The Wall Street Journal reports U.S. and European regulators have both launched investigations into Google’s bypassing of Safari privacy protections in order to put “+1” buttons on targeted advertising sent to users. As part of the effort, Google also bypassed Safari’s privacy settings and installed tracking cookies on users’ browsers, enabling Google to track those users’ online activity and pass that information on to its DoubleClick subsidiary, one of the largest online advertising networks.
Google has said that bypassing Safari’s privacy settings was accidental, and that it stopped the practice and deleted the data associated with it as soon as it became aware of the situation last month. The privacy bypass applied to both mobile and desktop versions of Safari used in Apple’s iOS and Mac OS X operating systems.
Google has pledged to cooperate with investigations, but emphasized it had no intention of bypassing Safari security, and has been removing the tracking cookies.
In the United States, Google now faces multiple investigations from state and federal authorities. A group of state attorney generals have launched their own investigation into the gaffe; in theory, each state could fine Google up to $5,000 per violation. Potentially more worrying to Google is an investigation from the Federal Trade Commission: earlier this year, Google reached a settlement with the FTC regarding privacy violations associated with the launch of its now-killed Google Buzz service. Part of Google’s settlement agreement is that it would not misrepresent its privacy practices, implement a comprehensive privacy program, and submit to third-party audits of its privacy practices. If Google’s actions with Safari cookies are found to have violated that settlement Google could be on the hook for up to $16,000 per violation, per day. Given the hundreds of millions of iOS and Safari-running devices currently on the market, fines and penalties could represent a significant financial burden to Google.
In Europe, the French Nationale de l’Informatique et des Libertés (CNIL) has added the Safari situation to its existing investigation of Google’s recent privacy police changes. CNIL is still investigating those changes, but has published an analysis that concludes Google’s new privacy policy violates European data protection laws. CNIL previously fined Google in France for privacy violations surround collecting usernames and password to Wi-Fi networks when collecting data for its Street View service.
Google maintains that it used existing Safari functionality to create a temporary connection between Safari browsers and Google servers to determine if a user was signed in to a Google account and had opted to receive personalized ads and other content. However, Google says when they used that known Safari functionality, the browser also wound up accepting Google advertising cookies.
