11/22/2013 11:20 AM

Google Settles With State AGs On Privacy

Google agrees to pay $17 million to 37 states to settle claims it circumvented cookie-blocking controls in Apple's Safari browser.


Google this week agreed to pay a $17 million settlement to 37 states after the search giant circumvented cookie-blocking controls built into Apple's Safari browser.

If this sounds familiar, it's because it's Google's second go-round, after agreeing in August 2012 to pay a record-breaking $22.5 million fine to settle a similar complaint filed by the Federal Trade Commission.

"Usually, I don't like seeing states expend time and effort to replicate cases that the FTC has already prosecuted -- and vice versa," said Justin Brookman, who directs the Center for Democracy and Technology's Project on Consumer Privacy, in a blog post. "Regulators have limited resources and need to manage their caseload to maximize the impact that their cases will have on the ecosystem."

"This instance, however, is different," said Brookman, who previously led the Internet Bureau at the New York attorney general's office. "The state AGs' settlement agreement is considerably more expansive than the FTC's, and potentially establishes a new precedent for companies: evading privacy controls -- even default privacy controls -- is per se [inherently] deceptive."


The states' settlement agreement with Google requires the company to nuke the cookies that it placed via Safari and prohibits it from placing cookies on PCs of consumers that signal they want third-party cookies blocked. Or in the words of the settlement:

Google shall not employ HTTP form POST functionality that uses JavaScript to submit a form without affirmative user action for the purpose of overriding a browser's cookie-blocking settings so that it may place an HTTP cookie on such browser, without that user's prior consent.

That refers to a trick employed by Google -- among other companies -- which uses a JavaScript-submitted form POST to evade the third-party cookie blocks Apple built into Safari. This was despite the following promise from Apple:

Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from the current domain.

Privacy researcher Jonathan Mayer, a Stanford University graduate student, first spotted that Google was circumventing the cookie blocking and allowing its DoubleClick advertising subsidiary to place tracking cookies onto Safari users' systems. Mayer found that three other advertising companies -- Vibrant Media, Media Innovation Group, and PointRoll -- also appeared to be purposefully defeating Safari's third-party cookie blocks.

The FTC and 37 states have taken action only against Google, likely because Google's privacy policy stated that the company would comply with Safari users' tracking choices. Accordingly, the FTC was able to charge Google with deceptive business practices.

Image credit: Flickr user ssoosay.

The states' settlement language may signal a shift in the privacy debate over, for example, the mass tracking of consumers by advertising firms and data brokers. "If it's illegal for companies to try to get around privacy controls, that's a big deal for consumers," said Brookman.

The settlement's language might also suggest a legal roadmap for pro-privacy browser manufacturers as they implement the "Do Not Track" browser setting that signals a user doesn't want to be tracked by advertising networks. "If browsers were to try to enforce the standard by limiting access to companies that don't honor the settings in certain ways, efforts to get around that enforcement could be deemed deceptive," said Brookman.

How might browsers do that? "Well, Safari -- and soon Mozilla -- turning off third-party cookies is an example," said Brookman via email. While advertisers could use the POST trick, Java, or Flash to sneak around those blocks or reactivate old HTML cookies, "browsers could also limit use of JavaScript or requests for certain data elements in order to better fingerprint users," he said. "Or they could block third-party calls entirely -- like several add-ons do today."

Browser manufacturers could add more proactive countermeasures, for example, by blocking the use of JavaScript and Flash for any websites and advertising tracking networks that don't explicitly say -- in their privacy policies -- that they will honor consumers' Do Not Track preferences. "If a company were to misrepresent that it honors the flag, that's a pretty easy FTC case," Brookman said.

Despite Google's settlement with the FTC and 37 states' attorneys general, the fallout from the Safari-cookie bypass may not be at an end. Google still faces a related lawsuit filed by Safari users in the United Kingdom.

In addition, US consumers filed a class-action lawsuit against the companies named in Mayer's report. Last month, a judge dismissed the suit against all the companies except PointRoll, which had already agreed to settle by deleting the Safari cookies it had collected. The consumers who filed the suit have appealed the judge's decision.


Comments
melgross,
User Rank: Apprentice
11/22/2013 | 12:21:06 PM
Some fine!
This is a slap on the wrist. Big companies assume that they might be caught at some point. They weigh the advantage of what they're doing against any fines and court costs they may incur, and then go and do it. Google is notorious. User data is the lifeblood of their company. They are really just a glorified advertising company, after all. The fine for this should have been ten times as much, possibly more. Fines should be high enough to grab back any possible benefits the violation may have received, plus a tripling of the number. This will deter companies from doing this. What we have here is Google laughing all the way to the bank.
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 12:33:17 PM
Narrow scope
While this could be a step in a long path to ending cookies, this seems quite limited in scope. First, it's a settlement involving Google's efforts on Apple browsers -- both big players, but this won't affect the majority of users who use other browsers and/or search engines. Second, the language says: "Google shall not employ HTTP form POST functionality that uses JavaScript." That blocks a leading way to deploy cookies, but not any others. Third, not all browser makers will want to bar cookies given that some cookies are useful to consumers and the browser may not gain wide acceptance in the broader, cookie-addicted industry.

Don't get me wrong. I'm pro-privacy, but I think the FTC and other governmental organizations need to address the issue on a broader level than through expensive, time-consuming, one-off settlements. And they need to do it without causing serious economic harm to a surprisingly still-fragile and still-evolving Internet economy. This can help shape this economy as it matures and create a stable, secure business environment that respects privacy.

Is that asking too much from an industry that is less than 20 years old? Isn't it better to tackle this now before these issues start gaining the patina of accepted practices?
Thomas Claburn,
User Rank: Moderator
11/22/2013 | 3:44:47 PM
Re: Narrow scope
"While this could be a step in a long path to ending cookies..."

Cookies are already slated for obsolescence. See:

http://online.wsj.com/news/articles/SB10001424052702304682504579157780178992984

Tom Murphy,
User Rank: Apprentice
11/22/2013 | 3:48:19 PM
Re: Narrow scope
Tom: You're right of course, but the concept of tracking is not. That's the point. One technology merely replaces another, and barring one in one context won't resolve the underlying issue.
Thomas Claburn,
User Rank: Moderator
11/22/2013 | 4:01:57 PM
Re: Narrow scope
The only way I see tracking diminishing is if those being tracked have equal power to obscure their footprints, as compared to those who are tracking them. And that's just not the way the law works: It's illegal to jam someone else's cell phone, for example, to carry a set of lights to blind surveillance cameras, or to emit high-frequency radiation from a device to cripple nearby electronics. Tracking is set up as a right and tracking avoidance is considered suspicious. But it's time to revisit those assumptions.
Tom Murphy,
User Rank: Apprentice
11/22/2013 | 4:07:38 PM
Re: Narrow scope
Now you're talking, Tom. The internet is a network controlled by the end user. If we can block people from tracking us at that level, it's comparable to pulling down the shade in our homes -- and everyone should have that right.

I wonder if that's a feature that computer makers can build right into the machine because, clearly, trying to build it into the browser didn't work in this case.
Or do we all need to start bouncing our signals around the world like spammers to avoid being connected with our words.

Joe Stanganelli,
User Rank: Strategist
11/23/2013 | 10:56:59 PM
Re: Narrow scope
Yeah, for true privacy, hidden services like Tor are still the way to go.

As Bruce Schneier put it in a September blog post on security in the wake of NSA revelations: "Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are."

Anything that makes it harder for a government agency to track you presumably makes it harder for marketers to track you.