Google Facing Fine Over Apple Safari Breach

HardOCP News

Your attention please! Anyone looking to collect a fine from Google must now take a number and get in that long ass line over there. ;)

Google Inc. is negotiating with the U.S. Federal Trade Commission over how big a fine it will have to pay for its breach of Apple Inc.’s Safari Internet browser, a person familiar with the matter said. The fine could amount to more than $10 million dollars, said the person, who declined to be identified because the talks are confidential.
 
seems stupid... since when is placing a cookie a security breach?

seems like browser security should land squarely on the people who make the browser, no?
 
seems stupid... since when is placing a cookie a security breach?

seems like browser security should land squarely on the people who make the browser, no?
Not when the company placing the cookie has already entered a legal agreement not to do such things:
Google signed a consent decree with the FTC last year in which it agreed it used deceptive tactics and violated its own privacy policies in introducing the Buzz social-networking service in 2010. The 20-year settlement bars Google from misrepresenting how it handles user information and requires the company to follow policies that protect consumer data in new products.
 
Not when the company placing the cookie has already entered a legal agreement not to do such things:

Except this gets awkward because WebKit explicitly decided to accept 3rd party cookies even though the preference said they wouldn't (see: https://bugs.webkit.org/show_bug.cgi?id=35824 - seriously, go check it out, it's quite a good read). Google didn't exploit or bypass any setting as was often reported, the privacy setting in Safari just didn't mean what people thought it meant.
 
I read through half of it and then it occurred to me if your conclusion of what you told me to read is correct, then why would a graduate student write this: http://webpolicy.org/2012/02/17/safari-trackers/ and then the WSJ pick it up and do their own independent research and publish this:

Google's tracking of Safari users traces its roots to Google's competition with social-network giant Facebook Inc. After Facebook launched its "Like" button—which gives people an easy way to indicate they like various things online—Google followed with a "+1" button offering similar functionality on its rival social network, known as Google+.

Last year, Google added a feature to put the +1 button in ads placed across the Web using Google's DoubleClick ad technology. The idea: If people like the ad, they could click "+1" and post their approval to their Google social-networking profile.

But Google faced a problem: Safari blocks most tracking by default. So Google couldn't use the most common technique—installation of a small file known as a "cookie"—to check if Safari users were logged in to Google.

To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.
-- http://online.wsj.com/article_email...html?mod=wsj_share_email #articleTabs=article

I'm unclear on how to resolve your interpretation of that bug discussion and the findings in the quoted segment from the report.
 
So what?

This all makes sense. What it comes down to is simple math. All companies calculate the numbers and if they find profit, even after any potential legal costs, they do it. Legality means nothing other than the costs of doing business.

Now...if the legal system really wanted to make things right, they would make these cases criminal and someone would be up for jail time. That will never happen because the legal system makes a profit by accepting fine settlement-payoffs and putting people in jail would interrupt the money stream to the justice department.
 
I read through half of it and then it occurred to me if your conclusion of what you told me to read is correct, then why would a graduate student write this: http://webpolicy.org/2012/02/17/safari-trackers/ and then the WSJ pick it up and do their own independent research and publish this:


-- http://online.wsj.com/article_email...html?mod=wsj_share_email #articleTabs=article

I'm unclear on how to resolve your interpretation of that bug discussion and the findings in the quoted segment from the report.

Well, you can also read Google's follow-up statement:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous—effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."

And look at the webkit change that resulted from it (note, written by Google engineers): http://trac.webkit.org/changeset/92142

But at the end of the day if you choose to believe that a grad student and the WSJ know more about WebKit than the people that fucking wrote WebKit do, well, that's your call.

There's also still the problem that Safari ships with a terrible, terrible default setting. It can't have any real teeth behind the "block 3rd party" because then they break half the internet, so they're trying to walk this tightrope of "block some 3rd party some of the time" - no other browser has this problem because nobody else picked an idiotic default value. It's a setting that is trying to be clever, and as a result it inevitably gets it wrong and is unpredictable, leading to this whole issue in the first place.
 
In order to believe google's position you have to ignore the fact that they monetize aggregate data, that their cookies are collecting aggregate data, their characterization of the bug you posted as a "feature," and the unlikely claim that they weren't aware their implementation was going to bypass the security features.

Given they were found guilty of violating their agreement by the FTC and are being fined upwards of 10 million dollars it seems to me that there isn't much to debate about at this point.
 
In order to believe google's position you have to ignore the fact that they monetize aggregate data, that their cookies are collecting aggregate data, their characterization of the bug you posted as a "feature," and the unlikely claim that they weren't aware their implementation was going to bypass the security features.

They make money from ads, not data. And you don't need cookies to gather data. You can actually be fairly confident you have uniquely identified someone *without* using cookies.

Given they were found guilty of violating their agreement by the FTC and are being fined upwards of 10 million dollars it seems to me that there isn't much to debate about at this point.

I was unaware the FTC had already reached a decision, can you link to that please? The one in the OP merely says that the FTC is considering fining Google, and no charges have yet been placed or contested. And, of course, that's also all just rumors - neither the FTC nor Google said anything.

But even still, there is plenty left to debate. Just because the FTC charges Google doesn't mean Google actually deserved it or was guilty. Similarly, if the FTC doesn't charge Google it doesn't mean Google was innocent. This isn't a court case, this is the FTC deciding if it wants a $10 million pay day.
 