FTC Dings Google $22.5M in Safari Cookie Flap


Google agreed to pay a record $22.5 million to settle Federal Trade Commission charges it intentionally circumvented the default privacy settings of Apple’s Safari browser, using a backdoor to set cookies on browsers configured to reject them, the commission said Wednesday.

Google disabled the practice immediately in February after the Wall Street Journal disclosed it; the circumvention had been discovered by Stanford researcher Jonathan Mayer and confirmed by security consultant Ashkan Soltani.

Safari, which accounts for about 6 percent of desktop browsing and more than 50 percent of mobile browsing, is the only major browser to block so-called third-party cookies by default. When you visit a website, all browsers by default, including Safari, allow that site to put a small tracking file on your computer, which allows the site to identify a unique user, track what they’ve done and remember settings. That’s a first-party cookie. Cookies placed by ad networks and social sharing buttons are third-party cookies.

The FTC complaint said Google had maintained publicly that users would be opted out automatically of getting Google ad cookies on other people’s sites under the default Safari settings.

The fine, while minuscule compared with Google’s second-quarter revenue of $12.21 billion, represents another PR blow to the Mountain View, California-based media giant that has adopted the slogan: “Don’t be evil.” Google has come under fire for misrepresenting its Google Buzz information-collecting practices and for collecting Wi-Fi payload data from its Street View cars as they drove through neighborhoods.

The FTC said Google’s underhanded practice breached a 2011 consent agreement related to Google Buzz in which Google agreed with the agency not to misrepresent its privacy practices, including whether it is collecting personal information, for the next 20 years.

“The record-setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” said Jon Leibowitz, FTC chairman. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

Safari blocks the sites that power third-party services, such as ad networks and social sharing buttons, from setting or reading cookies, so a Facebook “Like” button on a news site, for instance, can’t tell if you are logged in and therefore can’t load a personalized widget. Google’s DoubleClick advertising network, along with a number of other ad servers, was caught avoiding this block by using a loophole in Safari that lets third parties set cookies if the browser thinks you are filling out an online form.
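To make the first-party/third-party distinction from the earlier paragraph and Safari’s default block described here concrete, the following is an added example (not code from the article, from Google, or from Apple). It classifies each cookie write by comparing the registrable domain of the URL that set the cookie against the registrable domain of the top-level page, then applies a Safari-style default policy that accepts first-party writes and drops third-party ones. The public-suffix table, hostnames and cookie values are constructed for the example; a real browser uses the full Public Suffix List. The form-submission exception that the ad servers used is not modelled; the example shows the default block only.

```javascript
// Added example: first-party vs. third-party cookie classification and a
// Safari-style "block third-party cookies" default. Not the article's code.

// Constructed, deliberately tiny public-suffix table (real browsers use the
// full Public Suffix List from publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Return the registrable domain ("site") of a hostname, e.g.
// "ads.adnetwork-example.net" -> "adnetwork-example.net",
// "news.example.co.uk"        -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Walk suffixes from longest to shortest; the first one found in the
  // table is the public suffix, and the registrable domain is one label up.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // A bare public suffix (e.g. "co.uk") has no registrable domain above it.
      return i === 0 ? hostname.toLowerCase() : labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase();
}

// Classify a cookie write: the URL that sent Set-Cookie versus the URL of
// the top-level document the user is looking at.
function cookieParty(topLevelUrl, setterUrl) {
  const top = registrableDomain(new URL(topLevelUrl).hostname);
  const setter = registrableDomain(new URL(setterUrl).hostname);
  return top === setter ? "first-party" : "third-party";
}

// Apply a list of cookie writes under a Safari-style default policy.
// Returns the resulting jar (registrable domain -> cookie string) and the
// writes that were dropped, so a defender can audit which embedded resources
// attempted to track the user.
function applyCookieWrites(topLevelUrl, writes, opts = { blockThirdParty: true }) {
  const jar = new Map();
  const dropped = [];
  for (const w of writes) {
    const party = cookieParty(topLevelUrl, w.url);
    if (party === "third-party" && opts.blockThirdParty) {
      dropped.push({ url: w.url, cookie: w.cookie, reason: "third-party cookie blocked by default" });
      continue;
    }
    jar.set(registrableDomain(new URL(w.url).hostname), w.cookie);
  }
  return { jar, dropped };
}

// Constructed sample: a news article page whose HTML embeds an ad-network
// pixel and a social-sharing button, each of which answers with Set-Cookie.
const SAMPLE_WRITES = [
  { url: "https://www.news-example.com/article", cookie: "session=abc123" },
  { url: "https://ads.adnetwork-example.net/pixel", cookie: "id=tracker42" },
  { url: "https://social-example.com/plugins/share", cookie: "datr=xyz" },
];

// Run the sample page through the default policy and, for comparison, with
// third-party blocking switched off (the default of other browsers at the time).
function demo() {
  const page = "https://www.news-example.com/article";
  return {
    blocked: applyCookieWrites(page, SAMPLE_WRITES),
    allowed: applyCookieWrites(page, SAMPLE_WRITES, { blockThirdParty: false }),
  };
}

const result = demo();
console.log("stored under default block:", [...result.blocked.jar.keys()]);
console.log("dropped under default block:", result.blocked.dropped.map((d) => d.url));
console.log("stored with third-party allowed:", [...result.allowed.jar.keys()]);
```

With the default policy only the news site’s own session cookie survives; the ad-network and social-button writes are recorded in `dropped`, which is exactly the category of cookie the article says the ad servers managed to set anyway.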

Google said it used the backdoor so that it could place +1 buttons on the ads it serves around the web through its AdSense program, letting logged-in Google+ users press the button to share an ad. Without the work-around, the button wouldn’t be able to tell Google which Google account to link the button to.