Google in hot water with Congress over Safari tracking

Google is finding itself in trouble with Congress again, after it exploited a flaw in Apple's Safari browser to track users without their consent. California Representative Mary Bono Mack, who moderated a discussion with Google two weeks ago, is demanding that Google reappear before Congress to explain the tracking controversy, as reported by USA Today.

The following statement appeared on Bono Mack's website:

Google has some tough new questions to answer in the wake of this latest privacy flap, and that’s why I am asking them to come in for another briefing. Even if unintentional, as the company claims, these types of incidents continue to create consumer concerns about how their personal information is used and shared. Companies need to be open about what they’re collecting, and how that information is used. Just as importantly, this needs to be clearly communicated to consumers. While I am determined to get to the bottom of this, some of it simply may be ‘growing pains.’ That’s why it’s important to sit down and figure out how we can better protect consumer privacy in the future.

Meanwhile, Congressmen Edward J. Markey and Joe Barton, co-Chairmen of the Bipartisan Congressional Privacy Caucus, and Cliff Stearns, Chairman of the Subcommittee on Oversight & Investigations, are asking the FTC to look into whether or not Google's tracking constitutes a violation of Congress' recent order restricting Google from misrepresenting its privacy policies. If that's not bad enough for Google, West Virginia Senator Jay Rockefeller seems interested in looking into the issue, too.

Google has been in the spotlight during the past few weeks over controversial changes it made to its privacy policy, which include centralizing data collection over all of Google's services. The new controversy started a few days ago when a blog post by grad student Jonathan Mayer regarding Google's exploitation of Safari got picked up by the Wall Street Journal (and they say bloggers aren't journalists).

Google isn't the only company that's been using the flaw; advertising groups like Vibrant Media and Gannett PointRoll have been using it too. The flaw works by tricking Safari into believing that the user is voluntarily submitting a nonexistent form to the advertiser.

For his part, blogger Jonathan Mayer took the discovery of the exploit as a chance to criticize Google's 'don't be evil' slogan – who saw that one coming? Speaking to CBS News correspondent John Blackstone (who, by the way, got Google's slogan wrong – it's don't be evil, John, not 'do no evil'), he said that although he's “[hesitant] to give a bright line response on the evil or not,” he does think that if “evil includes negligence and gross negligence, then this is evil.” Poor Google.

30 Comments

Remote Sojourner said,
What's surprising is that Facebook has been doing the same thing and they aren't mentioned anywhere.

Surprising? Hardly. We must wipe the floor with Google, and if the articles didn't highlight them alone and talked about every other company that abused this bug or has centralized data from all their services it wouldn't work.

Didn't you get the memo?

They really need a big fat slap. I mean really, are there ANY federal laws that Google did not break in the last few years?

I'm really happy for not using any of their services and never will.

They need a nice legal supervision for at least 10 years like the one MS had.

This is funny coming out of a government known to support hacking activities\online privacy violations (FBI rootkit, allowing US citizens to DoS WikiLeaks, Patriot Act etc).
Anyway Google must now pay the US & EU hundreds of millions and have their advertising programme barred for 12 years just to make it a bit fair for Microsoft taking the hit for that ****ty browser Netscape

Riva said,
This is funny coming out of a government known to support hacking activities\online privacy violations (FBI rootkit, allowing US citizens to DoS WikiLeaks, Patriot Act etc).
Anyway Google must now pay the US & EU hundreds of millions and have their advertising programme barred for 12 years just to make it a bit fair for Microsoft taking the hit for that ****ty browser Netscape

Netscape wasn't that bad, IE6 at the time was just better, performance and standards wise.
Then again, IE has its roots in the browser that practically created the WWW. Even now still hard to beat.

Generally I'm, well not exactly a FAN, but generally I like Google. This, however, is just not on. For shame, Google! Don't be evil!

I hope they get a well deserved spanking for this. No company is above the law.

Google: Hey there is a vulnerability in your browser.
Apple: There is no vulnerability, that's a feature and you're using it wrong.
Google: Great, we'll use it to track your users.
Apple: Whatever, we don't care about our users.

recursive said,
Google: Hey there is a vulnerability in your browser.
Apple: There is no vulnerability, that's a feature and you're using it wrong.
Google: Great, we'll use it to track your users.
Apple: Whatever, we don't care about our users.

You missed the last response:

Google: Neither do we, we won't even tell them and hope nobody finds out!

Oh brother... It's funny how Congress just randomly sticks its nose in frivolous issues to give the appearance that it's protecting the public. There are far worse things that it could be going after than tracking cookies....

Chugworth said,
Oh brother... It's funny how Congress just randomly sticks its nose in frivolous issues to give the appearance that it's protecting the public. There are far worse things that it could be going after than tracking cookies....

Frivolous? Are you ****ing kidding me? Are you going to blame Congress for doing its job? What kind of cow dung are you smoking? Why don't you just go lick Google's ass? Learn to give credit where it is due for whatever is done right instead of acting like a callous little moron.

greenwizard88 said,
If Congress was really doing their job, they would be asking Apple why they left a 7-month-old vulnerability in their OS.

Greenwizard, don't take this the wrong way, but Google has done something unethical, and you cannot use that excuse, or any excuse to defend their case. A company like Google should know better, and they now must face tough questions.

farmeunit said,
Better yet, have Apple fix the flaw . . .

Apple bigwigs wave their hands in front of everyone: "there is no flaw..."

farmeunit said,
Better yet, have Apple fix the flaw . . .

What flaw? 99% of the visited websites use 3rd party or external servers with different domain names and IP addresses to host all content, including ads, images, javascript, CSS, Flash, among others.

Google exploits this unintentional consequence on all browsers. It's not only Safari.

Safari does its job by blocking 3rd party cookies from these 3rd party sites, BY DEFAULT, unlike all the other browsers which force the user to explicitly go and block 3rd party cookies from being set. This is a good thing that Safari does.

What Google did is this: Google added a script to their ads/widgets such as "+1" or Buzz or Google+ which automatically submits a form containing data about the visited page or the user to themselves and sets a cookie when a Google ad or Google widget is loaded on a page. This also enables Google to modify/update their own cookies with more tracking data.

Doing this makes any browser think that the user is interacting with the 1st party page, but in reality that is not the case.

This is tantamount to stealing data from someone's computer, which is illegal.

Get it now?

Edited by Jebadiah, Feb 19 2012, 11:53am :

Jebadiah said,

What flaw? 99% of the visited websites use 3rd party or external servers with different domain names and IP addresses to host all content, including ads, images, javascript, CSS, Flash, among others.

Google exploits this unintentional consequence on all browsers. It's not only Safari.

Safari does its job by blocking 3rd party cookies from these 3rd party sites, BY DEFAULT, unlike all the other browsers which force the user to explicitly go and block 3rd party cookies from being set. This is a good thing that Safari does.

What Google did is this: Google added a script to their ads/widgets such as "+1" or Buzz or Google+ which automatically submits a form containing data about the visited page or the user to themselves and sets a cookie when a Google ad or Google widget is loaded on a page. This also enables Google to modify/update their own cookies with more tracking data.

Doing this makes any browser think that the user is interacting with the 1st party page, but in reality that is not the case.

This is tantamount to stealing data from someone's computer, which is illegal.

Get it now?


IE9 will, depending on how you go through the first initial settings dialog, also block 3rd party cookies by default... *cough* tracking protection *cough*

Shadowzz said,

IE9 will, depending on how you go through the first initial settings dialog, also block 3rd party cookies by default... *cough* tracking protection *cough*

IE9 does not enable the Medium-High protection level for cookie filtering by default, and Tracking Protection is also disabled by default, and the user is NOT given the option to turn it on during the initial setup screens. One must click on the Cog Wheel (setup) button, then go to Safety, and finally Tracking Protection, and then enable it there, and also add tracking protection lists.

Get YOUR facts straight next time buddy!

Shadowzz said,

IE9 will, depending on how you go through the first initial settings dialog, also block 3rd party cookies by default... *cough* tracking protection *cough*

Tracking protection does not block Javascript from submitting forms. It just blocks Tracking Cookies from the sites which are in the Tracking Protection List (TPL).

Also, does my grandma know what the **** a 3rd party cookie is? Does she know where to download a TPL from? Does she know where to go set it up? Hell ****ing NO.

Safari does a great service by blocking all 3rd party cookies by default.

Secondly, this is not a flaw as you might put it. However, blocking this from happening is equivalent to blocking Javascript standard functionality. Because of the antics of corporations like Google, we will have to live without such features.

farmeunit said,
Better yet, have Apple fix the flaw . . .

It's been fixed already. 7 months ago. By Google.
Apple just needs to get the WebKit patch and update their browsers.