2/17/2012
05:15 PM
Thomas Claburn
Commentary

Google's Privacy Invasion: It's Your Fault

If we really wanted privacy, we would turn off JavaScript, block ads, and browse in privacy mode through an anonymous proxy. But we would rather have free services.

Google stepped in it, again. The company was caught bypassing the privacy settings of those using Apple's Safari Web browser, which unlike other major browsers blocks third-party cookies by default. Google, like just about every other online company, relies on cookie files to improve ad relevancy, to identify users, and to deliver online services.

The Wall Street Journal, which Friday broke the story as part of its ongoing investigation into online privacy, reports that Google, along with at least three other advertising companies--Vibrant Media, WPP PLC's Media Innovation Group, and Gannett's PointRoll--"exploited a loophole in the browser's privacy settings" to place a cookie file on OS X and iOS devices such as iPhones using Safari.

The incident has prompted Consumer Watchdog, a consumer advocacy group critical of Google's privacy practices, to call for intervention from the Federal Trade Commission. Another consumer advocacy group, the American Consumer Institute, said, "Google’s willful disregard for the privacy choices of consumers and the privacy policies of Apple is a new low even for Google."

Google insists the Wall Street Journal report "mischaracterizes what happened and why." The company says it "used known Safari functionality to provide features that signed-in Google users had enabled" and that it did not collect personal information.


Google hasn't helped its case by ceasing to use the HTML code that overrode Safari's default behavior. That looks like an admission of guilt. But let's step back for a moment and examine the situation.

The American Consumer Institute's contention that Google willfully disregarded "the privacy choices of consumers and the privacy policies of Apple" isn't accurate.

Google disregarded the privacy choices of Apple, which chooses to block third-party cookies by default in its browser. And Google has nothing to do with Apple's privacy policies, which describe how Apple handles customer data.

Google argues that it manipulated Safari to resolve contradictory browser settings. Safari blocks third-party cookies by default. At the same time, Apple has implemented exceptions to Safari's third-party cookie blocking to allow social features like the +1 button to function.

Rachel Whetstone, SVP of communications and public policy, said in a statement that Google deployed its workaround code "to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them."

The fact that other Google cookies got set, Google insists, was accidental. "The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser," Whetstone explained. "We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Were it not for the fact that Google's advertising cookie opt-out help page stated explicitly that Safari's default setting was the functional equivalent of opting out, Google's explanation might suffice.

But rewind now to the July 2011 release of OS X Lion. With Lion came Safari 5.1, which included for the first time third-party cookie blocking by default.

Could Apple's decision to block third-party cookies by default have been influenced by its competition with Google, a company that depends on advertising and cookies?

Comments
Mooboch
User Rank: Apprentice
2/18/2012 | 6:04:55 PM
re: Google's Privacy Invasion: It's Your Fault
Listen up all you righteous privacy loving Americans: this is absolutely NOTHING compared to the invasion of your privacy by the American government! Privacy, among many of your other rights, protected by the constitution, have been violated by our very own president and other elected officials, and nobody seems to give a rat's rectum about it. To cry over Google using a built in feature of a web browser with unintended consequences is kind of idiotic. If you really care so much about your privacy then fight the fights worth fighting. WAKE UP AMERICANS!!!!!! Take your privacy, and FREEDOM back!
BCOOK6432
User Rank: Apprentice
2/18/2012 | 5:57:47 PM
re: Google's Privacy Invasion: It's Your Fault
It's kind of funny how hypocritical this article is, since the only way to comment on it is if I register with the website, and there are currently 20 scripts running, or trying to run, in the background of the page keeping an eye on everyone who looks at it, 2 of which are Google related. I personally use NoScript to block about half of them.
DAGOSTA000
User Rank: Apprentice
2/18/2012 | 5:33:32 PM
re: Google's Privacy Invasion: It's Your Fault
I agree with 'what screaming nonsense.'

Put the blame on users of the internet? Of course. Every internet user knows what RFC and P3P mean in their daily lives.

You reference an article: "This is what the EFF recommends." In the footnotes of that article is this: "As this blog goes to press, we are unsure whether ad blockers for Safari can prevent the browser from sending requests, which is essential for this kind of privacy protection to be effective."

Is that the fault of "internet users?"
nomanzone
User Rank: Apprentice
2/18/2012 | 5:25:28 PM
re: Google's Privacy Invasion: It's Your Fault
As long as the information that Google collects is non-personal, non-persistent, and only used for real-time advertisements (such as the ads you see alongside your Gmail), Google is not only harmless, it is invaluable for modern society. But it is in a position where it could do a lot more. The question is, do you trust Google? Under the current management, I'd say yes. But it is always possible that someone like Rupert Murdoch may become the CEO of Google. When that happens, he does not need to hack into your phone or email any more. Everything is laid in the open for him.
Emeritus
User Rank: Apprentice
2/18/2012 | 5:08:43 PM
re: Google's Privacy Invasion: It's Your Fault
What screaming nonsense. I've taught technological regulation for 35 years. The whole point of regulation is to allow workers or consumers to have the benefits of technology without being "raped" by those with power. And many concepts, like privacy or safety or patentable innovation cannot be defined in isolation. They are implemented on a case by case basis.
Geo Love
User Rank: Apprentice
2/18/2012 | 4:31:27 PM
re: Google's Privacy Invasion: It's Your Fault
Nice Thomas. A lesson to learn from... for Google and for us. Having been a huge supporter of Google from the start I'm saddened to see such blatant behavior as we have been subject to. But let's be real. Should I be/am I surprised? (Politely) NO!

Being THE premier, major search engine and data collector AND free service provider, AND, AND, AND... that pervades every aspect of our lives today, it is pretty amazing that Google has been able to go this far without hitting the speed bumps any harder than it has or has been caught doing.

That said, I'd love to see Google's unofficial "Don't be evil" motto http://en.wikipedia.org/wiki/D... upgraded to "official" and reestablished as its core value to its end users. But "money is the root of all evil" and ultimately ends up trumping any well-intentioned money-making enterprise that may wish to aspire to such great, lofty ideals.

Can it ever be achieved? Truthfully, probably not. The balancing act of pleasing both sides of the equation is just not a realistic business objective.

Stockholders' bank accounts simply don't accept it as a form of currency; an immense pressure that can't be overridden. "Business is business" and "the bottom line" focus is what they expect and demand. That's Corporate Reality.

So... it IS up to US to protect ourselves by CLOSELY, ACTIVELY, RESPONSIBLY monitoring every move AND LEARNING/UTILIZING those available and free 3rd party tools/addons as part of our everyday personal security and privacy interactions while webbing.

My end user friends... Be Aware. Be Very Aware. Foremost and Always!

And Google... We do still love you, but YES, we are watching you.
Nickolas
User Rank: Apprentice
2/18/2012 | 4:00:00 PM
re: Google's Privacy Invasion: It's Your Fault
Great job on the well-thought-out article that actually decided to give both sides of the story. I've been following this story since yesterday and until now I couldn't find an article that told the whole story. The tech sphere is in a really sad state these days. Playing on privacy fears is one of the few tools they have left, though ironic since their own websites have intrusive ads that install tracking cookies on consumers' computers.
gorkable
User Rank: Apprentice
2/18/2012 | 3:48:07 PM
re: Google's Privacy Invasion: It's Your Fault
Yes, actually a fairly balanced article. Oh, you mean Apple has privacy/security "holes" too, surprise surprise... but Apple somehow will not get much negative press for not catching this. It does sound like Google did respond to the users' request to keep them signed in; the question is simply if the extra cookies were accidental.
Stingray1964
User Rank: Apprentice
2/18/2012 | 3:21:37 PM
re: Google's Privacy Invasion: It's Your Fault
You are so correct!
We are to blame, but people never see it that way.
But you know what, with all the faults of any of these search engines, I do like Google the most. Chrome works fine for me, and I love my Google Phone and my Gmail as well. Had Yahoo and Hotmail and a few others. So I get an ad banner, but not as much junk mail. Just maybe if people learned how to use their settings, then things would work better for them.
But as far as Apple goes, I'd rather have the faults of a Windows-based computer than an Apple. I like to change things and move around and not have to buy a whole computer 'cause Apple made one little change, or have to spend 700 for a cellphone 'cause I thought 8 gigs was fine but now I have to buy a whole new phone 'cause I need more memory.
PMEIBOSCH000
User Rank: Apprentice
2/18/2012 | 3:15:06 PM
re: Google's Privacy Invasion: It's Your Fault
IF YOU THINK PAYING FOR A SERVER OR ANYTHING ELSE GIVES YOU PRIVACY
ON THE INTERNET: YOU ARE A FOOL ...