Google’s tracking sets off another privacy debate

by James Temple, San Francisco Chronicle

Google and several other advertising companies are bypassing the privacy settings in Apple’s Safari browser, according to a report from a Stanford University researcher that set off a heated debate on Friday.

The Wall Street Journal reported Thursday night that the Mountain View search giant and others were "tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked." The story prompted an outcry from privacy advocates, and many tech and legal observers.

The group Consumer Watchdog and some lawmakers asked publicly whether Google had violated last year’s settlement agreement with the Federal Trade Commission over an unrelated privacy breach. Some tech watchers said that while the company’s actions are certainly questionable, the full extent of the breach probably exceeded what Google had intended to do, as Google itself maintains.

But a couple of things are clear: First, whatever the motivations, the episode represents a huge privacy whiff for a company already facing growing regulatory scrutiny, public mistrust and mounting competition. Second, it’s another stark reminder that our nation’s largely voluntary digital privacy regimen is woefully insufficient.

Stanford study

The Stanford study was written by Jonathan Mayer, a graduate student in law and computer science who has cranked out a growing body of headline-generating literature on online privacy. In his paper, he noted that unlike every other browser vendor, Apple’s Safari automatically blocks tracking cookies generated by websites that users visit. Apple’s Safari is one of the most popular browsers for mobile devices, and the default browser on Macs.

These cookies can collect information about where users go online and what they do – data that advertisers treasure.

There are exceptions to Safari’s cookie blocking, however. For instance, it allows what are known as "first-party cookies," those that sites like Facebook or Google drop onto devices so users don’t have to sign in every time they visit. Certain carve-outs also allow Facebook users to "like" things on third-party sites.

Unlike Facebook, the problem for Google was that its social and ad networks run on different domains from its main one, Google.com. That prevents it from allowing a user of the Google+ social network to give a virtual thumbs up (or "+1") to an ad on another site, a step that makes such ads more valuable. That would require a "third-party cookie" that is blocked by Safari.

But it turns out there are a few ways for companies to get around these limitations. The one that Mayer’s paper focused on involved inserting code to place tracking cookies within Safari. He found four companies doing this: Google, Vibrant Media, Media Innovation Group and PointRoll.

In a statement, Google spokeswoman Rachel Whetstone said the Journal "mischaracterizes what happened and why."

She said the code was limited to users who are signed into Google on Safari, have not blocked behavioral advertising, and have opted to use the Google social network on third-party sites. The implicit argument is that those users had agreed to the tracking necessary to allow them to "+1" content they liked online through Safari.

But in an interview, Mayer said Google had unilaterally decided that privacy permissions for its products superseded the privacy restrictions those users had enacted – implicitly or explicitly – by choosing to use Safari.

"The user is giving up some privacy in exchange for lining Google’s pockets," he said.

Meanwhile, an even bigger problem occurred. Once Google tweaked the way Safari functions, other Google advertising cookies could be installed on the devices.

"We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers," Whetstone said.

Why this problem was spotted by a Stanford graduate student and not by a major corporation that’s been under continual privacy scrutiny is a fair question that Google has yet to answer.

"I think that’s a pretty big ‘oops,’ and it raises pretty big questions," Mayer said.

Chris Hoofnagle, a digital privacy expert at UC Berkeley’s law school, said there’s a corporate tone-deafness within the engineering-centric culture of Google that leads to these sorts of mistakes.

"To the engineer, cookie blocking appears to be a technical error that they should try to solve," he said. "It’s very difficult for them to accept the frame that some people do not want this tracking."

At a minimum, this episode is another bright flashing sign that we need a Do Not Track system that allows people to easily, consistently and clearly state their privacy preferences across devices and sites. All browsers must offer this option, and all advertisers must respect the stated wishes of users.

A committee of industry representatives and privacy advocates are negotiating the appropriate means for implementing and complying with Do Not Track requests. Google is a member of that working group.

There was a sense Friday among some that this latest high-profile privacy flap will add momentum to the Do Not Track effort – or at least should – because it’s become increasingly difficult for industry players to make a credible case that they’ll act responsibly on their own.

"It’s time for Google to acknowledge that it can do a better job of respecting the privacy of Web users," the Electronic Frontier Foundation said in a blog post on Friday.