Security & Privacy + Security News

Safari Users Line Up to Sue Google for Tracking Web Browsing

Posted on March 30th, 2015 by

Google and Safari
In 2012, Google was found to be doing something very naughty to users of Apple's Safari browser.

It was discovered that the search giant was bypassing Safari's privacy settings, apparently "tricking" the browser into allowing users to have their online browsing habits tracked through third-party advertising cookies.

Here is how the Wall Street Journal described what Google did two years ago:

Google added a feature to put the +1 button in ads placed across the Web using Google's DoubleClick ad technology. The idea: If people like the ad, they could click "+1" and post their approval to their Google social-networking profile.
 
But Google faced a problem: Safari blocks most tracking by default. So Google couldn't use the most common technique—installation of a small file known as a "cookie"—to check if Safari users were logged in to Google.
 
To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.

In short, you thought Safari was doing a pretty good job of preventing you from being tracked online, but, in fact—without your knowledge—Google was trampling over your privacy settings.

Safari privacy preferences

Perhaps predictably, a lot of folks weren't very happy about the so-called "Cookiegate" scandal and some turned to the courts for compensation.

In the last few days, Google has lost an appeal in the UK High Court where it was trying to stop Brits from suing the Internet giant over the alleged privacy breach. Google had been arguing that the UK courts had "no jurisdiction" to hear the case, and that no financial harm had been incurred by users, but the courts have now said that the case can proceed.

In its judgment, the Court of Appeal declared that the privacy invasion was serious and that extremely personal information about users' browsing habits were snooped upon:

"These claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature... about and associated with the claimants' internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused."

It appears that the Safari Users Against Google's Secret Tracking group's victory in the courts is bad news for Google, and might mean that some extra cash is going to come the way of British Safari users (and before you think that Safari isn't that popular, remember that it is the dominant browser on iPhones and iPads).

Certainly, an example has been set in North America, where Google has paid out $40 million over this incident, after being fined by the FTC and regulators from 38 different states.

In a Facebook post, the Safari Users Against Google's Secret Tracking group announced to followers that it would soon be launching its website, bringing together Safari users who wish to take on the Internet Goliath.

Facebook group

Some commentators believe that an important precedent may have been set by the UK High Court's ruling which could impact more action in future from UK customers against North American technology firms. I wonder if we might also see the citizens of other countries concerned that their privacy choices have been ignored, taking action against Internet giants like Google.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • tddial

    A bit of background would be useful and maybe interesting to USians unfamiliar with UK law. The questions that occur to me immediately are:
    1. Is there a statute that covered the behavior and if so, why does this seem to concern a civil lawsuit rather than a criminal charge:
    2. Assuming a civil lawsuit is the appropriate vehicle, is there in UK law something similar to class action lawsuits in the US that allow consolidating the complaints of those who were affected into a single lawsuit?