The Stanford privacy researcher who first uncovered Google evading the default privacy settings for all users of Apple’s Safari web browser believes that the Federal Trade Commission has a “slam dunk” case that Google violated its privacy agreement with the government.
“The facts in this case are unusually clear cut,” said Jonathan Mayer, a grad student in computer science and law and a researcher at the Stanford Law Center for Internet and Society, in a phone interview with TPM.
Mayer’s research in February uncovered incriminating evidence that Google and several other advertising companies were stealthily planting advertising cookies that tracked users of Apple’s Safari Web browser, despite default settings in the browser that were supposed to stop such activity.
Safari is the default browser found on all of Apple’s devices, from Mac computers to the iPhone to the iPad. It is the most popular browser on mobile devices, with 62 percent share, according to Web surveying firm Net Applications.
The advertising cookies were being installed on users’ devices when they encountered Google-hosted ads, whether or not they clicked on them, despite the fact that Google’s own policy statement originally said that Safari’s default settings prevented the company from doing so.
Mayer’s research led to an extensive report published in February by the Wall Street Journal, to which Google responded by going on the defensive, immediately disabling the cookies and quietly changing the language of its policy statement to omit the claim that Safari’s default settings could block Google’s cookies.
Google further told The Journal that its report “mischaracteri[zed] what happened and why,” arguing that the cookies had only been installed to allow Safari users to see the “+1 buttons” of Google’s new social network, Google Plus, that now pepper the Web on articles and other content.
The settlement, first struck in October 2011, was the result of the FTC’s year-long privacy investigation into Google over its failed Google Buzz social network. The FTC concluded that Google had indeed misled users and violated their privacy, subjected Google to 20 years’ worth of privacy audits and ordered that Google no longer “misrepresent” its privacy settings to users. If Google violates any of the terms of the settlement, the FTC can slap the company with a $16,000 civil fine for every day that the company violated any of the terms.
On Thursday night, The Journal reported that the FTC “is examining whether Google’s actions violated last year’s legal settlement,” and that another regulatory body in France (the CNIL) and several state attorneys general were also investigating Google over the practice and could levy fines of their own.
Asked about the Journal’s report of the investigations and Mayer’s comments, Google responded to TPM with the following statement:
We used known Safari functionality to provide features that signed-in Google users had enabled. We created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for personalized ads and other content.
However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We will of course cooperate with any officials who have questions. But it’s important to remember that we didn’t anticipate this would happen, and we have been removing these advertising cookies from Safari browsers.
From Stanford, Mayer told TPM that there “was no doubt that Google’s representation of Safari security settings were untrue from a technical matter,” and that based on his understanding of Web privacy laws in the U.S., the FTC would likely come to the conclusion that Google had indeed violated its settlement.
“It’s fairly clear Google made a misrepresentation and under the consent order established from the Google Buzz debacle, it was required that they not make misrepresentations going forward,” Mayer said. “It’s fair to say they weren’t in compliance.”
“I have to say I was surprised that it was Google doing this,” Mayer added. “For a long time I and others viewed Google as one of the few exceptions to the rule in Silicon Valley that companies engage in wide-ranging irresponsible handling of personal data. Google was generally ‘responsible,’ and owned up to its mistakes. But this episode has unwound that entire perception for me.”
Mayer said that his most recent tests had found that Google had stopped the practice. The FTC declined to comment on this story.