After agreeing earlier in the month to cough up a record $22.5 million in a settlement with the Federal Trade Commission for sneaking tracking cookies past Safari browsers’ no-tracking controls, Google is creating a privacy “Red Team” to police its own products’ privacy bugs and dangers.
The settlement is over Google’s override of the cookie controls in Apple’s Safari browser.
As the FTC explained, Google snuck around those controls by creating an invisible HTML form and then using JavaScript to pretend a user had submitted it.
Google thereby bypassed the browser’s blocking of third-party cookies – i.e., those set by sites other than the ones a user originally visits.
The form was invisible and had neither content nor a Submit button, meaning the user could never have actually submitted it.
But Safari, duped into thinking the user had submitted a form, then allowed Google to place a DoubleClick cookie on the user’s computer.
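The FTC's description translates into a simple page audit. The following is an added example, not code from the original article or from Google: it flags forms a user could never have submitted (no visible fields, no submit control) and notes whether a script on the page calls submit(). The class and function names and the sample markup, including the ads.example URL, are constructed for illustration.

```python
from html.parser import HTMLParser

def _invisible(attrs):
    """True if the element is hidden via the `hidden` attribute or inline CSS."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "hidden" in attrs or "display:none" in style or "visibility:hidden" in style

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None
        self._in_script = self.script_submit = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "invisible": _invisible(a),
                          "fields": 0, "submit_control": False}
            self.forms.append(self._form)
        elif self._form is not None and tag in ("input", "button", "textarea", "select"):
            if tag in ("textarea", "select"):
                kind = "field"
            else:  # <button> defaults to type=submit, <input> to type=text
                kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind in ("submit", "image"):
                self._form["submit_control"] = True
            elif kind not in ("hidden", "button", "reset") and not _invisible(a):
                self._form["fields"] += 1  # something the user can see and fill in

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and ".submit(" in data:
            self.script_submit = True  # page submits a form programmatically

def unsubmittable_forms(html):
    """Return forms with no visible fields and no submit control."""
    p = FormAudit()
    p.feed(html)
    p.close()
    return [dict(f, script_submit=p.script_submit) for f in p.forms
            if f["fields"] == 0 and not f["submit_control"]]

# Constructed sample page: an ordinary login form plus an empty, hidden form.
SAMPLE = """<form action="/login"><input name="user"><input type="password" name="pw">
<button>Sign in</button></form>
<form action="https://ads.example/collect" style="display: none" id="f"></form>
<script>document.getElementById("f").submit();</script>"""
```

A hit is only a lead for manual review: the check is static, so it does not see forms built at runtime by script.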
The FTC cried foul, charging Google with misrepresenting its use of tracking cookies and with breaking its privacy promises.
Now, Google’s hiring a ninja – pardon me, make that a “back-end ninja” – to slap itself into privacy shape.
Specifically, a recently posted job listing advertises for a Data Privacy Engineer to join its team of privacy “back-end ninjas”.
The task of the Google back-end ninja:
As a Data Privacy Engineer at Google you will help ensure that our products are designed to the highest standards and are operated in a manner that protects the privacy of our users. Specifically, you will work as member of our Privacy Red Team to independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today.
Red teams are nothing new: the term refers to an independent group that serves to challenge an organization to keep it on its toes.
Penetration-testing is on Google’s wish list, so the search empire is obviously planning to kick its own privacy tires.
The responsibilities are to:
Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users.
That sounds, actually, like whoever assumes the role will function as something of an ombudsman, watching out for the constituent interests of the user base.
Google to date hasn’t done much to earn users’ trust that even a large-ish fine will stop it from pulling egregious privacy shenanigans.
When Sophos’s Paul Ducklin polled users, over 90% said that no, financial penalties are certainly not enough to make the online behemoths play ball on privacy.
Well, hiring a privacy red team certainly sounds like Google’s on the road to improving a situation that led to its slipping ghost forms, cookies and ads past the blocks on users’ browsers.
This time, let’s hope Google’s privacy promises aren’t as empty as that Safari-bamboozling, empty HTML form.
Google is like any other company. They have their share of decent people, and they have their share of scumbags. They have their noble ideals ("Don't be evil"), and, alas…they have those who set a dark standard by which "evil" might be defined.
I know a bloke who works for Google. He has integrity, and would never stand for the kind of scumbaggery for which Google was nicked for $22.5 million. He's a confirmed capitalist whose definition of capitalism REQUIRES moral behavior. Yes, Virginia, there are such people. In the real world. Right here on Planet Earth. Really. If there weren't, civilization would have collapsed into chaos long ago.
That such people exist at Google gives me a reasonable expectation that their Red Team will meet with some success. Let us hope they will shine a light so bright that it will send the cockroaches who infest Google scurrying for cover.