
Google Facing FTC Fine Over Safari Privacy Breach

Posted by Soulskill
from the really-expensive-cookies dept.
suraj.sun writes "Bloomberg is reporting on Google's negotiation with the U.S. Federal Trade Commission over 'how big a fine, which could amount to more than $10 million, it will have to pay for its breach of Apple's Safari browser. The fine would be the first by the FTC for a violation of Internet privacy as the agency steps up enforcement of the Web.' Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time. 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' This February, Google was found to be bypassing privacy controls in Safari by making the browser think a user was submitting a form, when they actually weren't. '(The code used by Google was part of its program to place the "+1" button in advertisements.) At the time, the company issued a statement saying that the circumvention wasn't intentional, but privacy groups were still quick to file complaints with the FTC over Google's actions. That was quickly followed by a class-action lawsuit and an investigation by European regulators.'"

  • They were using a legitimate feature of the browser. It's not as if they were hacking/etc.. anyone can do this and submitting forms has been around since the web was born. If Apple wants to block cookies on 3rd party form submissions they can go right ahead. Until they do the blame is on Apple not Google.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

      • by VortexCortex (1117377) <(VortexCortex) ( ... -retrograde.com)> on Saturday May 05, 2012 @06:39AM (#39900487)

        Safari does block third-party cookies. Google fooled Safari into thinking they were first-party cookies so that they would be accepted by the browser. RTFA next time.

        Safari does NOT block third party cookies. Safari blocks SOME third party cookies -- You know, unless the user interacts with 3rd party assets, then they don't block the 3rd party cookies at all. The issue is caused by Safari's erroneous concept of what a user initiated event is. Which it damn sure knows how to tell the difference between a user initiated event! That's how pop up blocking has worked for over a decade. It's defective by design. Submitting a form to a hidden iframe is how we made Ajax work before XML HTTP Request was born, so it's not like Google did some magic mojo. I used to be able to pass JS variables across domains via iframe, but now browsers don't allow that -- Was I fooling the browsers by using their features before they disabled the feature?

        Oh I can hear the apple sauce sloshing already! But you're WRONG. You see -- There's this thing called JavaScript, and using it I can hover a 1px invisible iframe around under your gods damn mouse cursor -- And within that iframe: A 3rd party site. Now, just try and click anything. TADA Safari not blocking 3rd party cookies again. BECAUSE THEY DON'T. Well, actually yes... Safari does block a few 3rd party cookies -- But only if the 3rd party doesn't really want you to have the cookie. That you can't easily tell your browser WTF to do and have it just do what it says the option is Ridiculous. Here, I'll show you:

        if ( Third_Party_Cookies_Disabled && window.top.location != window.location ) return; // without setting the cookie.

        But NOOO! Safari has some other explicit BS logic that makes EXCEPTIONS to the rule. On Purpose! Google used such features that Apple devs made... And the dumb ass users got pissed off because their browser wasn't doing what they told it, but they couldn't blame Apple -- NO! Not Apple! So who? Google -- Protip: Google's not the only one bypassing your 3rd party cookie "blocking" system... Hey, doesn't Apple sell ads too? I bet they want them to "just work" too.

        Google was only serving up the form to people who were logged in to the service and had accepted their privacy policy stating that GOOGLE WOULD DO THIS.

        Also, if you disable all cookies in Safari -- It keeps sending my sites your cookies. You have to restart the browser before that setting takes effect. Why? Why doesn't that just work?! Every other browser just stops sending the cookies. Why? Because the names of the settings in Safari are specious. They're misinformative to say the least! "Disable 3rd party cookies unless you just recently changed the setting, or you accidentally click a 3rd party site, or the page submits a form or some Javascript puts a button under your cursor, or a bunch of other BS logic that we added to specifically ALLOW 3rd party cookies." -- THAT is what Safari does. RTFM next time, then test the software to be sure the manual's not lying. -- That's what I did.

        • Also there's this:

          Blocks outgoing cookies
          All web browsers (known bugs notwithstanding) are able to block incoming cookies and prevent them from being stored and used either temporarily or permanently. But only Firefox and Opera are designed to block the sending of any cookies they might have previously acquired but which the browser's cookie policy now blocks. If either Internet Explorer or Safari are set to block cookies, only newly arriving (incoming) cookies are blocked. They will both continue sending any (undesired) cookies outbound that they had previously acquired . . . which is almost certainly not what their user intends.

          From GRC's cookie research pages [grc.com] -- Which is what I've also observed. You disable 3rd party cookies, and yet it continues sending out any 3rd party cookies they already have set. The page is a bit outdated, since FF3 is out, but the statement about Safari holds true.

          Sure doesn't sound like it's Disabling 3rd Party Cookies to me....
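
The two behaviours argued over in the comments above (the form-submission exception to third-party blocking, and already-stored cookies still being sent after the setting is tightened), modelled as an added example that is not part of any comment and is not WebKit's code. The policy functions, `CookieJar`, the hostnames and the cookie value are all constructed for illustration.

```javascript
// Simplified model of a third-party cookie policy (constructed; not WebKit code).
// Sites are plain hostnames here; real browsers compare registrable domains.
const isThirdParty = (ctx) => ctx.requestSite !== ctx.topLevelSite;

// Policy A: what the setting's label suggests. No exceptions.
const strictPolicy = (ctx) => !isThirdParty(ctx);

// Policy B: the behaviour described in the thread. A form submission to the
// third party counts as user interaction, whoever triggered the submit.
const formExceptionPolicy = (ctx) =>
  !isThirdParty(ctx) || ctx.trigger === 'form-submit';

// Policy C: same exception, but only when the submit came from a real user
// gesture (the signal one commenter notes pop-up blockers already use).
const gestureCheckedPolicy = (ctx) =>
  !isThirdParty(ctx) || (ctx.trigger === 'form-submit' && ctx.userGesture === true);

class CookieJar {
  constructor(acceptPolicy, filterOutgoing) {
    this.acceptPolicy = acceptPolicy;     // decides whether Set-Cookie is honoured
    this.filterOutgoing = filterOutgoing; // also apply the policy when sending?
    this.store = new Map();               // site -> cookie value
  }
  // Response carried Set-Cookie; returns true if the cookie was stored.
  receive(ctx, value) {
    if (!this.acceptPolicy(ctx)) return false;
    this.store.set(ctx.requestSite, value);
    return true;
  }
  // Building a request; returns the cookie to attach, or null.
  send(ctx) {
    if (!this.store.has(ctx.requestSite)) return null;
    if (this.filterOutgoing && !this.acceptPolicy(ctx)) return null;
    return this.store.get(ctx.requestSite);
  }
}

// Constructed request contexts: an embedded resource, a form submitted by
// script, and a form submitted after a real click.
const embedded = { topLevelSite: 'news.example', requestSite: 'ads.example',
                   trigger: 'subresource', userGesture: false };
const scriptedSubmit = { ...embedded, trigger: 'form-submit' };
const clickedSubmit = { ...embedded, trigger: 'form-submit', userGesture: true };

// Which contexts does each policy let set a third-party cookie?
function audit() {
  const rows = {};
  const policies = { strictPolicy, formExceptionPolicy, gestureCheckedPolicy };
  for (const [name, policy] of Object.entries(policies)) {
    rows[name] = {
      embedded: policy(embedded),
      scriptedSubmit: policy(scriptedSubmit),
      clickedSubmit: policy(clickedSubmit),
    };
  }
  return rows;
}

// A cookie stored under "accept all", then the user switches to blocking.
// Without outgoing filtering the old cookie is still attached to requests.
function sentAfterTighteningSetting(filterOutgoing) {
  const jar = new CookieJar(() => true, filterOutgoing);
  jar.receive(embedded, 'id=constructed');
  jar.acceptPolicy = strictPolicy;
  return jar.send(embedded);
}

console.log(audit(), sentAfterTighteningSetting(false), sentAfterTighteningSetting(true));
```

Only the form-exception policy accepts the script-submitted form, and only a jar that filters outgoing requests stops sending the cookie it acquired before the setting changed.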

    • by jo_ham (604554) <joham999 AT gmail DOT com> on Friday May 04, 2012 @10:00PM (#39898425)

      That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google can do no wrong"?).

      Safari already blocks third party cookies by default, and to get around that "pesky" setting that prevents Google's ad tracking from working (and making them money), they designed a process that used an exploit to trick Safari into believing that user authorisation had been given to set the cookie anyway.

      No one is disputing that Safari needs to close that exploit (I'm sure it's being worked on, if it hasn't been closed already), but this certainly CAN NOT be described as "legitimate" use of a browser feature by any stretch of the imagination. It was a browser exploit designed to get around Safari's privacy settings.

      Put it this way, the user has the setting that says "do not accept third party cookies unless I specifically say so" and Google's response and direct action to that was "nah! that's really inconvenient to us, so we'll set that cookie anyway even though you have specifically said no"

      "Do No Evil (unless it interferes with the bottom line)".

      • Let me preface this by saying that I like Google. Google is my homepage, I use Google and Gmail on a daily basis, and I literally don't know how I could do my job without Google and Google Scholar. I liked the fact that they took a stand on the China issue, and I like the "do no evil" ethos.

        But there have been a lot- and I mean a lot- of recent reports about Google failing to live up to the whole "do no evil" thing. To sum up some recent stories about Google: Google paid $500 million to the government for

      • by kllrnohj (2626947)

        That this comment got insightful mods shows just how poorly understood this whole mess is on slashdot (or perhaps that the prevailing wisdom is that "Google is evil"?).

        First, blocking third party cookies is the browser's job. The site has *zero* way of knowing what that setting is. Google literally cannot respect that setting by itself, they don't have that information.

        Second, the issue isn't remotely what you think it was, nor is it an "exploit" at all. Go read the actual webkit bug: https://bugs.webkit.or [webkit.org]

  • Absolutely right! (Score:5, Insightful)

    by gnasher719 (869701) on Friday May 04, 2012 @07:04PM (#39897303)
    Safari lets the user choose in which situations cookies are accepted from a website. One of those situations is when the user fills out a form on the website, so clearly the user has knowingly interacted with the website. Google subverted this by secretly creating a form and pretending that it was filled out by the user, tricking Safari into accepting cookies. That was no accident, that was a deliberate trick to get around the user's privacy settings.

    Since Google was on the hook for previous privacy violations, and had agreed to a settlement where they agreed that the FTC should check for further violations, a fine at this time is quite correct.
    • Re: (Score:1, Troll)

      Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined! Seriously. It's like, at what point do you hold Google accountable for anything? Because according to supporters, the Street View thing was okay, Google Search Plus Your World excluding other more popular social networks was okay, the bypassing of Safari privacy controls was okay...and so on. The constant defense of their actions is getting really silly.

      Google really needs to do some soul-searching. 2012 has

      • Re: (Score:2, Flamebait)

        by pseudofrog (570061)
        Thankfully, we have companies like Microsoft and Apple -- true bastions of ethical business practice. It would be a shame if we lost their litigious, anti-competitive behavior.
      • Well, according to some of the early posts, this is somehow Apple's fault, and they should be fined

        Well, it was only possible for Google to exploit this security hole because the security hole existed, and that was Apple's fault. If you check back in the archives, you'll see a lot of people suggesting that Microsoft should be held liable for security holes in Windows, Internet Explorer, and so on. The reason this is unlikely to happen is that making developers liable for every bug (and almost any bug is a potential security hole when you're talking about a browser) would push development costs to such

    • by arose (644256)
      Is Google supposed to read Safari settings? You tell your software it should do X, it doesn't. Fine third party?
      • by jo_ham (604554)

        It's not quite that simple and you know it.

        The default setting is "no third party cookies unless the user specifically says so" so Google can't just set a third party cookie. What they can do (and did do) is trick the browser into accepting a cookie by silently creating a form and auto-submitting it to get around the privacy setting.

        It was a browser exploit, plain and simple. It needs to be fixed, obviously, but it's not the fault of Apple that Google used the exploit.

        • by arose (644256)
          It doesn't matter what the setting says. In this case the setting lied (no third party cookies... but we'll set them anyway) and the cookie owner is being blamed for not carefully following what the browser setting claims to do, not what it actually does. This is a design flaw, not an exploit. Google didn't inject code into Safari, didn't break into the user's machine and change the settings. I'm more worried about setting precedents that constrain third parties into doing what the first party understood a s
          • by jo_ham (604554)

            Again, this is not about the setting "lying". The setting works perfectly well - if you try to set a third party cookie the browser prevents it. That is why Google resorted to an exploit to get around it.

            Again, the exploit needs to be fixed - that is not in question - but the use of the exploit is not in any way Safari's fault.

            Your attempt to get Google off the hook here or somehow justify their choice to deliberately ignore user's settings and invade their privacy by tracking them is quite remarkable. I th

            • by arose (644256)

              The setting works perfectly well - if you try to set a third party cookie the browser prevents it.

              If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.

              their choice to deliberately ignore user's settings

              The browser is what ignored the setting, there can be no question about this as Google didn't modify its behaviour. The real question is where workarounds of software problems (this is very, very common

              • by jo_ham (604554)

                The setting works perfectly well - if you try to set a third party cookie the browser prevents it.

                If that was the case then no cookies would be set and we wouldn't be having this discussion. Be it an exploit or not, the browser is what ignored the setting.

                Right - that's the point. The setting works in most cases, it just doesn't work when the exploit is used - that's how exploits work and why they're called that.
                The setting says (I just checked the exact wording) "Block cookies from:" and then gives three options: third parties and advertisers (default), Always and Never.

                As indicated, the default is "third parties and advertisers" and it does this effectively. It is because it does this effectively that Google decided to use an exploit to get around it (ie,

                • by arose (644256)

                  The case against Google would be much stronger if it was not a default. It's much easier to believe that they went the technical workaround route to make multi service login work so as not to bother the user with changing a "broken" default. Had it been off by default the argument that Google deliberately ignored the users wishes would be more convincing as then the users actual wishes would be known, an obscure (in function, not location) default doesn't reflect deliberate user choice.

                  Not sure why you are

                  • by jo_ham (604554)

                    Again, you're trying to make this all about Google overcoming an "inconvenient" and "broken" default privacy setting.

                    Nothing about the default setting makes "multi service logins" fail to work since those are selected and approved by the user (for example, checking a box for "keep me logged in" or "remember me" or "keep me logged in across multiple sites"). What it *does not* allow is setting a cookie from a third party site - for example, Google's tracking cookie set when you browse to someone else's page (a

                    • by arose (644256)

                      Again, you're trying to make this all about Google overcoming an "inconvenient" and "broken" default privacy setting.

                      No, I'm still consistently bringing it up as one of the aspects.

                      What it *does not* allow is setting a cookie from a third party site - for example, Google's tracking cookie set when you browse to someone else's page (as in, not a Google page) with a G+ button on it, or a google text ad. Google is not allowed to set a cookie in this instance unless the user clicks on the button or advert. The

    • Re:Absolutely right! (Score:5, Interesting)

      by symbolset (646467) * on Friday May 04, 2012 @09:19PM (#39898201) Journal
      This is a fairly standard method. If Safari's design allows more disclosure than intended that's Safari's fault, not Google's. If this is not the intended functionality it's a browser bug and should be fixed.
  • by Anonymous Coward on Friday May 04, 2012 @07:07PM (#39897323)

    Google gets big, makes powerful enemies. News at 11.
    Funny how only really vague, trivial shit gets Google into the courtroom.

    For all those with a clue, Google's actions are really a workaround to a broken, stupid browser privacy scheme that does nothing to protect users from the real bad guys. Just a way to fix web pages for a browser that's not standards compliant. Many times less harmless to the hackery you have to commit to get a web page to work properly in IE6.

  • by cpu6502 (1960974) on Friday May 04, 2012 @07:10PM (#39897359)

    Microsoft only got 10 years, and they were not merely spying on people but also abusing their monopoly position to drive competitors out of business. (Kinda like what Comcast is doing now with Hulu, Amazon video streaming.) Google should receive a more-lenient settlement than 20 years.

    • According to Google, [cite] [google.com], it made about $40 billion last year in income. How much is a $20 million dollar fine compared to that? Let's put it this way... if you earned the median income for 2011 for your personal income ($49,445), and you were fined an equivalent percentage, the fine would be $24.74.

      In other words, Google is being fined less for violating your privacy than you would for a parking ticket.

      • Sorry, I re-read the article and realized the fine in my original post was double what was being suggested... It is instead about the price you would pay to buy you and your partner dinner at McDonald's. -_- Would you like to Supersize that privacy violation?
    • Those were simpler times... Google has a lot more data acquisition capabilities, market power, and social influence now than Microsoft ever had. They practically defeated SOPA single-handedly with a single ad on their main web page (yes, Wikipedia helped a bit). Sure, they've pledged to "don't be evil", and for the moment I'm inclined to give their current leadership the benefit of the doubt, but ten years out and who knows who'll be in control of all their data...

      Google still makes a ton of money, but cl

    • Google should receive a more-lenient settlement than 20 years.

      You must be joking / shilling!

      From the summary: 'The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.' .

      You might also want to RTFA: http://idealab.talkingpointsmemo.com/2011/10/googles-privacy-practices-to-be-monitored-for-the-next-20-years.php [talkingpointsmemo.com]

      They're talking specifically about 'misrepresenting' user information and 'protect[ing] consumer data' ... by one of the most powerful compani

  • by Charliemopps (1157495) on Friday May 04, 2012 @07:24PM (#39897469)
    There is no expectation of privacy on the internet, irrelevant of the browser you use or the site you visit. I would LOVE for the government to pass a law specifically stating there were such an expectation... but to do so would mean they would have to obey the law as well. For the government to fine a business for privacy violations when the government itself is collecting far more sensitive information about us, for much more nefarious purposes than profits, is just silly.
  • Whatever privacy violation Google committed here is diminutive in comparison to what our government does. Ironic that I just finished perusing this: http://yro.slashdot.org/story/12/05/04/1935210/fbi-we-need-wiretap-ready-web-sites-now [slashdot.org]
  • So, what about the defective Safari?
    Did Google actually violate the law any more so than Apple by expecting all websites to behave?

    • Good point. If Google is at fault here, why is Apple not also for offering a feature that claims to block 3rd party cookies and then actually allows them? Google can claim that they simply rely on the browser's stated features to actually work, and they can't be responsible for every possible bug in any browser in existence that might ignore the user's wishes and give Google more information than they should have. Personally, I think that if Google is investigated, so too should Apple be - they left this

  • As someone who has spent quite a bit of time dealing with quirks between the different browsers, it seems (barring evidence to the contrary) entirely possible that the developer may not even have just assumed they were working around a quirk.
  • drop, meet bucket. (Score:2, Insightful)

    by sdnoob (917382)

    $10 million, even $50 or $100 million isn't going to faze a company with google's revenues. they'll pay, admit to nothing, "promise" to do better (but not really do it).. life will go on and google will continue to trample on its users' privacy.

  • by Internetuser1248 (1787630) on Friday May 04, 2012 @11:12PM (#39898823)

    Last year, Google agreed to a settlement in which the FTC would monitor Google's privacy practices for an extended period of time

    Does facebook have a similar agreement? This safari thing seems like peanuts compared to some of the stuff they pull. If I am wrong please feel free to explain to me how, I am not claiming to be an expert merely asking a question.
