Google Facing New Privacy Probe Over Safari Incident 134
An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."
Bug? (Score:2)
I still don't understand, isn't this a browser exploit that needs to be fixed? What's stopping another website from doing exactly the same thing?
Re:Bug? (Score:5, Informative)
It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround [webpolicy.org], because of previous agreements it has made regarding privacy.
Re: (Score:1)
Yes, Apple announced they will be patching this. It still doesn't look good for Google to be exploiting a browser vulnerability, they are supposedly a reputable corporation.
Re: (Score:2)
Look at the monkey! (Score:5, Insightful)
Re:Look at the monkey! (Score:5, Informative)
The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.
This all seems a lot more about this [falkvinge.net] than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.
Re: (Score:1)
They submitted a patch and exploited it anyway. Exploiting privacy vulnerabilities is bad, bad, bad. I don't care if Joseph Kony funds the investigation.
Re: (Score:3, Insightful)
Exploiting privacy vulnerabilities is bad, bad, bad.
That word...I don't think it means what you think it means.
Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web hi
Re: (Score:2)
Who said anything about stealing credit card numbers? You're conflating issues radically. This isn't a grand theft trial, and nobody is talking about taking root access to your PC. This is a probe into whether Google is adhering to privacy agreements.
My best guess is that you're objecting to the AC's use of the term "exploit" in the context of privacy (or maybe the term "vulnerability")? But what else do you call it if you say the hole is being used? It's a vulnerability, in the privacy field, which is
Re: (Score:2)
As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?
It's a pretty obvious false negatives vs. false positives trade off. There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff. But they also get used by ad networks to track people between websites, which can be undesirable. The problem is that the dividing line between first and third party cookies is very blurry (e.g. is fbcdn.net 'third party' when you're on facebook.com?) and even trying to make the distinction is somewhat questionable. So you draw a line a
Re: (Score:1)
There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff.
really easy: http://www.abine.com/dntdetail.php [abine.com]
Re: (Score:2)
And...? What does that have to do with Microsoft lobbying the government to harass Google about ambiguous cookie settings?
Re: (Score:2)
I need evidence before I can accept the reality you just pretended *is* happening.
Re: (Score:2)
Is this [falkvinge.net] the sort of thing you're looking for, or do you want something else?
Re: (Score:1)
Crap! and my mod points just expired. Someone mod the parent up! I think people fail to realize that 50% of web development involves "hacking" web browsers just to get legitimate functions to work consistently. (Well, maybe less than 50% now that IE6 is finally getting less support.)
While it is possible that Google violated an agreement here, that has limited relation to this being an "exploit". The negative connotation and inaccuracy around the terminology is misleading.
P.S. When Slashdot said my mod point
Re: (Score:2)
Re: (Score:2)
Google was quite explicitly abusing this vulnerability, and they got caught after signing something that suggested they would never do it.
So says Microsoft. But why would anyone ever believe anything Microsoft says about a competitor?
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
So if I submit a patch and they don't jump to it fast enough to suit me i can then pwn them consequence free?
To be perfectly honest I do think that computer hacking laws are totally redundant and should all be repealed. If you don't secure your system, blackhats in Russia and China (and Americans with identity-concealing botnets) are going to pwn you anyway, so it doesn't really matter whether you can prosecute the stupid ones in America because you need good security in any event and once you have it then the law is useless. All the law does is allow overzealous prosecutors to harass people, many of which are rea
Re: (Score:2)
The thing is a bit deeper than that. Analogy time.
Google had this agreement. According to Anthony Mouse below in the comments, Google knew of this problem. They submitted a bug fix. So the question for the prosecution and layperson is this, was there a way Google at this point could not abuse this bug?
Let's say there is gas pump at the only gas station in town. The pump are calibrated wrong and providing 1.5 gallons of fuel for every gallon "measured". In a fair world this would never have happened.
Re:Look at the monkey! (Score:5, Insightful)
The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated.
You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.
On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.
So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with work arounds like the one Google had been using.
So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.
Re: (Score:2)
You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.
On the other hand, Google clearly has an agenda. It includes access to as much of your data as they can manage. So it shouldn't be hard to imagine some sort of unifying goal when you read about something like this, and consider that notscripts still blows compared to noscript due to Chrome's architecture, and so on.
Re: (Score:2)
That sounds suspiciously like a conspiracy theory.
Re: (Score:2)
That sounds suspiciously like a conspiracy theory.
Two people getting together to bone a third person out of something is a conspiracy. A small handful of people deciding to lead a few products in the direction that gives their company the greatest advantage is hardly worth implying that someone is some kind of wacko over. It's precisely the Microsoft story, why should a variation be unbelievable at Google? Has human nature changed overnight? How about tactics, are they all different now?
Re: (Score:2)
The difference is that in the Microsoft case they actually had some, you know, evidence. The Halloween memos [wikipedia.org] and so forth. So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?
Re: (Score:2)
So what I'm saying is, do you have any evidence, or is it just a conspiracy theory?
Just a theory, but at least it's supported by what evidence there is. You should particularly note that I am not proposing a sinister conspiracy, just a conspiracy.
Re: (Score:2)
Then I guess I don't really buy it. I mean Chrome and Safari are both based on Webkit, which was mostly not created by Google. (It was originally KDE and then Apple played a big role.) By the time Google entered the scene most of the major architectural decisions had already been made and implemented, so if anybody designed it in a way that makes plugins that block javascript harder, it was KDE or Apple.
Likewise this thing with the cookies: I mean think about it. If it was this huge top down conspiracy then
Re: (Score:2)
The whole thing smells like standard issue human imperfection rather than some grand evil master plan.
There you go again, moving the goalposts, and attributing things to me that I didn't say or imply. You're a troll. Go away.
Re: (Score:2)
If I understand your point correctly it's that Google as an institution has an incentive to prevent ad blocking and so forth, which is "supported by what evidence there is," and that therefore we should ascribe that intent to the actions of its individual software engineers without any further evidence.
What I'm pointing out is that that doesn't make a lot of sense: They don't uniformly behave as though that is their goal, and in the instances where their actions are consistent with that theory (which, natur
Re: (Score:2)
What I'm pointing out is that that doesn't make a lot of sense:
No, you can point that out without all the hyperbole and false association. What you're doing is trolling, and now also being disingenuous. Or really stupid. And if that's a false dichotomy, please enlighten me as to what the third way might be.
Re: (Score:3, Funny)
If I leave my car door unlocked it's still illegal to steal it.
LOL the CAPTCHA for this post is "burglar".
Re:Bug? (Score:4, Insightful)
Re: (Score:2)
yes it's a bug but in the end the user said dont do this to my computer and google still did it
my computer is my property and google shouldn't have the right to install software/files on it if i say don't do it
Re: (Score:3)
Re: (Score:1)
Let's say you lock your car door. Someone comes along, unlocks your car door, and takes a shit on your front seat. Well, locks can be picked and people can shit in inappropriate places (cf Occupy Wall Street), so you can't prevent someone from breaking into your care and taking a shit. But that doesn't excuse anyone who does that. In fact, you could say that they, not the door lock, is the problem.
Slashdot Groupthink (Score:4, Insightful)
"Google did no wrong. Google is awesome."
Realthink:
I don't trust Google anymore than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)
Re: (Score:3, Funny)
But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!
Ra ra my mega corp can beat up your mega corp! Apple is evil, Google loves me!
Re: (Score:1)
Ha Ha!
Funny Anon. Coward. :-)
Re:Don't be Evil (Score:2)
It's okay for Google to do the same things Apple and Microsoft do, because Google has goodness in their hearts.
Re: (Score:2)
Re: (Score:2)
Looks to me as if the Slashdot Groupthink is currently a rant against Google posted from new iPads.
Re: (Score:2)
Hating corporations is a bit strong. They are a necessary part of an economy that is no government owned.
I'd say just realize that they are out after their own interests and you'll be on sound footing.
Re: (Score:2)
No, businesses are a necessity. Corporations are not.
Re: (Score:2)
Exactly.
The ideal U.S. would not have an corporations..... just private-owned proprietorships or partnerships where the owners(s) are directly responsible for the actions of their company and managers/employees.
Re: (Score:2)
Nope. Corporations are necessary. Single proprietorships cannot reach the scale needed to undertake large scale economic activities such as building the world-scale infrastructure needed for say, building a modern airliner or a transcontinental railway system.
Re: (Score:2)
Do no Evil out the door! (Score:4, Insightful)
If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a google.
Re: (Score:2, Interesting)
It's always been 'Do know evil'
Re: (Score:2)
Investigate Apple (Score:2, Insightful)
Isn't Safari the one misrepresenting what the security settings do?
While I'm as shocked as the next person that google knows I've been buying windshield wipers, how is it that google is being held to the promises Safari has made to its users?
Re: (Score:1)
I'm being facetious about investigating Apple. If it's not the way it should be, close the hole.
Google has code that raises its presence on a page to the level where it can then attach a cookie to the browser.
I'm unfamiliar with the exact nature of this problem, but is it a matter of:
if (BLOCKED) { circumvent() }
or just:
doSomething(); # Safari should have blocked this
It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button
Re: (Score:1)
Google imitated a legit form click. Blocking it in Safari will require a great deal of care to not break actual forms. This is why it's such a shit move on Googles part.
Re: (Score:2)
Re: (Score:2)
It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings.
The only reason to submit this form is to circumvent Safari's security settings. If the user allowed cookies to be set without user interaction, then the form is not needed. It is needed because it tricks Safari into believing that there was some user action, when there actually wasn't one.
Your argument is basically "if they check whether the door is locked and climb through the window if it is locked, but go through the front door if it's not locked, that's bad. But if they always climb through the wind
Re: (Score:3, Interesting)
I love Google as much as the next /. tard (and hate Apple to boot, I mean comeon, look at the evil deeds of each company and apple has so much more on it.) But Google purposely exploiting a security flaw in Safari is wrong. Plain and simple, however honestly I would like to wager Apple put it there on purpose to see if they could catch Google doing this. The reason I say this is, in chess (and corporate strategy is akin to Chess at times) one might allow themselves to lose a piece (reputation loss for Apple
Re: (Score:2)
Re: (Score:2)
Re:Investigate Apple (Score:5, Insightful)
Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.
There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isnt an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.
Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.
Re: (Score:2, Informative)
restrictions Apple claimed to have placed on their actions within the browser.
The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.
This would be a completely different thing if the default had been what it is in every other browser and it was being circumvented when the user had explicitly changed it, because in that case you hav
Re: (Score:2)
The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.
The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.
Re: (Score:2)
The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.
You're begging the question. The assumption you're making is that every possible use of third party cookies is inherently a privacy violation. If all they're using them to do is to see if you're logged into Google+ (so that they can give you a +1 button), how is that a privacy violation?
Re: (Score:1)
Which browser is it that Apple made that protects the privacy of its users? It's not Safari. That's what this is all about.
Did Google "circumvent" only for Safari, or is this how they set a cookie for all browsers and Apple claims it's an exploit because they mislead their Safari users into thinking they had privacy.
Re: (Score:2)
It didn't break any Google functionality. This is just for ad tracking purposes.
Try Ghostery and see for yourself
You can't try it anymore because they've turned it off. But what had happened was that if you were signed into Google+, on third party websites it would check for that cookie and give you a +1 button. That doesn't inherently involve any tracking at all. The possibility exists that they were using the same cookies to also track you, but that happens on the server side, so there is no real way to know that -- all this noise about privacy violations is pure speculation.
Re: (Score:2)
Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.
If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked
Re: (Score:2)
Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.
You're collapsing "can" and "do" when they aren't the same thing. The cookie could be used to track you, if every time you visit a website they record it in a database somewhere, but has anyone provided any evidence that they were intentionally doing that?
If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.
Except that they would need to read your cookie to know if you're signed into Google+ to know whether to put the +1 there at all.
Re: (Score:2)
And what's so bad about putting the Plus 1 button on the page regardless? I get the Facebook Like button (and a load of others) and I don't even have an account, so what makes Google special?
The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.
Re: (Score:2)
And what's so bad about putting the Plus 1 button on the page regardless?
They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.
The entire way in which they did this screams "we want to track you", despite your protestations to the contrary. No one needs to provide evidence that there is an actual database behind it, the implementation they went out of their way to use specifically allows for it when they don't need to do it that way at all.
You keep assuming that they "went out of their way" to do this somehow. More likely chain of events is that they designed it to use cookies in the first place, then someone realized it wasn't working properly on Safari and implemented a work around. Submitting a form is far, far, far less work tha
Re: (Score:2)
And what's so bad about putting the Plus 1 button on the page regardless?
They wanted you to be able to +1 ads if you like them. I kind of doubt the third party websites would be happy to see a redirect from their website to the Google+ sign in page in the event someone is not signed in.
I don't care what they want you to be able to do, your point is ludicrous.
Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.
And
Re: (Score:2)
Taking a random page off of Autosport.com (a site I currently have open), gives me a Twitter button which redirects to a sign in page when clicked, a LinkedIn button which redirects when clicked, a Facebook button which redirects when clicked, and indeed a Google +1 button which, surprise surprise, redirects anyway because I'm logged into a Google+ account which is not my own (business account) and requests permission to continue.
Those are somewhat different species of buttons. The third party website in those cases specifically inserted code for the buttons so that users would +1/like/whatever the website's own content, which directly benefits the website. What I'm talking about is putting the button on an ad, which only indirectly benefits the website it's actually on (by making ads more relevant/profitable), and which might be on websites that hadn't wanted or expected an ad that would spawn a new tab just for that. I could also
Re:Investigate Apple (Score:5, Insightful)
Re: (Score:2)
Re:Investigate Apple (Score:5, Insightful)
It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.
Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into an "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?
There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.
Re: (Score:2)
Perfectly stated. +1
Re: (Score:1)
I haven't seen evidence of "knowingly and willingly" other than they wrote the code. Setting cookies like that isn't exactly ground breaking. Does google set their cookies this way for all browsers?
If they only set it for Safari, and only when blocked, then sure. I haven't seen anyone make that claim though.
I bet the gov (Score:2)
would change their mind if Google gave them access to that info. THEN it would be ok because the online safety of every citizen and restoring the consumable media market is paramount.
Re: (Score:2)
Safari Incident (Score:2, Offtopic)
What Google did (Score:5, Informative)
Google created an invisible form on a web page and then simulated a click on to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.
Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.
Re: (Score:2, Redundant)
Why would you believe Apple over Google. Fanboy much?
let me tell you a story about the pot that called the kettle 'black'.
Re: (Score:2)
What a zealot. You may disagree with Apple's view of its customers, but at least it views us end users as its customers. Google has no such illusions: their customers are carriers, and secondarily manufacturers. You know, those same carriers and manufacturers who have been screwing us for years?
So yes, when it comes to serving its customers, I believe Apple (me as a customer) over Google (my carrier as a customer, and my information as its asset) any day of the week. And twice on weekends.
Re: (Score:2)
Exactly. Firefox also allows you to uncheck the option "Accept third-party cookies", and doesn't have this problem.
Alert W3C posting exploit code! (Score:4, Funny)
I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....
http://www.w3schools.com/jsref/met_form_submit.asp [w3schools.com]
Even worse, this malware generating site makes exploit code even easier...
http://api.jquery.com/submit/ [jquery.com]
And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens
Re: (Score:2, Informative)
Re: (Score:2)
Please don't confuse the World Wide Web Consortium [w3.org] with the shitty spam farm known as W3Schools.
There is no confusion. The satire benefits from the brevity of the w3schools and jquery links rather than the firehose of information at http://www.w3.org/Submission/web-forms2/#for-javascript [w3.org], for example.
Re: (Score:2)
What are you, illiterate?
That's a rather harsh assumption coming from someone who didn't bother to read the title of GP's post. If you are confused as to what "W3C" stands for, perhaps you should actually check out w3.org instead of asking stupid questions.
The security mechanism suck (Score:1)
It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for by passing the security mechanism instead of simply adding a lock.
Very nice.
Re: (Score:2)
Why don't they sue themselves? (Score:1)
Unbelievable (Score:1)
Re: (Score:1)
What's remarkable about the New York bill is that it would expand the state's database to include DNA from people convicted of almost any crime, even misdemeanors as minor as jumping over a subway turnstile.'
Interesting. Of course, it would make sense to simply collect a DNA sample in circumstances where previously they would have collected fingerprints. Going beyond that is expansion of their tracking.
Keep in mind, it's not "the government" that's asking for this. It's the people who elect the government. Maybe not all of them, but most of them.