Google FTC Privacy Settlement Awaits Approval
Federal Trade Commission said to be seeking a $22.5 million fine, its largest ever. Is it overkill?
The Wall Street Journal on Tuesday reported that Google's settlement will involve a $22.5 million penalty. That would be the largest fine imposed by the FTC to date, but significantly less than the $500,000 fine levied last year by the Justice Department for Google's promotion of unlawful pharmaceuticals. Google was fined $25,000 by the FTC in April for failing to comply with agency document requests related to its privacy investigation of Google's Street View.
More Government Insights
- Building a Hybrid Cloud in Government: It's not that Complicated
- Secure Access: Next Steps In Identity Management
- Best Practices Guide for IT Governance & Compliance
- Bloomberg BusinessWeek Agility for Differentiation
"We cannot comment on any specifics," a Google spokesman said in an email. "However we do set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers."
The FTC didn't immediately respond to a request for comment.
Google's decision to bypass privacy controls in Safari was disclosed in February by Stanford graduate student Jonathan Mayer.
The company previously defended its decision as an attempt to balance the privacy established as a Safari default and the expressed desire of Internet users, who might be both Apple and Google customers, to see personalized ads and content.
Rachel Whetstone, SVP of communications and public policy, said at the time that Google bypassed Safari's controls "to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to '+1' things that interest them."
Apple is the only major browser vendor that ships its Web browser with third-party cookie blocking turned on, a privacy feature that the company promotes. A technical change in Safari that Apple adopted in 2010, which established an exception for allowing third-party cookies, ended up making Google's 2009 help page language about how it handles Safari's privacy settings inaccurate. And because Apple made the change without much fanfare, Google evidently failed to realize that what it said was happening with cookies was not what was actually happening. It's this discrepancy that the FTC seeks to punish.
Since last year, Google has been required to submit to 20 years of independent privacy audits as a result of the company's mishandled launch of its now-defunct Buzz social network in 2010. The company violated its own privacy promises by using information gathered through Gmail to promote social networking, the FTC charged.
Google's inaccurate help page language is being viewed by the FTC as a violation of its Buzz settlement.
Daniel Castro, a senior analyst for the Information Technology and Innovation Foundation (ITIF), a tech policy think tank, considers the settlement excessive given the absence of demonstrable harm arising from Google's actions.
"Unfortunately the FTC's proposed settlement shows that the FTC is focusing its limited resources on penalizing companies for unintentional actions that do not result in any actual user harm rather than directing these resources at cases where users suffer real harm or companies intentionally tried to mislead users," he wrote in a blog post. "As a result, this proposed settlement may discourage companies from fully disclosing details about their data handling practices in the future."
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)