UK Apple Users Sue Google Over Safari Tracking

Dupple writes "After settling with the FTC, Google is under pressure again regarding user privacy. From the BBC: 'A group of Apple's Safari web browser users has launched a campaign against Google over privacy concerns. They claim that Google bypassed Safari's security settings to install cookies which tracked their movements on the internet. Between summer 2011 and spring 2012 they were assured by Google this was not the case, and believed Safari's settings to be secure. Judith Vidal-Hall, former editor of Index On Censorship magazine, is the first person in the UK to begin legal action. 'Google claims it does not collect personal data but doesn't say who decides what information is "personal,"' she said. 'Whether something is private or not should be up to the internet surfer, not Google. We are best placed to decide, not them.'"

How is this news?

[Anonymous Coward]

Have you seen those small "Share" and "Like" buttons all over the web?

Thats right, Facebook, Google, and others, see every time a browser downloads those buttons and which URL it was loaded from. It the user happens to be logged on to their service, they also see the user's identity.

In otherwords, Facebook, Google can track almost every user and page load on the web!

Re:

[BasilBrush]

The news is that in the EU it's illegal to track users with cookies without their consent. Google went out of their way to circumvent the security settings on Safari, such that they tracked users even when they's said no. And then on top of that Google lied about it, saying they weren't doing so.

It's illegal. There is no "it's already happening" defence.

Re:

[Stewie241]

So a website can override a browser's security settings? Nifty.

Re:

[BasilBrush]

The details were covered on Slashdot at the time, but here it is again: http://blogs.wsj.com/digits/2012/02/16/how-google-tracked-safari-users/ [wsj.com]

Re:

[toutankh]

Because they can. The real problem here is that the browser cannot enforce its own security settings. The fact that Google is evil is beside the point. If I check a "don't track me" option in my browser then end up being tracked, my anger is directed toward the browser, not the tracker. Anything else doesn't make sense and is counter-productive.

Risky analogy: if my partner cheats on me, my anger should be directed toward my partner, not to anyone else (provided my partner cheated on me with someone who does

Re:

[icebike]

Have you seen those small "Share" and "Like" buttons all over the web?

Thats right, Facebook, Google, and others, see every time a browser downloads those buttons and which URL it was loaded from. It the user happens to be logged on to their service, they also see the user's identity.

In otherwords, Facebook, Google can track almost every user and page load on the web!

"Apple users: Only Apple can track us! Not Google [theregister.co.uk]" was the headline that The Register used to describe this story in their usually thinly veiled laughing up their sleeve sort of way.

Allegedly these clowns are suing for damages. Let them prove damages.

Really?

[kullnd]

Maybe Google should start charging us for their services that we get for free... They have to make their money from something, if you don't like it don't use it. Also, anyone who honestly believes that a toggle in their browser is going to prevent them from being tracked on the open internet needs an education on how things really work in the real digital world.

Re:Really?

[Dexter Herbivore]

Also, anyone who honestly believes that a toggle in their browser is going to prevent them from being tracked on the open internet needs an education on how things really work in the real digital world.

When the law says that the user shouldn't be tracked, then the user shouldn't be tracked. In an ideal world, Google shouldn't be going out of the way to circumvent those laws.

Re:Really?

[Anonymous Coward]

However, the law says that you must inform users they are being tracked.

Which is the case here.

It's an astroturf movement. Apple getting at Google for Android.

It was a similar faked outrage when *33* people complained about Attenborough's bit on a polar bear giving birth which was done in a zoo for the safety of the cameramen and the polar bears and described on the BBC web site for the program. But, because it dared say that AGW was a problem, the daily hate mail insisted this was AN OUTRAGE.

Manufactured.

PS to use the BBC website, you are required to accept cookies or the site won't work. Mostly for technical reasons, but you still have to allow cookies.

They DO tell you "We use cookies" and that is all the law required.

It was a pretty useless law.

Re:

[TapeCutter]

Yeah the Daily Fail tried to discredit Attenborough but all they did was drag their own reputation deeper down the gutter. Why? - Because Attenborough's persona and 50yr track record is such that people see his face and they know it's legit.

Re:

[Smauler]

It wasn't legit. I don't know the Mail's take on the situation, I don't read it.

However, the BBC presented video from a zoo and implied it was in the wild. Attenborough should be ashamed for providing the voiceover, not try to defend it.

The problem was not that the BBC used footage from a zoo. The problem was that they deliberately tried to trick the viewer into thinking that the bear cubs filmed were in the wild. Just because they were open in saying that they did so after the event does not make it ok

Re:

[TapeCutter]

I have the documentary in my collection, there is no "deliberate trickery". As the OP stated, it was a manufactured controversy intended to punish Attenborough for his views on AGW. You'd have to be a complete moron to fall for such a transparent attempt to assassinate his character.

Re:

[Plumpaquatsch]

However, the law says that you must inform users they are being tracked.

Which is the case here.

It's an astroturf movement. Apple getting at Google for Android.

[...] PS to use the BBC website, you are required to accept cookies or the site won't work. Mostly for technical reasons, but you still have to allow cookies.

They DO tell you "We use cookies" and that is all the law required.

It was a pretty useless law.

Amazing that your post is rated so how while being so wrong. First of all, there is no information to the user that they are being tracked. The BBC doesn't require you to allow third party cookies to work. Google and assorted Advertising scum does. And remind me why Google has to pay a record fine to the FTC for doing this [huffingtonpost.com] (which the summary so cleverly avoids telling by calling it a settlement)

Re:

[Anonymous Coward]

I don't use Google services, and yet 99% of the websites on the 'net ping back to google-analytics.com informing them of every link I click on. Are you saying I should stop using the web completely?

This isn't about tracking people's use of Google's services, it is about tracking every single thing every single person does on the web. Apple added some privacy protection into Safari, and Google actively worked around it, bypassing the users' wishes to not be tracked.

Re:

[kullnd]

I'm sorry, but blaming Google for the web site owners that by their own choice put Google code onto their websites is kind of retarded...

Re:

[thetoadwarrior]

Google doesn't really provide anything for free other than other people's content or their complete ripoff of facebook.

Re:

[tlhIngan]

Maybe Google should start charging us for their services that we get for free... They have to make their money from something

It's called "advertising". Though perhaps Google should charge users who use NoScript/ABP/etc. to block ads from Google and Google-owned companies like DoubleClick, AdMob, etc. (Google owns basically the entire online adversing companies - from their AdSense ads to the companies that do all the annoying popover/popunder/interstitials and such - all owned by Google).

Also, anyone who ho

Re:

[Nostromo21]

So basically, you/they/crApple is sore that Safari security is weak as piss & worse than IE's? Gotcha.

Re:

[Americano]

Actually, I'd love it if Google offered a subscription-based, ad-free/tracking-free consumer version of their services. That's not much of a threat, I wish they'd start charging for services that we get for free.

They have to make their money from something, if you don't like it, don't use it.

The problem here is that people specifically set their browser in a way that said, "don't track me," and Google said, "Well, since you couldn't possibly have meant to exclude US with that setting, we'll just circumvent

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Which are nowhere nears as pathetic as Apple apologists...(Offense intended)

Re:

[Nostromo21]

Last I checked, Google hasn't apologised for jack shit, not should they. OTOH, Samsung is still waiting for a proper one from crApple...

Re:

[Plumpaquatsch]

Last I checked, Google hasn't apologised for jack shit, not should they. OTOH, Samsung is still waiting for a proper one from crApple...

Yeah, they only had to pay the biggest fine to the FTC ever. No reason to apologize after you paid for your sins, obviously.

pot, kettle, black, etc.

[dontbemad]

i find it mildly amusing that Apple product users are suing google over something related to tracking.

Re:pot, kettle, black, etc.

[GodfatherofSoul]

Regardless, Google lied and got busted lying. "She hit me first" didn't work for your mother, and it won't work in court either.

Re:

[BasilBrush]

i find it mildly amusing that Apple product users are suing google over something related to tracking.

Why?

Re:

[gnasher719]

i find it mildly amusing that Apple product users are suing google over something related to tracking.

Why would you find that amusing? It's not amusing for users who have to go to court to avoid being tracked, it's not amusing for Google.

Re:

[RocketRabbit]

Why? Google is the biggest data miner on the planet, and they make more money as they refine their profile of you. They are the Internet Gestapo.

Apple, by comparison, is rather innocent.

Re:

[dontbemad]

not a shill, and even if i really am that stupid, at least i don't hide behind being an AC.

Can't let every consumer dictate what privacy is

[Anonymous Coward]

Much as I can agree with the sentiment, we cannot allow every single consumer out there to dictate what constitutes privacy data. Perhaps google should publish what it deems as privacy information, and then allow the consumer to decide to play along or not.

Re:Can't let every consumer dictate what privacy i

[icebike]

Much as I can agree with the sentiment, we cannot allow every single consumer out there to dictate what constitutes privacy data. Perhaps google should publish what it deems as privacy information, and then allow the consumer to decide to play along or not.

What an excellent Idea. I wonder why Google Never Thought About That. [google.com]

I find Google far more forthcoming than most companies, and offering a much finer grained level of control.

I would also wager, that Judith Vidal-Hall has a facebook page, a Linkedin page. As far as I'm concerned, anyone signing up for either of those two services has abdicated all semblance of Privacy. Living in a country with CCTV cameras on every street corner, and a government hell bent on capturing every keystroke on your computer forever, how can she object if Google complies with her country's laws?

Re:

[Anonymous Coward]

I would also wager, that Judith Vidal-Hall has a facebook page, a Linkedin page. As far as I'm concerned, anyone signing up for either of those two services has abdicated all semblance of Privacy.

A Judith Vidal-hall [facebook.com] is on Facebook, but provides no additional information to strangers. Despite the Slashdogma, it is possible to have a Facebook page and not spend your entire day posting your SSN and rapid status updates about what you ate for lunch and how it is propogating through your digestive system.

As far as I'm concerned, anyone making poorly educated sweeping generalizations based on bad stereotypes has abdicated all semblance of Trust on public forums.

Re:

[penix1]

Despite the Slashdogma, it is possible to have a Facebook page and not spend your entire day posting your SSN and rapid status updates about what you ate for lunch and how it is propogating through your digestive system.

That is not the default for FB and never was. You have to jump through hoops to set it up so that a small semblance of privacy (or more accurately the illusion of it) is maintained there. And every time they update something the privacy settings for that something is always "Show it to the w

Re:

[EasyTarget]

Apparently there is a facebook page where you can sign up to support this..
My ironyometer went off-scale when I saw that.

Re:

[nschubach]

I read that line and thought... great. Someone out there is going to think that their screen height is private and break every website that uses scroll effects. That's not a major loss, but what if they decided that the browser is private? People can't be allowed to determine everything that's private... can they?

Re:

[Mister Whirly]

Yes if only there was some sort of policy regarding privacy that sites like Google would make public... Something that was easy to find, perhaps right on the bottom of every page. Something that said something like Privacy & Terms [google.com] that you could simply click on to get information.

Re:

[Plumpaquatsch]

Yes if only there was some sort of policy regarding privacy that sites like Google would make public... Something that was easy to find, perhaps right on the bottom of every page. Something that said something like Privacy & Terms [google.com] that you could simply click on to get information.

Is the link to that page also on every webpage that Google uses it's third-party cookies on?

A group of Apple's Safari web browser users

[DeathToBill]

"Both of Apple's Safari web browser users..."

FTFY

Re:

[thetoadwarrior]

Given how many more iphone users use the internet over android users it's by far the most userd mobile / tablet browser.

Re:

[thetoadwarrior]

It could explain why the numbers don't match up with web stats or some people are just wasting their time with a smart phone. I wouldn't bother with a mobile phone at all if I couldn't use the internet every day. Even with my old G1 I'd surf Slashdot even if it was the worst possible way to view the site.

Re:

[RocketRabbit]

Wikipedia does an interesting breakdown on the devices used to visit their site and Android usage is much lower than one might expect from Google's and that shady ass StatCounter's numbers.

"group of Apple's Safari web browser users"? Hmmm

[Ian.Waring]

It is of course perfectly coincidental that the lawyer firm involved is the same one who previously acted for Microsoft in a case against unlicensed X-Box accessories.

Why not sue Apple?

[TheSkepticalOptimist]

I mean ultimately its Safari's problem that Google could find a way to circumvent their privacy settings and write cookies to their user profile. If Safari was written properly then no website should be able to access private information or write to profile.

What is at fault here is the users thought Safari was secure, but Google found a way around the security. Its Safari's issue, period.

Re:

[Anonymous Coward]

No. That's a ridiculous line of reasoning. When someone breaks into your house you don't go after the manufacturer of the lock, you go after the thief.

As stupid as this law suit or maybe even the idea of do not track is, your idea is considerably more stupid.

Re:

[Kenja]

Depends, if the lock company made a point about how using their locks would make your house burgle proof I get people would sure them.

Re:

[smash]

Apple has made no such claims about safari. They've played the "mac's don't get viruses" card. This isn't a virus.

Re:

[thetoadwarrior]

Because you prosecute the one who did the crime. Do you sue you car manufacturer when your car gets broke into?

Re:

[cbhacking]

The entire Internet, including (especially, in this case) the WWW, is based on published specifications that describe how clients and servers are supposed to interact with each other. Some of these specifications relate to privacy. In particular, there is a thing called a "compact privacy policy" which is a very shorthand way of indicating many of the most salient points of a privacy policy in a machine-readable format. This is a published specification, part of the Platform for Privacy Preferences (P3P), d

Re:

[smash]

This post pretty much sums it up. IIRC, IE was affected too, for complying with P3P.

And yes. "don't be evil" my arse.

Re:

[viperidaenz]

4. Compact Policies

Compact policies are summarized P3P policies that provide hints to user agents to enable the user agent to make quick, synchronous decisions about applying policy. Compact policies are a performance optimization that is OPTIONAL for either user agents or servers. User agents that are unable to obtain enough information from a compact policy to make a decision according to a user's preferences SHOULD fetch the full policy.

The text Google sends is obviously not a valid CPP, so the browser is incorrectly implementing an optional part of the spec to the detriment of the users.

They don't incorrectly add any of the defined compact tokens to the CP header. No correct implementation should be able to determine a policy from what is returned.

Re:

[smash]

This isn't a security exploit. No software was "exploited". It is Google being a dick with internet standards.

Whether

[TsuruchiBrian]

"'Whether something is private or not should be up to the internet surfer, not Google. We are best placed to decide, not them.'"

Fulfilling the expectation that the internet surfer's privacy wishes are being honored is the job of a browser without security, not a massive corporation whose primary income source is targeted advertisements.

Since when....

[Dcnjoe60]

Since when is Google storing a cookie on your local computer the same as Google collecting data on you. Collecting, by its very definition, would mean that they are storing the data on their computer. Now, if Google then harvests the data stored locally and does something with it, that is a different story, but just having Google store a cookie, does not in and of itself mean that they are collecting personal data, even if the cookie contains personal data. If that were the case, then just about every webs