Google, cookies, and the battle over browser privacy settings

Google has entered into a $17 million settlement with 37 states and the District of Columbia after the company was found to circumvent privacy settings in Apple's Safari browser. Between 2011 and 2012, Google secretly stored web tracking cookies in Safari, overriding Apple's default settings that forbid third-party cookies from being installed. "By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust," New York Attorney General Eric Schneiderman said in a statement. His state will receive $899,580 of the settlement money.

Last year, Google agreed to pay another settlement of $22.5 million in response to similar complaints from the FTC. Users have also tried unsuccessfully to sue the company directly over the privacy blunder; a judge dismissed their class action lawsuit last month. For its part, Google has always maintained that the cookie incident was a mistake, one that the company quickly corrected after it was publicized. "We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers,” the company said in its statement. Google's FTC settlement terms allow the company to avoid admitting any wrongdoing.

A Delaware judge has dismissed a class-action lawsuit against Google for secretly storing Safari cookies even when users had opted out. In a ruling from yesterday, Judge Sue Robinson wrote that the plaintiffs — who had filed suit under a variety of privacy and anti-hacking laws — hadn't proved real harm under any of them, nor had they convincingly argued that Google had violated their legal rights.

The basic facts of the case aren't particularly in dispute. In early 2012, researchers discovered that Google and several advertising networks had found an exploit that let them surreptitiously store cookies through the Safari and mobile Safari browsers, regardless of users' privacy settings. While Google essentially called the process an accident and quickly removed the cookies, it was later found to have a similar system on Internet Explorer. The users in this suit argued that by using cookies to track users across sites without their consent, Google was essentially swindling them out of personal information that would otherwise have monetary value and was infringing on their right to privacy.

The FTC settled two high-profile cases with Google and Facebook this week, but in both cases the technology giants got off without having to admit any wrongdoing in the cases. Google simply will pay its $22.5 million fine, while Facebook' privacy policies will be assessed by a third party every two years, among a number of other restrictions — but terms of the settlement mean that both companies are exempt from owning up to the behaviors that got them into trouble in the first place. In the wake of these high-profile cases, the New York Times is reporting that the FTC is planning to re-examine the practice of letting companies settle without admitting guilt.

One of the driving forces around any potential changes appears to be FTC commissioner J. Thomas Rosch, who dissented from both the Facebook and Google settlements last week. He reportedly agreed with the general guidelines of Facebook's settlement, but disagrees with the FTC's language that states that a settlement "does not constitute an admission" of guilt. Rosch believes that the current system is "inviting denials of liability in every case in the future," and instead pointed to the Security and Exchange Commission's policy as a better solution. It states that a refusal to admit is equivalent to denying the allegations, unless a defendant says that he "neither admits or denies" the allegation — a rule that would disallow the FTC's current policy.

Google has agreed to pay a $22.5 million penalty to settle FTC privacy charges that the search giant ignored user settings within Apple's Safari browser. The figure, rumored for some time now, is the largest fee the agency has ever collected for such a violation. Google violated a prior privacy agreement with the FTC earlier this year when it bypassed browser settings by placing cookies on a user's computer — even if they had been specifically disabled in settings.

"The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order," said FTC chairman Jon Leibowitz of the agreement. ""No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."

We heard that the FCC and Google were near a $22.5 million settlement for Google's part in circumventing Safari users' cookie privacy settings, and now Reuters is reporting that the FCC has voted to approve the fine, with an official announcement expected in the next few days. Rather than a straight fine, this settlement is being described as a "consent decree," which allows Google to settle with the FCC without admitting liability. The crux of this issue comes from a discovery earlier this year that Google (as well as other ad networks) were circumventing Safari privacy settings which allowed the companies to deposit cookies, despite browser settings that shouldn't have allowed that behavior. This was an issue for both the desktop and mobile versions of Safari — not to mention the fact that Google reportedly did the same thing to Internet Explorer. Still, it sounds like Google will be out of hot water for this Safari issue within the next few days.

Five months after the first news that Google circumvented users’ cookie settings in Apple’s mobile and desktop Safari web browsers, it looks like the company is close to settling the matter with the FTC for $22.5 million. According to The Wall Street Journal, there is a good chance that the penalty will be the largest the Commission has ever levied on a single company.

By default, Safari only accepts cookies from sites that users have actually visited, or from things that the user clicks, like ads. In this default state, advertisers can't leave cookies on users’ devices, so in order to get around the behavior, Google used some sneaky code to submit blank forms to its ad network, DoubleClick. These transmissions — of blank forms from users’ browsers — signaled that they were interacting with DoubleClick, telling Safari to allow its cookies; ostensibly to provide Google+ users with otherwise-barred +1 button functionality. Google has insisted that users signed into the social platform want the behavior, but unfortunately, setting the initial cookie green lights others coming from DoubleClick, including the "id" cookie that tracks users’ activity across multiple websites. This is precisely the kind of code that the Safari setting is designed to block, hence the uproar.

Google may be in the process of negotiating with the US Federal Trade Commission over a fine for using an invasive advertising cookie on Safari. According to Bloomberg, "a person familiar with the matter" says that the company could pay up to tens of millions of dollars over a violation of privacy safeguards. If the case goes forward, the FTC will apparently allege that Google "deceived consumers and violated terms of a consent decree signed with the commission last year" when it tracked Safari users' web activity regardless of their privacy settings.

If Google pays this fine, it could still face investigation by the EU, which is also rumored to be looking into the matter. Google has previously maintained that the breach was accidental, and that the practices it employs are commonplace for web tracking. Besides Safari, Microsoft has also alleged that Google used a similarly invasive cookie on Internet Explorer. The FTC declined to comment on Bloomberg's report.

The Wall Street Journal has reported that US and EU regulators are investigating Google for its circumvention of Safari's privacy settings, according to "people familiar with the investigations." The scandal, which was also broken by the WSJ, revolved around Google using an invasive advertising cookie that tracked web activity regardless of the users privacy settings, and Microsoft quickly called Google out for the same issue.

According to the report, the use of this cookie may have violated a previous settlement regarding misrepresentation of its privacy practices, and has sparked the Federal Trade Commission (FTC) to look into any potential breach. Google could face a very large fine of $16,000 per violation, per day, for breaching the agreement, although the FTC has not confirmed the WSJ's allegations. According to Google, the offending cookies are being removed from Safari browsers, and it also maintains that the breach was accidental. In order for the FTC to levy a fine on the search giant, it would have to prove that Google was intentionally tracking users.

Earlier today, Microsoft accused Google of manipulating Internet Explorer's default privacy restrictions in order to "bypass user preferences about cookies." Google's just responded with a lengthy rebuttal, arguing that Microsoft's P3P cookie technology is "widely non-operational," and that the issue has been around since 2002. The response also points to other offenders, citing a 2010 Carnegie Mellon research paper that says over 11,000 websites don't use valid P3P policies.

Google's also specifically bringing Facebook and Amazon into the fracas, citing their similar use of the P3P bypass. Google references Facebook's policy on P3P cookies, and says that it and other websites have been open about their approach. Both Facebook and Google say that P3P doesn't support their modern web services — Google says that "newer cookie-based features are broken by the Microsoft implementation in IE," and Facebook's policy states that "the P3P standard is now out of date and does not reflect technologies that are currently in use on the web."

Just a few days after the Wall Street Journal reported that Google, Facbeook, and others have been using a workaround to bypass the cookie restrictions in Apple's Safari and Mobile Safari web browsers, Microsoft now claims that Google has taken similar measures to bypass privacy settings in Internet Explorer. Microsoft says that Google is improperly representing its cookies by using a non-standard P3P cookie policy statement: it claims that "Google's P3P policy is actually a statement that it is not a P3P policy," which allows Google's cookies to pass through without being blocked.

In response to accusations over cookies in Safari, Google said that it made a mistake with how it asked Safari to handle cookies, and that its advertising cookies do not collect personal information. It also said that users of Internet Explorer, Firefox, and Chrome were not affected — though that claim now appears suspect.