December 20, 2014
December 19, 2014
December 18, 2014
High Stakes: Will Google’s Alleged Circumvention of Safari Privacy Settings Expose It to a $100,000,000,000+ Fine?
Google’s strong interest (some might say desperation) in conquering the social media territory already so thoroughly dominated by Facebook may have caused it to go a little too far. Or a lot too far, assuming you think liability numbering potentially into the hundreds of billions range is substantial. For anyone just coming out of winter hibernation, the latest Google controversy relates to its alleged, intentional circumvention of privacy settings that come with Apple’s Safari web browser, an issue first brought to light by a Stanford researcher and widely publicized following reports in the Wall Street Journal.
At the heart of the debate is the question of whether Google circumvented Safari’s privacy settings in order to place cookies on Safari users’ devices, in apparent contravention of those users’ privacy preferences (expressed through their Safari settings). Google’s statement about the incident suggests the Safari circumvention, which was disabled after the Wall Street Journal story broke, was undertaken to facilitate Google’s provision of features to Google+ users. Google+ provides users with the ability to receive personalized ads and other features that would require tracking individual users (with consent). Safari’s settings prevented Google from “seeing” its users, so it apparently devised a workaround. Google explains that it did not realize its workaround would trigger Safari functionality to essentially open the door to other Google advertising cookies that Safari would otherwise have blocked. There is some dispute and disagreement about Google’s version of events, but even accepting Google’s explanation, it is clear that cookies were placed in spite of Safari users’ privacy preferences to the contrary.
Meanwhile, Google is operating under a consent order with the FTC stemming from prior privacy gaffes committed during its roll out of the Google+ predecessor, Google Buzz. That order prohibits Google from misrepresenting the “extent to which consumers may exercise control over the collection…of covered information,” among other things. The order also obligates Google to develop a comprehensive privacy program that will identify reasonably foreseeable risks “that could result in [Google’s] unauthorized collection…of covered information.” It’s not clear that analysis was done (or at least done effectively) with regard to this Safari workaround.
While the FTC does not have the authority to levy fines against organizations that violate section 5 (assuming no FTC rule also was violated), they do have the ability to fine any organization that runs afoul of a consent order. Google’s explanation of this incident admits that it intentionally took advantage of Safari functionality, which accidentally resulted in unauthorized cookie planting. No matter which version of the story you believe, Google’s version makes clear that they engaged in a business practice that effectively circumvented user choices regarding privacy, and whether intentional or unintentional, it calls into doubt their claim that “Your privacy matters to Google,” which features prominently in their brand new privacy notice. In other parts of the notice, users are promised that “You may also set your browser to block all cookies, including cookies associated with our services.” In some cases, Google may have made more blatant misrepresentations by claiming that Safari settings could be used to avoid Google cookies. That statement has been pulled since this story broke but continues to be available from other sources. Since Google, whether purposefully or inadvertently, subverted the browser settings it claims will help users block cookies, these statements could be construed by the FTC as misrepresentations that violate Google’s consent order. The maximum fine is $16,000 per violation.
And that brings us to the math. The affected consumers in this case are Safari users. While the size of that population is not clear, it is known that Safari is installed as the default browser for many Apple devices and is available for download by users of non-Apple devices. If we use 2011 iPhone and iPad sales as a proxy for total Safari users (likely a gross underestimate), that comes to well over 100 million people. Since Safari blocks cookies by default, Safari users would have to purposefully re-set their browser preferences in order to permit (or consent to) Google’s cookies. It’s probably safe to assume that the vast majority of Safari users left their settings as-is, meaning that Google’s cookies should have been blocked if user choices were respected. But let’s be generous to Google and assume that only half of the Safari users left their default privacy settings turned on, such that a mere 50 million people might have been treated unfairly by Google’s circumvention of their browser privacy preferences or, worse, were actively deceived by Google’s privacy notice claiming that cookies could be blocked by browser settings. Making such misrepresentations is prohibited by the FTC’s consent order with Google, and each violation of that prohibition is subject to a maximum fine of $16,000. Thus we find that if 50 million people were deceived or treated unfairly, and each misrepresentation or unfair act is charged at $16,000, we reach a nice round total of $800 billion as the maximum fine. And that may be a low ball estimate, considering that we used only 2011 sales as a proxy for Safari users, assumed that half of users took action to allow Google cookies (it was probably far fewer), and did not attempt to account for Mac, iPod Touch, or other Safari users in the estimate.
There’s another way to do the math that may be valid, again depending on versions of events. It seems possible that Google’s circumvention was only aimed at Google account holders, which we approximate at 400-500 million people counting Gmail, Google+ and YouTube account holders. If Google did limit its targeting to those account holders, and its actions affected only those account holders who use Safari (presently sporting a 12% share of the browser market), then sticking to the lower estimate of 400 million account holders causes about 48 million people to be affected rather than the 50 million calculated above. So under either approximation we have a fine of around $800 billion.
Admittedly, the FTC may have some difficulty proving to the requisite degree of certainty exactly how many consumers were deceived or treated unfairly by Google’s practices toward Safari users. On the other hand, one wonders if the agency would really need to go to the trouble. When you start settlement negotiations with a fairly conservative estimate of $800 billion as the ballpark potential fine, walking away with even a fraction of that amount as a settlement will prove your point. A resolution amount of just 10% of our estimate (a healthy $8 billion) would dwarf any privacy enforcement actions taken to date.