Google staffs up ‘Red Team’ to protect the world from its privacy lapses

Google staffs up 'Red Team' to poke at its own privacy practices post-FTC settlement

After agreeing earlier in the month to cough up a record $22.5 million in a settlement with the Federal Trade Commission for sneaking tracking cookies past Safari browsers’ no-tracking controls, Google is creating a privacy “Red Team” to police its products’ own privacy bugs and dangers.

The settlement is over Google’s override of the cookie controls in Apple’s Safari browser.

As the FTC explained, Google snuck around those controls by creating an invisible HTML form and then using JavaScript to pretend a user had submitted it.

Google thereby bypassed the browser’s blocking of third-party cookies – i.e., those set by sites other than the ones a user originally visits.

The form was invisible and lacked either content or a Submit button, meaning the user could never have actually submitted it.

But Safari, duped into thinking the user had submitted a form, then allowed Google to place a DoubleClick cookie on the user’s computer.
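As an added illustration (not code from the FTC, Google or the original article), here is the kind of static check a privacy reviewer could run over a page's markup to spot the pattern described above: a form the user cannot see, fill in or submit, which a script submits anyway. The class and function names and the sample markup are assumptions made for this example, and the check is a heuristic over inline scripts only.

```python
import re
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Record, per <form>, visibility, user-fillable fields and submit controls."""
    def __init__(self):
        super().__init__()
        self.forms, self.scripts = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "hidden" in a or "display:none" in style or "visibility:hidden" in style
            self._form = {"id": a.get("id"), "action": a.get("action"),
                          "hidden": hidden, "fields": 0, "submit": False}
            self.forms.append(self._form)
        elif tag == "script":
            self._in_script = True
        elif self._form is not None and tag in ("input", "button", "textarea", "select"):
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind in ("submit", "image"):
                self._form["submit"] = True      # a control the user could click
            elif kind != "hidden" and tag != "button":
                self._form["fields"] += 1        # a field the user could fill in

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def flag_scripted_hidden_forms(html):
    """Return forms a user could not see, fill in or submit, yet a script submits."""
    audit = FormAudit()
    audit.feed(html)
    js = "".join(audit.scripts)
    calls_submit = re.search(r"\.submit\s*\(", js) is not None
    return [f for f in audit.forms
            if f["hidden"] and not f["fields"] and not f["submit"]
            and calls_submit and (f["id"] is None or f["id"] in js)]

# Constructed sample markup (not taken from the FTC complaint or any real page).
SUSPECT = ('<form id="f" style="display: none" method="post" action="https://ads.example/collect"></form>'
           '<script>document.getElementById("f").submit();</script>')
BENIGN = ('<form id="q" action="/search"><input type="text" name="q">'
          '<button type="submit">Go</button></form><script>console.log("ready");</script>')
```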

The FTC cried foul, charging Google with misrepresenting its use of tracking cookies and with breaking its privacy promises.

Now, Google’s hiring a ninja – pardon me, make that a “back-end ninja” – to slap itself into privacy shape.

Specifically, a recently posted job listing advertises for a Data Privacy Engineer to join its team of privacy “back-end ninjas”.


The task of the Google back-end ninja:

As a Data Privacy Engineer at Google you will help ensure that our products are designed to the highest standards and are operated in a manner that protects the privacy of our users. Specifically, you will work as member of our Privacy Red Team to independently identify, research, and help resolve potential privacy risks across all of our products, services, and business processes in place today.

Red teams are nothing new: the term refers to an independent group that serves to challenge an organization to keep it on its toes.

Penetration-testing is on Google’s wish list, so the search empire is obviously planning to kick its own privacy tires.

The responsibilities are to:

Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users.

That sounds, actually, like whoever assumes the role will function as something of an ombudsman, watching out for the constituent interests of the user base.

Google to date hasn’t done much to earn users’ trust that even a large-ish fine will stop it from pulling egregious privacy shenanigans.

When Sophos’s Paul Ducklin polled users, over 90% said that no, financial penalties are certainly not enough to make the online behemoths play ball on privacy.

Well, hiring a privacy red team certainly sounds like Google’s on the road to improving a situation that led to its slipping ghost forms, cookies and ads past the blocks on users’ browsers.

This time, let’s hope Google’s privacy promises aren’t as empty as that Safari-bamboozling, empty HTML form.
