Skip to main content

Filed under:

Google, cookies, and the battle over browser privacy settings

Share this story

Google has found itself suddenly enmeshed in a battle over how it uses cookies, small pieces of code for tracking users through their web browsers. While some argue that Google's use of cookies invades user privacy, Google claims it is simply using common web practices for innocuous tracking.

  • Chris Welch

    Nov 18, 2013

    Chris Welch

    Google agrees to pay states $17 million in browser privacy settlement

    Google New York Chelsea Office (STOCK)
    Google New York Chelsea Office (STOCK)

    Google has entered into a $17 million settlement with 37 states and the District of Columbia after the company was found to circumvent privacy settings in Apple's Safari browser. Between 2011 and 2012, Google secretly stored web tracking cookies in Safari, overriding Apple's default settings that forbid third-party cookies from being installed. "By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust," New York Attorney General Eric Schneiderman said in a statement. His state will receive $899,580 of the settlement money.

    Last year, Google agreed to pay another settlement of $22.5 million in response to similar complaints from the FTC. Users have also tried unsuccessfully to sue the company directly over the privacy blunder; a judge dismissed their class action lawsuit last month. For its part, Google has always maintained that the cookie incident was a mistake, one that the company quickly corrected after it was publicized. "We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers,” the company said in its statement. Google's FTC settlement terms allow the company to avoid admitting any wrongdoing.

    Read Article >
  • Adi Robertson

    Oct 10, 2013

    Adi Robertson

    Judge dismisses suit against Google for bypassing Safari privacy settings

    Google 3D logo white stock 1020
    Google 3D logo white stock 1020

    A Delaware judge has dismissed a class-action lawsuit against Google for secretly storing Safari cookies even when users had opted out. In a ruling from yesterday, Judge Sue Robinson wrote that the plaintiffs — who had filed suit under a variety of privacy and anti-hacking laws — hadn't proved real harm under any of them, nor had they convincingly argued that Google had violated their legal rights.

    The basic facts of the case aren't particularly in dispute. In early 2012, researchers discovered that Google and several advertising networks had found an exploit that let them surreptitiously store cookies through the Safari and mobile Safari browsers, regardless of users' privacy settings. While Google essentially called the process an accident and quickly removed the cookies, it was later found to have a similar system on Internet Explorer. The users in this suit argued that by using cookies to track users across sites without their consent, Google was essentially swindling them out of personal information that would otherwise have monetary value and was infringing on their right to privacy.

    Read Article >
  • Nathan Ingraham

    Aug 11, 2012

    Nathan Ingraham

    After Facebook privacy snafu, FTC may force companies to admit wrongdoing even if they settle

    Facebook Password lock
    Facebook Password lock

    The FTC settled two high-profile cases with Google and Facebook this week, but in both cases the technology giants got off without having to admit any wrongdoing in the cases. Google simply will pay its $22.5 million fine, while Facebook' privacy policies will be assessed by a third party every two years, among a number of other restrictions — but terms of the settlement mean that both companies are exempt from owning up to the behaviors that got them into trouble in the first place. In the wake of these high-profile cases, the New York Times is reporting that the FTC is planning to re-examine the practice of letting companies settle without admitting guilt.

    One of the driving forces around any potential changes appears to be FTC commissioner J. Thomas Rosch, who dissented from both the Facebook and Google settlements last week. He reportedly agreed with the general guidelines of Facebook's settlement, but disagrees with the FTC's language that states that a settlement "does not constitute an admission" of guilt. Rosch believes that the current system is "inviting denials of liability in every case in the future," and instead pointed to the Security and Exchange Commission's policy as a better solution. It states that a refusal to admit is equivalent to denying the allegations, unless a defendant says that he "neither admits or denies" the allegation — a rule that would disallow the FTC's current policy.

    Read Article >
  • Chris Welch

    Aug 9, 2012

    Chris Welch

    Google to pay $22.5 million to settle privacy charges

    Google logo
    Google logo

    Google has agreed to pay a $22.5 million penalty to settle FTC privacy charges that the search giant ignored user settings within Apple's Safari browser. The figure, rumored for some time now, is the largest fee the agency has ever collected for such a violation. Google violated a prior privacy agreement with the FTC earlier this year when it bypassed browser settings by placing cookies on a user's computer — even if they had been specifically disabled in settings.

    "The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order," said FTC chairman Jon Leibowitz of the agreement. ""No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."

    Read Article >
  • Nathan Ingraham

    Jul 31, 2012

    Nathan Ingraham

    FCC reportedly approves $22.5 million Google fine for Safari cookie scandal

    iOS Safari Cookies Settings 640
    iOS Safari Cookies Settings 640

    We heard that the FCC and Google were near a $22.5 million settlement for Google's part in circumventing Safari users' cookie privacy settings, and now Reuters is reporting that the FCC has voted to approve the fine, with an official announcement expected in the next few days. Rather than a straight fine, this settlement is being described as a "consent decree," which allows Google to settle with the FCC without admitting liability. The crux of this issue comes from a discovery earlier this year that Google (as well as other ad networks) were circumventing Safari privacy settings which allowed the companies to deposit cookies, despite browser settings that shouldn't have allowed that behavior. This was an issue for both the desktop and mobile versions of Safari — not to mention the fact that Google reportedly did the same thing to Internet Explorer. Still, it sounds like Google will be out of hot water for this Safari issue within the next few days.

    Read Article >
  • Jeff Blagdon

    Jul 10, 2012

    Jeff Blagdon

    Google facing FTC's largest fine ever for circumventing Safari's cookie blocker, says WSJ

    safari cookies 1020 stock
    safari cookies 1020 stock

    Five months after the first news that Google circumvented users’ cookie settings in Apple’s mobile and desktop Safari web browsers, it looks like the company is close to settling the matter with the FTC for $22.5 million. According to The Wall Street Journal, there is a good chance that the penalty will be the largest the Commission has ever levied on a single company.

    By default, Safari only accepts cookies from sites that users have actually visited, or from things that the user clicks, like ads. In this default state, advertisers can't leave cookies on users’ devices, so in order to get around the behavior, Google used some sneaky code to submit blank forms to its ad network, DoubleClick. These transmissions — of blank forms from users’ browsers — signaled that they were interacting with DoubleClick, telling Safari to allow its cookies; ostensibly to provide Google+ users with otherwise-barred +1 button functionality. Google has insisted that users signed into the social platform want the behavior, but unfortunately, setting the initial cookie green lights others coming from DoubleClick, including the "id" cookie that tracks users’ activity across multiple websites. This is precisely the kind of code that the Safari setting is designed to block, hence the uproar.

    Read Article >
  • Adi Robertson

    May 4, 2012

    Adi Robertson

    Google facing FTC fine for circumventing Safari privacy settings, says Bloomberg

    iOS Safari Cookies Settings 640
    iOS Safari Cookies Settings 640

    Google may be in the process of negotiating with the US Federal Trade Commission over a fine for using an invasive advertising cookie on Safari. According to Bloomberg, "a person familiar with the matter" says that the company could pay up to tens of millions of dollars over a violation of privacy safeguards. If the case goes forward, the FTC will apparently allege that Google "deceived consumers and violated terms of a consent decree signed with the commission last year" when it tracked Safari users' web activity regardless of their privacy settings.

    If Google pays this fine, it could still face investigation by the EU, which is also rumored to be looking into the matter. Google has previously maintained that the breach was accidental, and that the practices it employs are commonplace for web tracking. Besides Safari, Microsoft has also alleged that Google used a similarly invasive cookie on Internet Explorer. The FTC declined to comment on Bloomberg's report.

    Read Article >
  • Aaron Souppouris

    Mar 16, 2012

    Aaron Souppouris

    Google facing more privacy litigation, according to WSJ

    Google Logo 640px
    Google Logo 640px

    The Wall Street Journal has reported that US and EU regulators are investigating Google for its circumvention of Safari's privacy settings, according to "people familiar with the investigations." The scandal, which was also broken by the WSJ, revolved around Google using an invasive advertising cookie that tracked web activity regardless of the users privacy settings, and Microsoft quickly called Google out for the same issue.

    According to the report, the use of this cookie may have violated a previous settlement regarding misrepresentation of its privacy practices, and has sparked the Federal Trade Commission (FTC) to look into any potential breach. Google could face a very large fine of $16,000 per violation, per day, for breaching the agreement, although the FTC has not confirmed the WSJ's allegations. According to Google, the offending cookies are being removed from Safari browsers, and it also maintains that the breach was accidental. In order for the FTC to levy a fine on the search giant, it would have to prove that Google was intentionally tracking users.

    Read Article >
  • T.C. Sottek

    Feb 21, 2012

    T.C. Sottek

    Google responds to Microsoft over privacy issues, calls IE's cookie policy 'widely non-operational'

    Google logo
    Google logo

    Earlier today, Microsoft accused Google of manipulating Internet Explorer's default privacy restrictions in order to "bypass user preferences about cookies." Google's just responded with a lengthy rebuttal, arguing that Microsoft's P3P cookie technology is "widely non-operational," and that the issue has been around since 2002. The response also points to other offenders, citing a 2010 Carnegie Mellon research paper that says over 11,000 websites don't use valid P3P policies.

    Google's also specifically bringing Facebook and Amazon into the fracas, citing their similar use of the P3P bypass. Google references Facebook's policy on P3P cookies, and says that it and other websites have been open about their approach. Both Facebook and Google say that P3P doesn't support their modern web services — Google says that "newer cookie-based features are broken by the Microsoft implementation in IE," and Facebook's policy states that "the P3P standard is now out of date and does not reflect technologies that are currently in use on the web."

    Read Article >
  • T.C. Sottek

    Feb 20, 2012

    T.C. Sottek

    Google also bypasses user privacy settings in Internet Explorer, says Microsoft

    IE Logo 2
    IE Logo 2

    Just a few days after the Wall Street Journal reported that Google, Facbeook, and others have been using a workaround to bypass the cookie restrictions in Apple's Safari and Mobile Safari web browsers, Microsoft now claims that Google has taken similar measures to bypass privacy settings in Internet Explorer. Microsoft says that Google is improperly representing its cookies by using a non-standard P3P cookie policy statement: it claims that "Google's P3P policy is actually a statement that it is not a P3P policy," which allows Google's cookies to pass through without being blocked.

    In response to accusations over cookies in Safari, Google said that it made a mistake with how it asked Safari to handle cookies, and that its advertising cookies do not collect personal information. It also said that users of Internet Explorer, Firefox, and Chrome were not affected — though that claim now appears suspect.

    Read Article >
  • Bryan Bishop

    Feb 17, 2012

    Bryan Bishop

    Google and others caught circumventing Safari and Mobile Safari privacy restrictions (updated)

    iOS Safari Cookies Settings 640
    iOS Safari Cookies Settings 640

    The Wall Street Journal reports that Google and several prominent online advertising networks have been using a workaround to bypass the privacy restrictions on Apple's Safari and Mobile Safari web browsers, allowing the companies to deposit cookies on a user's computer even if the device is set to prevent such behavior. At issue is the way Safari treats cookies. Under its default settings, both the desktop and iOS versions of the app only accept the files, which can be used to track browsing habits, from sites that individuals specifically visit or interact with. This prevents a cookie from an outside source from making its way onto a user's computer without their direct involvement. Google reportedly butted up against this restriction when it couldn't use cookies to determine if users were logged into Google services in conjunction with its +1 recommendation system.

    To get around the problem, Google took advantage of an exploit that was first noted by developer Anant Garg in 2010, which uses a blank form sent in the background to trick Safari into accepting cookies from unauthorized sources. Google's use of the workaround was spotted by Stanford researcher Jonathan Mayer, and later corroborated by the WSJ. When contacted about the technique, Google reportedly ceased the practice, saying in a statement that "the Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."

    Read Article >