Google Pays $17 Million Over Privacy Breach: How And Why Google Exploited Safari

Google Inc. (NASDAQ:GOOG) agreed to a settlement with 37 states and the District of Columbia on Monday after a two-year probe into the company’s circumvention of privacy settings in Safari, which is Apple’s first-party Web browser and default browser for the popular iPhone and iPad.

The Mountain View, Calif.-based search giant will pay $17 million for secretly tracking Safari users by placing special digital files within Safari that allow cookies to be installed on the device without users’ knowledge or consent. Google agreed to a similar settlement last August with the U.S. Federal Trade Commission for circumventing Safari’s privacy settings.

“Consumers should be able to know whether there are other eyes surfing the web with them,” New York Attorney General Eric Schneiderman said in a statement. “By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust.”

How Google was caught

Safari was built to automatically prevent the installation of any “cookies,” or files that can track a person’s Web browsing habits and report that data to third-parties like ad networks. But last February, Google was caught using special computer codes that tricked Safari into letting it track its users by a Stanford researcher named Jonathan Mayer; the same codes independently confirmed by Ashkan Soltani, a technical adviser to the Wall Street Journal.

The discovery of Google’s hidden code directly contradicted a Google webpage that said (before Google altered its language) Safari users could rely on Safari’s privacy settings to prevent tracking by Google, and thus, they had no need to opt out of Google tracking.

“Safari is set to block all third-party cookies,” Google said at the time. “If you have not changed those settings, this option effectively accomplishes the same thing.”

Why did Google exploit Safari?

Ads are the main reason, but it also has to do with data. Google believed it could tie together its services with a service that could beat Facebook at its own game, so Google used its DoubleClick ad technology to help introduce its new social network, Google+, by placing “+1” buttons within DoubleClick ads so if users like them, they can approve the ads directly in their social network. This would be a great way for Google and its advertisers to extract more data about their customers and how they interact with ads, which only improves their respective businesses.

But Google ran into a problem when adding the “+1” button to mobile ads, particularly on the iPhone and iPad, because of Safari: Since Apple’s Web browser automatically blocks cookies, Google would have no way of knowing if Safari users were logged into Google, which is necessary to use the “+1” button.

How Google exploited Safari

Google found a loophole: Safari blocks all cookies from being installed automatically, but at that point in time, Safari allowed for advertisers to place cookies in the browser as long as the user interacts with the actual ad. So Google decided it would trick Safari, albeit temporarily, by sending invisible forms that made it appear as if the user was interacting with the DoubleClick ads.

In turn, Safari would allow the ads to install temporary cookies that could track users’ browsing activities. Now the cookies are temporary to begin with, but because of a technical decision within Safari at the time, companies could easily add more cookies as long as there’s one cookie already installed, which is obviously problematic for users’ privacy. Three other ad companies, including Vibrant Media Inc., PointRoll Inc. from Gannett Co. and Media Innovation Group from WPP PLC, were found using similar techniques, according the the Wall Street Journal.

The state attorneys general said Google’s circumvention of Safari’s privacy settings was a violation of consumer protection and computer privacy laws, as the company misled Safari users with its earlier statement and failed to inform those users correctly and sufficiently.

As part of the settlement, Google will pay $17 million to the District of Columbia and the other 37 states, including Alabama, Arizona, Arkansas, California, Connecticut, District of Columbia, Florida, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Oklahoma, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington and Wisconsin. Google also agreed to only use its special code capable of overriding browser settings for security, technical, or fraud issues only -- not advertising. Google also agreed to provide Internet users and consumers with more information about cookies and how they work for the next five years.

But the $17 million payout, in addition to the other requirements in the settlement, is a slap on the wrist for Google at best. Google’s quarterly ad revenue far exceeds this million-dollar fine; ad revenue is a big reason Google raked in $50 billion in revenue last year, and why Google’s revenue is expected to hit record highs this year. Meanwhile, Google Plus is more popular than it was a year ago, if only because YouTube users are extremely irritated with the new requirement that they use their Google Plus accounts, whether they have one or not.

Follow Dave Smith on Twitter