Risk
2/17/2012
05:15 PM
Thomas Claburn
Commentary

Google's Privacy Invasion: It's Your Fault

If we really wanted privacy, we would turn off JavaScript, block ads, and browse in privacy mode through an anonymous proxy. But we would rather have free services.

Google stepped in it, again. The company was caught bypassing the privacy settings of those using Apple's Safari Web browser, which unlike other major browsers blocks third-party cookies by default. Google, like just about every other online company, relies on cookie files to improve ad relevancy, to identify users, and to deliver online services.

The Wall Street Journal, which Friday broke the story as part of its ongoing investigation into online privacy, reports that Google, along with at least three other advertising companies--Vibrant Media, WPP PLC's Media Innovation Group, and Gannett's PointRoll--"exploited a loophole in the browser's privacy settings" to place a cookie file on OS X and iOS devices such as iPhones using Safari.

The incident has prompted Consumer Watchdog, a consumer advocacy group critical of Google's privacy practices, to call for intervention from the Federal Trade Commission. Another consumer advocacy group, the American Consumer Institute, said, "Google’s willful disregard for the privacy choices of consumers and the privacy policies of Apple is a new low even for Google."

Google insists the Wall Street Journal report "mischaracterizes what happened and why." The company says it "used known Safari functionality to provide features that signed-in Google users had enabled" and that it did not collect personal information.


Google hasn't helped its case by ceasing to use the HTML code that overrode Safari's default behavior. That looks like an admission of guilt. But let's step back for a moment and examine the situation.

The American Consumer Institute's contention that Google willfully disregarded "the privacy choices of consumers and the privacy policies of Apple" isn't accurate.

Google disregarded the privacy choices of Apple, which chooses to block third-party cookies by default in its browser. And Google has nothing to do with Apple's privacy policies, which describe how Apple handles customer data.

Google argues that it manipulated Safari to resolve contradictory browser settings. Safari blocks third-party cookies by default. At the same time, Apple has implemented exceptions to Safari's third-party cookie blocking to allow social features like the +1 button to function.

Rachel Whetstone, SVP of communications and public policy, said in a statement that Google deployed its workaround code "to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them."

The fact that other Google cookies got set, Google insists, was accidental. "The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Whetstone explained. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Were it not for the fact that Google's advertising cookie opt-out help page stated explicitly that Safari's default setting was the functional equivalent of opting out, Google's explanation might suffice.

But rewind now to the July 2011 release of OS X Lion. With Lion came Safari 5.1, which included for the first time third-party cookie blocking by default.

Could Apple's decision to block third-party cookies by default have been influenced by its competition with Google, a company that depends on advertising and cookies?

Comments
DSMITH7949,
User Rank: Apprentice
2/19/2012 | 1:43:59 PM
re: Google's Privacy Invasion: It's Your Fault
Privacy is more than collecting names. If I decide to drive somewhere today, it's not your business where I go; in fact, if you follow me, you are stalking me which is a crime.
DAGOSTA000,
User Rank: Apprentice
2/19/2012 | 12:11:40 PM
re: Google's Privacy Invasion: It's Your Fault
Yup, I guess it is National Judgmental Ass Day!
DAGOSTA000,
User Rank: Apprentice
2/19/2012 | 12:10:48 PM
re: Google's Privacy Invasion: It's Your Fault
Dear Emeritus,

We're sorry that we didn't know that digital information would be invented when we said "secure in their possessions" or we'd have been specific.

Yours Truly,

Old wig-wearing white guys
mrtt,
User Rank: Apprentice
2/18/2012 | 10:11:12 PM
re: Google's Privacy Invasion: It's Your Fault
A few years ago I had an idea for a website that would let users exchange messages and files by posting them (similar to what they do on MySpace or Facebook) but with the confidence that everything they uploaded or posted was encrypted while in-transit and at-rest. In addition, I wanted the user to have the option to control the passkeys used in the encryption process to ensure that their encrypted data could not be compromised by anyone, not even the database owner. It started simple and ended up with a rich set of the latest and greatest privacy options like two-factor authentication, auto logoff, email and SMS notifications. I thought I was on to something, especially with all the uproar around Facebook's privacy practices. I made it simple to use, ad free and cost free. I did it because I needed a challenge. What I learned was that people like to complain about Privacy, but don't want to do anything about it if it means learning something new or straying from what is considered mainstream. Have you heard much about Diaspora lately?

In case you are still reading and are wondering what happened to the website, it's still out there. A few new users sign up every week. I won't post the name here, but if you Google "private secure encrypted", it is the first non-ad search result.
boohoosoo,
User Rank: Apprentice
2/18/2012 | 7:41:51 PM
re: Google's Privacy Invasion: It's Your Fault
Call me an aluminum foil hat person, but I have been feeling queasy about Google power-playing for a very long time, and I am not a bandwagon person.

However I liked this article for the wonderful fact that it pointed out exactly what the definitive problem is. We have been baited with free service, and Google has provided a wonderful product. I have really come to rely on Google for just about everything...AND THEREIN LIES THE PROBLEM. Have any of you tried to un-encumber yourself of Google's influence? It's pretty near futile. Even the alternative search engines rely on Google for info. Alternate emails are good. Trying to get your old emails back that are archived on Google not so easy.

Many people have not thought through about the fragility of our cyber-dependent status. And this article points it out in brilliant relief! If we want to disengage from Google, it will cost us plenty, whether it's setting up our paid private privileged network, or whether it's giving up our unwittingly posted family photos, letters, and archived business records.

Linux is looking good. At least I would know their limits, and I have now learned not to tip my hand. There are zealous people who know not what kind of can of worms they are dealing with here. Big brother/business/government is infiltrating the whole system, and I am extremely uneasy about it. Get out the washboard and the buggy.
Emeritus,
User Rank: Apprentice
2/18/2012 | 6:52:55 PM
re: Google's Privacy Invasion: It's Your Fault
Actually privacy is not a term which appears in the Constitution, and is largely a 20th century invention (a good one to be sure, but a recent concept). Privacy against government action and privacy in the private sector have fundamentally different origins. Roe v Wade was the culmination of an evolution in the concept of behavioral privacy. Informational privacy in the private sector has been largely statutory.
Michael_,
User Rank: Apprentice
2/18/2012 | 6:48:29 PM
re: Google's Privacy Invasion: It's Your Fault
People are too lazy or stupid that they have tools like NoScript and Adblock yet they don't use them. It's easier for them to point the fingers at somebody else. There are plenty of tools out there to keep information private, but people choose to not use them. Is it Google's fault that people are too lazy to actually learn the tools they use on a regular basis? It's the same with people who complain how their computer doesn't work right and it gives them "so much trouble", when there is nothing wrong with the computer, they are just too lazy to actually spend the time to learn the highly complicated machine they rely on day to day.
Michael_,
User Rank: Apprentice
2/18/2012 | 6:41:33 PM
re: Google's Privacy Invasion: It's Your Fault
People need to stop complaining and take off their aluminum foil hats thinking that Google is out to get them. Am I the only one that's getting sick and tired of people whining like babies about privacy policies from companies like Google and Facebook? Whatever happened to "if you don't like its policies, don't use it!"?

I use ad blockers, I clear out my cookies all the time, I clear my cache regularly, I don't use services that I don't like. My only complaints? The people who are constantly making a mountain out of a mole hill. I don't put personal information on the internet that I don't want people to have. Pretty damn simple if you ask me.

What I find even funnier, is that the people I see in my personal life that complain about these privacy policies are people who have NO clue what they are talking about, they just complain about them because they hear brief snippets about "privacy concerns" and they just jump on the bandwagon. They don't even know what cookies are, let alone JavaScript. Yet... they keep on using Facebook like it's their job. So let me get this straight, you do not like this web page, yet you use it constantly, as well as use it to complain about the FREE service that you are using religiously?
ageofknowledge,
User Rank: Apprentice
2/18/2012 | 6:39:10 PM
re: Google's Privacy Invasion: It's Your Fault
The way China is going, they might end up with your personal information if you're not careful.

http://www.businessweek.com/ne...

http://www.independent.co.uk/n...

http://abcnews.go.com/Internat...
Mooboch,
User Rank: Apprentice
2/18/2012 | 6:04:55 PM
re: Google's Privacy Invasion: It's Your Fault
Listen up all you righteous privacy loving Americans: this is absolutely NOTHING compared to the invasion of your privacy by the American government! Privacy, among many of your other rights, protected by the constitution, have been violated by our very own president and other elected officials, and nobody seems to give a rat's rectum about it. To cry over Google using a built in feature of a web browser with unintended consequences is kind of idiotic. If you really care so much about your privacy then fight the fights worth fighting. WAKE UP AMERICANS!!!!!! Take your privacy, and FREEDOM back!