Google’s $22.5 million FTC penalty is not enough:

google ftc fine header privacy ios safari

As reports circulate Google is about to enter into a record privacy settlement with the FTC, just how bad is Google’s privacy record compared to other major tech companies?

The Wall Street Journal (subscription required) reports that Internet giant Google is on the verge of agreeing to a $22.5 million settlement with the FTC to put to rest charges that it violated iOS users’ privacy by intentionally bypassing the built-in privacy controls in Apple’s Safari Web browser so Google could track their browsing habits. If the settlement lays out as reported, it would represent the single largest penalty ever assessed against a single company by the Federal Trade Commission. Even though $22.5 million barely represents half a day’s income to Google, it’s probably not a achievement Google will memorialize with a bronze plaque outside its Mountain View headquarters.

This isn’t the first time Google has run afoul of the FTC over user privacy concerns. What’s the basis of the current case and how does it compare to Google’s privacy record with U.S. regulators? And does Google even stand out amongst tech companies taken to task by the FTC over privacy issues?

Google, Safari, and the FTC

Google Plus One button

The current case being investigated by the FTC surrounds Apple’s Safari Web browser, both in iOS devices like the iPhone and iPad as well as Apple’s desktop Mac OS X operating system. Since Safari debuted as a desktop browser all the way back in 2003, it has had a default setting to block third party cookies — it also featured a “privacy reset” option for clearing cookies and other browser settings. Safari 2.0 (from 2005) was the first to enable a “private browsing” mode — many ridiculed it as a way for Mac user to surf porn sites, but it also offered effective protection against first- and third-party cookies as well as being tracked by (many still-nascent) advertising networks.

As Google became a major force in online advertising — in part through acquisitions like Doubeclick and AdMob — Google wanted a way to serve personalized ad content and things like its “+1″ buttons to signed-in Google users. It did so using a post-back mechanism that enabled it to set cookies in the Safari browser even if the browser was set to disallow third-party cookies. (Stanford grad student Jonathan Mayer analyzed technical details of the mechanism.) One could argue that Google was only able to do this because of a flaw in Safari, but Google did more with the technique than just determine if users were signed in to Google and had agreed to receive personalized advertising: the technique also let Google install tracking cookies. So, even if users were blocking third party cookies in Safari (the default) and were not signed in to Google, Google could still track their actions through not just Google’s own sites, but any sites that carried Google advertising or services. Given the near-ubiquity of things like YouTube and Google’s AdSense advertising services, that’s a major chunk of the Internet.

Google has maintained it did nothing wrong, and began deleting the tracking cookies as soon as it became aware they were being set. It characterized the bypass technique as “known Safari functionality,” said it was deleting any data it gathered as a result of the cookies and that no harm was done to consumers. However, Google did collect information about all Safari users it encountered, regardless of whether they had a Google account, were signed in to it, or had agreed to accept social advertising; however, there is no indication Google shared that information with other companies. Nonetheless, Google may well have profited from knowing more about Safari users’ browsing habits than its competitors.

The FTC isn’t alone investigating these issues: several states’ attorneys general have launched their own probes, and European regulators are also investigating Google’s bypassing of Safari’s built-in privacy tools.

Buzzkill

Google Buzz

The Safari situation puts Google in hot water because the company had previously entered into a 20-year consent decree in 2011 for “deceptive privacy practices” surrounding the launch of Google Buzz. In that case, Google escaped having to pay any fines, but it did agree to implement a comprehensive privacy program, and subject itself to regular independent privacy audits for 20 years.

Google Buzz, for folks who don’t recall, was Google’s initial ill-fated effort to leverage its widely used Gmail service into a social networking platform. To launch the service, Google enrolled Gmail users in aspects of Google Buzz without their consent, which resulted in details of users’ contacts and correspondents automatically being disclosed to other users — in some cases even if they declined to try out Google Buzz. By the end of the year, Google had killed off Google Buzz and switched its focus to Google+, but the damage was done: Google had not only flubbed its first serious move into social networking, it had brought down 20 years of federal scrutiny about its privacy practices too.

As a result of the Buzz fiasco, Google can be liable for up to $16,000 per day that it violates its consent agreement with the FTC. If the $22.5 million figure cited by the Wall Street Journal is accurate and the $16,000-per-day fine is the basis for the penalty, that could mean Google would essentially admit it was tracking using Safari users without their consent for the better part of four years.

What about everyone else?

ftc facebook privacy

A number of federal agencies monitor aspects of many Internet companies’ businesses. Google doesn’t just tangle with the FTC. Just a few months ago the Federal Communications Commission fined Google a paltry $25,000 for collecting personal information with its Street View vehicles as it cruised by Wi-Fi hotspots. However, although it’s a small agency, the Federal Trade Commission is primarily responsible for consumer protection. How have other Internet giants fared with the FTC?

Not so well, as it turns out. Perhaps the most public settlement with the FTC over privacy issues was from social networking giant Facebook: the FTC accused Facebook of failing to keep a number of privacy-related promises it made to users, including making formerly-private information public, sharing data with third parties without user consent, keeping data around and accessible even after accounts were deleted, and falsely claiming it complied with the U.S.-EU Safe Harbor Framework for data transfer. For all that and more, however, Facebook paid no penalties — but it did agree to the same 20 years of independent, third-party privacy audits later applied to Google.

Social networking aggregator Spokeo also had to settle with the FTC — and it didn’t get off for free, agreeing to pay $800,000 to settle charges it violated the Fair Credit Reporting Act as well as “astroturfing” by posting false endorsements of its services to blogs and Web sites. However, unlike Google and Facebook, Spokeo isn’t a primarily consumer-facing service. Rather, it collects and aggregates information about individuals from social networking sites and the Internet, bundles it up, and sells it to recruiters, background screeners, and human resources departments — if you’ve ever had a foul-mouthed tweet or drunken Facebook photo come back to haunt you during a job interview, Spokeo may be why. The FTC alleged, among other things, that Spokeo failed to comply with requirements governing consumer reporting agencies.

What about social networking sites? Believe it or not, in May MySpace had to work a settlement with the FTC for sharing personal information with third parties without user consent. Sound similar to Facebook? It does: and, like Facebook, MySpace didn’t have to pay a penny, but did have to agree to having its privacy practices audited for the next 20 years.

Twitter hasn’t emerged unscathed either — although the circumstances are different. Twitter agreed to have its security and privacy practices audited for 20 years as a result of two security breaches in January and May of 2009 during which attackers were able to get administrative access to Twitter — including accessing private information and the ability to generate phony tweets. In these instances, Twitter didn’t promise one thing and do another — it promised users privacy and wound up getting hacked. Something similar happened with game site Rock You, from which hackers managed to glean some 32 million email addresses during an attack. However, Rock You also wound up agreeing to pay $250,000 in penalties because it also collected personal information from nearly 180,000 children without their parents’ consent, in violation of the Child Online Privacy Protection Act (COPPA), which bars the collection or sharing of children’s information online without their parents’ consent.

Kids on Facebook

COPPA has been at the core of settlements the FTC has reached with many technology companies, including Broken Thumbs Apps, Skidekids, and Xanga.com. The Xanga case (from 2006) involved the highest fine ever levied for a COPPA violation: $1 million. Xanga knowingly collecting and disclosing information about 1.7 million children age 13 and under without parents’ consent over a period of five years.

Even Microsoft has run afoul of COPPA. Back in 2002 the company reached a settlement with the FTC that its Passport single sign-in and wallet service was designed to let users easily and safely make purchased from participating merchants, and even set up accounts for kids that limited collection of personal information by participating sites; among other things, Microsoft was found to have misrepresented what information was shared with third parties about children.