Skip to main content

Google slapped with record $22.5 million fine over Safari breach

The US Federal Trade Commission has announced that Google has agreed to pay $22.5 million (£14.4 million) to settle charges that it misrepresented how users of Apple's Safari browser were having their Internet activity tracked.

According to the complaint, Google placed advertising cookies on the computers of Safari users who visited sites within Google's DoubleClick advertising network. Google, however, had wrongly told Safari users they would be opted out of such tracking thanks to Safari's default settings. The search giant also said it was a member of the Network Advertising Initiative, which requires firms to disclose their data collection and use practices.

Google's actions, the FTC said, did not violate US law, but they did violate a March 2011 deal over Google's Buzz program that required Google to implement privacy safeguards, submit to regular audits, and banned it from future privacy misrepresentations. The deal was finalised in October.

The $22.5 million civil penalty is the largest the FTC has ever obtained for a violation of a commission order.

"The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order," Jon Leibowitz, chairman of the FTC, said in a statement. "No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place."

In a statement, a Google spokeswoman said "we set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help centre page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple's browsers."

Rumors of the $22.5 million settlement first cropped up in June, but the issue dates back to February. At that point, a Stanford University graduate student, Jonathan Mayer, released a report that accused Google and three other ad networks of side-stepping the privacy settings on Apple's Safari browser to track usage on iPhones and Macs without permission.

At the time, Google said the report "mischaracterizes" the search giant's efforts. But the company admitted that a glitch accidentally allowed Google cookies "to be set" on Safari and promised a fix.

Several members of Congress, however, asked the FTC to investigate, leading to today's settlement.

David Vladeck, director of the FTC's Bureau of Consumer Protection, said during a conference call with reporters that it is "troubling" that Google said it did not know about the Safari glitch, just as it said it did not know about the Street View Wi-Fi data collection.

"A company like Google that is the steward of personal information from hundreds of millions of people has to do better," Vladeck said. "In some ways ... it's hard to know which answer is worse: I didn't know or I did it deliberately. Both are bad."

The fact that the glitch was discovered by a Stanford University student prompted Wired magazine to pen an article that criticised the FTC for being late to the game and suggested that "the federal government is often the last to know about digital invasions of your privacy."

When asked about the article this morning, Vladeck hit back and said there was "nothing in the Wired article that was correct."

The FTC investigation into Google was well underway before the news was made public, Vladeck said. "Our investigations are non-public, [but] that doesn't mean we're not investigating."

"It takes us time to build up a case that will stand up in court," Vladeck continued. "We operate under constraints" with which people like Stanford's Jonathan Mayer do not have to contend.

The settlement was approved by a four to one vote, with Commissioner J. Thomas Rosch dissenting [PDF].

When asked why Google did not have to admit to any wrongdoing in agreeing to the settlement, Vladeck said there was nothing to gain, from a legal perspective, from getting an admission from Google. The search giant, meanwhile, is facing multiple investigations into its business all over the world, so "its concern is that anything other than a denial might be used against them in courts of law."

At this point, Google has removed most of the offending cookies, but the company has until 15 February, 2014 to remove them all, the FTC said. The long lead time was put in place because Google can only remove cookies when somebody visits a site included in its ad networks. The "stragglers are those who haven't yet gotten to those places on the Internet," Vladeck said.