Privacy advocates and now some members of Congress say Google should answer for its practice of bypassing the default privacy settings of potentially millions of users of Apple's Safari browser.
Three members of the U.S. House of Representatives are asking the Federal Trade Commission to investigate Google's Safari workaround. The Electronic Privacy Information Center is going further, asking [PDF] the FTC to find that Google violated its recent settlement with the federal agency regarding its Buzz privacy practices. Google, meanwhile, says it was merely using "known functionality" in Safari and any resulting privacy violations were just a mishap the company "didn't anticipate."
The Wall Street Journal recently reported that Google was bypassing the default privacy settings in Apple's Safari for both desktop and mobile devices. Google's privacy violations potentially include users of iPhone, iPod Touch, iPad, and Mac OS X devices, as well as Safari for Windows users. Safari's defaults prohibit third parties such as advertising and web analytics firms from setting tracking cookies without user authorization. This presented a problem for Google, since the company wanted to identify when users were signed in to their Google accounts in order to deliver pernalized advertising and the ability to +1 (similar to a Facebook like) items online.
To get around this issue, Google inserted an invisible web form into its advertising if a user clicked on the company's +1 buttons embedded in Google advertising. Safari would then think the user interacted with the invisible form and allow the browser to accept further cookies.
This workaround also enabled Google to track users across the web even though their privacy settings said they didn't want to be tracked. Google responded to the accusations by saying it was only providing features that signed-in Google users had enabled using "known functionality" in Safari's web browser. But, the company said, it didn't anticipate that Safari's "known functionality" would have the side effect of allowing other tracking cookies to be set as well, such as cookies from its advertising service, DoubleClick.
So should the FTC chalk this up to a big misunderstanding and a mistake, or investigate Google's potential misbehavior? Regardless, of Google's motives, I think the FTC should investigate and here's why.
Broke the Rules
"We used known Safari functionality to provide features that signed-in Google users had enabled," says Rachel Whetstone, Google's senior vice president of communications and public policy in response to the Journal's report. "Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies...Last year, we began using this functionality to enable features for signed-in Google users on Safari."
Whetstone argues that Google was only enabling "known functionality" in Safari to carry out the wishes of signed-in Google users. But was this the best plan? Instead of using this workaround couldn't Google have used a browser pop-up or a web page redirect to alert users they needed to change their cookie settings to enable this kind of activity? Instead, the company chose to use an invisible method beyond the control of the user.
Thanks to the popularity of Apple's Safari browser on iOS, the result of Google's workaround is that the privacy of perhaps millions of users was violated. Apple's Safari currently accounts for 55 percent of all smartphone and tablet browsing activity worldwide, according to metrics firm Netmarketshare.
Same old Song and Dance
Every time Google is found to be up to no good, the company uses virtually the same excuse: "Oops, sorry, that was a mistake, we didn't know we were doing that." This time around it was Whetstone saying that Google "didn't anticipate" its Safari workaround would allow it to set tracking cookies the user hadn't explicitly authorized.
When privacy concerns were raised over Google's failed social networking platform, Buzz, in February 2010, the company responded, "We quickly realized that we didn't get everything quite right. We're very sorry for the concern we've caused." Google then promised to do better.
A few months later, in May, Google was caught collecting user data from unencrypted Wi-Fi networks as it used its Street View cars to create a worldwide database of Wi-Fi routers to help improve the company's mobile location services. "We have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products," Google said.
More recently, in January, Google was accused of trying to weasel money out of small business owners in Kenya, Africa by falsely claiming that it was in a joint venture with Mocality, a Kenya-based crowd sourced business directory. And what was Google's response this time? "We were mortified to learn that a team of people working on a Google project improperly used Mocality’s data and misrepresented our relationship with Mocality," said Nelson Mattos Google's vice president for product and engineering in Europe and emerging markets. "We’re still investigating exactly how this happened, and as soon as we have all the facts, we’ll be taking the appropriate action with the people involved." Oops, we didn't know -- again.
Four serious gaffes and each time Google said it didn't realize what it was doing. That may in fact be true in each case, but does oversight excuse the error? How many times can Google say, "Oops, we goofed, we didn't know" before the company is held to account for its self-inflicted stupidity? Accident or not, Google should be investigated for its bad behavior and held accountable for its actions.