Latest Privacy Kerfuffle Shows Limits of Proposed Privacy Legislation


Last week the Wall Street Journal published an article accusing four online advertisers—Google, Vibrant Media, Media Innovation Group and PointRoll—of using special code on web pages to circumvent the privacy settings in the Apple Safari web browser for the purpose of “tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” The Safari web browser is used by approximately 7 percent of desktop Internet users and 24 percent of mobile users. Google responded in a statement by saying, “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.” Google also disabled the code in question.

First, it’s worth discussing the actual technology involved here. When a user visits a website, the website can ask the user’s web browser to store certain data in a cookie. A cookie is just a small piece of data stored on the user’s computer by the browser and sent back to the site on later requests. Most browsers, including Safari, accept such first-party cookies by default. Safari’s default setting, however, also blocks most third-party cookies, that is, cookies set by a domain other than the one the user is actually visiting. (Other browsers offer this option but do not enable it by default.) Privacy advocates dislike third-party cookies because they can be used for online behavioral advertising (which they object to); however, third-party cookies are used for many purposes.

For example, if a user visits www.whitehouse.gov with Safari using the default settings, the only cookie that is set is one from whitehouse.gov. However, if a user visits the website with this privacy feature disabled or with another browser, they will also get a cookie from the domain newrelic.com. New Relic is a website performance monitoring service that the site uses to manage itself. Similar third-party cookies are frequently used for website analytics, such as to determine how many unique visitors come to a website. This type of use does not harm user privacy in any way.

Many web pages pull content from more than one domain. For example, a website might embed a Facebook Like or Google “+1” button on its page. To allow this type of functionality to work, Safari does not block every third-party cookie. Rather than asking only which domain set the cookie, it asks whether the user has already interacted with that domain: if Safari already holds a cookie for the domain, or if the user has sent it a request directly (for example by clicking a link or a Facebook “Like” button, or by submitting a form), cookies from that domain are accepted; otherwise they are rejected. Google relied on this rule so that it could set cookies on websites using its Google +1 button or displaying Google ads. A page carrying Google content included an invisible form that a script submitted to a Google domain without any action by the user. Safari treated that submission as an interaction with the domain and began accepting its third-party cookies, and because the rule is applied per domain rather than per cookie, the advertising cookies came along with them. This meant that Safari users who relied on the default setting may have thought that third-party sites could not track their Internet activity, when in fact they could.
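To make the heuristic concrete, here is a small model of the decision Safari was making, written as an added example for this article. It is not WebKit code and not Google’s code; the domain names (news.example, ads.example, social.example), the request kinds and the exact rule are assumptions chosen to illustrate the logic. The model keeps one cookie jar, records which third-party domains the user has “interacted” with, and accepts a third-party cookie only from such domains. The lenient variant counts any form submission as an interaction, so a script-submitted hidden form unlocks the domain and every cookie it sets afterward; the hardened variant counts a form submission only when a user gesture triggered it, which still lets a genuinely clicked Like button set its cookie.

```javascript
// Simplified model of a "block third-party cookies unless the user has
// interacted with the domain" policy. Assumed rule, for illustration only.
class CookieJar {
  constructor(requireUserGesture = false) {
    this.cookies = new Map();          // domain -> Map(cookieName -> value)
    this.interacted = new Set();       // domains the user is deemed to have visited
    this.requireUserGesture = requireUserGesture;
  }

  // Record an HTTP request made while a page from `topLevel` is open.
  // kind: 'navigate' | 'click' | 'form' | 'subresource'
  request({ topLevel, domain, kind, userGesture = false }) {
    if (domain === topLevel) { this.interacted.add(domain); return; }
    if (kind === 'navigate' || kind === 'click') { this.interacted.add(domain); return; }
    if (kind === 'form') {
      // Lenient rule: any form POST counts. Hardened rule: only a POST that
      // a user gesture (click, tap, key press) actually triggered counts.
      if (!this.requireUserGesture || userGesture) this.interacted.add(domain);
    }
    // 'subresource' loads (images, scripts, iframes) never count as interaction.
  }

  // Should a Set-Cookie from `domain`, received on a page at `topLevel`, be stored?
  accept(topLevel, domain) {
    if (domain === topLevel) return true;                      // first-party: always
    return this.interacted.has(domain) || this.cookies.has(domain); // per-domain decision
  }

  setCookie(topLevel, domain, name, value) {
    if (!this.accept(topLevel, domain)) return false;
    if (!this.cookies.has(domain)) this.cookies.set(domain, new Map());
    this.cookies.get(domain).set(name, value);
    return true;
  }

  has(domain, name) {
    return this.cookies.has(domain) && this.cookies.get(domain).has(name);
  }
}

// Walk one constructed page visit through the policy and report what got stored.
function simulate(requireUserGesture) {
  const jar = new CookieJar(requireUserGesture);
  const site = 'news.example';                                  // assumed publisher
  jar.request({ topLevel: site, domain: site, kind: 'navigate' });

  // An ad iframe from ads.example loads as a plain subresource: its cookie is refused.
  jar.request({ topLevel: site, domain: 'ads.example', kind: 'subresource' });
  const beforeForm = jar.setCookie(site, 'ads.example', 'id', 'abc');

  // Script inside the iframe auto-submits an invisible form to ads.example.
  jar.request({ topLevel: site, domain: 'ads.example', kind: 'form', userGesture: false });
  const afterForm = jar.setCookie(site, 'ads.example', 'id', 'abc');

  // Once the domain is unlocked, any further cookie from it rides along.
  const trackingCookie = jar.setCookie(site, 'ads.example', 'track', 'xyz');

  // A real user click on an embedded social button is an interaction in both variants.
  jar.request({ topLevel: site, domain: 'social.example', kind: 'click', userGesture: true });
  const likeButton = jar.setCookie(site, 'social.example', 'session', 's1');

  return { beforeForm, afterForm, trackingCookie, likeButton };
}

module.exports = { CookieJar, simulate };
```

Running `simulate(false)` returns `{ beforeForm: false, afterForm: true, trackingCookie: true, likeButton: true }`: the hidden form flips the decision for the whole domain. Running `simulate(true)` returns `{ beforeForm: false, afterForm: false, trackingCookie: false, likeButton: true }`: tying the exception to a user gesture closes the script path while leaving the legitimate button working. The general lesson is that a privacy control which infers user intent from network activity can be satisfied by a script, so the check should be bound to the user action itself.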

By analogy, let’s compare this to the use of a privacy device in the real world. Suppose a company is placing cameras along a toll bridge to deliver targeted ads to drivers on billboards. Rather than pay a toll for using the bridge, the driver pays by seeing a targeted ad (let’s ignore the possible safety issues for now). The company uses a vehicle’s license plate number to track which ads the driver has been shown and delivers custom ads based on that (perhaps also based on assumptions about the driver drawn from the time of day the driver typically passes by). Some people are concerned about their vehicles being tracked by license plate, but still want to use the toll bridge (quite literally becoming “free riders”). So these people might decide to install an anti-camera license plate cover on their cars (such as the Photoshield, which is used to avoid photo-enforced speeding and red light tickets). These covers make the license plate unreadable to cameras, but the tags are still visible to the naked eye from directly behind the vehicle. The company that sells this product says that it will protect the consumer’s privacy, and people start buying it because it works. But what if the company making the cameras figures out how to take better photos, so that the license plate covers are now ineffective? Is the camera company really to blame for building a more effective camera?

The main argument against Google is that since this technique hadn’t been used by others, it must be bad. But norms and conventions change over time. We’ve seen similar debates before over the use of Flash cookies, web beacons and other methods that are used to track users online. Personally, I think this is mostly just clever engineering (just as pop-up blockers are), but one man’s cleverness is another man’s evil genius. Not surprisingly, most of the privacy fundamentalists believe Google falls into the latter camp. Their initial reaction was to use this as yet another occasion to call for Do Not Track or other new federal privacy regulations (and throw in a few cheap shots directed at their frenemy Google). Even members of Congress jumped in on this, with Reps. Markey, Barton and Stearns sending a letter to the FTC calling on it to investigate whether Google violated its existing FTC consent agreement. And Sen. Kerry said, “It’s not hard to figure out that unless and until Congress creates some common-sense rules for collecting, using and distributing personal information, companies will keep making up their own rules.”

The reality is that none of the privacy bills proposed to date would have prevented this from occurring unless the legislation banned websites from tracking users (a terrible idea if we want to maintain the Internet economy). At best, legislation might penalize companies for violating expectations, but the purpose of privacy legislation should not be just to make it easier to sue or levy fines against companies that make honest mistakes. Instead, the purpose of any legislation should be to give people better control over their private data. Moreover, many European countries have implemented stricter data privacy regulations (with more on the way), and it doesn’t appear Europeans were any more protected from this software bug than were Americans.

Top-down solutions, whether they are policy mandates from Congress or technology mandates from privacy advocates, are not effective ways of managing user privacy. We do not want to start an arms race on the technology front between those who want to block advertisements and online tracking and those who want to circumvent those blocks. Doing so would only turn the Internet ecosystem into a highly regulated space with significantly less revenue to support the vast array of free content and services users now enjoy. We should continue to encourage innovation in business models and data management tools that empower user choice but respect the economics of the Internet. This means being transparent about business practices and respecting user choice, but it also means telling users that free-riding on the Internet by avoiding ads has a cost that somebody has to pay. Users should be able to opt out of online behavioral advertising, but they should not then expect the free content that others receive. Privacy is not free. It has a price that someone has to pay.

Did Google violate its FTC agreement? That is up to the FTC to decide (the main issue will likely revolve around whether public statements from the company indicated that Safari’s third-party cookie blocking was an effective way to opt-out of targeted advertising). As always, the FTC can and should investigate if it discovers legitimate concerns about the business practices of a particular company. But companies should not face punitive sanctions for actions that do not cause consumer harm and are taken in good faith. To do so would discourage the type of fast-paced innovation that has defined the remarkable progress of the Internet era.


About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.