Google Facing FTC Fine Over Safari Privacy Breach
suraj.sun writes "Bloomberg is reporting on Google's negotiation with the U.S. Federal Trade Commission over 'how big a fine, which could amount to more than $10 million, it will have to pay for its breach of Apple's Safari browser. The fine would be the first by the FTC for a violation of Internet privacy as the agency steps up enforcement of the Web.' Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time. 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' This February, Google was found to be bypassing privacy controls in Safari by making the browser think a user was submitting a form, when they actually weren't. '(The code used by Google was part of its program to place the "+1" button in advertisements.) At the time, the company issued a statement saying that the circumvention wasn't intentional, but privacy groups were still quick to file complaints with the FTC over Google's actions. That was quickly followed by a class-action lawsuit and an investigation by European regulators.'"
Re: (Score:1)
Re: (Score:1)
(Guy who thinks that copyright infringement is stealing)
Re: (Score:2, Insightful)
If you forget to lock your car door and someone steals your car, should you be arrested as an accessory to grand theft?
Poor car analogy, not least because your insurance company might not be very sympathetic, and also because it isn't the end user's fault in the Safari case. Better analogy:
If your car manufacturer builds a faulty door lock, and the car gets stolen, should the manufacturer have liability (i.e. should you be able to sue them for loss of your car when you had some expectation of security)? Probably, the answer is "yes" (but probably you can leave the insurance guys to take them to task instead, since they're the
Re: (Score:3)
No, more accurately – if the manufacturer builds a faulty lock, and Bill steals the car, should Bill still go to jail for theft ;)
Re: (Score:2)
Pfft whatever... If Google broke the law, they should be fined. It will be a slap on the wrist anyway. If not, write a nasty press release about them, and let god sort it out. This is like the senate wasting an infinite amount of time on steroids in professional sports.
Re: (Score:3)
How about fix the browser (Score:2, Insightful)
Re: (Score:2, Informative)
Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.
Re:How about fix the browser (Score:5, Interesting)
Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.
Safari does NOT block third party cookies. Safari blocks SOME third party cookies -- You know, unless the user interacts with 3rd party assets, then they don't block the 3rd party cookies at all. The issue is caused by Safari's erroneous concept of what a user initiated event is. Which it damn sure knows how to tell the difference between a user initiated event! That's how pop up blocking has worked for over a decade. It's defective by design. Submitting a form to a hidden iframe is how we made Ajax work before XML HTTP Request was born, so it's not like Google did some magic mojo. I used to be able to pass JS variables across domains via iframe, but now browsers don't allow that -- Was I fooling the browsers by using their features before they disabled the feature?
Oh I can hear the apple sauce sloshing already! But you're WRONG. You see -- There's this thing called JavaScript, and using it I can hover a 1px invisible iframe around under your gods damn mouse cursor -- And within that iframe: A 3rd party site. Now, just try and click anything. TADA Safari not blocking 3rd party cookies again. BECAUSE THEY DON'T. Well, actually yes... Safari does block a few 3rd party cookies -- But only if the 3rd party doesn't really want you to have the cookie. That you can't easily tell your browser WTF to do and have it just do what it says the option is Ridiculous. Here, I'll show you:
if ( Third_Party_Cookies_Disabled && window.top.location != window.location ) return; // without setting the cookie.
But NOOO! Safari has some other explicit BS logic that makes EXCEPTIONS to the rule. On Purpose! Google used such features that Apple devs made... And the dumb ass users got pissed off because their browser wasn't doing what they told it, but they couldn't blame Apple -- NO! Not Apple! So who? Google -- Protip: Google's not the only one bypassing your 3rd party cookie "blocking" system... Hey, doesn't Apple sell ads too? I bet they want them to "just work" too.
Google was only serving up the form to people who were logged in to the service and had accepted their privacy policy stating that GOOGLE WOULD DO THIS.
Also, if you disable all cookies in Safari -- It keeps sending my sites your cookies. You have to restart the browser before that setting takes effect. Why? Why doesn't that just work?! Every other browser just stops sending the cookies. Why? Because the names of the settings in Safari are specious. They're misinformative to say the least! "Disable 3rd party cookies unless you just recently changed the setting, or you accidentally click a 3rd party site, or the page submits a form or some Javascript puts a button under your cursor, or a bunch of other BS logic that we added to specifically ALLOW 3rd party cookies." -- THAT is what Safari does. RTFM next time, then test the software to be sure the manual's not lying. -- That's what I did.
Re: (Score:2)
Blocks outgoing cookies
All web browsers (known bugs notwithstanding) are able to block incoming cookies and prevent them from being stored and used either temporarily or permanently. But only Firefox and Opera are designed to block the sending of any cookies they might have previously acquired but which the browser's cookie policy now blocks. If either Internet Explorer or Safari are set to block cookies, only newly arriving (incoming) cookies are blocked. They will both continue sending any (undesired) cookies outbound that they had previously acquired . . . which is almost certainly not what their user intends.
From GRC's cookie research pages [grc.com] -- Which is what I've also observed. You disable 3rd party cookies, and yet it continues sending out any 3rd party cookies they already have set. The page is a bit outdated, since FF3 is out, but the statement about Safari holds true.
Sure doesn't sound like it's Disabling 3rd Party Cookies to me....
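The two gaps the comments above describe (a third-party cookie accepted because the request is a form submission, and previously stored third-party cookies still being sent after blocking is enabled) can be written down as test cases. This is an added example, not code from the thread, from Safari or from WebKit; the policy functions are a simplified model of the behaviour as the commenters describe it, and every name and host in it is hypothetical.

```javascript
// Naive "site" of a host: last two labels (assumption; real browsers use the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');
const isThirdParty = (req) => site(req.requestHost) !== site(req.topLevelHost);

// Model of the behaviour described in the comments (not Safari's actual code):
// third-party Set-Cookie is refused unless the request is a form submission,
// and anything already in the cookie jar is still sent.
function describedPolicy(req, jar) {
  return {
    storeCookie: !isThirdParty(req) || req.isFormSubmission,
    sendCookie: jar.has(site(req.requestHost)),
  };
}

// Strict model: third-party requests never store and never send cookies.
function strictPolicy(req, jar) {
  const third = isThirdParty(req);
  return { storeCookie: !third, sendCookie: !third && jar.has(site(req.requestHost)) };
}

// Constructed cases: what a user who chose "block third-party cookies" would expect.
const embed = { topLevelHost: 'news.example', requestHost: 'ads.tracker.example' };
const CASES = [
  { name: 'embedded subresource', jar: [],
    req: { ...embed, isFormSubmission: false },
    expect: { storeCookie: false, sendCookie: false } },
  { name: 'scripted form post in hidden iframe', jar: [],
    req: { ...embed, isFormSubmission: true },
    expect: { storeCookie: false, sendCookie: false } },
  { name: 'cookie acquired before blocking was enabled', jar: ['tracker.example'],
    req: { ...embed, isFormSubmission: false },
    expect: { storeCookie: false, sendCookie: false } },
  { name: 'first-party login', jar: ['shop.example'],
    req: { topLevelHost: 'shop.example', requestHost: 'www.shop.example', isFormSubmission: false },
    expect: { storeCookie: true, sendCookie: true } },
];

// Run every case against a policy and report each decision that differs from the expectation.
function auditPolicy(policy) {
  const findings = [];
  for (const c of CASES) {
    const got = policy(c.req, new Set(c.jar));
    for (const key of Object.keys(c.expect)) {
      if (got[key] !== c.expect[key]) findings.push(`${c.name}: ${key}=${got[key]}`);
    }
  }
  return findings;
}

console.log('described policy gaps:', auditPolicy(describedPolicy));
console.log('strict policy gaps:', auditPolicy(strictPolicy));
```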
Re:How about fix the browser (Score:5, Insightful)
That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google can do no wrong"?).
Safari already blocks third party cookies by default, and to get around that "pesky" setting that prevents Google's ad tracking from working (and making them money), they designed a process that used an exploit to trick Safari into believing that user authorisation had been given to set the cookie anyway.
No one is disputing that Safari needs to close that exploit (I'm sure it's being worked on, if it hasn't been closed already), but this certainly CAN NOT be described as "legitimate" use of a browser feature by any stretch of the imagination. It was a browser exploit designed to get around Safari's privacy settings.
Put it this way, the user has the setting that says "do not accept third party cookies unless I specifically say so" and Google's response and direct action to that was "nah! that's really inconvenient to us, so we'll set that cookie anyway even though you have specifically said no"
"Do No Evil (unless it interferes with the bottom line)".
Re: (Score:3)
But there have been a lot- and I mean a lot- of recent reports about Google failing to live up to the whole "do no evil" thing. To sum up some recent stories about Google: Google paid $500 million to the government for
Re: (Score:2)
That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google is evil"?).
First, blocking third party cookies is the browser's job. The site has *zero* way of knowing what that setting is. Google literally cannot respect that setting by itself, they don't have that information.
Second, the issue isn't remotely what you think it was, nor is it an "exploit" at all. Go read the actual webkit bug: https://bugs.webkit.or [webkit.org]
Re: (Score:2, Informative)
Punitive fines are a thing. They are designed to discourage bad behavior.
If fines only made you pay back damages, then there is no disincentive to fuck people over.
while (1) {
    Cheat();
    if (CAUGHT) PayFine();
}
With punitive damages:
while (IsProfitable(totalFines, totalIllicitGains)) {
    Cheat();
    if (CAUGHT) PayFine();
}
Absolutely right! (Score:5, Insightful)
Since Google was on the hook for previous privacy violations, and had agreed to a settlement where they agreed that the FTC should check for further violations, a fine at this time is quite correct.
Re: (Score:1, Troll)
Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined! Seriously. It's like, at what point do you hold Google accountable for anything? Because according to supporters, the Street View thing was okay, Google Search Plus Your World excluding other more popular social networks was okay, the bypassing of Safari privacy controls was okay...and so on. The constant defense of their actions is getting really silly.
Google really needs to do some soul-searching. 2012 has
Re: (Score:2, Flamebait)
Re: (Score:2)
Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined
Well, it was only possible for Google to exploit this security hole because the security hole existed, and that was Apple's fault. If you check back in the archives, you'll see a lot of people suggesting that Microsoft should be held liable for security holes in Windows, Internet Explorer, and so on. The reason this is unlikely to happen is that making developers liable for every bug (and almost any bug is a potential security hole when you're talking about a browser) would push development costs to such
Re: (Score:1)
Re: (Score:2)
It's not quite that simple and you know it.
The default setting is "no third party cookies unless the user specifically says so" so Google can't just set a third party cookie. What they can do (and did do) is trick the browser into accepting a cookie by silently creating a form and auto-submitting it to get around the privacy setting.
It was a browser exploit, plain and simple. It needs to be fixed, obviously, but it's not the fault of Apple that Google used the exploit.
Re: (Score:2)
Re: (Score:2)
Again, this is not about the setting "lying". The setting works perfectly well - if you try to set a third party cookie the browser prevents it. That is why Google resorted to an exploit to get around it.
Again, the exploit needs to be fixed - that is not in question - but the use of the exploit is not in any way Safari's fault.
Your attempt to get Google off the hook here or somehow justify their choice to deliberately ignore users' settings and invade their privacy by tracking them is quite remarkable. I th
Re: (Score:2)
If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.
The browser is what ignored the setting, there can be no question about this as Google didn't modify its behaviour. The real question is where workarounds of software problems (this is very, very common
Re: (Score:2)
If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.
Right - that's the point. The setting works in most cases, it just doesn't work when the exploit is used - that's how exploits work and why they're called that.
The setting says (I just checked the exact wording) "Block cookies from:" and then gives three options: third parties and advertisers (default), Always and Never.
As indicated, the default is "third parties and advertisers" and it does this effectively. It is because it does this effectively that Google decided to use an exploit to get around it (ie,
Re: (Score:2)
The case against Google would be much stronger if it was not a default. It's much easier to believe that they went the technical workaround route to make multi service login work so as not to bother the user with changing a "broken" default. Had it been off by default the argument that Google deliberately ignored the users' wishes would be more convincing as then the users' actual wishes would be known, an obscure (in function, not location) default doesn't reflect deliberate user choice.
Not sure why you are
Re: (Score:2)
Again, you're trying to make this all about Google overcoming an "inconvenient" and "broken" default privacy setting.
Nothing about the default setting makes "multi service logins" fail to work since those are selected and approved by the user (for example, checking a box for "keep me logged in" or "remember me" or "keep me logged in across multiple sites"). What it *does not* allow is setting a cookie from a third party site - for example, Google's tracking cookie set when you browse to someone else's page (a
Re: (Score:2)
No, I'm still consistently bringing it up as one of the aspects.
Re:Absolutely right! (Score:5, Interesting)
Re: (Score:2)
Not bonch, never been bonch, never will be bonch, but nice troll attempt. I thought all this nonsense ended a couple of months ago?
Re: (Score:2, Offtopic)
So, what you're saying, GreatBunzinni, is that you have no evidence beyond "I post on the same website as bonch" and "I share similar opinions"?
I've got news for you, son, not everyone who disagrees with you is the same person, nor is everyone who disagrees with you paid to do so because otherwise how else can they justify posting "obviously incorrect" information. I've been on this site since registering this account from new, and I've been the same person (and never anyone else) in that time. I've posted
Re: (Score:3)
Re: (Score:1)
Like I say, major apologism for Google here.
Look, I like them as much as the next guy (use Chrome, have gmail, use google maps all the time, use google search etc), but what they did here was wrong on a level that simply can't be handwaved away as "oh, it was a browser fault" or "oh, they didn't realise they were doing it" or "well, it's how it's always been done".
The setting is "no third party cookies unless allowed specifically by the user". Google exploited a flaw to get around that user setting to do it
Re: (Score:2)
Google has enemies. (Score:5, Insightful)
Google gets big, makes powerful enemies. News at 11.
Funny how only really vague, trivial shit gets Google into the courtroom.
For all those with a clue, Google's actions are really a workaround to a broken, stupid browser privacy scheme that does nothing to protect users from the real bad guys. Just a way to fix web pages for a browser that's not standards compliant. Many times less harmless to the hackery you have to commit to get a web page to work properly in IE6.
20 years seems excessive (Score:5, Insightful)
Microsoft only got 10 years, and they were not merely spying on people but also abusing their monopoly position to drive competitors out of business. (Kinda like what Comcast is doing now with Hulu, Amazon video streaming.) Google should receive a more-lenient settlement than 20 years.
Re: (Score:2)
According to Google, [cite] [google.com], it made about $40 billion last year in income. How much is a $20 million dollar fine compared to that? Let's put it this way... if you earned the median income for 2011 for your personal income ($49,445), and you were fined an equivalent percentage, the fine would be $24.74.
In other words, Google is being fined less for violating your privacy than you would for a parking ticket.
Re: (Score:2)
Re: (Score:2)
Those were simpler times... Google has a lot more data acquisition capabilities, market power, and social influence now than Microsoft ever had. They practically defeated SOPA single-handedly with a single ad on their main web page (yes, Wikipedia helped a bit). Sure, they've pledged to "don't be evil", and for the moment I'm inclined to give their current leadership the benefit of the doubt, but ten years out and who knows who'll be in control of all their data...
Google still makes a ton of money, but cl
Re: (Score:1)
Google should receive a more-lenient settlement than 20 years.
You must be joking / shilling!
From the summary: 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.'
You might also want to RTFA: http://idealab.talkingpointsmemo.com/2011/10/googles-privacy-practices-to-be-monitored-for-the-next-20-years.php [talkingpointsmemo.com]
They're talking specifically about 'misrepresenting' user information and 'protect[ing] consumer data' ... by one of the most powerful compani
Wait (Score:3)
Hypocrisy (Score:2)
Defective Products (Score:2)
So, what about the defective Safari?
Did Google actually violate the law any more so than Apple by expecting all websites to behave?
Re: (Score:2)
Good point. If Google is at fault here, why is Apple not also for offering a feature that claims to block 3rd party cookies and then actually allows them? Google can claim that they simply rely on the browser's stated features to actually work, and they can't be responsible for every possible bug in any browser in existence that might ignore the user's wishes and give Google more information than they should have. Personally, I think that if Google is investigated, so too should Apple be - they left this
In Good Faith? (Score:2)
drop, meet bucket. (Score:2, Insightful)
$10 million, even $50 or $100 million isn't going to faze a company with google's revenues. they'll pay, admit to nothing, "promise" to do better (but not really do it).. life will go on and google will continue to trample on its users' privacy.
Only google? (Score:3)
Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time
Does facebook have a similar agreement? This safari thing seems like peanuts compared to some of the stuff they pull. If I am wrong please feel free to explain to me how, I am not claiming to be an expert merely asking a question.