online prescription solutions
online discount medstore
pills online
buy lorazepam without prescription
xanax for sale
buy xanax without prescription
buy ambien without prescription
ambien for sale
buy modafinil without prescription
buy phentermine without prescription
modafinil for sale
phentermine for sale
lorazepam for sale
buy lexotan without prescription
bromazepam for sale
xenical for sale
buy stilnox without prescription
valium for sale
buy prosom without prescription
buy mefenorex without prescription
buy sildenafil citrate without prescription
buy adipex-p without prescription
librium for sale
buy restoril without prescription
buy halazepam without prescription
cephalexin for sale
buy zoloft without prescription
buy renova without prescription
renova for sale
terbinafine for sale
dalmane for sale
buy lormetazepam without prescription
nobrium for sale
buy klonopin without prescription
priligy dapoxetine for sale
buy prednisone without prescription
buy aleram without prescription
buy flomax without prescription
imovane for sale
adipex-p for sale
buy niravam without prescription
seroquel for sale
carisoprodol for sale
buy deltasone without prescription
buy diazepam without prescription
zopiclone for sale
buy imitrex without prescription
testosterone anadoil for sale
buy provigil without prescription
sonata for sale
nimetazepam for sale
buy temazepam without prescription
buy xenical without prescription
buy famvir without prescription
buy seroquel without prescription
rivotril for sale
acyclovir for sale
loprazolam for sale
buy nimetazepam without prescription
buy prozac without prescription
mogadon for sale
viagra for sale
buy valium without prescription
lamisil for sale
camazepam for sale
zithromax for sale
buy clobazam without prescription
buy diflucan without prescription
modalert for sale
diflucan for sale
buy alertec without prescription
buy zyban without prescription
buy serax without prescription
buy medazepam without prescription
buy imovane without prescription
mefenorex for sale
lormetazepam for sale
prednisone for sale
ativan for sale
buy alprazolam without prescription
buy camazepam without prescription
buy nobrium without prescription
mazindol for sale
buy mazindol without prescription
buy mogadon without prescription
buy terbinafine without prescription
diazepam for sale
buy topamax without prescription
cialis for sale
buy tafil-xanor without prescription
buy librium without prescription
buy zithromax without prescription
retin-a for sale
buy lunesta without prescription
serax for sale
restoril for sale
stilnox for sale
lamotrigine for sale

Safarigate: Benign Behavior or Malignant Breach?

Last Thursday, the Wall Street Journal reported that Google has purposefully circumvented Safari’s privacy settings, allowing it to track the behavior of users on non-Google sites. These findings contradicted Google’s own instructions as to how users worried about privacy settings could avoid tracking. The report was based off
of research at Stanford that had identified four different advertising companies who utilize known exceptions to Safari’s privacy feature that blocks third-party cookies.

Naturally, the idea that Google wrote code to evade Safari’s privacy settings has not sat well with many. The Electronic Freedom Frontier dubbed Google’s actions “just as paternalistic as ad networks” and posited that Google needed a new approach to privacy to “restore [its] users’ trust.” Several Congressmen have asked the FTC to investigate whether these actions violate the Google Buzz settlement, which prohibits Google from making “future privacy misrepresentations.” One user has filed a class action suit against Google, claiming violation of federal wiretapping laws and other computer-related statutes.

Tensions often run high when privacy is threatened. Nevertheless, amidst the outcry, it is important to identify the contours of the threat and know what exactly it is we are upset about.

Circumvention Explained

Apple Inc.’s Safari is the only web browser that blocks third-party cookies by default. Cookies are essentially helper-files that websites commonly use to store things like user preferences and session information (for example, the state of a shopping cart). When a site contains third-party content (for example, a banner advertisement on your favorite news site), that third-party (in our example, the advertising company) can write its own cookie. Third-party advertisers commonly use this feature to record where and for whom  their advertisements have been displayed, allowing them to build a history of the sites an individual user visits.

Last September, in an effort to compete with Facebook’s “like” functionality, Google added a “+1” button to certain Google ads, which Google+ users could click on to indicate they “liked” those ads. However, because Google has set up its services such that Google+ and Google Ads reside on different domains, interfacing between the two required the use of third-party cookies. Because Safari blocks these by default, Google faced the prospect that most Safari users – a sizeable user base – would not be able to use this new feature.

To address this problem, Google exploited a known exception to Safari’s no third-party cookie policy. Safari allows third-party cookies when a user submits an HTML form, so Google created an invisible form, never seen by the user, which it submitted any time the user clicked “+1.” This triggered Safari’s form exception, allowing the creation of third-party cookies by Google Ads. The Stanford study showed that, in practice, Google used this backdoor method to create cookies that not only enabled the  “+1 Ads” functionality, but also set up the general Google Ads tracking cookie, which monitors the browsing behavior of users going forward. Google stated that they “didn’t anticipate that this [(setting up the general Google Ads tracking cookie)] would happen” and that they have “now started removing these advertising cookies from Safari browsers.”

So We Are Fighting For?

It’s true the technical facts aren’t flattering for Google: its code uses an invisible form to emulate Little Red Riding Hood and gain access to Grandma’s house, exposing the user to whatever tracking Google Ads decides to subject her to.  It’s true that Google’s primary motivation was enabling the “+1” feature for Safari users, but can we really say the end justifies the means in this case?

Still, this begs the question: what is it about Google’s actions that render them so troubling? Is it the fact that Google can track a user’s browser history? This seems unlikely. Google already tracks search history and processes electronic mail information in Gmail – how much more of an invasion can ad tracking be? Moreover, this backdoor is not triggered until a user actually clicks on “+1” – arguably this surveillance involves some kind of consent, albeit uninformed in most cases. Even if we can’t call this consent, enabling tracking involves some affirmative act by the user, and avoiding this is much easier than with search or Gmail.

If, then, it’s not the tracking itself that is particularly disquieting, perhaps the issue goes to some more fundamental idea of respect. By circumventing Safari’s privacy settings to enable the “+1 Ads” feature, one could say that Google ignored the express desires of its users, elevating its own commercial interests over the user’s personal privacy interests. This kind of disregard may be particularly troubling given the relative bargaining power that an individual consumer has against a monolith like Google.  At the same time, however, it may be hard to say that Google was ignoring express interests – blocking third-party cookies is Safari default behavior that most users are not aware of. Moreover, as one blog points out, Safari’s policy may just be a strategic move by Apple to curb the information its competitors can glean from its customers. Viewed in this light, Google’s actions could be understood as commonplace competitive behavior rather than neglect towards individual privacy concerns.

In this case, prudential arguments may bolster the respect rationale. Even if Safari’s default settings were not actual expressions of most users’ real desires, they nonetheless provide the interface through which these preferences can be expressed. Much like a court artificially thinks about Congress as a unified body with “wishes” and “intentions,” it makes sense for Google to treat browser preferences as a real expression of user preferences. Otherwise, it seems unclear what forum users have left. If browser settings are indeed an expression of real user preferences, then, slippery slope arguments counsel against tolerance of any disregard for them. If Google can violate privacy preferences in this area, what is to stop violations in other areas? And, if Google can do it, why can’t Apple or Microsoft do it too?

Looking Ahead

Clearly, slopes are not always slippery and it is possible to draw lines. Context is also useful – why privacy was breached, the extent of the harm caused by the breach, and the basis under which we deem that harm problematic should all be considered in determining whether that breach should be tolerated. In the case of Google, much uncertainty remains in at least two of these areas – nevertheless, consumers, policymakers, and Google executives alike should think critically about these questions in developing rules and recourse available for internet privacy violations.

About the Author

Kristen Lovin

Kristen Lovin is a Staffer for the Columbia Science and Technology Law Review. She is a 2L at Columbia Law School.
  • hughw

    “it makes sense for Google to treat browser preferences as a real expression of user preferences. Otherwise, it seems unclear what forum users have left. ” 

    Google maintains that its users had expressed their preference, not in the Safari  browser, but in agreeing to Google’s TOS. They executed their third party cookie trick only for  ’signed-in Google users on Safari who had opted to see personalized ads and other content–such as the ability to “+1″ things that interest them.’

blog comments powered by Disqus