Tech Law Journal Daily E-Mail Alert
Thursday, August 9, 2012, Alert No. 2,425.
Home Page | Calendar | Subscribe | Back Issues | Reference
FTC Sues and Settles With Google for Circumventing Apple Safari Browser's Blocking of Third Party Cookies

8/9. The United States, acting on behalf of the Federal Trade Commission (FTC), filed a complaint [26 pages in PDF] in the U.S. District Court (NDCal) against Google alleging violation of Sections 5(l) and 16 of the FTC Act in connection with Google's circumvention of the Apple Safari browser's default setting for blocking of third party cookies.

Section 5(a), which is codified at 15 U.S.C.§ 45, provides that "unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful". The FTC previously brought and settled an action against Google, based upon an alleged violation of Section 5(a), involving Google Buzz. That action concluded with a consent order. The present action does not allege that Google's circumvention itself is actionable. Nor does it allege that Google's circumvention violated its privacy policy in violation of Section 5(a). Rather, the complaint alleges that Google's circumvention, and resulting serving of ads, violated the terms of the consent order, which barred Google from misrepresenting its privacy related practices, and that this constitutes a violation of Section 5(l), which authorizes the FTC to enforce its consent orders. Section 16, which is codified at 15 U.S.C. § 56, authorizes the Attorney General to bring actions on behalf of the FTC.

The parties simultaneously filed a short proposed order [PDF] that settles this action with minimal inconvenience to Google. The proposed order contains no finding of wrongdoing, liability, violation of law, or violation of the previous FTC order. Indeed, the proposed order contains no findings or stipulation of facts regarding the events that gave rise to this action. There is a fine of $22.5 Million, which for a company with Google's market capitalization, is negligible.

This structuring of the complaint, and settlement with no finding of wrongdoing, or even findings of fact, works to the advantage of Google in related pending class action litigation.

The proposed order provides that "Until February 15, 2014, Defendant will maintain systems configured to instruct Safari-brand web browsers to expire any DoubleClick.net cookie placed by Defendant through February 15, 2012 if those systems encounter such a cookie, with the exception of the DoubleClick opt-out cookie."

February 15, 2014 is nearly two years to the day after the Wall Street Journal and Jonathan Mayer, a graduate student at Stanford University, published reports of Google's circumvention.

This settlement is particularly lenient in light of Google being a repeat violator of federal law in its advertising practices. See, story titled "Google to Pay $500 Million for Allowing Its AdWords Program to be Used to Promote Illegal Online Drug Sales" in TLJ Daily E-Mail Alert No. 2,292, August 24, 2011. See also, story titled "FTC Issues and Settles Complaint Against Google" in TLJ Daily E-Mail Alert No. 2,213, March 31, 2011.

Prior FTC Order Regarding Google Buzz. In 2011, the FTC brought and settled an enforcement action against Google in connection with its privacy related practices associated with the initial launch of its Buzz social networking service. See, Decision and Order [7 pages in PDF] dated October 13, 2011.

The just filed complaint alleges that Google violated that October 13 order. It states that the FTC "charged Google with violating the FTC Act in connection with Google's launch of its social networking tool, Google Buzz. ... The FTC alleged, among other things, that Google misrepresented to users of its Gmail email service that: (1) Google would not use their information for any purpose other than to provide that email service; (2) users would not be automatically enrolled in the Buzz network; and (3) users could control what information would be public on their Buzz profiles."

The October 13 order provided that Google "shall not misrepresent in any manner, expressly or by implication ... the extent to which respondent maintains and protects the privacy and confidentiality of any covered information" or "the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other entity".

Moreover, the just filed complaint states that the October 13 order provides that "covered information" includes "persistent identifier contained in a tracking cookie, a user's IP address, a user's account ID, a user's interests, or a user’s web-browsing activity".

Google's Safari Circumvention. Google and three other companies used surreptitious code to circumvent the block third party cookies feature of Apple's web browser, Safari, thereby enabling these companies to track the web browsing of users of Apple iPhones and iPads, without their permission or knowledge, and contrary to Apple's and users' efforts to protect their privacy. Google owns DoubleClick, whose cookies are placed on users' browsers when visiting Google AdSense partner web sites.

The complaint alleges in detail, at paragraphs 17 through 48, the nature of cookies, third party cookies, DoubleClick advertising cookies, online tracking, Apple Safari browser's privacy controls, Google's representations, and Google's overriding of Safari's controls.

For more on Google's circumvention, see stories titled "Google Tracked Users Online by Circumventing Apple Safari Browser's Blocking of Third Party Cookies" and "What Are Third Party Cookies?" in TLJ Daily E-Mail Alert No. 2,341, February 19, 2012.

Counts Pled in FTC Complaint. Consistent with most of the actions taken by or on behalf of the FTC under Section 5 of the FTC Act to protect consumer privacy, this complaint against Google builds on Google's having misrepresented its privacy related practices.

This action does not assert that the underlying action -- circumventing the Safari browser's default setting of blocking of third party cookies -- is actionable.

Count I alleges that the Google's circumvention violated the 2011 consent order by violating representations that it made in its web site regarding collection of information from Safari users. That is, the complaint alleges that "Google assured Safari users that the Safari default setting ``effectively accomplishes the same thing as setting the opt-out cookie,´´", but in fact, Google "placed DoubleClick Advertising Cookies on the browsers of Safari users with the default setting".

Count II alleges that Google's serving of targeted ads violated violated the 2011 consent order by violating representations that it made in its web site.

Count III alleges that Google is a member of the Network Advertising Initiative (NAI), a self-regulatory organization for companies in the online advertising marketplace, which has written a code, and that Google represented that it complies with the code, but in fact, Google failed to comply with the NAI Code. The complaint alleges that this too violated the 2011 consent order.

This case is USA v. Google, Inc., U.S. District Court for the Northern District of California, San Jose Division.

Commentary: Claims that the USA/FTC Did Not Bring Against Google

8/9. This piece addresses some claims that the USA and/or Federal Trade Commission (FTC) might have brought against Google for its circumvention of of the Apple Safari browser's blocking of third party cookies, but did not.

Notably, there is no claim against Google for the underlying act of circumvention. Claims might include reliance upon the unfairness prong of the unfair or deceptive trade practices statute, interception of electronic communications in violation of the Wiretap Act, or unauthorized access to a protected computer system.

First, the USA or FTC might have pled in this complaint that Google's act of circumvention itself is an unfair trade practice under Section 5 of the FTC Act.

Section 5(a), which is codified at 15 U.S.C.§ 45, provides that "unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful". Most FTC privacy related actions (other than those involving children and the COPPA) charge violation of the deceptive prong. However, the FTC has taken action based upon the unfairness prong before.

For example, in 2005, in an action against BJ's Wholesale Club, the FTC alleged unfairness in the context of data security. The FTC alleged in its administrative complaint that BJ's "did not employ reasonable and appropriate measures to secure personal information collected at its stores", such as encryption, and that "This practice was an unfair act or practice". See also, FTC web page with hyperlinks to pleadings in that proceeding.

In 2011, in FTC v. Frostwire, the FTC alleged unfairness in the context of default privacy settings. It filed a complaint in the U.S. District Court (SDFl) that alleged, in Count III, that "FrostWire for Android mobile file-sharing application was likely to cause a significant number of consumers installing and running it to unwittingly share personal files stored on their mobile computing devices with the public", thus increasing "consumers' vulnerability to identity theft", and that this constitutes "unfair acts or practices in violation of Section 5 of the FTC Act". See also, FTC web page with hyperlinks to pleadings in that proceeding.

Also, on March 26, 2012, the FTC released a report [112 pages in PDF] titled "Protecting Consumer Privacy in a Era of Rapid Change: Recommendations for Businesses and Policy Makers" that contains statements that may imply a forthcoming increased reliance upon unfairness, rather than deception, as the basis for FTC interpretation of its statutory authority under Section 5 of the FTC Act. See also, stories titled "FTC Releases Second Report on Privacy Issues" and "Commentary: Unfair v. Deceptive Conduct" in TLJ Daily E-Mail Alert No. 2,357, March 26, 2012.

Next, in the just filed complaint against Google, the USA might have pled civil violation of the Computer Fraud and Abuse Act (CFAA), which is codified at 18 U.S.C. § 1030. It bans certain unauthorized access to a protected computer system. The USA could also have brought a criminal CFAA charge in a separate criminal action.

Or, the USA might have alleged violation of 18 U.S.C. § 2511, which bans intercepts of electronic communications.

Or, the USA might have alleged violation of 18 U.S.C. § 2701, the Stored Communications Act (SCA). This statute provides that "whoever ... intentionally accesses without authorization a facility through which an electronic communication service is provided ... or ... intentionally exceeds an authorization to access that facility ... and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished".

There are private rights of action under the CFAA, Wiretap Act and SCA (but not the FTC Act).

Hence, Google is now a defendant in numerous class action lawsuits that arise out of the Safari circumvention and that allege violation of these statutes.

On June 12, 2012, a U.S. Judicial Panel on Multidistrict Litigation issued an order that centralizes eight pending putative class actions in the U.S. District Court (DDel). Google is incorporated in Delaware, and other defendants are located in nearby metropolitan areas.

Reaction to the Google Settlement

8/9. The Federal Trade Commission's (FTC) settlement with Google regarding its circumvention of the Apple Safari browser's blocking of third party cookies received a wide range of comments. Some criticized the FTC for not going far enough against Google. Some praised the FTC. Some argued that it was inappropriate for the FTC to take action against Google in this matter.

First, the five member Commission was not unanimous. Commissioner Thomas Rosch faulted the FTC for letting Google off without admitting liability.

Thomas RoschRosch (at right) wrote in his dissent that "There is no question in my mind that there is ``reason to believe´´ that Google is in contempt of a prior Commission order. However, I dissent from accepting this consent decree because it arguably cannot be concluded that the consent decree is in the public interest when it contains a denial of liability."

Similarly, John Simpson of Consumer Watchdog stated in a release that the fine in this case "is woefully insufficient considering that Google refused to admit any liability or wrongdoing".

Sen. John Rockefeller (D-WV) stated in a release that "I commend the FTC for using its existing consent order against Google to hold the company accountable for misleading users of the Safari Internet browser about their online privacy".

Sen. John RockefellerSen. Rockefeller (at left) continued that "I will continue to push for common sense privacy legislation to give consumers the ability to choose what information companies collect about them and how they use it. In the meantime, it is imperative that the FTC continues to make sure that individual companies abide by the promises they make about consumers’ privacy. Without strong enforcement actions, companies have shown a preference for profits over consumer protection."

Rep. Joe Barton (R-TX) praised the FTC in a release. He wrote that "Google was wrong to circumvent the anti-tracking program in the Safari system. Google compounded their culpability by misleading the FTC and the public about their actions."

Rep. Ed Markey (D-MA) also commended the FTC in a release. Rep. Barton, Rep. Markey and Rep. Cliff Stearns (R-FL) wrote the FTC regarding Google's Safari circumvention back in February. See, story titled "Representatives Urge FTC to Investigate Google's Safari Circumvention" in TLJ Daily E-Mail Alert No. 2,341, February 19, 2012.

Leslie Harris, head of the Center for Democracy and Technology (CDT), stated in a release that "It's telling that the FTC included a count for violating an industry code of conduct ... This settlement sends an unambiguous message to companies that the FTC is ready and willing to aggressively monitor and enforce such codes."

Berin Szoka (head of Tech Freedom) and Geoffrey Manne (International Center for Law and Economics), came to Google's defense. They wrote in a statement that "The FTC holds Google liable for a statement in a help page that was true when made and became untrue only because Apple quietly changed how its Safari browser handles cookies."

Berin SzokaSzoka (at right) and Manne elaborated. "Of course, companies do have a duty to ensure the accuracy of what they tell consumers about privacy as their own practices evolve. But holding them responsible for monitoring everything their rivals do that might affect their own past privacy statements will only discourage them from explaining their privacy practices in the first place. This is sadly ironic, as policymakers have spent years bemoaning the inadequacy of privacy policies and demanding companies do more to educate consumers. This is, at best, a pyrrhic victory for privacy."

They concluded that "Such arbitrary regulation-by-settlement undermines the rule of law and harms consumers by deterring privacy disclosures."

Ryan Radia of the Competitive Enterprise Institute (CEI) also criticized the FTC. He wrote in a release that "Although Google found itself in the FTC’s crosshairs this time, the agency could have just as easily targeted any number of other Web companies for similarly minor missteps."

Radia said that "While punishing businesses that defraud their customers is among government’s legitimate roles, Google’s only mistake here was failing to realize a software tweak by Apple rendered one of Google’s help pages inaccurate. There is no evidence that any users were ‘taken in’ or harmed by this inaccurate help page, nor does the FTC allege that Google knew or should've known that its help page was wrong."

In This Issue
This issue contains the following items:
 • FTC Sues and Settles With Google for Circumventing Apple Safari Browser's Blocking of Third Party Cookies
 • Commentary: Claims that the USA/FTC Did Not Bring Against Google
 • Reaction to the Google Settlement
 • More News
Washington Tech Calendar
New items are highlighted in red.
Friday, August 10

The House will not meet, except for pro forma sessions, until September 10.

The Senate will meet at 11:00 AM in pro forma session.

Deadline to submit written comments to the President's National Security Telecommunications Advisory Committee (NSTAC) in advance of its August 16 meeting. The agenda includes discussions of (1) the Nationwide Public Safety Broadband Network (NPSBN), (2) the DHS's National Cybersecurity and Communications Integration Center (NCCIC), and (3) the proposal to develop a separate out of band data network supporting communications among carriers, ISPs, vendors, and additional critical infrastructure owners and operators during a severe cyber incident that renders the internet unusable. See, notice in the Federal Register, Vol. 77, No. 146, Monday, July 30, 2012, at Pages 44641-44642.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-76-2 [57 pages in PDF] titled "Biometric Data Specification for Personal Identity Verification".

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft FIPS-201 -2 [89 pages in PDF] titled "Personal Identity Verification (PIV) of Federal Employees and Contractors".

11:59 PM. Deadline to submit comments to the Executive Office of the President's (EOP) Office of the Intellectual Property Enforcement Coordinator to assist it in developing a "Joint Strategic Plan on Intellectual Property Enforcement". See, notice in the Federal Register, Vol. 77, No. 140, July 20, 2012, at Pages 42765-42767.

Saturday, August 11

The Federal Communications Bar Association's (FCBA) Young Lawyers Committee will host an event titled "3rd Annual End of Summer Rooftop BBQ". The price to attend is $15. Registrations and cancellations are due by 4:00 PM. on August 8. See, notice. For more information contact Justin Faulb at faulbjl at gmail dot com, Delara Derakhshani at delara dot derakhshani at gmail dot com, or Brendan Carr at BrendanTCarr at gmail dot com. Location: undisclosed.

Monday, August 13

5:00 PM. Deadline to submit initial comments to the Copyright Office (CO) in response to its notice in the Federal Register (FR) regarding its proposed rules that implement the provision of the Satellite Television Extension and Localism Act of 2010 (STELA) that allows copyright owners to audit certain Statements of Account filed with the CO. See, FR, Vol. 77, No. 115, Thursday, June 14, 2012, at Pages 35643-35652. See also, story titled "Copyright Office Issues Proposed STELA Rules Regarding Auditing Statements of Account" in TLJ Daily E-Mail Alert No. 2,398, June 18, 2012.

Tuesday, August 14

The Senate will meet at 2:30 PM in pro forma session.

9:00 AM - 5:00 PM. Day one of a two day meeting of the Department of Energy's (DOE) Advanced Scientific Computing Advisory Committee (ASCAC). See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45345-45346. Location: American Geophysical Union (AGU), 2000 Florida Ave., NW.

Wednesday, August 15

9:00 AM - 12:00 NOON. Day two of a two day meeting of the Department of Energy's (DOE) Advanced Scientific Computing Advisory Committee (ASCAC). See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45345-45346. Location: American Geophysical Union (AGU), 2000 Florida Ave., NW.

9:00 AM - 3:00 PM. The Department of Health and Human Services' (DHHS) Office of the National Coordinator for Health Information Technology's (ONCHIT) HIT Standards Committee will meet by webcast. See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45353-45354.

Deadline to submit reply comments to the Copyright Office (CO) in response to its notice in the Federal Register (FR) in which it proposes rules changes regarding the definition of a claimant for purposes of copyright registration. The CO proposes to eliminate the footnote to the definition of a claimant codified at 37 CFR § 202.3(a)(3)(ii), which provides that a claimant includes individuals or entities that have obtained the contractual right to claim legal title to copyright in an application for copyright registration. See, FR, Vol. 77, No. 96, Thursday, May 17, 2012, at Pages 29257-29259. See also, story titled "Copyright Office Proposes to Change Definition of Claimant" in TLJ Daily E-Mail Alert No. 2,386, May 30, 2012.

Thursday, August 16

1:00 - 2:30 PM. The American Bar Association (ABA) will host a webcast and telecast panel discussion titled "A New Beginning in the End: Sound Recording Copyright Terminations -- A Discussion and Debate". The speakers will be Lisa Alter (Alter & Kendrick), Lacy Lodes (Consor Intellectual Asset Management), Lisa Buckley (Pryor Cashman), Marybeth Peters (Oblon Spivak), and Mark Jaffe (Ekeland & Jaffe). Prices vary. CLE credits. See, notice.

2:00 - 3:15 PM. The President's National Security Telecommunications Advisory Committee (NSTAC) will meet via teleconference. The agenda includes discussions of (1) the Nationwide Public Safety Broadband Network (NPSBN), (2) the DHS's National Cybersecurity and Communications Integration Center (NCCIC), and (3) the proposal to develop a separate out of band data network supporting communications among carriers, ISPs, vendors, and additional critical infrastructure owners and operators during a severe cyber incident that renders the internet unusable. This event is open to the public. There will be a period for public comments. The deadline to register to present comments is August 9. The deadline to submit comments in advance of the meeting is August 10. The deadline to submit post meeting comments is August 30. See, notice in the Federal Register, Vol. 77, No. 146, Monday, July 30, 2012, at Pages 44641-44642.

Friday, August 17

The Senate will meet at 11:30 AM in pro forma session.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-124 Rev 1 [29 pages in PDF] titled "Guidelines for Managing and Securing Mobile Devices in the Enterprise".

More News

8/9. The U.S. Patent and Trademark Office (USPTO) published a notice in the Federal Register (FR) that announces, describes, recites, and sets the effective date (August 9, 2012) for, it rules changes that incorporate classification changes adopted by the Nice Agreement Concerning the International Classification of Goods and Services for the Purposes of the Registration of Marks. See, FR, Federal Register, Vol. 77, No. 154, August 9, 2012, at Pages 47528-47530.

8/8. The National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) released its draft SP 800-152 [26 pages in PDF] titled "A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)". The dadline to submit comments is October 10, 2012.

8/2. Rep. Kathleen Hochul (D-NY) introduced HR 6330 [LOC | WW], a bill regarding sentencing for identity theft. It was referred to the House Judiciary Committee (HJC) and House Financial Services Committee (HFSC).

7/20. The Copyright Royalty Board (CRB) notice in the Federal Register (FR) that announces a proceeding to determine the distribution of the digital audio recording technology royalty fees in the 2005, 2006, 2007 and 2008 Musical Works Funds. This notice also states that the deadline to submit Petitions to Participate in, and filing fees for, this CRB proceeding is August 20, 2012. See, FR, Vol. 77, No. 140, July 20, 2012, at Pages 42764-42765.

About Tech Law Journal

Tech Law Journal publishes a free access web site and a subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for a single recipient. There are discounts for subscribers with multiple recipients.

Free one month trial subscriptions are available. Also, free subscriptions are available for federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until two months after writing.

For information about subscriptions, see subscription information page.

Tech Law Journal now accepts credit card payments. See, TLJ credit card payments page.

Solution Graphics

TLJ is published by David Carney
Contact: 202-364-8882.
carney at techlawjournal dot com
3034 Newark St. NW, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998-2012 David Carney. All rights reserved.