Google Facing Tens of Millions of Dollars in Fines over Safari Privacy Circumvention

[Rocketman]

Were you really damaged by this? The fines pay for the legal & technical investigation done by the government.

No it doesn't. They have an annual budget for investigations. Fines go to the treasury and are spent frivelously by the executive branch within the limits set by congress.

The only way there is symmetry is if the money goes to users via their walled garden supplier, Apple, who will use it far more productively. As demonstrated by past results.

Edit:

Here's a case where the fines and costs were a couple of orders of magnitude in excess of the damages.

Michael Milken

http://en.wikipedia.org/wiki/Michael_Milken

"The estimated injury for all counts combined was, by the judge's account, $318,000 and by the U.S. Probation Office's account $685,000.[12]

As part of his plea, Milken agreed to pay $200 million in fines. At the same time, he agreed to a settlement with the SEC in which he paid $400 million to investors who had been hurt by his actions. He also accepted a lifetime ban from any involvement in the securities industry. In a related civil lawsuit against Drexel he agreed to pay $500 million to Drexel's investors.[13][14] In total this means that he paid $1.1 billion for all lawsuits related to his actions while working at Drexel.

Critics of the government charge that the government indicted Milken's brother Lowell in order to put pressure on Milken to settle, a tactic condemned as unethical by some legal scholars. "I am troubled by - and other scholars are troubled by - the notion of putting relatives on the bargaining table," said Vivian Berger, a professor at Columbia University Law School, in a 1990 interview with the New York Times.[15] As part of the deal, the case against Lowell was dropped. Federal investigators also questioned some of Milken's relatives—including his aging grandfather—about their investments.[6]"

Summary:
the judge's account, $318,000 (fair and legal) and by the U.S. Probation Office's account $685,000 (where do they get the right?)
As part of his plea, Milken agreed to pay $200 million in fines (totally disproportional due to the extortion of the plea bargain-TD)
He also accepted a lifetime ban from any involvement in the securities industry. (TD)
Originally sentenced to 10 years in prison

That is not "equitable".

The FEDGOV treasury was not damaged yet received and kept $200m. None of that was given to victims, real or perceived.

 

[JohnDoe98]

Google should be reprimanded for doing this, but Apple shouldn't get a free pass when they leave us open to threats after they've been informed about security problems. This could have been anyone. Not just Google. Apple is a big boy now... it has to act like a grown up and mend its fences. We're the ones that suffer when they choose to ignore gaping holes in their systems.

Just think this through. You would be (1) constantly pushing out security patches and (2) in so doing calling attention to the security holes in your system.

"But they are patched now so who cares?". Well, (1) not everyone is constantly updating their systems, and (2) even less people would do so if you had constant updates coming in.

 

[phillipduran]

Dont Be Evil!!

What a bunch of dirtbags.

 

[Rocketman]

Don't Be Evil!!

It's a saying, not a lifestyle.

 

[Rodimus Prime]

Oh yeah nice supposition with no basis. The lengths people will go to defend Google is pathetic.

You'd think if there was one thing that was indefensible it would be a company collecting your private data without your knowledge or consent, but nope, the Google apologists think that's ok too! Sad, really.

Was not defending Google. I stated a fact.

The last 2 trojan that hit OSX were things that Apple knew about for months and they sat on it until it was exploited. It was magicly patch days later.

 

[iMikeT]

Do I get a piece of these tens of millions in fines because I am a Safari user?

 

[100Teraflops]

Every time I read a story like this I feel like I'm getting the okie doke. There is never enough information provided by either side. Although, I'm not happy with Google who in turn have become an advertising agency. Internet search engine? Not! Also, I think Apple had to have known about the loopholes of their browser. At this point, this topic is hear say and perfect for the rumor network.

 

[blackburn]

Want privacy? Ditch the Internet, your mobile phone, apple, google, microsoft, facebook etc.
Privacy nowadays is a myth. My droid has no google apps because they send a LOT of 'usage' data.

 

[AidenShaw]

Google picked them by inserting code into their ads which fooled safari into thinking the user was submitting a form.

Straight up exploitation of the browser. but no, it's apples fault

"Google Inc. (GOOG) is negotiating with the U.S. Federal Trade Commission over how big a fine it will have to pay"

Anyone else find this the most F'ed up part? That they can negotiate there fine.

People, you need to realize that Google had its own privacy setting.

Google's "trick" wasn't as nefarious as the tin-foil hat folks try to paint it.

If your Google preference was set to "remember sites", then Google would "remember sites" even if your Apple browser setting was "don't remember sites".

Negotiating the fine makes perfect sense, because Google was only doing what the user asked them to do.
_______________

By the way, I do think that Google is the current "evil empire" - but I think that in this case "doing what the customer asks" isn't necessarily evil. In particular, when the customer says both "Do X" and "Don't do X" in different preference settings.

 

[reedmartin]

People, you need to realize that Google had its own privacy setting.

Google's "trick" wasn't as nefarious as the tin-foil hat folks try to paint it.

If your Google preference was set to "remember sites", then Google would "remember sites" even if your Apple browser setting was "don't remember sites".

Negotiating the fine makes perfect sense, because Google was only doing what the user asked them to do.

i love how nicely you packaged it up for the tin foil folks

So, to review, Google realizes that a user does not want third party cookies. They then see that the user does want Google cookies. Instead of letting the user know there's a conflict or that their browser setting will be overridden, they insert code (hidden iframes often used by malware agents) into their ads which override the users browser setting without letting them know what they're doing and fool the browser into thinking that the user created an exception for googles cookies, when they didn't.

Thank goodness for aidenshaw and his great explanation for us slow folks!

 

[AidenShaw]

hitting the nail on the head

(snip)
So, to review, Google realizes that a user does not want third party cookies. They then see that the user does want Google cookies.
(snip)

This succinctly sums up the argument.

Thank you for the additional support.

 

[reedmartin]

This succinctly sums up the argument.

Thank you for the additional support.

Way to be selective. There's others here who do the same thing. I hope you don't design software. When there's a conflict you just assume the least restrictive one and then hide your activity with no mention to the user? Nice.

 

[albiesr2]

"Google Inc. (GOOG) is negotiating with the U.S. Federal Trade Commission"

Forget the negoations I so tired of all these companies selling information. I get call email and misc other stuff that took place almost ten years ago. Put an end to it, fine the hell out of them and make it hurt and in order to hurt a company this size it's going to need to be a billion, a 20 million fine is a drop inn the bucket as they have already made up for that with all the info they have collected

 

[Flitzy]

Good - the only problem with the fine is that it's not big enough. I can't believe that the "tech community" still fawns over Google like they're some kind of consumer based company.

Seriously, this is why I don't use most google apps. (Unfortunately youtube and google search I cannot find suitable alternatives for )

I understand that they make money tracking people, but the fact that they will utilize exploits and security flaws to do so is really disconcerting.

Use Yahoo - I like them much better (or Bing - Yahoo has options to search by date, though, which I like). I haven't used Google in a couple months now and I've never been happier.

 

[AidenShaw]

Way to be selective. There's others here who do the same thing. I hope you don't design software. When there's a conflict you just assume the least restrictive one and then hide your activity with no mention to the user? Nice.

When there's a conflict, you look at inheritance and whether app/user/system preferences should rule.

And usually that's the order of inheritance - app/user/system.

I'm not saying that what Google did doesn't warrant a fine and reprimand - just pointing out that there's quite a bit of ambiguity here, and negotiating the fine makes sense.

...and yes, I do design software.

 

[reedmartin]

When there's a conflict, you look at inheritance and whether app/user/system preferences should rule.

And usually that's the order of inheritance - app/user/system.

I'm not saying that what Google did doesn't warrant a fine and reprimand - just pointing out that there's quite a bit of ambiguity here, and negotiating the fine makes sense.

...and yes, I do design software.

I would argue that using safari amounts to using a "no access" type permission setting so it would be the least inclusive setting that takes precedence and not the most inclusive. If you've explicitly set that you want to block ALL cookies, permission should be asked to unblock/allow one.

I agree that there's no issue with the fine being negotiated, because it's going to be a drop in the bucket fine no matter what, and Google has already stopped this practice. Plus, let's be real, the ftc wasn't going to fine them a billion dollars.

However, i don't agree that Google is all innocent here. They knew exactly what they were doing and actively exploited a security flaw to collect data with zero indication to the user. The fact that they hid their activity in code just makes their wrongdoing even more ridiculous.

 

[jwise73]

Privacy on the internet? That's a laugh!

 

[AidenShaw]

However, i don't agree that Google is all innocent here.

Clearly we agree on this.

They knew exactly what they were doing and actively exploited a security flaw to collect data with zero indication to the user. The fact that they hid their activity in code just makes their wrongdoing even more ridiculous.

On the other hand, the world's HTML is full of special casing based on the browser's useragent ID string. To a programmer trying to make their own website work as intended for their users, adding custom code for particular browsers is part of everyday work.

Some people were lapse in not realizing that at least a popup should have asked whether the user wanted their Google preferences or their Apple preferences to prevail.

But, as much as I dislike Google, it's not a tin-foil hat "OMG Google is evil" event. At least fifty shades of grey here.

 

[reedmartin]

Clearly we agree on this.




On the other hand, the world's HTML is full of special casing based on the browser's useragent ID string. To a programmer trying to make their own website work as intended for their users, adding custom code for particular browsers is part of everyday work.

Some people were lapse in not realizing that at least a popup should have asked whether the user wanted their Google preferences or their Apple preferences to prevail.

But, as much as I dislike Google, it's not a tin-foil hat "OMG Google is evil" event. At least fifty shades of grey here.

I wouldn't think it was a tin foil hat Google is evil thing if they hadn't hidden the code in ads and tricked the browser into thinking the user had filled out a form if they clicked the ad. That screams premeditated. But i respect your opinion.

 

[JohnDoe98]

This succinctly sums up the argument.

Thank you for the additional support.

Except in your version it was the other way around. First it was on, then off. The reasonable thing is to presume the new, latest, setting is the correct one. Google chose to trust the first setting and then introduce this extremely shady and hidden ways of override the second setting. How's that for support?

----------

When there's a conflict, you look at inheritance and whether app/user/system preferences should rule.

And usually that's the order of inheritance - app/user/system.

I'm not saying that what Google did doesn't warrant a fine and reprimand - just pointing out that there's quite a bit of ambiguity here, and negotiating the fine makes sense.

...and yes, I do design software.

Does chronology play no role in your considerations? It seems to me the most important variable.

----------

I would argue that using safari amounts to using a "no access" type permission setting so it would be the least inclusive setting that takes precedence and not the most inclusive. If you've explicitly set that you want to block ALL cookies, permission should be asked to unblock/allow one.

Yep, at least that is how I always understood things to work. So I was quite surprised and frustrated to learn that those settings were being circumvented. I'd wager the majority of people interpreted things the way I did.

 

[kdarling]

Exactly, it's not like Google did this by accident. They purposely added code to trick the browser.

Well, "they" being a programmer or maybe two at Google. I'm betting the programmer had no idea his/her clever idea could become a cause célèbre, and I'm betting that their upper management didn't know about it either.

In real life, people sometimes screw up and their employers take the heat.

Another example of programmers not thinking about consequences, was the Apple developer who thought that an infinite location data lookup cache was okay. That became a public fiasco and caused a Congressional inquiry.

Is that how iAd works?

Yes. As Apple puts it:

Each ad is shown only to the audience you want to reach, in the apps they love and use the most. Our highly-effective targeting can leverage demographic data, as well as unique interest and preference data that taps into user passions that are relevant for your brand. Whether they are reading the news, playing a game or checking the local weather, your ad will make an impact.

Available Targeting Includes:

■Demographics
■Application preferences
■Music passions
■Movie, TV and audiobook genre interests
■Location
■Device (iPhone, iPad, iPod touch)
■Network (WiFi, 3G)

When a request comes in for an iAd, Apple chooses one from the information they have about you, including age, sex, income, media and app sales, etc.

IIRC, they keep a temporary database of which ad was served to you at that location, so that they won't repeat it for at least a month or so.

Apple gets one cent per ad view, of which they kick back 0.7 cent to the app that hosts the ad. They used to charge the advertiser $2 per click, but they recently stopped that due to advertisers running out of money after $100K worth of those in a short time.

 

[reedmartin]

Well, "they" being a programmer or maybe two at Google. I'm betting the programmer had no idea his/her clever idea could become a cause célèbre, and I'm betting that their upper management didn't know about it either.

In real life, people sometimes screw up and their employers take the heat.

Another example of programmers not thinking about consequences, was the Apple developer who thought that an infinite location data lookup cache was okay. That became a public fiasco and caused a Congressional inquiry

Oh no i agree, i don't think it was a corporate wide conspiracy by Google, but like you mentioned the company takes the heat, and honestly rightfully so. It may not be fair, but it's always the company that's gonna be blamed and not some programmer in a cubicle in mountain view. That's how is supposed to be.

People screw up but if you screw up like that you needed to be punished. I'm glad Google will be. There's no excuse when it comes to privacy, especially when you're actively violating sometimes privacy

 

[AidenShaw]

Except in your version it was the other way around. First it was on, then off. The reasonable thing is to presume the new, latest, setting is the correct one.
----------
Does chronology play no role in your considerations? It seems to me the most important variable.

I can't think of any system or language where chronology is a factor in inheritance.

And I would think that in fact many people would be annoyed if an update changed preferences that they have set.

I "mouse left", and I'd be annoyed if a mouse driver update changed my preference setting to "mouse right".

Same here - the user has told Google to save cookies. Should a browser update override the user preference?

Let me repeat, however, that IMO Google was wrong in not asking the user whether the Google setting or the Apple setting should prevail. I'm just arguing that the tin-hat "OMG Google is evil" position really ignores the facts of the situation. Fifty shades of grey.

 

[JohnDoe98]

Yes. As Apple puts it:



When a request comes in for an iAd, Apple chooses one from the information they have about you, including age, sex, income, media and app sales, etc.

IIRC, they keep a temporary database of which ad was served to you at that location, so that they won't repeat it for at least a month or so.

Apple gets one cent per ad view, of which they kick back 0.7 cent to the app that hosts the ad. They used to charge the advertiser $2 per click, but they recently stopped that due to advertisers running out of money after $100K worth of those in a short time.

Thanks!

----------

I can't think of any system or language where chronology is a factor in inheritance.

Really? I find that surprising, but fine.

And I would think that in fact many people would be annoyed if an update changed preferences that they have set.

Well that is puzzling. If a user changes a setting, intentionally, I'd find it odd for the person to then be annoyed that their updated setting wasn't changed. After all, why the hell did they just bother to change the setting in the first place? It isn't like turning on private browsing happens accidentally and the other setting is there to help prevent these inadvertent slips.

I "mouse left", and I'd be annoyed if a mouse driver update changed my preference setting to "mouse right".

This is not an analogous situation. The mouse setting in this case is changing on its own. Private browsing is manually turned on.

Same here - the user has told Google to save cookies. Should a browser update override the user preference?

Absolutely, if the browser setting happens after the google setting. And similarly, if the browser setting is on, blocking cookies, and the user intentionally, and manually, turns on Google's caching of cookies, one would expect that to override the browser. I'm shocked you are contesting this.

Let me repeat, however, that IMO Google was wrong in not asking the user whether the Google setting or the Apple setting should prevail. I'm just arguing that the tin-hat "OMG Google is evil" position really ignores the facts of the situation. Fifty shades of grey.

I'm all for avoiding irrational and over-emotional responses, but in this case in particular I do think the reprimand warranted. I simply can't see how Google can twist itself out of this one. But I'm still open to be convinced otherwise.

----------

Oh no i agree, i don't think it was a corporate wide conspiracy by Google, but like you mentioned the company takes the heat, and honestly rightfully so. It may not be fair, but it's always the company that's gonna be blamed and not some programmer in a cubicle in mountain view. That's how is supposed to be.

People screw up but if you screw up like that you needed to be punished. I'm glad Google will be. There's no excuse when it comes to privacy, especially when you're actively violating sometimes privacy

Normally I'd be inclined to agree, but this isn't the first instance where Google employs these types of tactics. There was the other issue with the Google StreetView where they employed rather objectionable means to mine their data. There is a precedent emerging and that suggests to me we should be cautious to think it is always rogue programmers who are to blame. Accountability must become a consideration, if not now, certainly by the next time.

 

[reedmartin]

Thanks!

----------



Really? I find that surprising, but fine.



Well that is puzzling. If a user changes a setting, intentionally, I'd find it odd for the person to then be annoyed that their updated setting wasn't changed. After all, why the hell did they just bother to change the setting in the first place? It isn't like turning on private browsing happens accidentally and the other setting is there to help prevent these inadvertent slips.



This is not an analogous situation. The mouse setting in this case is changing on its own. Private browsing is manually turned on.



Absolutely, if the browser setting happens after the google setting. And similarly, if the browser setting is on, blocking cookies, and the user intentionally, and manually, turns on Google's caching of cookies, one would expect that to override the browser. I'm shocked you are contesting this.



I'm all for avoiding irrational and over-emotional responses, but in this case in particular I do think the reprimand warranted. I simply can't see how Google can twist itself out of this one. But I'm still open to be convinced otherwise.

----------



Normally I'd be inclined to agree, but this isn't the first instance where Google employs these types of tactics. There was the other issue with the Google StreetView where they employed rather objectionable means to mine their data. There is a precedent emerging and that suggests to me we should be cautious to think it is always rogue programmers who are to blame. Accountability must become a consideration, if not now, certainly by the next time.

I absolutely believe Google is accountable for everything. Passing the buck to "oh it was that silly programmer" doesn't work. I just don't know or think it was a concerted effort by top Google brass to do this. However, the brass is ultimately responsible and I'm glad they'll be fined.