Google's Circumvention of Browser Privacy Settings

• Latest News |
• Background |
• Resources |
• News Reports

Introduction

On February 17, 2012, Stanford researcher Jonathan Mayer reported that Google intentionally circumvented the privacy settings of Safari users to gather more personal information and more effectively target ads despite Google's promise to respect such settings. Google took elaborate measures to circumvent Safari's privacy safeguards and benefited from its misrepresentations with commercial value it surreptitiously obtained. These actions are in clear violation of a recent Consent Order between Google and the FTC -- a consent order that EPIC recently filed a lawsuit to compel the FTC to enforce. As a result of Google's Safari tracking, EPIC wrote to the Federal Trade Commission urging it to enforce the consent order with Google.

Top News

Background

Google Circumvents Privacy Settings

As part of its default privacy settings, Apple's Safari web browser blocks third-party internet cookies. As uncovered by Jonathan Mayer and first reported on by the Wall Street Journal, Google has taken specific steps to circumvent these user privacy settings. Specifically, third-party Google services use Javascript to submit invisible forms containing tracking cookies despite user preferences to the contrary. This allows Google to track user behavior on non-Google websites.

EPIC obtained screen shots of Google's descriptions of its treatment of the third-party tracking of Safari users before and after Google became aware that its tracking practices would be revealed. As part of these descriptions, Google removed the key section "Instructions for Safari." The original Google statement that users of Safari who have not changed their privacy settings "accomplishes the same thing as setting the opt-out cookie" is a per se misrepresentation. Not only did the company know this not to be true, it took elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the misrepresentations by the commercial value it surreptitiously obtained. The fact that Google removed the evidence and made it no longer available by means of a Google search is an admission by the company as to its malfeasance.

On February 20, 2012, Microsoft also reported that Google bypassed Internet Explorer privacy settings.

Google's Consent Order

On October 13, 2011, the FTC determined that Google engaged in unfair and deceptive trade practices when it attempted to launch Buzz, a social networking service linked to Gmail. As a result, the FTC issued a consent order establishing new privacy safeguards for users of all Google products and services and subjecting the company to regular privacy audits. This order bars Google from misrepresenting the company’s privacy practices, requires the company to obtain users' consent before disclosing personal data, and requires the company to develop and comply with a comprehensive privacy program.

On January 24, 2012, Google announced that it would change its terms of service for current users of more than 60 Google services, including Gmail, Google+, Youtube, and the Android mobile operating system. Rather than keeping personal information about a user of a given Google service separate from information gathered from other Google services, Google will consolidate user data from across its services and create a single merged profile for each user. The change will become effective on March 1, 2012.

On February 8, 2012, EPIC filed a complaint and motion for a temporary restraining order and preliminary injuction compelling the FTC to enforce the Google consent order. EPIC argued that Google's proposed March 1, 2012 change in business practices is in clear violation of this consent order. Google violated Part I(a) of the Consent Order by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of covered information. Google also violated Part I(b) of the Consent Order by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework. Google violated Part II of the Consent Order by failing to obtain affirmative consent from users prior to sharing their information with third parties. Google violated Part III of the Consent Order by failing to comply with the requirements of a comprehensive privacy program.

Resources

Safari Tracking

• Congressional Letter to FTC on Google Safari Tracking, Feb. 17, 2012.
• EPIC's Letter to FTC Commissioner John Leibowitz on Google Safari Tracking, Feb. 17, 2012.
• Google's iPhone Tracking, Julia Angwin & Jennifer Valentino-Devries, Wall St. J., Feb. 17, 2012.
• Safari Trackers, Jonathan Mayer, Web Policy, Feb. 17, 2012.

EPIC v. FTC

• FTC Motion to Dismiss and Memorandum in Opposition to EPIC's Motion
• Motion for Temporary Restraining Order and Preliminary Injunction
• EPIC's Complaint for Injunctive Relief
• Background: EPIC v. FTC

In re Google Buzz

• Google Privacy Compliance Report, as required by In re Google Buzz
• FTC Consent Order, In re Google Buzz
• FTC - "FTC Charges Deceptive Privacy Practices in Google's Rollout of Its Buzz Social Network."
• Background: EPIC - In re Google Buzz

News Reports

News Stories and Blog Items

• Google sued by Safari user over privacy flap, Phil Milford and Jef Feeley, Bloomberg, Feb. 17, 2012.
• More Sneaky Business From Google: It Bypasses Internet Explorer Privacy Settings, Too, Mark Rosoff, SFGate, Feb. 20, 2012.
• Google Tricks Internet Explorer into Accepting Tracking Cookies, Microsoft Claims, Jon Brodkin, Web Monkey (blog), Feb. 21, 2012.
• Google Privacy Fiasco Lesson: There Is No Privacy, Tony Bradley, PCWorld Business Center (blog), Feb. 20, 2012.
• Pressure on Google over privacy problems mounts, Cecilia Kang, Wash. Post, Feb. 21, 2012.
• Did Google Intentionally Track You?, Chester Wisniewski, CNN, Feb. 12, 2012.
• Google Bypassing User Privacy Settings, Dean Hachamovitch, Corporate Vice President, Internet Explorer, Internet Explorer Blog, Feb. 20, 2012.
• Will the FTC Investigate Google's Safari Gaffe, Ian Paul, PCWorld, Feb. 20, 2012.
• Congress demands FTC investigation into Google's Safari tracking, Zack Whittaker, ZDNet (blog), Feb. 20, 2012.
• Story of the Week: Google Feeds Safari Cookies, Maryam Nabi, Financial Times, Feb. 18, 2012.
• Setting the Record Straight on Google's Safari Tracking, Jonathan Mayer, Web Policy, Feb. 20, 2012.
• Google facing Congressional backlash over tracking of Safari users, Byron Acohido, USA Today, Feb. 17, 2012.
• Google's iPhone Tracking, Julia Angwin & Jennifer Valentino-Devries, Wall St. J., Feb. 17, 2012.
• Safari Trackers, Jonathan Mayer, Web Policy, Feb. 17, 2012.