Google's Circumvention of Browser Privacy Settings

Introduction

On February 17, 2012, Stanford researcher Jonathan Mayer reported that Google intentionally circumvented the privacy settings of Safari users to gather more personal information and more effectively target ads, despite Google's promise to respect such settings. Google took elaborate measures to circumvent Safari's privacy safeguards and benefited from its misrepresentations through the commercial value it surreptitiously obtained. These actions are in clear violation of a recent Consent Order between Google and the FTC -- a consent order that EPIC recently filed a lawsuit to compel the FTC to enforce. As a result of Google's Safari tracking, EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google.

Background

Google Circumvents Privacy Settings

As part of its default privacy settings, Apple's Safari web browser blocks third-party internet cookies. As uncovered by Jonathan Mayer and first reported by the Wall Street Journal, Google has taken specific steps to circumvent these user privacy settings. Specifically, third-party Google services use JavaScript to submit invisible forms containing tracking cookies despite user preferences to the contrary. This allows Google to track user behavior on non-Google websites.

EPIC obtained screenshots of Google's descriptions of its treatment of the third-party tracking of Safari users before and after Google became aware that its tracking practices would be revealed. In revising these descriptions, Google removed the key section "Instructions for Safari." The original Google statement, that leaving Safari's privacy settings unchanged "accomplishes the same thing as setting the opt-out cookie," is a per se misrepresentation. Not only did the company know this not to be true, it took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations through the commercial value it surreptitiously obtained. The fact that Google removed the evidence and made it no longer available by means of a Google search is an admission by the company as to its malfeasance.

On February 20, 2012, Microsoft also reported that Google bypassed Internet Explorer privacy settings.

Google's Consent Order

On October 13, 2011, the FTC determined that Google engaged in unfair and deceptive trade practices when it attempted to launch Buzz, a social networking service linked to Gmail. As a result, the FTC issued a consent order establishing new privacy safeguards for users of all Google products and services and subjecting the company to regular privacy audits. This order bars Google from misrepresenting the company’s privacy practices, requires the company to obtain users' consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program.

On January 24, 2012, Google announced that it would change its terms of service for current users of more than 60 Google services, including Gmail, Google+, YouTube, and the Android mobile operating system. Rather than keeping personal information about a user of a given Google service separate from information gathered from other Google services, Google will consolidate user data from across its services and create a single merged profile for each user. The change will become effective on March 1, 2012.

On February 8, 2012, EPIC filed a complaint and motion for a temporary restraining order and preliminary injunction compelling the FTC to enforce the Google consent order. EPIC argued that Google's proposed March 1, 2012 change in business practices is in clear violation of this consent order. Google violated Part I(a) of the Consent Order by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of covered information. Google also violated Part I(b) of the Consent Order by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework. Google violated Part II of the Consent Order by failing to obtain affirmative consent from users prior to sharing their information with third parties. Google violated Part III of the Consent Order by failing to comply with the requirements of a comprehensive privacy program.
