Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Google Privacy Government Safari

Google Facing New Privacy Probe Over Safari Incident 134

Posted by Soulskill
from the hand-in-the-cookie-jar dept.
An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."
This discussion has been archived. No new comments can be posted.

Google Facing New Privacy Probe Over Safari Incident

Comments Filter:
  • I still don't understand, isn't this a browser exploit that needs to be fixed? What's stopping another website from doing exactly the same thing?

    • Re:Bug? (Score:5, Informative)

      by Dak RIT (556128) on Friday March 16, 2012 @11:31AM (#39379085) Homepage

      It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround [webpolicy.org], because of previous agreements it has made regarding privacy.

    • by Anonymous Coward

      Yes, Apple announced they will be patching this. It still doesn't look good for Google to be exploiting a browser vulnerability, they are supposedly a reputable corporation.

    • by betterunixthanunix (980855) on Friday March 16, 2012 @11:33AM (#39379115)
      Why fix security problems when you can just prosecute people?
      • by Anthony Mouse (1927662) on Friday March 16, 2012 @12:21PM (#39379857)

        The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.

        This all seems a lot more about this [falkvinge.net] than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.

        • by Anonymous Coward

          They submitted a patch and exploited it anyway. Exploiting privacy vulnerabilities is bad, bad, bad. I don't care if Joseph Kony funds the investigation.

          • Re: (Score:3, Insightful)

            Exploiting privacy vulnerabilities is bad, bad, bad.

            That word...I don't think it means what you think it means.

            Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web hi

            • Who said anything about stealing credit card numbers? You're conflating issues radically. This isn't a grand theft trial, and nobody is talking about taking root access to your PC. This is a probe into whether Google is adhering to privacy agreements.

              My best guess is that you're objecting to the AC's use of the term "exploit" in the context of privacy (or maybe the term "vulnerability")? But what else do you call it if you say the hole is being used? It's a vulnerability, in the privacy field, which is

              • As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?

                It's a pretty obvious false negatives vs. false positives trade off. There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff. But they also get used by ad networks to track people between websites, which can be undesirable. The problem is that the dividing line between first and third party cookies is very blurry (e.g. is fbcdn.net 'third party' when you're on facebook.com?) and even trying to make the distinction is somewhat questionable. So you draw a line a

                • by znrt (2424692)

                  There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff.

                  really easy: http://www.abine.com/dntdetail.php [abine.com]

                • Crap! and my mod points just expired. Someone mod the parent up! I think people fail to realize that 50% of web development involves "hacking" web browsers just to get legitimate functions to work consistently. (Well, maybe less than 50% now that IE6 is finally getting less support.)

                  While it is possible that Google violated an agreement here, that has limited relation to this being an "exploit". The negative connotation and inaccuracy around the terminology is misleading.

                  P.S. When Slashdot said my mod point

            • I say the right to privacy is dead, antiquated, and probably never existed in the first place. If you want privacy then you need to consciously make an effort to protect your data. If you are not sure it is private, then assume it is not private. Don't be so beef-headed as to assume your life is private because you have not published it. I think the assholes are right, and we just don't want to admit it because of some ideological cognitive dissonance. There is no privacy on the internet. If information abo

        • Google refuses to play their little game so the "government" is always at their heels. Microsoft started sucking up to government a long time ago to make money. They now have a lot of pull because of this in Washington whereas Google has no political power--and it seems like they want to keep it that way. Yeah, I'm a Google fan boy, and I will be until they start playing the game. Maybe they want to track their user behavior, but the obvious treatment they receive from our Washington overlords makes it clea

        • by hairyfeet (841228)

          So if I submit a patch and they don't jump to it fast enough to suit me i can then pwn them consequence free? Don't think that is how it works friend. I would link to the former Google employee's "Why i quit Google" over on OSNews but since they guy took a job at MSFT nobody would read it anyway, but it is looking more and more like what he posted was correct. he said in the beginning they were an engineering company that made cool stuff that you could then sell ads on, he likened it to making a top rated s

          • So if I submit a patch and they don't jump to it fast enough to suit me i can then pwn them consequence free?

            To be perfectly honest I do think that computer hacking laws are totally redundant and should all be repealed. If you don't secure your system, blackhats in Russia and China (and Americans with identity-concealing botnets) are going to pwn you anyway, so it doesn't really matter whether you can prosecute the stupid ones in America because you need good security in any event and once you have it then the law is useless. All the law does is allow overzealous prosecutors to harass people, many of which are rea

      • The thing is a bit deeper than that. Analogy time.

        Google had this agreement. According to Anthony Mouse below in the comments, Google knew of this problem. They submitted a bug fix. So the question for the prosecution and layperson is this, was there a way Google at this point could not abuse this bug?

        Let's say there is gas pump at the only gas station in town. The pump are calibrated wrong and providing 1.5 gallons of fuel for every gallon "measured". In a fair world this would never have happened.

        • by Anthony Mouse (1927662) on Friday March 16, 2012 @02:21PM (#39381473)

          The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated.

          You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

          On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.

          So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with work arounds like the one Google had been using.

          So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.

          • by drinkypoo (153816)

            You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

            On the other hand, Google clearly has an agenda. It includes access to as much of your data as they can manage. So it shouldn't be hard to imagine some sort of unifying goal when you read about something like this, and consider that notscripts still blows compared to noscript due to Chrome's architecture, and so on.

            • That sounds suspiciously like a conspiracy theory.

              • by drinkypoo (153816)

                That sounds suspiciously like a conspiracy theory.

                Two people getting together to bone a third person out of something is a conspiracy. A small handful of people deciding to lead a few products in the direction that gives their company the greatest advantage is hardly worth implying that someone is some kind of wacko over. It's precisely the Microsoft story, why should a variation be unbelievable at Google? Has human nature changed overnight? How about tactics, are they all different now?

                • The difference is that in the Microsoft case they actually had some, you know, evidence. The Halloween memos [wikipedia.org] and so forth. So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?

                  • by drinkypoo (153816)

                    So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?

                    Just a theory, but at least it's supported by what evidence there is. You should particularly note that I am not proposing a sinister conspiracy, just a conspiracy.

                    • Then I guess I don't really buy it. I mean Chrome and Safari are both based on Webkit, which was mostly not created by Google. (It was originally KDE and then Apple played a big role.) By the time Google entered the scene most of the major architectural decisions had already been made and implemented, so if anybody designed it in a way that makes plugins that block javascript harder, it was KDE or Apple.

                      Likewise this thing with the cookies: I mean think about it. If it was this huge top down conspiracy then

                    • by drinkypoo (153816)

                      The whole thing smells like standard issue human imperfection rather than some grand evil master plan.

                      There you go again, moving the goalposts, and attributing things to me that I didn't say or imply. You're a troll. Go away.

                    • If I understand your point correctly it's that Google as an institution has an incentive to prevent ad blocking and so forth, which is "supported by what evidence there is," and that therefore we should ascribe that intent to the actions of its individual software engineers without any further evidence.

                      What I'm pointing out is that that doesn't make a lot of sense: They don't uniformly behave as though that is their goal, and in the instances where their actions are consistent with that theory (which, natur

                    • by drinkypoo (153816)

                      What I'm pointing out is that that doesn't make a lot of sense:

                      No, you can point that out without all the hyperbole and false association. What you're doing is trolling, and now also being disingenuous. Or really stupid. And if that's a false dichotomy, please enlighten me as to what the third way might be.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      If I leave my car door unlocked it's still illegal to steal it.

      LOL the CAPTCHA for this post is "burglar".

    • Re:Bug? (Score:4, Insightful)

      by bkaul01 (619795) on Friday March 16, 2012 @11:47AM (#39379331)
      Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.
    • by alen (225700)

      yes it's a bug but in the end the user said dont do this to my computer and google still did it

      my computer is my property and google shouldn't have the right to install software/files on it if i say don't do it

    • It's a browser vulnerability, yes. Apple should fix it, absolutely. However, the existence of security holes has never been a valid defence for exploiting them. If it were, then there would be almost no computer-related crimes...
    • Let's say you lock your car door. Someone comes along, unlocks your car door, and takes a shit on your front seat. Well, locks can be picked and people can shit in inappropriate places (cf Occupy Wall Street), so you can't prevent someone from breaking into your care and taking a shit. But that doesn't excuse anyone who does that. In fact, you could say that they, not the door lock, is the problem.

  • by cpu6502 (1960974) on Friday March 16, 2012 @11:28AM (#39379041)

    "Google did no wrong. Google is awesome."

    Realthink:
    I don't trust Google anymore than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)

    • Re: (Score:3, Funny)

      by Anonymous Coward

      But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!

      Ra ra my mega corp can beat up your mega corp! Apple is evil, Google loves me!

    • by jdgeorge (18767)

      Looks to me as if the Slashdot Groupthink is currently a rant against Google posted from new iPads.

    • Hating corporations is a bit strong. They are a necessary part of an economy that is no government owned.

      I'd say just realize that they are out after their own interests and you'll be on sound footing.

      • No, businesses are a necessity. Corporations are not.

        • by cpu6502 (1960974)

          Exactly.

          The ideal U.S. would not have an corporations..... just private-owned proprietorships or partnerships where the owners(s) are directly responsible for the actions of their company and managers/employees.

        • Nope. Corporations are necessary. Single proprietorships cannot reach the scale needed to undertake large scale economic activities such as building the world-scale infrastructure needed for say, building a modern airliner or a transcontinental railway system.

    • You are getting the two confused. Corporations morph into the acting governmental force. How is this eluding you? Google has not morphed into a governmental force, yet.

  • by stupor (165265) on Friday March 16, 2012 @11:29AM (#39379047)

    If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a google.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      It's always been 'Do know evil'

  • Investigate Apple (Score:2, Insightful)

    by haystor (102186)

    Isn't Safari the one misrepresenting what the security settings do?

    While I'm as shocked as the next person that google knows I've been buying windshield wipers, how is it that google is being held to the promises Safari has made to its users?

    • by Richard_at_work (517087) <.moc.liamg. .ta. .ecirpdrahcir.> on Friday March 16, 2012 @12:02PM (#39379575)

      Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.

      There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isnt an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.

      Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.

      • Re: (Score:2, Informative)

        restrictions Apple claimed to have placed on their actions within the browser.

        The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

        This would be a completely different thing if the default had been what it is in every other browser and it was being circumvented when the user had explicitly changed it, because in that case you hav

        • The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

          The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

          • The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

            You're begging the question. The assumption you're making is that every possible use of third party cookies is inherently a privacy violation. If all they're using them to do is to see if you're logged into Google+ (so that they can give you a +1 button), how is that a privacy violation?

          • by haystor (102186)

            Which browser is it that Apple made that protects the privacy of its users? It's not Safari. That's what this is all about.

            Did Google "circumvent" only for Safari, or is this how they set a cookie for all browsers and Apple claims it's an exploit because they mislead their Safari users into thinking they had privacy.

    • by TheRaven64 (641858) on Friday March 16, 2012 @12:05PM (#39379621) Journal
      Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?
      • If you leave your front door unlocked and I let myself in, do you file a lawsuit against Kwikset or do you have me arrested?
    • by Americano (920576) on Friday March 16, 2012 @12:25PM (#39379907)

      Isn't Safari the one misrepresenting what the security settings do?

      It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.

      Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into an "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?

      There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.

  • would change their mind if Google gave them access to that info. THEN it would be ok because the online safety of every citizen and restoring the consumable media market is paramount.

    • by oodaloop (1229816)
      Yes, because the United States government is one unified whole, and the NSA and the FCC sit in the same office and have the same goals.
  • Safari Incident (Score:2, Offtopic)

    by necro81 (917438)
    Before the comprehension-side of the my brain caught up, for a moment I thought we were talking about Google going out for a hunt on the savanna.
  • What Google did (Score:5, Informative)

    by Animats (122034) on Friday March 16, 2012 @11:43AM (#39379263) Homepage

    Google created an invisible form on a web page and then simulated a click on to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.

    Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.

  • by Lexx Greatrex (1160847) * on Friday March 16, 2012 @12:49PM (#39380273) Homepage Journal

    I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....

    http://www.w3schools.com/jsref/met_form_submit.asp [w3schools.com]

    Even worse, this malware generating site makes exploit code even easier...

    http://api.jquery.com/submit/ [jquery.com]

    And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens

  • It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for by passing the security mechanism instead of simply adding a lock.

    Very nice.

  • I love how one branch of the government is suing Google for privacy breach, while another is building a top secret domestic spy center (in Bluffdale Utah of all places), in absolute contempt of the US constitution. Is it that the right hand doesn't know what the left hand is doing or does the government think only it has the right to spy on us? And isn't Google hooked up to the NSA? How does that work? Boggles my fragile little mind. Maybe the whole thing's just a publicity stunt to keep the American Idol
  • I cannot believe that Google would ever do anything a nefarious as this. Only Microsoft is capable of this treachery.. Why next thing you know, they will be insinuating that there are security bugs in Firefox.

The idle man does not know what it is to enjoy rest.

Working...