc. and decide, based on the info it contains and the policy of the site, what to do with it.

      Google, in their infinite not-evilness, decided that P3P is old and broken (somewhat debatable, but they make some good points) and they weren't going to respect the specification. Of course, the usual way that somebody would do this is to not implement it on their end at all; i.e. don't send any compact privacy policy and let the browser do whatever it does with cookies that don't come with privacy info attached. Google thought differently, and decided to instead send a CPP that is interpreted in the following way by P3P-compliant user agents:
      We have a privacy policy, it is all-inclusive and has no exceptions.
      Of course, this is a complete lie - Google does do various things which may compromise your privacy, such as track you with cookies. However, they decided that rather than indicate this in the machine-readable format specified in P3P, they would instead send a human-readable English text string, utterly meaningless under the specification, telling people to go read their actual privacy policy. The problem is, the user is never supposed to read the raw CPP. It's a bunch of meaningless characters to anybody unfamiliar with the specification, and generally isn't ever displayed to the user. The end result is that, if the user's browser is configured to use P3P to decide how to handle cookies, Google's cookies are going to be automatically accepted regardless of whether what Google uses those cookies for is actually acceptable to the user.

      In a very real sense, Google has published a false security policy. It's not a security exploit - the entire specification is built on trust, as is true of any security policy - but it's a very flagrant violation of that trust and, in the EU, is illegal. That's what they're in hot water for. Apple is only relevant to this story because they use P3P, presumably by default (how many Safari users are going to customize their privacy settings?), and adhere to the specification as written.

      "Don't be evil" my ass. By the way, I own zero Apple products and am generally not a fan of the way they treat their users. That does not absolve Google of this kind of bullshit, however.

      --
      There's no place I could be, since I've found Serenity...
    5. Re:Why not sue Apple? by smash · · Score: 1

      Apple has made no such claims about safari. They've played the "mac's don't get viruses" card. This isn't a virus.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Why not sue Apple? by smash · · Score: 1

      This post pretty much sums it up. IIRC, IE was affected too, for complying with P3P.

      And yes. "don't be evil" my arse.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    7. Re:Why not sue Apple? by smash · · Score: 1

      This isn't a security exploit. No software was "exploited". It is Google being a dick with internet standards.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Why not sue Apple? by viperidaenz · · Score: 1

      4. Compact Policies

      Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy.

      The text Google sends is obviously not a valid CPP, so the browser is incorrectly implementing an optional part of the spec to the detriment of the users.

      They don't incorrectly add any of the defined compact tokens to the CP header. No correct implementation should be able to determine a policy from what is returned.

  10. Re:Can't let every consumer dictate what privacy i by nschubach · · Score: 1

    I read that line and thought... great. Someone out there is going to think that their screen height is private and break every website that uses scroll effects. That's not a major loss, but what if they decided that the browser is private? People can't be allowed to determine everything that's private... can they?

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  11. Re:Can't let every consumer dictate what privacy i by Mister+Whirly · · Score: 1

    Yes if only there was some sort of policy regarding privacy that sites like Google would make public... Something that was easy to find, perhaps right on the bottom of every page. Something that said something like Privacy & Terms that you could simply click on to get information.

    --
    "But this one goes to 11!"
  12. Re:Can't let every consumer dictate what privacy i by Anonymous Coward · · Score: 1

    I would also wager, that Judith Vidal-Hall has a facebook page, a Linkedin page. As far as I'm concerned, anyone signing up for either of those two services has abdicated all semblance of Privacy.

    A Judith Vidal-hall is on Facebook, but provides no additional information to strangers. Despite the Slashdogma, it is possible to have a Facebook page and not spend your entire day posting your SSN and rapid status updates about what you ate for lunch and how it is propogating through your digestive system.

    As far as I'm concerned, anyone making poorly educated sweeping generalizations based on bad stereotypes has abdicated all semblance of Trust on public forums.

  13. Whether by TsuruchiBrian · · Score: 2

    "'Whether something is private or not should be up to the internet surfer, not Google. We are best placed to decide, not them.'"

    Fulfilling the expectation that the internet surfer's privacy wishes are being honored is the job of a browser without security, not a massive corporation whose primary income source is targeted advertisements.

  14. Re:Can't let every consumer dictate what privacy i by EasyTarget · · Score: 1

    Apparently there is a facebook page where you can sign up to support this..
    My ironyometer went off-scale when I saw that.

    --
    "Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
  15. Re:Can't let every consumer dictate what privacy i by penix1 · · Score: 1

    Despite the Slashdogma, it is possible to have a Facebook page and not spend your entire day posting your SSN and rapid status updates about what you ate for lunch and how it is propogating through your digestive system.

    That is not the default for FB and never was. You have to jump through hoops to set it up so that a small semblance of privacy (or more accurately the illusion of it) is maintained there. And every time they update something the privacy settings for that something is always "Show it to the whole wide world!"

    Also, we aren't talking about what is shown to other users but what is shown and recorded forever and tracked by the company behind it. That was a nice bit of sleight of hand you did with that by the way. FB does record, aggregate and sell your user data no matter what your security settings.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  16. Since when.... by Dcnjoe60 · · Score: 1

    Since when is Google storing a cookie on your local computer the same as Google collecting data on you. Collecting, by its very definition, would mean that they are storing the data on their computer. Now, if Google then harvests the data stored locally and does something with it, that is a different story, but just having Google store a cookie, does not in and of itself mean that they are collecting personal data, even if the cookie contains personal data. If that were the case, then just about every website you visit would be guilty of the same thing as almost all of them store cookies.

    Here is another problem with the legal action being brought. It is being done so by somebody who knows and understands how computers work. Therefore, if you know that Google, or anybody else, is storing cookies and you allow it to persist, when your browser allows you to refuse cookies from certain sites, isn't their a form of contributory fault there? I'm not talking about John Q. Public, but a so called expert in the field (whether self proclaimed or not).

    I know that you have a much more difficult time getting an insurance company to pay a claim for a valuable stolen item if it was left on the front seat of a car with the windows rolled down and the door unlocked. It doesn't mean that the person should have stolen it, but that you should have protected it. If that is accepted, then why would an "expert" in the field of computer security not be held to the same standard?

  17. Re:Can't let every consumer dictate what privacy i by Plumpaquatsch · · Score: 1

    Yes if only there was some sort of policy regarding privacy that sites like Google would make public... Something that was easy to find, perhaps right on the bottom of every page. Something that said something like Privacy & Terms that you could simply click on to get information.

    Is the link to that page also on every webpage that Google uses it's third-party cookies on?

    --
    Of course news about a fake are Fake News.