Google agrees to pay $17 million to 37 states to settle claims it circumvented cookie-blocking controls in Apple's Safari browser.

Mathew J. Schwartz, Contributor

November 22, 2013

5 Min Read
Image credit: Flickr user <a href="http://www.flickr.com/photos/ssoosay/5762345557/" target="_blank">ssoosay</a>.

Google Barge: 10 Informative Images

Google Barge: 10 Informative Images


Google Barge: 10 Informative Images (click image for larger view)

Google this week agreed to pay a $17 million settlement to 37 states after the search giant circumvented cookie-blocking controls built into Apple's Safari browser.

If this sounds familiar, it's because it's Google's second go-round, after agreeing in August 2012 to pay a record-breaking $22.5 million fine to settle a similar complaint filed by the Federal Trade Commission.

"Usually, I don't like seeing states expend time and effort to replicate cases that the FTC has already prosecuted -- and vice versa," said Justin Brookman, who directs the Center for Democracy and Technology's Project on Consumer Privacy, in a blog post. "Regulators have limited resources and need to manage their caseload to maximize the impact that their cases will have on the ecosystem."

"This instance, however, is different," said Brookman, who previously led the Internet Bureau at the New York attorney general's office. "The state AGs' settlement agreement is considerably more expansive than the FTC's, and potentially establishes a new precedent for companies: evading privacy controls -- even default privacy controls -- is per se [inherently] deceptive."

[Learn more about Internet privacy. See 10 Most Misunderstood Facebook Privacy Facts.]

The states' settlement agreement with Google requires the company to nuke the cookies that it placed via Safari and prohibits it from placing cookies on PCs of consumers that signal they want third-party cookies blocked. Or in the words of the settlement:

"Google shall not employ HTTP form POST functionality that uses JavaScript to submit a form without affirmative user action for the purpose of overriding a browser's cookie-blocking settings so that it may place an HTTP cookie on such browser, without that user's prior consent."

That refers to a trick employed by Google -- among other companies -- which uses a POST command to evade third-party cookie blocks Apple put in Safari. This was despite the following promise from Apple:

"Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from the current domain."

Privacy researcher Jonathan Mayer, a Stanford University graduate student, first spotted that Google was circumventing the cookie blocking and allowing its DoubleClick advertising subsidiary to place tracking cookies onto Safari users' systems. Mayer found that three other advertising companies -- Vibrant Media, Media Innovation Group, and PointRoll -- also appeared to be purposefully defeating Safari's third-party cookie blocks.

The FTC and 37 states have taken action only against Google, likely because Google's privacy policy stated that the company would comply with Safari users' tracking choices. Accordingly, the FTC was able to charge Google with deceptive business practices.

The states' settlement language may signal a shift in the privacy debate -- for example: the mass tracking of consumers by advertising firms and data brokers. "If it's illegal for companies to try to get around privacy controls, that's a big deal for consumers," said Brookman.

The settlement's language might also suggest a legal roadmap for pro-privacy browser manufacturers as they implement the "Do Not Track" browser setting that signals a user doesn't want to be tracked by advertising networks. "If browsers were to try to enforce the standard by limiting access to companies that don't honor the settings in certain ways, efforts to get around that enforcement could be deemed deceptive," said Brookman.

How might browsers do that? "Well, Safari -- and soon Mozilla -- turning off third-party cookies is an example," said Brookman via email. While advertisers could use the POST trick, Java, or Flash to sneak around those blocks or reactivate old HTML cookies, "browsers could also limit use of JavaScript or requests for certain data elements in order to better fingerprint users," he said. "Or they could block third-party calls entirely -- like several add-ons do today."

Browser manufacturers could add more proactive countermeasures, for example, by blocking the use of JavaScript and Flash for any websites and advertising tracking networks that don't explicitly say -- in their privacy policies -- that they will honor consumers' Do Not Track preferences. "If a company were to misrepresent that it honors the flag, that's a pretty easy FTC case," Brookman said.

Despite Google's settlement with the FTC and 37 states' attorneys general, the fallout from the Safari-cookie bypass may not be at an end. Google still faces a related lawsuit filed by Safari users in the United Kingdom.

In addition, US consumers filed a class-action lawsuit against the companies named in Mayer's report. Last month, a judge dismissed the suit against all the companies except PointRoll, which had already agreed to settle by deleting the Safari cookies it had collected. The consumers who filed the suit have appealed the judge's decision.

There's no such thing as perfection when it comes to software applications, but organizations should make every effort to ensure that their developers do everything in their power to get as close as possible. This Dark Reading report, "Integrating Vulnerability Management Into The Application Development Process," examines the challenges of finding and remediating bugs in applications that are growing in complexity and number, and recommends tools and best-practices for weaving vulnerability management into the development process from the very beginning. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights