Google Facing New Privacy Probe Over Safari Incident

Soulskill posted more than 2 years ago | from the hand-in-the-cookie-jar dept.

An anonymous reader writes "Last month we discussed news of a controversial method Google was using to bypass Safari's privacy settings in order to enable certain features for users who were logged in to Google. Now, U.S. regulators are investigating Google's actions to see whether the search giant has violated the privacy protection agreement they signed last year that includes a clause prohibiting Google from misrepresenting how users control the collection of their data. 'The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. ... A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.' European regulators are adding the Safari investigation to their review of Google's consolidated privacy policy."

Fr1st P0st (-1)

Anonymous Coward | more than 2 years ago | (#39379011)

Frosty piss y'all!

Bug? (1)

Rik Sweeney (471717) | more than 2 years ago | (#39379017)

I still don't understand, isn't this a browser exploit that needs to be fixed? What's stopping another website from doing exactly the same thing?

Re:Bug? (4, Informative)

Dak RIT (556128) | more than 2 years ago | (#39379085)

It is a bug, and also seems very likely to be a (granted rather trivial) exploit. Google seems to be the primary target here, even though multiple sites have been identified using the workaround [webpolicy.org], because of previous agreements it has made regarding privacy.

Re:Bug? (1)

Anonymous Coward | more than 2 years ago | (#39379101)

Yes, Apple announced they will be patching this. It still doesn't look good for Google to be exploiting a browser vulnerability, they are supposedly a reputable corporation.

Re:Bug? (1)

Dexter Herbivore (1322345) | more than 2 years ago | (#39379247)

Do No... errr, never mind.

Look at the monkey! (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#39379115)

Why fix security problems when you can just prosecute people?

Re:Look at the monkey! (-1)

Anonymous Coward | more than 2 years ago | (#39379519)

that's not a monkey. it's a nigger! easy to confuse I know

Re:Look at the monkey! (4, Informative)

Anthony Mouse (1927662) | more than 2 years ago | (#39379857)

The thing people are continuously forgetting about all of this is that the bug in question was in the open source Webkit, which both Safari and Chrome are based on, and Google had already submitted a patch to fix the bug before any of this even became an issue.

This all seems a lot more about this [falkvinge.net] than any sort of legitimate complaint the government has about what Google is doing. If the government had literally done nothing, the problem had already been solved before they became involved -- but now we have a big dog and pony show. Cui bono? Microsoft.

Re:Look at the monkey! (1)

Anonymous Coward | more than 2 years ago | (#39380777)

They submitted a patch and exploited it anyway. Exploiting privacy vulnerabilities is bad, bad, bad. I don't care if Joseph Kony funds the investigation.

Re:Look at the monkey! (2, Insightful)

Anthony Mouse (1927662) | more than 2 years ago | (#39380987)

"Exploiting privacy vulnerabilities is bad, bad, bad."

That word...I don't think it means what you think it means.

Let me give you an example. If you want to jailbreak an iPhone, you have to find a security vulnerability. Like, a real one, not this "well if you submit a form then it isn't considered a third party cookie" grey area nonsense, a real root shell "exploit." Is the company that makes the jailbreak website then "exploiting privacy vulnerabilities" because having rooted the phone, the software could in theory then send all the user's pictures and web history to the jailbreak author and so on? No, not until they do something that actually impairs the user's privacy.

Adding a +1 button to a third party website doesn't exactly fall into the same category as stealing credit card numbers or turning on one's webcam without authorization.

Re:Look at the monkey! (1)

Your.Master (1088569) | more than 2 years ago | (#39381207)

Who said anything about stealing credit card numbers? You're conflating issues radically. This isn't a grand theft trial, and nobody is talking about taking root access to your PC. This is a probe into whether Google is adhering to privacy agreements.

My best guess is that you're objecting to the AC's use of the term "exploit" in the context of privacy (or maybe the term "vulnerability")? But what else do you call it if you say the hole is being used? It's a vulnerability, in the privacy field, which is being exploited.

As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?

I expect this is a case of the left hand not knowing what the right hand is doing. But maybe the left hand was doing wrong, whether or not the right hand was doing right. So you slap the left wrist (or you don't, depending on the outcome of the probe).

Re:Look at the monkey! (0)

Anonymous Coward | more than 2 years ago | (#39381643)

Correct me if I'm wrong, but isn't this entire issue about the +1 / Like buttons that are proliferating across the Internet?

Doesn't one have to CLICK INTENTIONALLY on the +1 or Like button to have their privacy "invaded"? It's not really an invasion because the person intentionally clicked it, no?

Re:Look at the monkey! (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39381899)

"As for whether it's a grey area, if Google submitted a patch to end this behaviour as you say, presumably they thought the behaviour was wrong. Otherwise, why did they submit the patch?"

It's a pretty obvious false negatives vs. false positives trade off. There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff. But they also get used by ad networks to track people between websites, which can be undesirable. The problem is that the dividing line between first and third party cookies is very blurry (e.g. is fbcdn.net 'third party' when you're on facebook.com?) and even trying to make the distinction is somewhat questionable. So you draw a line and everybody, both the providers of legitimate features and the ad network trackers, tries to come in on the 'not blocked' side. Which is good when done to provide features and bad when done to track users. Then the browser vendors realize what happened and try to tighten things up against the tracking, hopefully in a way that makes it harder to track without breaking useful social network features etc.

You can think of it like spam filtering. Imagine you have a company that makes a spam filter and operates a mailing list. Messages with certain characteristics get blocked by the spam filter. Both the evil spammers and the good mailing lists adjust their messages so that they don't get blocked, and the company consequently updates the spam filter to try to keep blocking the spam. At this point you want to haul the mailing list operator into court for taking measures to make sure their legitimate, user-requested messages don't get flagged as spam by the spam filter? Why?

Re:Look at the monkey! (1)

znrt (2424692) | more than 2 years ago | (#39382685)

"There are a ton of legitimate uses for third party cookies, so over-blocking them breaks a lot of stuff."

really easy: http://www.abine.com/dntdetail.php [abine.com]

Re:Look at the monkey! (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39383319)

And...? What does that have to do with Microsoft lobbying the government to harass Google about ambiguous cookie settings?

Re:Look at the monkey! (1)

datavirtue (1104259) | more than 2 years ago | (#39381525)

I say the right to privacy is dead, antiquated, and probably never existed in the first place. If you want privacy then you need to consciously make an effort to protect your data. If you are not sure it is private, then assume it is not private. Don't be so beef-headed as to assume your life is private because you have not published it. I think the assholes are right, and we just don't want to admit it because of some ideological cognitive dissonance. There is no privacy on the internet. If information about you is travelling on wires all bets are off. If you want to keep something private do not send it over the wires. If you do, you must be diligent in obfuscating it.

Re:Look at the monkey! (1)

datavirtue (1104259) | more than 2 years ago | (#39381421)

Google refuses to play their little game so the "government" is always at their heels. Microsoft started sucking up to government a long time ago to make money. They now have a lot of pull because of this in Washington whereas Google has no political power--and it seems like they want to keep it that way. Yeah, I'm a Google fan boy, and I will be until they start playing the game. Maybe they want to track their user behavior, but the obvious treatment they receive from our Washington overlords makes it clear to me that they are not doing it for any overtly nefarious reason. I just wish Google would pull their head out of their ass and focus on core competencies. They need to prioritize and capitalize on the goodwill they have with users.

Re:Look at the monkey! (2)

hairyfeet (841228) | more than 2 years ago | (#39382039)

So if I submit a patch and they don't jump to it fast enough to suit me I can then pwn them consequence free? Don't think that is how it works friend. I would link to the former Google employee's "Why I quit Google" over on OSNews but since the guy took a job at MSFT nobody would read it anyway, but it is looking more and more like what he posted was correct. He said in the beginning they were an engineering company that made cool stuff that you could then sell ads on, he likened it to making a top rated show which then lets you make good money off its advertising because it is a quality show. But according to him the whole mood at Google changed after FB showed up and started cutting into their business, suddenly all the cool engineering stuff was dropped unless it had the magical word "social" attached and it went from "How can we make this cool thing?" to "How can we monetize this and/or tie this in with our social schema". He said after trying to get his kid to use Google+ she finally told him "It's not about a product, it's about people and the people just aren't there" and that was the cluebat that smacked him that the current direction was full of fail.

Sadly we have seen this happen time and time again, where a company gets tunnel vision and all the things that made them great go right down the shitter for this all consuming obsession with some market they can't seem to penetrate. We are seeing the same thing with MSFT at this very moment with mobile, as MSFT literally wastes billions of dollars chasing a market where none of their strengths come into play and it's obvious they are going nowhere. Expect to see more dirty plays like this from Google as they get more and more desperate to get a footing into the social market because they feel threatened by FB just as MSFT feels threatened by Apple. Again sad to see, both companies were great in the niches they had but instead of focusing on what made them great, Google on the cloud and making cool ways to access it and MSFT on the desktop and business server roles instead they will alienate customers chasing a market that simply doesn't fit. I wonder how many have walked away from Google after the privacy changes? Bet it's not a trivial number as there are a lot of geeks that care about privacy and influence those around them, just as I saw Google recommended years ago so too am I seeing sites like duckduckgo recommended now. Again it's a shame but once a company develops tunnel vision it seems like it's damned near impossible to get them to just stop.

Re:Look at the monkey! (1)

Gideon Wells (1412675) | more than 2 years ago | (#39380825)

The thing is a bit deeper than that. Analogy time.

Google had this agreement. According to Anthony Mouse below in the comments, Google knew of this problem. They submitted a bug fix. So the question for the prosecution and layperson is this, was there a way Google at this point could not abuse this bug?

Let's say there is a gas pump at the only gas station in town. The pump is calibrated wrong and providing 1.5 gallons of fuel for every gallon "measured". In a fair world this would never have happened. In a fair world, if it did happen by honest mistake, Google would not be blamed for the free gas before reporting it.

The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated. Were there alternative means to not gather this data despite the bug (using a different, properly calibrated pump) or ways to weed out this data (performing the math to pay for the correct amount of gas)?

Re:Look at the monkey! (4, Insightful)

Anthony Mouse (1927662) | more than 2 years ago | (#39381473)

"The question becomes what happens after Google reported it, and seemingly kept using that pump until it was properly calibrated."

You're making the "corporations are people" fallacy. Corporations are not actually, literally people. The people who work on Chrome and Webkit are almost certainly not the same people who work on Google+ and the like. They probably don't have any idea what the other is doing. It's not like every time anyone submits a patch to anything, they go running around to all the other departments to tell them about it.

On top of that, calling this a "vulnerability" or "exploit" is really pushing it. There is no obvious hard line between first and third party cookies. They have no obvious or official definition. Safari drew the line in a way that classified a lot of the borderline cases as "first party" cookies -- which actually makes a certain amount of sense, since they block third party cookies by default and over-blocking would break too many things.

So along comes, I don't know, everybody who uses cookies that would be blocked by Safari's defaults, and when they encounter Safari, they take steps to restore the original functionality. And since some (but not all) of those people are the sort of ad networks who track you in a way that made browser vendors consider an option to block third party cookies in the first place, Google submitted a patch to classify more of them as third party. Which breaks more legitimate stuff, because it's a trade off. It's not that the original default is bad, broken, or a vulnerability...it's that the line is a silly, ambiguous one to draw in the first place. What it's trying to accomplish is Do Not Track, but as a hack and consequently with a lot of collateral damage to legitimate features that everyone then scrambles to mitigate with workarounds like the one Google had been using.

So that happens, and along comes the Microsoft propaganda machine to point out that because Google is both a social network and an ad network, wouldn't it be nice to accuse the ad network of privacy violation as a result of a borderline cookie feature shared by all social networks? Give me a break.

Re:Bug? (3, Funny)

Anonymous Coward | more than 2 years ago | (#39379257)

If I leave my car door unlocked it's still illegal to steal it.

LOL the CAPTCHA for this post is "burglar".

Re:Bug? (3, Insightful)

bkaul01 (619795) | more than 2 years ago | (#39379331)

Of course, but patching the hole and going after people who create malware that takes advantage of it is not an either/or choice: both are necessary, generally speaking. Google, in taking advantage of a browser exploit, is essentially stooping to the tactics used by malware authors, even though unlike them it has signed agreements and generated official privacy policies saying it'd do no such thing.

Re:Bug? (1)

alen (225700) | more than 2 years ago | (#39379379)

Yes, it's a bug, but in the end the user said don't do this to my computer and Google still did it.

My computer is my property and Google shouldn't have the right to install software/files on it if I say don't do it.

Re:Bug? (2)

TheRaven64 (641858) | more than 2 years ago | (#39379561)

It's a browser vulnerability, yes. Apple should fix it, absolutely. However, the existence of security holes has never been a valid defence for exploiting them. If it were, then there would be almost no computer-related crimes...

Re:Bug? (0)

Anonymous Coward | more than 2 years ago | (#39379917)

Since when are **Apple users** so concerned about privacy, they of their locked-down anal probe devices?

Re:Bug? (1)

larry bagina (561269) | more than 2 years ago | (#39380531)

Let's say you lock your car door. Someone comes along, unlocks your car door, and takes a shit on your front seat. Well, locks can be picked and people can shit in inappropriate places (cf Occupy Wall Street), so you can't prevent someone from breaking into your car and taking a shit. But that doesn't excuse anyone who does that. In fact, you could say that they, not the door lock, are the problem.

Re:Bug? (0)

Anonymous Coward | more than 2 years ago | (#39381769)

In your analogy, there would already be someone you authorized (in the fine print) to shit in your front seat (see: lockdown of ad network on i devices, GPS track, location "opt out" - even if you know where the option is [a website external the device, not linked anywhere] and / or you turn off Location services, you're still tracked -- albeit much less accurately).

Google submitting the patch would be akin to someone telling the owner of the car just as they leave "yo, your door is unlocked and there's a pile of shit on your front seat -- I guess you said it was okay?". The owner just shrugs, does nothing, and walks away.

Furthermore, rolling down a window so you could add one or two more pieces of shit on your front seat wouldn't make much of a difference to the pile of shit that's already there.

My ass is getting a privacy probe (-1)

Anonymous Coward | more than 2 years ago | (#39379033)

From some hot gay dick!

*licks lips*

Slashdot Groupthink (3, Insightful)

cpu6502 (1960974) | more than 2 years ago | (#39379041)

"Google did no wrong. Google is awesome."

Realthink:
I don't trust Google any more than I trust Microsoft or Apple or any other megacorp. I hate corporations. (But I fear government.)

Re:Slashdot Groupthink (3, Funny)

Anonymous Coward | more than 2 years ago | (#39379199)

But but but, if people can't build their identity over corporate cheerleaderism, what will they do? You mean I'm really a middle-class IT drone and not a proud member of TEAM GOOGLE or TEAM APPLE? Impossible!

Ra ra my mega corp can beat up your mega corp! Apple is evil, Google loves me!

Re:Slashdot Groupthink (0)

cpu6502 (1960974) | more than 2 years ago | (#39379321)

Ha Ha!

Funny Anon. Coward. :-)

Re:Don't be Evil (1)

tripleevenfall (1990004) | more than 2 years ago | (#39379495)

It's okay for Google to do the same things Apple and Microsoft do, because Google has goodness in their hearts.

Re:Don't be Evil (0)

Anonymous Coward | more than 2 years ago | (#39380805)

Who cares what's in their heart? I only care about what's in their pants.

Re:Slashdot Groupthink (1)

datavirtue (1104259) | more than 2 years ago | (#39381609)

I hereby declare your post a sucker-punch. AC + bitchslap + dive back into the shadows = (sucker punch)

Re:Slashdot Groupthink (1)

jdgeorge (18767) | more than 2 years ago | (#39379499)

Looks to me as if the Slashdot Groupthink is currently a rant against Google posted from new iPads.

Re:Slashdot Groupthink (1)

the eric conspiracy (20178) | more than 2 years ago | (#39379511)

Hating corporations is a bit strong. They are a necessary part of an economy that is not government owned.

I'd say just realize that they are out after their own interests and you'll be on sound footing.

Re:Slashdot Groupthink (1)

schnikies79 (788746) | more than 2 years ago | (#39381393)

No, businesses are a necessity. Corporations are not.

Re:Slashdot Groupthink (1)

cpu6502 (1960974) | more than 2 years ago | (#39381719)

Exactly.

The ideal U.S. would not have any corporations... just private-owned proprietorships or partnerships where the owner(s) are directly responsible for the actions of their company and managers/employees.

Re:Slashdot Groupthink (1)

datavirtue (1104259) | more than 2 years ago | (#39381577)

You are getting the two confused. Corporations morph into the acting governmental force. How is this eluding you? Google has not morphed into a governmental force, yet.

Do no Evil out the door! (4, Insightful)

stupor (165265) | more than 2 years ago | (#39379047)

If my boss asked me to do something like this, I'd fight it kicking and screaming. I'd probably quit too if the software was significant like a google.

Re:Do no Evil out the door! (2, Interesting)

Anonymous Coward | more than 2 years ago | (#39379129)

It's always been 'Do know evil'

Re:Do no Evil out the door! (0)

Anonymous Coward | more than 2 years ago | (#39379343)

Ha, ha... oh, wait, Google's motto is "Don't be evil", not "do no evil" [wikipedia.org]. You can go back to Al Gore and the Internet, now.

Re:Do no Evil out the door! (0)

Anonymous Coward | more than 2 years ago | (#39380881)

This is what puzzles me. Google has more than 30k developers which are at least, let's say, in the top 5%.

Do you really think all these people are evil and would subject themselves to doing whatever their bosses tell them to do? Anyone leaving Google would have no issues finding another job. Why do you think there isn't a large number of Googlers leaving Google (by large, I mean at least some sizeable number like 5%, not just a few)?

Remember - people at Google are nerds who read Slashdot. Everyone cares for the same stuff you do.

Re:Do no Evil out the door! (1)

datavirtue (1104259) | more than 2 years ago | (#39381657)

Considering the recent productivity, they need to downsize.

Investigate Apple (2, Insightful)

haystor (102186) | more than 2 years ago | (#39379093)

Isn't Safari the one misrepresenting what the security settings do?

While I'm as shocked as the next person that google knows I've been buying windshield wipers, how is it that google is being held to the promises Safari has made to its users?

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39379125)

Lower chance of success. AAPL has enough cash on hand to buy Congress, not just pay off a judge.

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39379251)

You do realize you are proposing suing a vendor over a security hole. Should we sue Redhat for releasing a patched glibc slowly recently? No and no.

I get it, you love Google and Apple is for hipster turds. We've heard it before.

Re:Investigate Apple (1)

haystor (102186) | more than 2 years ago | (#39379457)

I'm being facetious about investigating Apple. If it's not the way it should be, close the hole.

Google has code that raises its presence on a page to the level where it can then attach a cookie to the browser.

I'm unfamiliar with the exact nature of this problem, but is it a matter of:

if (BLOCKED) { circumvent() }

or just:

doSomething(); # Safari should have blocked this

It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings.

Re:Investigate Apple (1)

Anonymous Coward | more than 2 years ago | (#39379509)

Google imitated a legit form click. Blocking it in Safari will require a great deal of care to not break actual forms. This is why it's such a shit move on Google's part.

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39380757)

That's why Google's motto is: "Don't get caught being evil". Why Larry Page tolerates shitheads like Vic Gundotra, Andy Rubin and David Drummond is beyond me.

--
I value my privacy, so I NEVER use any product from the arrogant Google assholes.

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39381749)

Vic Gundotra: That explains the G+ clusterfuck, he has Microsoft disease.

Andy Rubin: Don't see anything wrong with this guy other than being a Jew.

David Drummond: I always like Different Strokes.

Re:Investigate Apple (1)

datavirtue (1104259) | more than 2 years ago | (#39381683)

gotta love hackers

Re:Investigate Apple (1)

gnasher719 (869701) | more than 2 years ago | (#39379719)

"It is my understanding that it does something of the latter. It submits a form in order to set a cookie so that things like the +1 button can be set. In my mind this is part and parcel of using Google's services. The code works the same regardless of the privacy settings."

The only reason to submit this form is to circumvent Safari's security settings. If the user allowed cookies to be set without user interaction, then the form is not needed. It is needed because it tricks Safari into believing that there was some user action, when there actually wasn't one.

Your argument is basically "if they check whether the door is locked and climb through the window if it is locked, but go through the front door if it's not locked, that's bad. But if they always climb through the window, then it's fine". Well, that's nonsense.

Re:Investigate Apple (2, Interesting)

Rasperin (1034758) | more than 2 years ago | (#39380223)

I love Google as much as the next /. tard (and hate Apple to boot, I mean come on, look at the evil deeds of each company and Apple has so much more on it.) But Google purposely exploiting a security flaw in Safari is wrong. Plain and simple, however honestly I would like to wager Apple put it there on purpose to see if they could catch Google doing this. The reason I say this is, in chess (and corporate strategy is akin to Chess at times) one might allow themselves to lose a piece (reputation loss for Apple for having a security hole, def no more than a pawn) in exchange to turn the tables or even do substantial damage to one's opponent. We all heard they were doing this with IE before Safari and all of a sudden Safari now has this exploit. Millions of users (let's say 10 million) + let's say a year @ 16k each = $5,840,000,000. Also, even the slashdot community is turning on Google huge reputation loss.

A pawn for a queen, I'll take that any day. And if Apple did do this on purpose, I'm not saying they are evil, I'm saying they are smart. What I'm hoping is after this incident Google gets back on track to their 'Don't be Evil' motto. Google has been innovative, using their money to constantly make the world a better place, I can't think of the last time Apple did something truly good, but I can talk all day about Foxconn (cheapest vendor) and writing a 1500% markup on their devices with money just sitting in the bank and not really doing anything. When was the last time you heard of Apple Space, Apple with free anything, people are claiming they are contributing to the OS community but it's just ports so products work on their OS. So comparing the two, I always vote Google, even with this one evil truly evil deed. (I also don't think Microsoft was evil for forcing people to have IE, OH GOD NO... Oh wait you have to get Safari on Apple, what's with that?). Google's really just a target because they don't pay off the right people it seems, and I really hope they start doing it or they're going to end up sinking the ship. I mean for God's sake Sony put a rootkit on your computer and they didn't get fined $5billion.

Re:Investigate Apple (1)

datavirtue (1104259) | more than 2 years ago | (#39381777)

"I'm not saying they are evil, I'm saying they are smart."

You can be both.

Re:Investigate Apple (1)

Rasperin (1034758) | more than 2 years ago | (#39381981)

That is true, also I screwed up my multiplier (missed a 0) it's $58billion not $5.8billion.

Re:Investigate Apple (4, Insightful)

Richard_at_work (517087) | more than 2 years ago | (#39379575)

Google isn't being held to the promises Safari has made, Google is being held to the agreement it had with the DoJ because in the course of collecting data about the user they deliberately circumvented, admittedly fairly weak, restrictions the user placed on their actions within the browser.

There are two entirely different issues at hand here - Safari needs to be fixed somehow (although someone further down the thread suggests this isn't an easy fix) and Google got caught with its hand in the cookie jar when it probably shouldn't have had it there.

Just because your window is open doesn't mean people are allowed to climb through it to circumvent the locked door.

Re:Investigate Apple (1, Informative)

Anthony Mouse (1927662) | more than 2 years ago | (#39380079)

"restrictions Apple claimed to have placed on their actions within the browser."

The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

This would be a completely different thing if the default had been what it is in every other browser and it was being circumvented when the user had explicitly changed it, because in that case you have proof that the user knows how to change it and made a conscious decision. As it is they're just working around a bug in Safari that would otherwise break the functionality that users actually want.

Incidentally, do you see the damned-if-you-do-damned-if-you-don't problem here? Suppose they hadn't done this. So the functionality is broken in Safari, and for users who don't understand why or how to fix it, the easiest solution is to download Chrome. And the next thing you know they've got the antitrust authorities breathing down their necks because their service doesn't work with their competitor's web browser, even though there is a "standard" method of fixing it (namely the one they actually used) which is employed by various other similar websites.

Re:Investigate Apple (1)

gnasher719 (869701) | more than 2 years ago | (#39380153)

"The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work."

The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

Re:Investigate Apple (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39380717)

> The problem is: Apple created a default that protects the privacy of its users. Google wanted functionality that could only be implemented by either a breach of the user's privacy or by getting the consent of the user, so they decided to exploit a loophole and breach the user's privacy.

You're begging the question. The assumption you're making is that every possible use of third party cookies is inherently a privacy violation. If all they're using them to do is to see if you're logged into Google+ (so that they can give you a +1 button), how is that a privacy violation?

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39380165)

> The user never decided anything. That's really half the problem: Apple created a stupid default that would have impaired significant functionality, and for the users who don't understand how to or are afraid to change browser settings, this was the only way to make that user-desired functionality actually work.

Trolling or ignorant? It didn't break any Google functionality. This is just for ad tracking purposes.

Try Ghostery and see for yourself

Re:Investigate Apple (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39380821)

> It didn't break any Google functionality. This is just for ad tracking purposes.
>
> Try Ghostery and see for yourself

You can't try it anymore because they've turned it off. But what had happened was that if you were signed into Google+, on third party websites it would check for that cookie and give you a +1 button. That doesn't inherently involve any tracking at all. The possibility exists that they were using the same cookies to also track you, but that happens on the server side, so there is no real way to know that -- all this noise about privacy violations is pure speculation.

Re:Investigate Apple (1)

Richard_at_work (517087) | more than 2 years ago | (#39383159)

Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.

If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.

Re:Investigate Apple (1)

Anthony Mouse (1927662) | more than 2 years ago | (#39383275)

> Uhm, it is tracking because Google, by virtue of accessing that cookie, gets to know you visited that website - they get passed the unique cookie associated with your account and they also get the referrer ID of the website. Tracking.

You're collapsing "can" and "do" when they aren't the same thing. The cookie could be used to track you, if every time you visit a website they record it in a database somewhere, but has anyone provided any evidence that they were intentionally doing that?

> If they didn't explicitly want to track you, they could implement a completely cookieless implementation of their Plus 1 button which only associates you with your account when you actually click it. But they didn't, because they want the info regardless of whether you clicked or not.

Except that they would need to read your cookie to know if you're signed into Google+ to know whether to put the +1 there at all.

Re:Investigate Apple (1)

noh8rz3 (2593935) | more than 2 years ago | (#39381323)

hi Anthony, I am a Safari user. I explicitly chose to block 3rd party cookies. Google circumvented my explicit choice. Please send me my $16,000 per day that google owes me. (or is it $16,000 per cookie served per day?). thanks, noh8rz3.

Re:Investigate Apple (4, Insightful)

TheRaven64 (641858) | more than 2 years ago | (#39379621)

Apple released a browser that had a security hole. Google exploited the security hole. If OpenSSH ships with a vulnerability that allows someone to get root access on my server, should the OpenSSH team or the attacker be prosecuted?

Re:Investigate Apple (1)

Fahrvergnuugen (700293) | more than 2 years ago | (#39381885)

If you leave your front door unlocked and I let myself in, do you file a lawsuit against Kwikset or do you have me arrested?

Re:Investigate Apple (5, Insightful)

Americano (920576) | more than 2 years ago | (#39379907)

> Isn't Safari the one misrepresenting what the security settings do?

It's an unintended side effect of how Safari handles third-party cookies: Safari blocks third party cookies, but makes an exception for sites the user interacts with (i.e., if you click on an ad, it will allow that ad to install a cookie). So what Google is doing is basically loading a no-op form element in an iframe and automatically submitting it - this tricks Safari into behaving as if the USER submitted the form (thus interacting with the ad), allowing Google to set the cookie.

Safari WOULD block setting of the cookie without this workaround being coded & inserted into the ads being served up by DoubleClick... so it's not a case of Google being held to account for promises Safari makes, it's that Google is being held to account for intentionally exploiting a loophole in the software to abuse users. People keep trying to turn this into an "Google vs. Apple" issue, and the real issue (and where it's eroding trust in Google) is that it's a "Google vs. Users" issue. I can't trust Google to honor those settings in my browser, can I trust them to honor any other settings and preferences I set in my browser, or register with them?

There's no reason Google couldn't have instead put up a page saying "We notice you don't allow third party cookies... this will mean you can't +1 things, blah blah blah," and include instructions on changing the setting if the user wishes to enable +1's and other tracking, rather than simply disregarding the users' settings and exploiting the loophole.

Re:Investigate Apple (1)

DJRumpy (1345787) | more than 2 years ago | (#39380131)

Perfectly stated. +1

Re:Investigate Apple (0)

Anonymous Coward | more than 2 years ago | (#39381303)

> Isn't Safari the one misrepresenting what the security settings do?

The difference is intent. Apple didn't know that this particular bug existed. Google did knowingly and willfully exploit this to purposely mislead people.

I bet the gov (1)

future assassin (639396) | more than 2 years ago | (#39379097)

would change their mind if Google gave them access to that info. THEN it would be ok because the online safety of every citizen and restoring the consumable media market is paramount.

Re:I bet the gov (1)

oodaloop (1229816) | more than 2 years ago | (#39379175)

Yes, because the United States government is one unified whole, and the NSA and the FCC sit in the same office and have the same goals.

Safari Incident (1, Offtopic)

necro81 (917438) | more than 2 years ago | (#39379109)

Before the comprehension-side of my brain caught up, for a moment I thought we were talking about Google going out for a hunt on the savanna.

Pot, meet kettle! New York State hypocrisy (-1)

Anonymous Coward | more than 2 years ago | (#39379147)

Pot, meet kettle!

> A group of state attorneys general, including *New York*'s Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings,

http://yro.slashdot.org/story/12/03/16/1428243/new-york-state-passes-dna-requirement-for-almost-all-convicted-criminals

> 'Lawmakers in *New York* approved a bill that will make the state the first to require DNA samples from almost all convicted criminals. Most states, including New York, already collect DNA samples from felons, according to the National Conference of State Legislatures. What's remarkable about the New York bill is that it would expand the state's database to include DNA from people convicted of almost any crime, even misdemeanors as minor as jumping over a subway turnstile.'

Re:Pot, meet kettle! New York State hypocrisy (0)

Anonymous Coward | more than 2 years ago | (#39379533)

> Pot, meet kettle!
>
> > A group of state attorneys general, including *New York*'s Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings,
>
> http://yro.slashdot.org/story/12/03/16/1428243/new-york-state-passes-dna-requirement-for-almost-all-convicted-criminals
>
> > 'Lawmakers in *New York* approved a bill that will make the state the first to require DNA samples from almost all convicted criminals. Most states, including New York, already collect DNA samples from felons, according to the National Conference of State Legislatures. What's remarkable about the New York bill is that it would expand the state's database to include DNA from people convicted of almost any crime, even misdemeanors as minor as jumping over a subway turnstile.'

If google had only been doing this to convicted criminals you might have had a point. Hint: don't try to construct analogies when you are in an emotional tizzy.

Re:Pot, meet kettle! New York State hypocrisy (0)

jdgeorge (18767) | more than 2 years ago | (#39379601)

> What's remarkable about the New York bill is that it would expand the state's database to include DNA from people convicted of almost any crime, even misdemeanors as minor as jumping over a subway turnstile.'

Interesting. Of course, it would make sense to simply collect a DNA sample in circumstances where previously they would have collected fingerprints. Going beyond that is expansion of their tracking.

Keep in mind, it's not "the government" that's asking for this. It's the people who elect the government. Maybe not all of them, but most of them.

What Google did (5, Informative)

Animats (122034) | more than 2 years ago | (#39379263)

Google created an invisible form on a web page and then simulated a click on it to bypass Safari's privacy controls. That didn't happen by accident. That's hostile code.

Safari treated a "submit" action as permission for the site to plant a cookie. It's hard to stop that in the browser without breaking some legitimate forms. As a result of this, all web forms which want to trigger a cookie event may have to have explicit "submit" buttons.

Re:What Google did (0, Flamebait)

Anonymous Coward | more than 2 years ago | (#39379393)

You must be confused. Apple is an evil corporation that sells shitty locked down devices to sheeple who'll buy anything. Google on the other hand, runs many of the internet's greatest sites (for free I might add!) and a kick ass open mobile phone platform, the first truly successful mainstream Linux! Why would you believe Apple over Google. Fanboy much?

Re:What Google did (-1)

Anonymous Coward | more than 2 years ago | (#39379453)

Go fuck yourself.

Re:What Google did (1, Redundant)

TheGratefulNet (143330) | more than 2 years ago | (#39379469)

> Why would you believe Apple over Google. Fanboy much?

let me tell you a story about the pot that called the kettle 'black'.

Re:What Google did (0)

Anonymous Coward | more than 2 years ago | (#39379973)

Pearls before swing, sarcasm boy. Pearls before swine.

Re:What Google did (1)

wfolta (603698) | more than 2 years ago | (#39381235)

What a zealot. You may disagree with Apple's view of its customers, but at least it views us end users as its customers. Google has no such illusions: their customers are carriers, and secondarily manufacturers. You know, those same carriers and manufacturers who have been screwing us for years?

So yes, when it comes to serving its customers, I believe Apple (me as a customer) over Google (my carrier as a customer, and my information as its asset) any day of the week. And twice on weekends.

Re:What Google did (0)

Anonymous Coward | more than 2 years ago | (#39382011)

AC who posted this here. It was an obvious troll, and look, I already got 4 dweebs replying to it seriously. Too easy guys...

Re:What Google did (0)

Anonymous Coward | more than 2 years ago | (#39380649)

First, submitting a hidden form is not "simulating a click". This type of thing happens all the time. I do it often. It's the heart and soul of a lot of ajax stuff. Nothing hostile about that.

Second, if Safari wants to treat a form submission as implicit permission to do something, then that security model is horribly broken. They might as well just pass an "X-Please-Done-Exploit" header in the HTTP request and rely on the honor system.

Re:What Google did (0)

Anonymous Coward | more than 2 years ago | (#39380817)

Ignoring the fact that submitting an invisible form is not simulating a click, browsers can very easily tell if the action was user initiated or programmatic. That's how popup blockers work, and Safari could easily ignore all cookies that came from an http request that wasn't user initiated.
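
The browser-side decision debated in the comments above, sketched as an added example that is not part of the original thread and is not Safari's or WebKit's code. It compares the third-party cookie rule as commenters describe it with the stricter rule that also requires a user gesture; every function name, field name and sample request is a hypothetical, constructed for illustration.

```javascript
// Added illustration: toy model of the third-party cookie decision debated in
// this thread. Hypothetical names throughout; not Safari's or WebKit's code.

// Simplification (assumption): a "site" is the last two host labels.
// Real browsers consult the Public Suffix List instead.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function isThirdParty(req) {
  return site(req.topLevelHost) !== site(req.requestHost);
}

// Policy as commenters describe it: third-party cookies are blocked unless
// the response follows a form submission to that third party.
function describedPolicy(req) {
  return !isThirdParty(req) || req.trigger === 'form-submit';
}

// Variant proposed in the thread: additionally require that the submission
// came from a real user gesture, the signal popup blockers already use.
function gesturePolicy(req) {
  return !isThirdParty(req) ||
    (req.trigger === 'form-submit' && req.userGesture === true);
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: 'first-party page load', topLevelHost: 'news.example.com',
    requestHost: 'www.example.com', trigger: 'navigation', userGesture: true },
  { name: 'third-party embed, no interaction', topLevelHost: 'news.example.com',
    requestHost: 'widgets.example.net', trigger: 'subresource', userGesture: false },
  { name: 'user clicks submit in third-party frame', topLevelHost: 'news.example.com',
    requestHost: 'widgets.example.net', trigger: 'form-submit', userGesture: true },
  { name: 'script submits hidden form in third-party frame', topLevelHost: 'news.example.com',
    requestHost: 'widgets.example.net', trigger: 'form-submit', userGesture: false },
];

// Cookie verdict for each request under both policies.
function evaluate(samples) {
  return samples.map((r) => ({
    name: r.name,
    described: describedPolicy(r),
    gesture: gesturePolicy(r),
  }));
}

// Requests the described policy accepts but the gesture policy rejects.
function policyGap(samples) {
  return evaluate(samples)
    .filter((v) => v.described && !v.gesture)
    .map((v) => v.name);
}

console.log(evaluate(SAMPLES));
console.log('gap:', policyGap(SAMPLES));
```

The only request on which the two rules disagree is the scripted submission, which is the case the thread is arguing about.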

Re:What Google did (0)

Anonymous Coward | more than 2 years ago | (#39381271)

The really sad part of this is that there was no need to do so and Google are to blame themselves if their reputation gets worse every day due to arrogant stunts like this. I don't even use Safari but after this I'm going to stay away from all Google products.

What abt FB.. (0)

Anonymous Coward | more than 2 years ago | (#39379291)

Ever noticed that facebook history and cookies are stored irrespective of running Safari (5.1.3) in Private mode?

I consider that as a privacy breach .. what abt you guys?

Re:What abt FB.. (0)

Anonymous Coward | more than 2 years ago | (#39379765)

> Ever noticed that facebook history and cookies are stored irrespective of running Safari (5.1.3) in Private mode?
>
> I consider that as a privacy breach .. what abt you guys?

won't that be a bug with Safari?

Wouldn't want one (0)

Anonymous Coward | more than 2 years ago | (#39379487)

Not sure what a "privacy probe" is but it does not seem very pleasant.

Re:Wouldn't want one (0)

Anonymous Coward | more than 2 years ago | (#39379707)

Spoil sport. Live a little!

"Depending on how it's calculated", yeah. (0)

Anonymous Coward | more than 2 years ago | (#39379761)

So if it's counted in the only way that the "millions of people were affected" would be significant, that is one violation per user, then it would be 10s of trillions of dollars (depending on how many millions of people). -- one day would be sufficient to fix the US national debt, and two days would probably exceed the annual global GDP.

While I'm sure this makes certain Google-haters cream their panties, it's just silly talking about such numbers with a straight face.

Alert W3C posting exploit code! (3, Funny)

Lexx Greatrex (1160847) | more than 2 years ago | (#39380273)

I visited this rogue site that posts hostile code exploits and learned how to circumvent user privacy....

http://www.w3schools.com/jsref/met_form_submit.asp [w3schools.com]

Even worse, this malware generating site makes exploit code even easier...

http://api.jquery.com/submit/ [jquery.com]

And yes, I used the most evil and corrupt search engine ever invented (past and future) to locate these hacker havens

Re:Alert W3C posting exploit code! (1, Informative)

TheNinjaroach (878876) | more than 2 years ago | (#39380437)

Please don't confuse the World Wide Web Consortium [w3.org] with the shitty spam farm known as W3Schools.

Re:Alert W3C posting exploit code! (1)

Lexx Greatrex (1160847) | more than 2 years ago | (#39381667)

> Please don't confuse the World Wide Web Consortium [w3.org] with the shitty spam farm known as W3Schools.

There is no confusion. The satire benefits from the brevity of the w3schools and jquery links rather than the firehose of information at http://www.w3.org/Submission/web-forms2/#for-javascript [w3.org] , for example.

Re:Alert W3C posting exploit code! (0)

Anonymous Coward | more than 2 years ago | (#39381987)

Uh... at no point did he try to confuse w3.org with w3schools.com? What are you, illiterate?

I used that site all the time when I needed a quick JS reference, and I don't understand why you would call it a spam farm. It looks just like every other site, is nicely formatted, and no popups.

Re:Alert W3C posting exploit code! (0)

Anonymous Coward | more than 2 years ago | (#39382697)

It must be tough being a virgin in our sex crazed world today.

The security mechanism suck (1)

morbingoodkid (562128) | more than 2 years ago | (#39380291)

It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for bypassing the security mechanism instead of simply adding a lock.

Very nice.

There's a word for that, you know (0)

Anonymous Coward | more than 2 years ago | (#39381313)

> It's like making a door without a key and a lock. Instead we post instructions on the door telling you when you are allowed to open the door and when not. We then sue people for bypassing the security mechanism instead of simply adding a lock.
>
> Very nice.

Where I'm from, this is called "Trespassing," and is illegal.

Re:There's a word for that, you know (1)

bmacs27 (1314285) | more than 2 years ago | (#39382211)

Where you're from is there a traditional method for dealing with trespassers?
