Risk
2/17/2012
05:15 PM
Thomas Claburn
Commentary

Google's Privacy Invasion: It's Your Fault

If we really wanted privacy, we would turn off JavaScript, block ads, and browse in privacy mode through an anonymous proxy. But we would rather have free services.

Google stepped in it, again. The company was caught bypassing the privacy settings of those using Apple's Safari Web browser, which unlike other major browsers blocks third-party cookies by default. Google, like just about every other online company, relies on cookie files to improve ad relevancy, to identify users, and to deliver online services.

The Wall Street Journal, which Friday broke the story as part of its ongoing investigation into online privacy, reports that Google, along with at least three other advertising companies--Vibrant Media, WPP PLC's Media Innovation Group, and Gannett's PointRoll--"exploited a loophole in the browser's privacy settings" to place a cookie file on OS X and iOS devices such as iPhones using Safari.

The incident has prompted Consumer Watchdog, a consumer advocacy group critical of Google's privacy practices, to call for intervention from the Federal Trade Commission. Another consumer advocacy group, the American Consumer Institute, said, "Google’s willful disregard for the privacy choices of consumers and the privacy policies of Apple is a new low even for Google."

Google insists the Wall Street Journal report "mischaracterizes what happened and why." The company says it "used known Safari functionality to provide features that signed-in Google users had enabled" and that it did not collect personal information.

Google hasn't helped its case by ceasing to use the HTML code that overrode Safari's default behavior. That looks like an admission of guilt. But let's step back for a moment and examine the situation.

The American Consumer Institute's contention that Google willfully disregarded "the privacy choices of consumers and the privacy policies of Apple" isn't accurate.

Google disregarded the privacy choices of Apple, which chooses to block third-party cookies by default in its browser. And Google has nothing to do with Apple's privacy policies, which describe how Apple handles customer data.

Google argues that it manipulated Safari to resolve contradictory browser settings. Safari blocks third-party cookies by default. At the same time, Apple has implemented exceptions to Safari's third-party cookie blocking to allow social features like the +1 button to function.

Rachel Whetstone, SVP of communications and public policy, said in a statement that Google deployed its workaround code "to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them."

The fact that other Google cookies got set, Google insists, was accidental. "The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Whetstone explained. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Were it not for the fact that Google's advertising cookie opt-out help page stated explicitly that Safari's default setting was the functional equivalent of opting out, Google's explanation might suffice.

But rewind now to the July 2011 release of OS X Lion. With Lion came Safari 5.1, which included for the first time third-party cookie blocking by default.

Could Apple's decision to block third-party cookies by default have been influenced by its competition with Google, a company that depends on advertising and cookies?

Comments
Steven Noyes,
User Rank: Apprentice
2/19/2012 | 7:00:55 PM
re: Google's Privacy Invasion: It's Your Fault
Sadly, Google's "Do no evil" went out of the door with their Google Books project. From that point on, it has been a steady downhill slide for them where the only thing they see is getting more and more information tied into their advertising networks regardless of who actually owns that information/data/IP.

So don't ever anticipate the "Don't be evil" to ever be made "official". It was lost long ago:-(
DSMITH7949,
User Rank: Apprentice
2/19/2012 | 1:43:59 PM
re: Google's Privacy Invasion: It's Your Fault
Privacy is more than collecting names. If I decide to drive somewhere today, it's not your business where I go; in fact, if you follow me, you are stalking me which is a crime.
DAGOSTA000,
User Rank: Apprentice
2/19/2012 | 12:11:40 PM
re: Google's Privacy Invasion: It's Your Fault
Yup, I guess it is National Judgmental Ass Day!
DAGOSTA000,
User Rank: Apprentice
2/19/2012 | 12:10:48 PM
re: Google's Privacy Invasion: It's Your Fault
Dear Emeritus,

We're sorry that we didn't know that digital information would be invented when we said "secure in their possessions" or we'd have been specific.

Yours Truly,

Old wig-wearing white guys
mrtt,
User Rank: Apprentice
2/18/2012 | 10:11:12 PM
re: Google's Privacy Invasion: It's Your Fault
A few years ago I had an idea for a website that would let users exchange messages and files by posting them (similar to what they do on MySpace or Facebook) but with the confidence that everything they uploaded or posted was encrypted while in-transit and at-rest. In addition, I wanted the user to have the option to control the passkeys used in the encryption process to ensure that their encrypted data could not be compromised by anyone, not even the database owner. It started simple and ended up with a rich set of the latest and greatest privacy options like two-factor authentication, auto logoff, email and SMS notifications. I thought I was on to something, especially with all the uproar around Facebook's privacy practices. I made it simple to use, ad free and cost free. I did it because I needed a challenge. What I learned was that people like to complain about Privacy, but don't want to do anything about it if it means learning something new or straying from what is considered mainstream. Have you heard much about Diaspora lately?

In case you are still reading and are wondering what happened to the website, it's still out there. A few new users sign up every week. I won't post the name here, but if you Google "private secure encrypted", it is the first non-ad search result.
boohoosoo,
User Rank: Apprentice
2/18/2012 | 7:41:51 PM
re: Google's Privacy Invasion: It's Your Fault
Call me an aluminum foil hat person, but I have been feeling queasy about Google power-playing for a very long time, and I am not a bandwagon person.

However I liked this article for the wonderful fact that it pointed out exactly what the definitive problem is. We have been baited with free service, and Google has provided a wonderful product. I have really come to rely on Google for just about everything...AND THEREIN LIES THE PROBLEM. Have any of you tried to un-encumber yourself of Google's influence? It's pretty near futile. Even the alternative search engines rely on Google for info. Alternate emails are good. Trying to get your old emails back that are archived on Google not so easy.

Many people have not thought through about the fragility of our cyber-dependent status. And this article points it out in brilliant relief! If we want to disengage from Google, it will cost us plenty, whether it's setting up our paid private privileged network, or whether it's giving up our unwittingly posted family photos, letters, and archived business records.

Linux is looking good. At least I would know their limits, and I have now learned not to tip my hand. There are zealous people who know not what kind of can of worms they are dealing with here. Big brother/business/government is infiltrating the whole system, and I am extremely uneasy about it. Get out the washboard and the buggy.
Emeritus,
User Rank: Apprentice
2/18/2012 | 6:52:55 PM
re: Google's Privacy Invasion: It's Your Fault
Actually privacy is not a term which appears in the Constitution, and is largely a 20th century invention (a good one to be sure, but a recent concept). Privacy against government action and privacy in the private sector have fundamentally different origins. Roe v Wade was the culmination of an evolution in the concept of behavioral privacy. Informational privacy in the private sector has been largely statutory.
Michael_,
User Rank: Apprentice
2/18/2012 | 6:48:29 PM
re: Google's Privacy Invasion: It's Your Fault
People are too lazy or stupid that they have tools like NoScript and Adblock yet they don't use them. It's easier for them to point the finger at somebody else. There are plenty of tools out there to keep information private, but people choose to not use them. Is it Google's fault that people are too lazy to actually learn the tools they use on a regular basis? It's the same with people who complain how their computer doesn't work right and it gives them "so much trouble", when there is nothing wrong with the computer, they are just too lazy to actually spend the time to learn the highly complicated machine they rely on day to day.
Michael_,
User Rank: Apprentice
2/18/2012 | 6:41:33 PM
re: Google's Privacy Invasion: It's Your Fault
People need to stop complaining and take off their aluminum foil hats thinking that Google is out to get them. Am I the only one that's getting sick and tired of people whining like babies about privacy policies from companies like Google and Facebook? Whatever happened to "if you don't like its policies, don't use it!"?

I use ad blockers, I clear out my cookies all the time, I clear my cache regularly, I don't use services that I don't like. My only complaints? The people who are constantly making a mountain out of a mole hill. I don't put personal information on the internet that I don't want people to have. Pretty damn simple if you ask me.

What I find even funnier, is that the people I see in my personal life that complain about these privacy policies are people who have NO clue what they are talking about, they just complain about them because they hear brief snippets about "privacy concerns" and they just jump on the bandwagon. They don't even know what cookies are, let alone JavaScript. Yet... they keep on using Facebook like it's their job. So let me get this straight, you do not like this web page, yet you use it constantly, as well as use it to complain about the FREE service that you are using religiously?
ageofknowledge,
User Rank: Apprentice
2/18/2012 | 6:39:10 PM
re: Google's Privacy Invasion: It's Your Fault
The way China is going, they might end up with your personal information if you're not careful.

http://www.businessweek.com/ne...

http://www.independent.co.uk/n...

http://abcnews.go.com/Internat...