Vote in our poll: is Google's fine of $22.5 million enough to buy privacy?


An apparently unrepentant Google has agreed to cough up $22.5 million to the US Federal Trade Commission (FTC) to dispose of charges that it "misrepresented privacy assurances to users of Apple's Safari browser."

As with my previous story about Google and its WiFi trawling, we need a timeline summary to keep track (no pun intended) of what's been going on here:

* In February 2010, Google launched Buzz, a social networking application for Gmail.

The launch drew the ire of those concerned about privacy, and a class action lawsuit arose alleging that Google "automatically enrolled Gmail users in Buzz, and that Buzz publicly exposed data, including users' most frequent Gmail contacts, without enough user consent."

* In November 2010, Google paid $8.5 million to settle the class action.

As we reported back then, Google didn't pay out nickels-and-dimes to each offended individual in the class action, but agreed to put the lump sum into an independent fund to "support organisations promoting privacy education and policy on the web."

* In March 2011, Google apologised to Buzz users and settled with the FTC.

The settlement included an agreement by Google to implement a comprehensive privacy program that includes privacy and data protection audits by an independent third party every two years for the next 20 years. Google's apology certainly sounded pretty straight-from-the-hip, telling you that:

User trust really matters to Google. That's why we try to be clear about what data we collect and how we use it — and to give people real control over the information they share with us.

* In December 2011, the FTC busted Google using sneaky web coding to bypass Safari's cookie policy.

Briefly explained in a neat technical posting from the FTC itself, Google overrode Safari's cookie controls to bypass the browser's regular behaviour of blocking so-called third party cookies. (That's a cookie which is set by a site other than the original one you visited.)

Google achieved this by creating an invisible HTML form and then using JavaScript to pretend that the user had submitted it. This caused Safari to process the third-party page, and, by extension, its cookies, at the same trust level as the first-party page. The FTC understandably considered this dubious, not least because the HTML form had neither content nor a Submit button.

So much for giving people "real control over the information they share with us."
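A defender-side way to spot the pattern described above, as an added example that is not from the original article or from the FTC's posting: a static heuristic that flags a form with no visible fields and no submit control on a page whose script calls `.submit()`. The sample pages, the `.example` hostnames and the function names are constructed for illustration.

```javascript
// Added example: regex-based audit heuristic, not a full HTML parser.
const PAGE = "https://news.example/article"; // constructed page URL

// Constructed sample: empty, hidden form submitted by script to another host.
const SAMPLE_SUSPECT = `
<form id="f" action="https://tracker.example/collect" method="post" style="display:none"></form>
<script>document.getElementById("f").submit();</script>`;

// Constructed sample: ordinary search form that a script may also submit.
const SAMPLE_BENIGN = `
<form action="/search"><input type="text" name="q"><button>Go</button></form>
<script>document.forms[0].submit();</script>`;

// Read one attribute value out of a tag's source text.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, "i").exec(tag);
  return m ? m[1] : null;
}

function auditForms(html, pageUrl) {
  // Does any inline script on the page call .submit()?
  const scripts = html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || [];
  const scripted = /\.submit\s*\(/.test(scripts.join("\n"));
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (let m; (m = formRe.exec(html)); ) {
    const [, attrs, body] = m;
    const controls = body.match(/<(input|button|textarea|select)\b[^>]*>/gi) || [];
    let visibleFields = 0, submitControls = 0;
    for (const c of controls) {
      const tag = /^<(\w+)/.exec(c)[1].toLowerCase();
      // <button> defaults to type=submit, <input> to type=text.
      const type = (attr(c, "type") || (tag === "button" ? "submit" : "text")).toLowerCase();
      if (type === "submit" || type === "image") submitControls++;
      else if (!["hidden", "button", "reset"].includes(type)) visibleFields++;
    }
    const action = attr(attrs, "action") || pageUrl;
    // Host comparison is a simplification of "third party".
    const crossSite = new URL(action, pageUrl).host !== new URL(pageUrl).host;
    // Nothing to fill in, nothing to click, yet a script submits: flag it.
    const suspicious = scripted && visibleFields === 0 && submitControls === 0;
    findings.push({ action, visibleFields, submitControls, crossSite, suspicious });
  }
  return findings;
}

console.log(auditForms(SAMPLE_SUSPECT, PAGE), auditForms(SAMPLE_BENIGN, PAGE));
```

The heuristic keys on the same detail the FTC found telling: a form with neither content nor a Submit button that is nevertheless submitted.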

* In August 2012, Google agreed to pay $22.5 million to the FTC.

The FTC's argument against Google was simple: the company hadn't lived up to the privacy promises it made to its consumers.

And there you have it. What more to say?

Google will cough up $22.5 million for putting sneaky code into its web pages, even after agreeing that it would get comprehensive about privacy.

Nevertheless, according to reports, Google's public response seems unrepentant - or at least unapologetic - and comes close to dismissing the issue as old, tired and unimportant. The BBC, for example, quotes a Google spokesman as saying: "The FTC is focused on a 2009 help centre page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy."

Optimistically, the BBC goes on to report the comments of Nick Pickles, director of privacy campaign group Big Brother Watch:

The size of the fine in this case should deter any company from seeking to exploit underhand means of tracking consumers. It is essential that anyone who seeks to over-ride consumer choices about sharing their data is held to account.

To be sure, $22.5 million is a lot of money.

But Google already forked out $500 million in August 2011 for helping illegal vendors of pharmaceuticals to place ads on its servers. Not just for taking the scammers' money, you understand, but for helping these "customers" to bypass the controls Google had already put in place to prevent the abuse.

So...is the money enough? Or is Google just treating the penalty as part of its cost of doing business?

Have your say in our poll.



19 Responses to Vote in our poll: is Google's fine of $22.5 million enough to buy privacy?

  1. John · 753 days ago

    That is what the world of business has become. Be sneaky and screw people; get a slap on the wrist. Rinse and repeat. Maybe bankruptcy would get their attention. I am not kidding here; I am EXTREMELY SERIOUS. This goes for the banks and every business that tries to "sneak one by".

  2. Freida Gray · 753 days ago

    This is Google. They aren't going to get serious about protecting anybody's privacy until somebody gets serious about shutting their servers down if they don't get serious about protecting people's privacy.

  3. theo · 753 days ago

    Nothing can buy privacy, people should stop trusting compromised companies (like Google) based in countries with badly damaged reputation (like USA). Neither Google, nor its mother country respects privacy.

  4. teejuu · 753 days ago

    $500 million is a lot for me. However Google reported a $2.89bn net income for the first quarter of this year and quarterly revenue that exceeds $10bn (Source: http://www.bbc.co.uk/news/business-17697687)

    Surely fines would have a greater effect if they represented a reasonable percentage (25%?) of their last published profits?

  5. royfot · 752 days ago

    I keep seeing messages from Google suggesting, almost demanding, that I improve my account security by giving them my Mobile Phone Number. Yeah right. Do I look stupid?

  6. Gabriel Munoz · 752 days ago

    I like the fact that Naked Security informs us all of things that are going on. Now I wonder why, when I clicked the link on your email, Little Snitch told me that my browser (Firefox) wanted to connect to "feedproxy.google.com" on TCP port 80 (http).

    At first I told Little Snitch to block the connection and Firefox could not load your page. So I closed Firefox and then tried it again, again I got the Firefox wants to connect to "feedproxy.google.com" on TCP port 80 (http), so I allowed it and here I am posting about how every time we want to connect to any internet site we have to go through something or the other.google.com! So what does it matter what we think, when we have to go through google.com to express our opinion!

    • Graham Cluley · 752 days ago

      For clarity, our polling system is hosted on PollDaddy.com (part of the Automattic/WordPress empire). You can visit the poll directly at http://polldaddy.com/poll/6452632/ if you wish.

      Our daily newsletter (which is, I presume, the email you are referring to) is distributed via MailChimp, and fed by our RSS feed. Our RSS feed is distributed via Feedburner (part of the Google empire). See http://en.wikipedia.org/wiki/FeedBurner for more info on Feedburner.

      • Internaut · 752 days ago

        I have to agree with Gabriel Munoz's question. I don't think he asked what SOPHOS is using, rather the question seems to be why does anyone have to go to any third party site in order to make a comment.

        There is a SOPHOS article titled "Insecure WordPress blogs unwittingly host Blackhole malware attack." and if I want to post here with an account, I have to either have an account at WordPress, or one at "intensedebate".

        Their "privacy" policies read like verbal vomit from a Philadelphia lawyer. But in the end, there is no privacy, not even through SOPHOS's own Privacy statement.

        • Graham Cluley · 752 days ago

          You can leave anonymous comments on Naked Security, and plenty of people do.

          You don't have to log in via WordPress / IntenseDebate / Twitter / etc unless you want to.

          I'm not sure what the problem is.

  7. Toby · 752 days ago

    I found a calculation by heise.de quite revealing: The 22.5 million are less than a day's net income for Google. So clearly that won't hurt them.
    The only thing that probably would hurt them are massive customer revolts against Google's privacy practices. But so far that does not seem to be happening...

  8. Gavin · 752 days ago

    Here's my jaded but (I think) sadly relatively accurate opinion:

    Almost any company that is answerable to shareholders will do cost/benefit and risk analysis on its various processes to figure out if the cost of doing business is more or less than the gain from it. But at that point "duty to the shareholders" trumps many questions along the lines of, "Is this right or fair or what we should really be doing?"

    That's not the same as saying an exec is sitting in an office purposefully working out how to mess with people and make money at the same time. I don't think the two are necessarily so closely interlinked in the early stages of planning something. But if an initiative that sounded like good innovation to start with then involves having to 'kludge' or 'work around' something during its development, and if that kludge involves circumventing privacy controls but if the cost/benefit analysis at that stage shows it to be good business from the numbers perspective then there's a significant chance that that kludge will get implemented.

    The only answer that I can see is that the punishment for such transgressions must be severe enough such that a company's cost/benefit analysis leaves no shadow of doubt that kludgy behavior with privacy and security is highly unlikely to be profitable.

    Until we get there it's same old same old, just as Google is portraying it.

  9. tom wiseman · 752 days ago

    Was I dreaming - 'do no evil'?
    SJ was presciently on the nail with his "all bull...t"

  10. Internaut · 752 days ago

    About Google's Googoyle:

    With all of the software out there, and the brilliance behind some of it, one would think that true anonymity would be the norm - without relying on add-ins, extensions, or third party relays.

    We are having to protect our privacy from Google and cohort's spyware. Not by any stretch of the imagination can what they have done and try to do, be called anything but an invasion of privacy via spyware.

    Unfortunately, the majority seem to think that Googoyle can walk on water, and turn it in to wine.

    I eagerly await an alternative to Googoyle or software that lets me fly under the radar unless I click to do otherwise.

  11. Randy · 752 days ago

    I Googled Google's financial records for 2011:
    Cash – As of December 31, 2011, cash, cash equivalents, and short-term marketable securities were $44.6 billion.

    $22.5 Million is nothing to them. It's not even a tip at Applebees for those people.

  12. Jack · 751 days ago

    Having watched this and other 'privacy violations' and the large corporations that perpetuate them, I must say I can only state that the people on the top should spend some time in jail. That would give them a good view of what someone's privacy means to those who lost their data or had it abused. I don't even think Bankruptcy would affect them, they would go on, with another high salary job watching the green pour in. Google seems to be repeating what it says it won't do. I also wonder if they have the ol' 'one hand doesn't know what the other is doing' syndrome.

    Don't think we won't see more of this with the cloud services. The USA needs to get its politicians in line, which is a real problem and many are saying that it's time to dump the 'Career Politicians' for some that will work like the founding fathers wanted. I believe the worst is when they pass laws then make themselves exempt from them! Does this happen anywhere else or do they pass them and use influence to get by? Too bad, once again money over what's right.

  13. Orlando · 742 days ago

    Just give the 2m to me and pay only 20m

  14. John · 728 days ago

    Nope, the fine is nothing in their budget, a minor expense, compared to what the data is worth to them as a saleable item. We need a bigger stick.

  15. DoktorThomas™ · 377 days ago

    This poll was not widely exposed. Never heard of it before today, after its closure.

    The G.fine should have been large enough to severely cripple Google's operations for the foreseeable future--don't care for their complicity with treasonous federal agencies and actors spying on citizens, nations and foreigners without probable cause and then lying about it and continuing to do the same hundreds of thousands of times. All complicit corporations do not deserve the support of customers.

    The concept of widely and freely distribution of quality substances/products outside of the purvey of fed.gov is a most honorable pursuit. The FDA, the AMA, state and federal licensing , and scores of other questionably constitutional laws/actors/agencies have turned actual freedom and actual liberty into fiat. Their controls/regulations are about guaranteeing monopolies to their campaign supporters, not about providing anything fruitful for the The People. If you can't see it for what it is, you need to do your own research. Epiphany cannot be purchased it must be earned.

    Welcome to the Government Plantation where your life is pre-legislated to any possibility of excellence or improvement. Political Royalty excluded, of course. ©2013

  16. Peter · 167 days ago

    I don't understand your privacy problems, that's simple market research that everyone does for a long time now...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog