Should The FTC Investigate Google's Safari Gaffe?

[nsane.forums]

Complaints mount about the difference between policy and practice in Google's efforts to respect privacy but serve up targeted ads.

Privacy advocates and now some members of Congress say Google should answer for its practice of bypassing the default privacy settings of potentially millions of users of Apple's Safari browser.

Three members of the U.S. House of Representatives are asking the Federal Trade Commission to investigate Google's Safari workaround. The Electronic Privacy Information Center is going further, asking [PDF] the FTC to find that Google violated its recent settlement with the federal agency regarding its Buzz privacy practices. Google, meanwhile, says it was merely using "known functionality" in Safari and any resulting privacy violations were just a mishap the company "didn't anticipate."

Goofari

The Wall Street Journalrecently reported that Google was bypassing the default privacy settings in Apple's Safari for both desktop and mobile devices. Google's privacy violations potentially include users of iPhone, iPod Touch, iPad, and Mac OS X devices, as well as Safari for Windows users. Safari's defaults prohibit third parties such as advertising and web analytics firms from setting tracking cookies without user authorization. This presented a problem for Google, since the company wanted to identify when users were signed in to their Google accounts in order to deliver personalized advertising and the ability to +1 (similar to a Facebook like) items online.

To get around this issue, Google inserted an invisible web form into its advertising if a user clicked on the company's +1 buttons embedded in Google advertising. Safari would then think the user interacted with the invisible form and allow the browser to accept further cookies.

This workaround also enabled Google to track users across the web even though their privacy settings said they didn't want to be tracked. Google responded to the accusations by saying it was only providing features that signed-in Google users had enabled using "known functionality" in Safari's web browser. But, the company said, it didn't anticipate that Safari's "known functionality" would have the side effect of allowing other tracking cookies to be set as well, such as cookies from its advertising service, DoubleClick.

So should the FTC chalk this up to a big misunderstanding and a mistake, or investigate Google's potential misbehavior? Regardless, of Google's motives, I think the FTC should investigate and here's why.

Broke the Rules

"We used known Safari functionality to provide features that signed-in Google users had enabled," says Rachel Whetstone, Google's senior vice president of communications and public policy in response to the Journal's report. "Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies...Last year, we began using this functionality to enable features for signed-in Google users on Safari."

Whetstone argues that Google was only enabling "known functionality" in Safari to carry out the wishes of signed-in Google users. But was this the best plan? Instead of using this workaround couldn't Google have used a browser pop-up or a web page redirect to alert users they needed to change their cookie settings to enable this kind of activity? Instead, the company chose to use an invisible method beyond the control of the user.

Popularity

Thanks to the popularity of Apple's Safari browser on iOS, the result of Google's workaround is that the privacy of perhaps millions of users was violated. Apple's Safari currently accounts for 55 percent of all smartphone and tablet browsing activity worldwide, according to metrics firm Netmarketshare.

Same old Song and Dance

Every time Google is found to be up to no good, the company uses virtually the same excuse: "Oops, sorry, that was a mistake, we didn't know we were doing that." This time around it was Whetstone saying that Google "didn't anticipate" its Safari workaround would allow it to set tracking cookies the user hadn't explicitly authorized.

When privacy concerns were raised over Google's failed social networking platform, Buzz, in February 2010, the company responded, "We quickly realized that we didn't get everything quite right. We're very sorry for the concern we've caused." Google then promised to do better.

A few months later, in May, Google was caught collecting user data from unencrypted Wi-Fi networks as it used its Street View cars to create a worldwide database of Wi-Fi routers to help improve the company's mobile location services. "We have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products," Google said.

More recently, in January, Google was accused of trying to weasel money out of small business owners in Kenya, Africa by falsely claiming that it was in a joint venture with Mocality, a Kenya-based crowd sourced business directory. And what was Google's response this time? "We were mortified to learn that a team of people working on a Google project improperly used Mocality’s data and misrepresented our relationship with Mocality," said Nelson Mattos Google's vice president for product and engineering in Europe and emerging markets. "We’re still investigating exactly how this happened, and as soon as we have all the facts, we’ll be taking the appropriate action with the people involved." Oops, we didn't know -- again.

So inside of 12 months, Google has committed four serious gaffes and for all four times the company said it didn't realize what it was doing. That may in fact be true in each case, but does oversight excuse the error? How many times can Google say, "Oops, we goofed, we didn't know" before the company is held to account for its self-inflicted stupidity? Accident or not, Google should be investigated for its bad behavior and held accountable for its actions.

View: Original Article

[johndoe]

not to be the devil's advocate but i would like to reiterate what i said before. in this particular instance, it should not be google thats held accountable, rather the makers of the browsers that were exploited, Microsoft (IE9) and Apple (Safari). After all, it could have been someone with drastically more malicious intent than google had that exploited these vulnerabilities and could in fact have cause much more damage. Google in fact should actually be praised for having brought these vulnerabilities to light :D

[DKT27]

Google didn't bring this to light. Infact it never wanted it to come to light. It was exploiting these vulnerabilities from a long time and didn't wanted anyone to know. A software without vulnerabilities and/or bugs is not a software. A responsible act would have been that Google would have reported this to M$ and Apple, but instead, they exploited it. This is something moral-less black hats do, for personal gains, not world class company, that kinda has a reputation.

[Tweety.Abd]

Most definitely yes, they should probe the matter and find their intentions of their actions.

[johndoe]

i did not mean google brought it to light, i meant because of what google did and because it is a high profile company it automatically came to light. if another smaller company had done the same thing ms and apple would have sent their lawyers to threaten them to cease and desist and shut up about it as well. because it was google, both companies started crying to put all the blame on google