Google Settles With State AGs On Privacy

Published: 22/11/2024   Category: security




Google agrees to pay $17 million to 37 states to settle claims it circumvented cookie-blocking controls in Apple's Safari browser.



Google this week agreed to pay a $17 million settlement to 37 states after the search giant circumvented cookie-blocking controls built into Apple's Safari browser.
If this sounds familiar, it's because it's Google's second go-round, after agreeing in August 2012 to pay a record-breaking $22.5 million fine to settle a similar complaint filed by the Federal Trade Commission.
"Usually, I don't like seeing states expend time and effort to replicate cases that the FTC has already prosecuted -- and vice versa," said Justin Brookman, who directs the Center for Democracy and Technology's Project on Consumer Privacy, in a blog post. "Regulators have limited resources and need to manage their caseload to maximize the impact that their cases will have on the ecosystem."
This instance, however, is different, said Brookman, who previously led the Internet Bureau at the New York attorney general's office. "The state AGs' settlement agreement is considerably more expansive than the FTC's, and potentially establishes a new precedent for companies: evading privacy controls -- even default privacy controls -- is per se [inherently] deceptive."
The states' settlement agreement with Google requires the company to nuke the cookies that it placed via Safari and prohibits it from placing cookies on PCs of consumers that signal they want third-party cookies blocked. Or in the words of the settlement:

Google shall not employ HTTP form POST functionality that uses JavaScript to submit a form without affirmative user action for the purpose of overriding a browser's cookie-blocking settings so that it may place an HTTP cookie on such browser, without that user's prior consent.

That refers to a trick employed by Google -- among other companies -- which uses a POST command to evade third-party cookie blocks Apple put in Safari. This was despite the following promise from Apple:

Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from the current domain.

Privacy researcher Jonathan Mayer, a Stanford University graduate student, first spotted that Google was circumventing the cookie blocking and allowing its DoubleClick advertising subsidiary to place tracking cookies onto Safari users' systems. Mayer found that three other advertising companies -- Vibrant Media, Media Innovation Group, and PointRoll -- also appeared to be purposefully defeating Safari's third-party cookie blocks.
The FTC and 37 states have taken action only against Google, likely because Google's privacy policy stated that the company would comply with Safari users' tracking choices. Accordingly, the FTC was able to charge Google with deceptive business practices.
The states' settlement language may signal a shift in the privacy debate -- for example, over the mass tracking of consumers by advertising firms and data brokers. "If it's illegal for companies to try to get around privacy controls, that's a big deal for consumers," said Brookman.
The settlement's language might also suggest a legal roadmap for pro-privacy browser manufacturers as they implement the Do Not Track browser setting that signals a user doesn't want to be tracked by advertising networks. "If browsers were to try to enforce the standard by limiting access to companies that don't honor the settings in certain ways, efforts to get around that enforcement could be deemed deceptive," said Brookman.
How might browsers do that? "Well, Safari -- and soon Mozilla -- turning off third-party cookies is an example," said Brookman via email. While advertisers could use the POST trick, Java, or Flash to sneak around those blocks or reactivate old HTML cookies, browsers could also limit use of JavaScript or requests for certain data elements in order to better fingerprint users, he said. Or they could block third-party calls entirely -- like several add-ons do today.
Browser manufacturers could add more proactive countermeasures, for example, by blocking the use of JavaScript and Flash for any websites and advertising tracking networks that don't explicitly say -- in their privacy policies -- that they will honor consumers' Do Not Track preferences. "If a company were to misrepresent that it honors the flag, that's a pretty easy FTC case," Brookman said.
Despite Google's settlement with the FTC and 37 states' attorneys general, the fallout from the Safari-cookie bypass may not be at an end. Google still faces a related lawsuit filed by Safari users in the United Kingdom.
In addition, US consumers filed a class-action lawsuit against the companies named in Mayer's report. Last month, a judge dismissed the suit against all the companies except PointRoll, which had already agreed to settle by deleting the Safari cookies it had collected. The consumers who filed the suit have appealed the judge's decision.
