Naturally, the idea that Google wrote code to evade Safari’s privacy settings has not sat well with many. The Electronic Freedom Frontier dubbed Google’s actions “just as paternalistic as ad networks” and posited that Google needed a new approach to privacy to “restore [its] users’ trust.” Several Congressmen have asked the FTC to investigate whether these actions violate the Google Buzz settlement, which prohibits Google from making “future privacy misrepresentations.” One user has filed a class action suit against Google, claiming violation of federal wiretapping laws and other computer-related statutes.

Tensions often run high when privacy is threatened. Nevertheless, amidst the outcry, it is important to identify the contours of the threat and know what exactly it is we are upset about.

Circumvention Explained

Apple Inc.’s Safari is the only web browser that blocks third-party cookies by default. Cookies are essentially helper-files that websites commonly use to store things like user preferences and session information (for example, the state of a shopping cart). When a site contains third-party content (for example, a banner advertisement on your favorite news site), that third-party (in our example, the advertising company) can write its own cookie. Third-party advertisers commonly use this feature to record where and for whom  their advertisements have been displayed, allowing them to build a history of the sites an individual user visits.

Last September, in an effort to compete with Facebook’s “like” functionality, Google added a “+1” button to certain Google ads, which Google+ users could click on to indicate they “liked” those ads. However, because Google has set up its services such that Google+ and Google Ads reside on different domains, interfacing between the two required the use of third-party cookies. Because Safari blocks these by default, Google faced the prospect that most Safari users – a sizeable user base – would not be able to use this new feature.

To address this problem, Google exploited a known exception to Safari’s no third-party cookie policy. Safari allows third-party cookies when a user submits an HTML form, so Google created an invisible form, never seen by the user, which it submitted any time the user clicked “+1.” This triggered Safari’s form exception, allowing the creation of third-party cookies by Google Ads. The Stanford study showed that, in practice, Google used this backdoor method to create cookies that not only enabled the  “+1 Ads” functionality, but also set up the general Google Ads tracking cookie, which monitors the browsing behavior of users going forward. Google stated that they “didn’t anticipate that this [(setting up the general Google Ads tracking cookie)] would happen” and that they have “now started removing these advertising cookies from Safari browsers.”

So We Are Fighting For?

It’s true the technical facts aren’t flattering for Google: its code uses an invisible form to emulate Little Red Riding Hood and gain access to Grandma’s house, exposing the user to whatever tracking Google Ads decides to subject her to.  It’s true that Google’s primary motivation was enabling the “+1” feature for Safari users, but can we really say the end justifies the means in this case?

Still, this begs the question: what is it about Google’s actions that render them so troubling? Is it the fact that Google can track a user’s browser history? This seems unlikely. Google already tracks search history and processes electronic mail information in Gmail – how much more of an invasion can ad tracking be? Moreover, this backdoor is not triggered until a user actually clicks on “+1” – arguably this surveillance involves some kind of consent, albeit uninformed in most cases. Even if we can’t call this consent, enabling tracking involves some affirmative act by the user, and avoiding this is much easier than with search or Gmail.

If, then, it’s not the tracking itself that is particularly disquieting, perhaps the issue goes to some more fundamental idea of respect. By circumventing Safari’s privacy settings to enable the “+1 Ads” feature, one could say that Google ignored the express desires of its users, elevating its own commercial interests over the user’s personal privacy interests. This kind of disregard may be particularly troubling given the relative bargaining power that an individual consumer has against a monolith like Google.  At the same time, however, it may be hard to say that Google was ignoring express interests – blocking third-party cookies is Safari default behavior that most users are not aware of. Moreover, as one blog points out, Safari’s policy may just be a strategic move by Apple to curb the information its competitors can glean from its customers. Viewed in this light, Google’s actions could be understood as commonplace competitive behavior rather than neglect towards individual privacy concerns.

In this case, prudential arguments may bolster the respect rationale. Even if Safari’s default settings were not actual expressions of most users’ real desires, they nonetheless provide the interface through which these preferences can be expressed. Much like a court artificially thinks about Congress as a unified body with “wishes” and “intentions,” it makes sense for Google to treat browser preferences as a real expression of user preferences. Otherwise, it seems unclear what forum users have left. If browser settings are indeed an expression of real user preferences, then, slippery slope arguments counsel against tolerance of any disregard for them. If Google can violate privacy preferences in this area, what is to stop violations in other areas? And, if Google can do it, why can’t Apple or Microsoft do it too?

Looking Ahead

Clearly, slopes are not always slippery and it is possible to draw lines. Context is also useful – why privacy was breached, the extent of the harm caused by the breach, and the basis under which we deem that harm problematic should all be considered in determining whether that breach should be tolerated. In the case of Google, much uncertainty remains in at least two of these areas – nevertheless, consumers, policymakers, and Google executives alike should think critically about these questions in developing rules and recourse available for internet privacy violations.

Apple has announced that it will unveil its next version of the iPad this March. This new version is expected to have the same size and shape as the iPad2, but feature hardware upgrades like a faster processor and improved screen.

The Supreme Court of Canada ruled that internet service providers (ISPs) are not bound by the country’s broadcast regulations.  The court was unconvinced that ISPs should be considered broadcasters because they deliver content, stressing that “ISPs provide Internet access to end users” and, in doing so, “they take no part in the selection, origination, or packaging of content.”

Microsoft revealed new details about its efforts to offer Windows on ARM processors. While Windows on Arm (WOA) will share code and common features with Windows 8, Microsoft has partnered with PC manufacturers to specifically tailor WOA to ARM capabilities and form-factors.  WOA will support Metro-style apps and feature full desktop versions of Microsoft office products.

A bug in Citi’s iPad app caused customers to pay some bills twice over July to December last year.  The bank has since fixed this bug and reimbursed customers for the bogus payments, as well as lost interest.  Citi did not say how many customers were affected by this bug, but stressed that this bug affected less than 2 percent of iPad transactions.

When probed for the reasoning behind the change, Sony responded that the updated terms were “designed to benefit both the consumer and the company by ensuring that there is adequate time and procedures to resolve disputes.”  The gaming community seems unconvinced.  “Seems to me Sony is spontaneously forcing users to renegotiate their use contract in a decidedly one-sided fashion,” wrote one Slashdot contributor.  “With this new clause, Sony can make a quick buck off its customers without having to worry about ramifications,” another poster lamented.

But is this really the case?  Law and economics principles teach that arbitration clauses can actually be efficient for consumers: if given the choice between arbitrating or filing suit over a defective product (say, for example, an iPod), most consumers would choose arbitration.  Individual suits are expensive and take a long time; most consumers would rather recover quickly through an inexpensive procedure and move on.  Consumers may also prefer products with binding arbitration clauses because they cost less, as manufacturers often build litigation risk into their pricing.

However, it’s unclear whether these principles apply to Sony’s Playstation Network.  Rather than an off-the-shelf consumer product, the Playstation Network is a complex service with a wide range of potential consumer grievances.  Some, such as small service interruptions, could be worth very little to a consumer, while others, such as a massive leakage of sensitive financial data, could be worth a lot.  In these latter cases, consumers might be less willing to settle for an arbitration proceeding and would want the option to sue.  Moreover, because potential grievances are more diverse, it would be harder to design “efficient, streamlined [arbitration] procedures tailored to the type of dispute,” a key advantage of arbitration noted by the Supreme Court in AT&T Mobility v. Concepcion.  Given this, Sony’s new agreement may be more one-sided than its comments let on.

So what if consumers don’t think arbitration is the right answer to potential Playstation Network woes?  Sony allows users to opt out of the waiver by submitting a written request within 30 days.  Numerous gaming blogs have posted alerts with detailed instructions for opting out, but it remains to be seen how many people will notice the alerts or care to respond.