When it comes to privacy, is the Googleplex speaking with one voice?
A new Google privacy controversy has revealed conflicting messages and actions between two different factions within the company: those working to protect consumer privacy on the one hand, and those seeking to improve advertising and social networking on the other.
Meanwhile, the news that Google overrode default cookie settings in Apple's Safari browser has prompted two complaints to the U.S. Federal Trade Commission (FTC) and renewed calls for legislation and industry standards that would protect Web surfers from being tracked across sites if they don't want to be.
To be fair, Google isn't the only company to have taken advantage of an exemption in Safari that was designed to keep third-party cookies from tracking people as they bounce from site to site. Besides Google, The Wall Street Journal reported that three other online ad companies were taking advantage of this loophole. And separately, Google offers Ads Preferences Manager that allows people to opt out of DoubleClick cookies. But, in this case, it's hard to see what would compel the company to disable opt-out settings in Safari.
Google, for its part, says the Safari backdoor allowed Google+ users on iOS devices to see +1 buttons and use them to indicate to their network when they saw a product or service in an ad they liked. "Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them," the company said in a statement.
Unfortunately, the way this +1/Safari initiative was implemented allowed other Google ad cookies to be set on the browser, which was unintentional, according to Google. The Google cookie was temporary, but it opened the door for additional cookies. "We have now started removing these advertising cookies from Safari browsers," the company said, adding that the code has been disabled. "It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."
While one Google team was taking advantage of a little-known backdoor that could change the default Safari setting, the Google Chrome team was working to get Apple to close the backdoor--apparently with neither team having knowledge of the other's actions. Engineers for Chrome notified Apple about seven months ago that the loophole was there, although it remains open.
"We are aware that some third parties are circumventing Safari's privacy features and we are working to put a stop to it," an Apple representative told CNET.
Meanwhile, Google's Chrome team offers an Advertising Cookie Opt-Out Plugin that lets people do exactly what Safari's default setting provides: block third-party cookies. Oddly, the instructions for confirming the default settings in Safari on that page were removed as The Wall Street Journal was preparing its news report.
The World Privacy Forum (WPF) and Consumer Watchdog both filed complaints against Google today with the FTC accusing the company of unfair and deceptive practices and of violating a settlement it reached last year with the FTC over its former social network dubbed Buzz. Google violated the Buzz consent decree by "its misrepresentations of consumer choice and how much control users actually had," alleges the WPF complaint (PDF), which also asks the FTC to investigate the other ad firms accused of overriding Safari's default settings: Vibrant Media, Media Innovation Group, and PointRoll.
An FTC representative said the agency had received the Consumer Watchdog complaint but said he could not comment further.
"We are taking immediate steps to address concerns, and we are happy to answer any questions regulators and others may have," Google said in a statement when asked to comment.
The Electronic Frontier Foundation called on Google today to include a Do Not Track option in Chrome, an option all the other major browsers provide, and for Google sites to respect Do Not Track requests from those other browsers.
Justin Brookman, consumer privacy director at the Center for Democracy and Technology, said he was baffled by Google's latest actions.
"Why are they anathema to Do Not Track? Because advertising is more core to Google's business than it is to Microsoft's and Apple's, maybe," he said. "I'm not sure."
Brookman said the CDT was talking to Google about Do Not Track and there was interest in it. "The Chrome team may want to do it, but Google is pushing on ads and social right now so they're scared to do it."
They should have tested the Safari override technology more, but "there's been a big rush to get social right and they wanted to integrated with ads," he added.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, said "cookie-gate," as it has been dubbed by some, proves that Do Not Track is not the solution. "We need enforcement by the FTC," he said. "We need legislation, because even when big companies like Apple build it into their browser, companies can get around it."
EPIC filed the original complaint with the FTC over Google Buzz and has asked the agency to investigate whether changes to Google's privacy policies that will take effect March 1 violate that settlement. The FTC late today issued its response in a federal court in Washington, D.C., where the matter will be decided. "We are asking the Court to dismiss the case because parties such as EPIC are barred by law from interfering with the proper investigation and enforcement of FTC orders," the FTC said.
EPIC had earlier today sent the FTC a letter (PDF) urging the agency to enforce the settlement in light of the latest Google privacy incident.
Sarah Downey, privacy analyst and attorney at online privacy company Abine, said ultimately change will be driven by consumers and Do Not Track technologies. (Abine offers a Do Not Track Plus browser add-on that can protect people from tracking, even if the advertiser was able to subvert the default settings as in the Google Safari case.)
"We're happy to see that Google is fixing the issue, but there's an obvious conflict of interest within the company and there are things consumers should be aware of that affects their privacy, by design," she said.
In a possible indication of divergence of interests within Google, Downey recounted how a Google ad executive initially told the firm it couldn't run an ad designed to educate people about the privacy issues with cookies because it might be seen as "fear mongering." The Abine ad was eventually allowed to run, however, after the case was elevated.