Google this week agreed to pay a $17 million settlement to 37 states after the search giant circumvented cookie-blocking controls built into Apple's Safari browser.
If this sounds familiar, it's because it's Google's second go-round, after agreeing in August 2012 to pay a record-breaking $22.5 million fine to settle a similar complaint filed by the Federal Trade Commission.
"Usually, I don't like seeing states expend time and effort to replicate cases that the FTC has already prosecuted -- and vice versa," said Justin Brookman, who directs the Center for Democracy and Technology's Project on Consumer Privacy, in a blog post. "Regulators have limited resources and need to manage their caseload to maximize the impact that their cases will have on the ecosystem."
"This instance, however, is different," said Brookman, who previously led the Internet Bureau at the New York attorney general's office. "The state AGs' settlement agreement is considerably more expansive than the FTC's, and potentially establishes a new precedent for companies: evading privacy controls -- even default privacy controls -- is per se [inherently] deceptive."
The states' settlement agreement with Google requires the company to nuke the cookies that it placed via Safari and prohibits it from placing cookies on the PCs of consumers who signal they want third-party cookies blocked. Or in the words of the settlement:
That refers to a trick employed by Google -- among other companies -- which uses a POST command to evade third-party cookie blocks Apple put in Safari. This was despite the following promise from Apple:
Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from the current domain.
Privacy researcher Jonathan Mayer, a Stanford University graduate student, first spotted that Google was circumventing the cookie blocking and allowing its DoubleClick advertising subsidiary to place tracking cookies onto Safari users' systems. Mayer found that three other advertising companies -- Vibrant Media, Media Innovation Group, and PointRoll -- also appeared to be purposefully defeating Safari's third-party cookie blocks.
The states' settlement language may signal a shift in the privacy debate over, for example, the mass tracking of consumers by advertising firms and data brokers. "If it's illegal for companies to try to get around privacy controls, that's a big deal for consumers," said Brookman.
The settlement's language might also suggest a legal roadmap for pro-privacy browser manufacturers as they implement the "Do Not Track" browser setting that signals a user doesn't want to be tracked by advertising networks. "If browsers were to try to enforce the standard by limiting access to companies that don't honor the settings in certain ways, efforts to get around that enforcement could be deemed deceptive," said Brookman.
Despite Google's settlement with the FTC and 37 states' attorneys general, the fallout from the Safari-cookie bypass may not be at an end. Google still faces a related lawsuit filed by Safari users in the United Kingdom.
In addition, US consumers filed a class-action lawsuit against the companies named in Mayer's report. Last month, a judge dismissed the suit against all the companies except PointRoll, which had already agreed to settle by deleting the Safari cookies it had collected. The consumers who filed the suit have appealed the judge's decision.