Mobile phones are great for on-the-go access to the Web, even better if you can block cookies and not be tracked. So finding out the largest search engine in the world has been ignoring your wishes and dropping a cookie anyway is not great news, says David Reed.
If you have covered your windows in aluminium foil to prevent the World Government from reading your thoughts, then this piece of news will have come as no surprise - Google circumvented privacy controls on the iPhone in order to track users and serve them targeted ads.
If you bought the iPhone partly in the knowledge that Apple was shipping it with third-party cookie blocking as standard on the Safari web browser, you might feel shocked. Around 100 individuals in the UK certainly do - so much so that they are considering being party to a law suit being brought for invasion of privacy.
And if you are a mobile marketer keen to exploit this fast growing channel, you might feel let down by one of the most important parties involved in it. As far as Google is concerned, however, no personal information was involved and therefore there was no invasion of privacy. That view seems likely to be tested in court sometime this summer.
Google’s manoeuvre came to light courtesy of a researcher at Stanford University. Jonathan Mayer reported to the Wall Street Journal that the search engine was using specially-written code to get around the cookie-blocking settings. These tricked the iPhone operating system into believing the user had submitted a form which allowed cookies to be stored on the phone without consent or knowledge. These were used to serve ads onto sites in the DoubleClick network, targeting which is critical to Google’s revenue stream.
Enter the Federal Trade Commission (FTC) in the United States which slapped a record $22.5 million fine on the company. One reason for the size of the penalty was that Google had previously entered into a 20-year privacy order with the FTC following challenges to its Buzz social network.
Jon Leibowitz, chairman of the FTC, said in a statement: “The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order. No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
Another factor in the decision was a help page on Google which told Safari users that because the browser’s default setting is to block third-party cookies, as long as users do not change those, this setting “effectively accomplishes the same thing as [opting out of this particular Google advertising tracking cookie].”
Google’s response to the fine was that, “we set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple's browsers.”
The company has further explained its position, saying: “Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as ‘Like’ buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalised ads and other content - such as the ability to ‘+1’ things that interest them.”
At this point, European data experts might seek to point out that placing cookies onto a device without explicit consent is a breach of the ePrivacy Directive (“cookies law”) which so vexed the digital marketing industry when it was adopted in 2011. According to a legal source, however, this is unlikely to form the basis of a law suit because of the staggered way in which this law was introduced. “It happened during the period of grace before the law was being enforced by the ICO,” he suggests.
Instead, a group of UK iPhone users have set in train a law suit against Google for invasion of privacy. Individuals have a reasonable expectation of privacy for activities which they carry out in private - that includes browsing the Internet. Should another person make use of the same device (iPads were affected as well as iPhones), then the ads targeted at the original individual could end up revealing something about their interests.
Since Apple was shipping its devices with blocking as the default setting, users are likely to have had that “reasonable expectation” that their browsing was not being tracked in this way. Around 10 million iPhones were bought in the UK during the period when this practice was being used. Ten users, including a privacy campaigner, initiated a law suit through Olswangs which is now being joined by dozens more plaintiffs.
Letters before action have been sent to Google executives with an expectation that a substantive response will have been received by late February. Should the company resist the claims being made, court proceedings will be initiated in the UK with a technical application to serve papers outside of jurisdiction.
The legal source expects no difficulties to arise from pursuing Google in this country. “US entities are sued every day of the week in the UK. If Google wants to hide behind jurisdictional issues, that would be disappointing,” he says.
If the court were to find against the search engine, it could be hit for substantial damages. By the time it goes before a judge, the number of claimants is likely to have risen considerably, making even a modest award of damages for each one multiply rapidly to a large total.
Not everybody sees this pursuit of Google over its privacy practices as reasonable. One such is The Atlas Society’s Business Rights Centre, which seeks to protect American producers against “politically-motivated persecution, disguising itself as law enforcement and exposé journalism”. It reported on the American fine under the headline, “FTC extracts fine from Google as harassment continues.”
It protests that Google was not found guilty of anything in court, but was judged by the FTC to have broken the promise it gave to the Commission, in essence treating it with contempt. Alexander R. Cohen of the BRC wrote: “The problem Google faces is that it isn’t safe for Google to treat its government harassers with contempt,” largely because it has not played the political game in Washington. (The Atlas Society is named after the Ayn Rand novel, “Atlas Shrugged”, which advocates laissez-faire capitalism and individualism and is a touchstone for US right-wing politicians.)
Given the polarised nature of American politics, it is no surprise to find Google being defended on the basis of perceived bias against it. In the more balanced climate of the UK, few are likely to see political malice lying behind the law suit - more an important issue related to one of the most important and powerful engines of the modern economy.
(It is also somewhat ironic that an Apple device should be at the centre of a storm about privacy, since the iPhone itself keeps track of timestamped data of the longitude and latitude of the phone’s position. Many users are unaware of this tracking, which is relatively easy for another party to access via the phone or any Mac it has been synched with.)
What an independent observer might question about the explanation Google has given is the mechanism it used to place cookies onto iPhones and iPads. Where users had signed-in to Google and were actively using “+1” functions, there can be no problem. But apparently faking a handset into believing the user had taken this action, by creating a phantom form, seems far more dubious.
Consent is dear to the heart of regulators in Europe - the European Commission took the UK to court for allowing the ill-fated Phorm experiment in behavioural targeting to take place without informing subscribers. That led directly to the “cookies law” being introduced.
Commercial businesses relying on personal information will also have concerns, as should any brand that serves ads via DoubleClick. The more consumers learn of such activities, the more they will refuse consent when mechanisms to do so are offered. In one survey carried out by Ovum, 68 per cent of consumers across 11 countries would make use of “do not track” if they could. An Emailvision survey found 40 per cent of consumers unwilling to trade personal information in return for better targeted offers.
Those numbers should worry data practitioners as they threaten the free flow of data, especially in digital channels, which current marketing operations are heavily reliant on. We have not yet reached the stage where all consumers are metaphorically covering their windows with foil, but they are definitely becoming more worried about being tracked.