The Wall Street Journal (subscription required) reports that Internet giant Google is on the verge of agreeing to a $22.5 million settlement with the FTC to put to rest charges that it violated iOS users’ privacy by intentionally bypassing the built-in privacy controls in Apple’s Safari Web browser so Google could track their browsing habits. If the settlement plays out as reported, it would represent the single largest penalty ever assessed against a single company by the Federal Trade Commission. Even though $22.5 million barely represents half a day’s income to Google, it’s probably not an achievement Google will memorialize with a bronze plaque outside its Mountain View headquarters.
This isn’t the first time Google has run afoul of the FTC over user privacy concerns. What’s the basis of the current case and how does it compare to Google’s privacy record with U.S. regulators? And does Google even stand out amongst tech companies taken to task by the FTC over privacy issues?
Google, Safari, and the FTC
The current case being investigated by the FTC surrounds Apple’s Safari Web browser, both in iOS devices like the iPhone and iPad as well as Apple’s desktop Mac OS X operating system. Since Safari debuted as a desktop browser all the way back in 2003, it has had a default setting to block third-party cookies — it also featured a “privacy reset” option for clearing cookies and other browser settings. Safari 2.0 (from 2005) was the first to enable a “private browsing” mode — many ridiculed it as a way for Mac users to surf porn sites, but it also offered effective protection against first- and third-party cookies as well as against being tracked by (many still-nascent) advertising networks.
As Google became a major force in online advertising — in part through acquisitions like DoubleClick and AdMob — Google wanted a way to serve personalized ad content and things like its “+1” buttons to signed-in Google users. It did so using a post-back mechanism that enabled it to set cookies in the Safari browser even if the browser was set to disallow third-party cookies. (Stanford grad student Jonathan Mayer analyzed technical details of the mechanism.) One could argue that Google was only able to do this because of a flaw in Safari, but Google did more with the technique than just determine whether users were signed in to Google and had agreed to receive personalized advertising: the technique also let Google install tracking cookies. So, even if users were blocking third-party cookies in Safari (the default) and were not signed in to Google, Google could still track their actions across not just Google’s own sites, but any sites that carried Google advertising or services. Given the near-ubiquity of things like YouTube and Google’s AdSense advertising services, that’s a major chunk of the Internet.
Google has maintained it did nothing wrong, and began deleting the tracking cookies as soon as it became aware they were being set. It characterized the bypass technique as “known Safari functionality,” said it was deleting any data it gathered as a result of the cookies, and said that no harm was done to consumers. Google did, however, collect information about all Safari users it encountered, regardless of whether they had a Google account, were signed in to it, or had agreed to accept social advertising; there is no indication Google shared that information with other companies. Nonetheless, Google may well have profited from knowing more about Safari users’ browsing habits than its competitors.
The FTC isn’t alone investigating these issues: several states’ attorneys general have launched their own probes, and European regulators are also investigating Google’s bypassing of Safari’s built-in privacy tools.
Buzzkill
The Safari situation puts Google in hot water because the company had previously entered into a 20-year consent decree in 2011 for “deceptive privacy practices” surrounding the launch of Google Buzz. In that case, Google escaped having to pay any fines, but it did agree to implement a comprehensive privacy program, and subject itself to regular independent privacy audits for 20 years.
Google Buzz, for folks who don’t recall, was Google’s initial ill-fated effort to leverage its widely used Gmail service into a social networking platform. To launch the service, Google enrolled Gmail users in aspects of Google Buzz without their consent, which resulted in details of users’ contacts and correspondents automatically being disclosed to other users — in some cases even if they declined to try out Google Buzz. By the end of the year, Google had killed off Google Buzz and switched its focus to Google+, but the damage was done: Google had not only flubbed its first serious move into social networking, it had brought down 20 years of federal scrutiny about its privacy practices too.
As a result of the Buzz fiasco, Google can be liable for up to $16,000 per day that it violates its consent agreement with the FTC. If the $22.5 million figure cited by the Wall Street Journal is accurate and the $16,000-per-day fine is the basis for the penalty, that could mean Google would essentially admit it was tracking Safari users without their consent for the better part of four years.
What about everyone else?
A number of federal agencies monitor aspects of many Internet companies’ businesses. Google doesn’t just tangle with the FTC. Just a few months ago the Federal Communications Commission fined Google a paltry $25,000 for collecting personal information with its Street View vehicles as it cruised by Wi-Fi hotspots. However, although it’s a small agency, the Federal Trade Commission is primarily responsible for consumer protection. How have other Internet giants fared with the FTC?
Not so well, as it turns out. Perhaps the most public settlement with the FTC over privacy issues was from social networking giant Facebook: the FTC accused Facebook of failing to keep a number of privacy-related promises it made to users, including making formerly private information public, sharing data with third parties without user consent, keeping data around and accessible even after accounts were deleted, and falsely claiming it complied with the U.S.-EU Safe Harbor Framework for data transfer. For all that and more, however, Facebook paid no penalties — but it did agree to the same 20 years of independent, third-party privacy audits later applied to Google.
Social networking aggregator Spokeo also had to settle with the FTC — and it didn’t get off for free, agreeing to pay $800,000 to settle charges it violated the Fair Credit Reporting Act as well as “astroturfing” by posting false endorsements of its services to blogs and Web sites. However, unlike Google and Facebook, Spokeo isn’t a primarily consumer-facing service. Rather, it collects and aggregates information about individuals from social networking sites and the Internet, bundles it up, and sells it to recruiters, background screeners, and human resources departments — if you’ve ever had a foul-mouthed tweet or drunken Facebook photo come back to haunt you during a job interview, Spokeo may be why. The FTC alleged, among other things, that Spokeo failed to comply with requirements governing consumer reporting agencies.
What about social networking sites? Believe it or not, in May MySpace had to work out a settlement with the FTC for sharing personal information with third parties without user consent. Sound similar to Facebook? It does: and, like Facebook, MySpace didn’t have to pay a penny, but did have to agree to having its privacy practices audited for the next 20 years.
Twitter hasn’t emerged unscathed either — although the circumstances are different. Twitter agreed to have its security and privacy practices audited for 20 years as a result of two security breaches in January and May of 2009 during which attackers were able to get administrative access to Twitter — including access to private information and the ability to generate phony tweets. In these instances, Twitter didn’t promise one thing and do another — it promised users privacy and wound up getting hacked. Something similar happened with game site RockYou, from which hackers managed to glean some 32 million email addresses during an attack. However, RockYou also wound up agreeing to pay $250,000 in penalties because it also collected personal information from nearly 180,000 children without their parents’ consent, in violation of the Child Online Privacy Protection Act (COPPA), which bars the collection or sharing of children’s information online without their parents’ consent.
COPPA has been at the core of settlements the FTC has reached with many technology companies, including Broken Thumbs Apps, Skidekids, and Xanga.com. The Xanga case (from 2006) involved the highest fine ever levied for a COPPA violation: $1 million. Xanga knowingly collected and disclosed information about 1.7 million children age 13 and under without parents’ consent over a period of five years.
Even Microsoft has run afoul of COPPA. Back in 2002 the company reached a settlement with the FTC over its claims that its Passport single sign-in and wallet service was designed to let users easily and safely make purchases from participating merchants, and could even set up accounts for kids that limited collection of personal information by participating sites; among other things, Microsoft was found to have misrepresented what information was shared with third parties about children.
Breaking the pattern
Leaving aside issues of the Child Online Privacy Protection Act, the Federal Trade Commission is empowered under the FTC Act. Although it’s been amended since, the act dates all the way back to 1914 and doesn’t include any language about the privacy practices of businesses. The FTC’s mandate essentially derives from the Act’s prohibition of deceptive and unfair trade practices. The FTC’s settlements with companies like Microsoft, Google, Twitter, and Facebook stem from its interpretation of that act. A company could potentially take the FTC to court and argue that the FTC’s interpretation overreaches the authority granted by the act.
It may seem ludicrous for a company to try to take the federal government to court and argue it has no authority to regulate how it conducts business — but that’s exactly what Comcast did with the FCC over its Internet regulatory framework, essentially gutting the idea of Net neutrality. Although it’s rare for firms to challenge the FTC’s interpretation of its authority, the rapidly evolving Internet and mobile industries might be the place where it happens.
Why? Because companies like Facebook and Google have now established a pattern where they unilaterally expand their collection and usage of consumer data and violate promises they made to their users — and see very little downside. Both Google and Facebook have rolled out new services that exposed information about their users without first obtaining consent — and, to date, neither has paid a penny in penalties, or even admitted to any wrongdoing. Google and Facebook are both companies that don’t charge directly for most of their services: and they’re hardly alone in that regard. The value these companies derive from their users stems largely from the personal and profile information they’re able to collect about their lives and interests and, in turn, sell to advertisers. As the saying goes: If you’re not paying for it, you are the product, not the customer.
The FTC’s settlements to date with the likes of Google, Facebook, and even Twitter (which resulted from a data breach) are consistently on the side of transparency:
- Companies need to get affirmative consent from users before making retroactive, adverse changes to privacy policies;
- Companies must disclose important changes in their privacy practices;
- Companies must be straightforward when soliciting consent to new uses of data — weasel words and less-than-complete disclosure won’t do.
Subjecting Internet companies to as much as 20 years of privacy audits might seem like a major enforcement move — and Google, Twitter, and Facebook are all now under such requirements. However, Google looks like it will be the first company that will have to come to terms with violating a privacy settlement with the FTC. And what does that look like it’s going to cost them?
Half a day’s pay.
At that rate, it’s hard to believe any company trying to compete with Google or Facebook will consider dodgy privacy practices anything more than a minor cost of doing business.
Image via Shutterstock/Lightspring
Why wasn’t Apple fined for having a backdoor in their system allowing anybody access? Apple was the one to blame here!
Why isn’t Apple fined for knowingly logging, tracking and monitoring their clients? Where is all this information going?
Facebook logs, sells and distributes private information and yet is never touched.
Google sneezes and everyone jumps on it.
Personally I’m more worried about Facebook, and Apple! They’re the two data miners to be concerned with (IMO)!
Thank you for an extremely informative and well written article. Too often, clarity is what is missing in the IT journalism industry and it’s nice to see something well fleshed out for a change instead of the same regurgitated headline scalped from someone else’s newsfeed.
We don’t fine foreign corporations, we only fine domestic corporations. Then the government asks why our industry has moved overseas.
The government tried the same shake-down on Microsoft during the Bush administration, but Bush stopped it.
Was not happy that as soon as my phone number was changed and I went unlisted, I began getting automated calls from a Google service that is no longer available. It was Google Phone Book. It’s version of White and Yellow Pages. I phoned technical support and for an hour the technician went over the ways to have my name removed from their phone books. Nothing worked. That is because they cancelled this service years ago. The employees didn’t know about it, yet the thing was still alive on their computer harassing me daily by phone to update my phone number. Never giving me the option to choose to update, it just hung up on me no matter what I pressed on the phone. How they got my unlisted number the day after I changed? Who knows, but it just made me hate Google’s big eye too much. So much for the corporate “Do No Evil”. As far as I am concerned they should be treated as a monopoly and split all of their services to form a different division, or spin them off.
Your number is only unlisted starting the moment you request it; any time before that it was fair game, including when it wasn’t your number. Chances are they had your number before you even did, thanks to its previous owner.
My point is, they cancelled this service years ago. It does not exist. Google Phone Book is gone and has been gone for years. The harassment started immediately from a service that no longer existed. My point is the day I called my phone company and changed my number, Google’s outdated, obsolete service was contacting me to update my phone number. The fact that it is unlisted has nothing to do with this. The fact that their customer support had me on the line for hours trying to take me off of their NON-EXISTENT phone book, which they were unable to do, is because the employees did not know that Google Phone Book was no longer in existence. I blocked the number through caller ID and that was the only way I was able to stop the calls. AT&T was even worse. They would not stop harassing me trying to sell me UVERSE. I had to call my local AT&T to stop the calls selling UVERSE. Calling the main number just routed me overseas where they can do nothing but tell you they did something. I got them to stop calling me by choosing EMAIL as my preferred contact. The calls stopped and I haven’t received emails either.
Better to reach a consensus, technologically and as a society, that privacy is important.
Zuckerberg is an idiot, as is anyone who believes in a completely open web. We shouldn’t be investing in idiocy.
By “open” I mean the identification of its members. Technology for the web should itself be entirely open, to achieve that goal, almost paradoxically.
Yeah, so the government gets a few thousand here and a few million there. The government wasn’t the individual harmed. Where is the restitution for the hundreds of thousands, if not millions, of individuals who were?
You’re welcome to file a civil suit yourself if you feel you were ‘harmed’ enough to be worth any money. I wish you the best of luck proving damages caused by Google tracking you. The FTC could justify a 17 million dollar fine not because citizens were harmed but because Google was engaged in something that gave it an advantage over businesses who respected these restrictions people tried to put in place.
Believe it or not, the actual financial impact of the ‘harm’ done in privacy concerns is practically nil. Your privacy as an individual is more or less worthless to the world at large. Unless you are a major business owner or public figure, you are in a negligible minority who thinks your private non-financial information is worth even $1 (note that there are plenty of people who think THEIR personal info is priceless, they just don’t want to buy yours). It’s only in packages of thousands or millions that there is any significant monetary value.
Should have been 100x as much!
Charging them half a year’s revenue is a bit crazy, especially considering it looks like a case of doing something stupid, unlike some of the examples given that were purposefully negligent.
That would be 50 days’ revenue if the article’s statement that the current fine is equal to half a day’s revenue is accurate.
I agree that 170 million is excessive, but your numbers are off. While half a day’s income is an interesting statistic, it is worthless as an indicator of the fairness of the penalty. Since the goal is supposed to be to make deceptive or unfair practices unprofitable, the gov is supposed to penalize based on the advantage gained by performing the unfair or deceptive practice. If the practice was worth $10 million in benefits, the gov fines $20 mil and the company gets the point that doing X causes them to lose money.
The gov doesn’t make fines based on how much legal and legitimate business the business is involved in (total revenue) because that would encourage companies to simply engage in nothing but unfair and deceptive practices since they are better off earning as much as possible before the gov comes in and fines them 10% of their net worth.
I think Bob, like most people, vastly overestimates the actual worth of his private information.