Goodbye, Privacy: Judge Dismisses Safari Tracking Case against Google

| Analysis

U.S. District Court Judge Sue Robinson handed Google a big win this week when she dismissed the class action lawsuit alleging the Internet search giant was bypassing Safari's privacy settings. According to the Judge, Google did actually did circumvent the browser privacy settings, but that the plaintiffs didn't show they had been harmed by the action.

Google gets a pass on circumventing consumer privacyGoogle gets a pass on circumventing consumer privacy

Google had been accused with intentionally working around the privacy settings in Apple's Safari Web browser to track user's online activity and then sell the data to the online advertising companies such as Media Innovation and Vibrant Media, who were also named in the suit. When the do not track settings are enabled in Safari, companies aren't supposed to be able to collect information from users, although Google found a way to work around that.

News that Google was circumventing Safari's privacy settings surfaced in February 2012 when a researcher showed that the company was placing specially crafted cookies into online ads that allowed tracking even when the browser's privacy settings said otherwise. Google responded by saying it wasn't doing anything wrong and was actually just taking advantage of "known functionality" in Safari.

Google wasn't alone, because Vibrant Media, Media Innovation Group, and PointRoll were doing the same thing.

When the Federal Trade Commission started looking into Google's actions, the company agreed to pay a US$22.5 million fine even though it claimed it hadn't done anything wrong. The company also backtracked on its earlier defense and said the tracking was unintentional and that users weren't actually harmed.

Judge Robinson agreed in part with Google in that consumers weren't harmed. A Google spokesperson said the company was pleased with the ruling, according to the Wall Street Journal.

The ruling doesn't mean that Google didn't bypass Safari's privacy settings and track user activity even when they explicitly blocked tracking because that's exactly what happened. What it means is that the plaintiffs couldn't prove they were actually harmed by Google's actions. The end result, however, is the same: Google now knows it can surreptitiously track consumer's online activity without fear of serious repercussions, and that's a big blow to online privacy.

Comments

Lee Dronick

Last year I switched to Bing for almost all of my searches. Now they may be doing the same, but…

Anyway, perhaps the answer is to have better cookie control in Safari. Accept from visited should mean accept from visited and only that domain, turing off cache should turn off caching, no local storage. I will give MacObserver a cookie for the privilege of commenting, but I don’t want to give one to entire class.

wab95

Jeff:

I find it fascinating that there is, practically speaking, almost no meaningful outrage, and very little expressed concern about Google surreptitiously tracking users online despite their expressed preference not be tracked, and now being further enabled by the court to continue doing so, on the grounds of no demonstrable harm to the user. My observation is that, were the same finishing made on behalf of the NSA or some other branch of the US Government, this column would have been trailed by over a dozen comments within the first hour.

We seem to have less concern about what the private sector will do with our data than we do about the public sector, specifically governments, and yet we have been explicitly shown that, when governments need those data, they turn to the private sector.

I personally don’t have any higher suspicion of ill intent by the public sector than I hold for the private, and see potential for substantial abuse at the hands of either without specific safeguards in place, which legislation, sadly, lags behind.

In the meantime, it seems that the safest bet for the consumer is assume that everything they do online can be, and likely is being, tracked and stored by someone, somewhere, in perpetuity; and that these data can be accessed by entities unknown, perhaps yet unborn, for purposes undisclosed to the consumer.

In the absence of protective legislation, the consumers’ only real weapon against the private sector, apart from the wrath of negative opinion in the blogosphere, is voting with their wallets in a way that harms this private sector business model. (Guerrilla strikes by the likes of Anonymous are recoverable, with ever more hardened systems, and to date have not reversed this trend). In the absence of an organised campaign, for which there appears to be no evidence, I don’t see this happening. This in turn leads me to conclude that our best bet continues to reside with the governments whose responsibility it is to insure public safety and security, the very entities that so many appear to trust far less than the private sector.

As I said at the beginning, fascinating.

ibuck

I agree with wab95 and think consumers and coders should respond. I would gladly pay for “poison pill” software that frustrates, stops or misleads Google and their ilk. And I wish EFF, and others, would write a referendum here in California (and other states) that makes illegal such gathering of info without explicit written permission from each user, with that permission set to expire within 30 or 90 days, and a quick & easy mechanism for consumers to retract that permission. Finally, there should be criminal penalties for writing or distributing software code that end runs privacy preferences, which is, after all, hacking.

skipaq

This decision is a big disappointment. I have commented in the past of my aversion to companies like Facebook and Google who sell their customers info as their primary source of income. We long ago stopped using both companies services. But I still get the feeling of eyes looking into our mundane lives. The court should recognize that damages are not only monetary.

webjprgm

Does ad blocking software block these ad-based tracking cookies?

webjprgm

Reading about the Do-Not-Track header on Wikipedia makes it sound like there’s nothing ever preventing Google from not tracking, just a simple request that they refrain from doing so.

So what was Google doing? Turning of the cookies from google.com but keeping the cookies from the ads?

gnasher729

On some sites where people discuss that kind of thing, I had the impression that “Google is good, Apple is evil” was so ingrained that any blame for Google spying on users of Apple’s Safari browser had to go straight to Apple. The same crowd that cries loudly that Google uses patents only to defend themselves against evil companies like Apple and Microsoft, which proves they are good, while Apple and Microsoft use evil patents to attack good companies like Google and Samsung, which proves they are evil.

To me, it looked like Google had developed two separate exploits, one that worked against Safari, another that worked against Internet Explorer, then they detected the browser and used the appropriate exploit to get around users’ privacy settings.

Pashtun Wally

So the court has, IN EFFECT, decided that Google (and by extension, others) can break into your home (you know, where you keep your privacy) and you can do nothing about it UNTIL AND UNLESS they break something and you can PROVE it.

Right in line with the insane-suspicion-of-government crowd, who get all starry-eyed at the notion of no government to protect them from companies like Monsanto, BP, or Google.  Clearly, Texas is a bad place to ask courts to restrain corporations…but how long will we have even THAT option at this rate?

ibuck

Pashtun Wally :

Clearly, Texas is a bad place to ask courts to restrain corporations…but how long will we have even THAT option at this rate?

Can’t we sell Texas back to Mexico?

Log-in to comment