Google faces a $22.5m fine (£14.5m) for breaching the privacy of iPhone and iPad users after bypassing cookie rejection settings on the devices, according to reports.
If confirmed, the fine would be the largest ever imposed by the US Federal Trade Commission (FTC) against a single company – and would be the second time this year that the search giant has fallen foul of regulators in the US.
The Wall Street Journal reports that the FTC and Google are close to agreeing a settlement over the privacy breach, in which Google circumvented Apple’s protections on the iPhone and iPad against the setting of third-party “cookies” – small text files stored on the user’s device – for tracking where users went on the web.
While the users had to press a link to ask for Google cookies to be set, the circumvention meant that cookies from Google’s DoubleClick ad network were also set on the their device – so that they would be tracked without their explicit consent. Apple’s browser settings would otherwise reject cookies from third-party sites such as DoubleClick.
The discovery of the circumvention, by Jonathan Mayer of Stanford University, was first revealed in February. Millions of users of Apple’s iOS software on iPhones and iPads could have been affected, said Mayer. Google declined a request from the Guardian to specify when it began the tracking.
Google’s likely payout comes amid increasing focus on both sides of the Atlantic on what some see as monopolistic and aggressive behaviour. Although it the penalty would be a tiny part of Google’s $40bn annual revenues and $10bn annual profits, it comes as the FTC is also investigating Google over whether it favours its own properties, such as YouTube and its Shopping service, over rivals.
However, Google may have escaped further prosecution for breaching an FTC consent decree over privacy that it signed in March 2011 because although the breach seems to have started in or before December 2011, the documentation in which Google explained what it would do dates back to 2009, before the decree, which covered privacy breaches caused by the Google Buzz social network, since closed.
Whether or not the FCC fines Google over the cookie infraction, it will also publish a report which would detail how it reached the decision, probably with documentation from Google about how many people were affected and for how long.
The revelation of the unauthorised cookies led to widespread condemnation of Google’s moves in February by groups including the Electronic Privacy Information Center in the US. Cory Doctorow, a columnist for the Guardian, said at the time that he thought pressure being put on staff inside Google to integrated “social” elements into its products was being done “at the expense of the quality of its other services”.
Google insisted at the time that the ad tracking was inadvertent and that the workaround to plant the Google cookie was feasible within Apple’s system. It said then: “The Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser [by other advertising companies using the DoubleClick network]. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.”
Asked whether a fine was imminent, Google responded: “We cannot comment on any specifics. However we do set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help centre page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Apple said at the time that “We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it.”
In April the FTC fined Google $25,000 for impeding its investigation into whether the company broke the law in grabbing data from open Wi-Fi networks while collecting its Street View data. The FTC’s report, published at the same time as the fine was levied, revealed that managers and staff had been told that the Street View system would also collect data from open Wi-Fi networks as it passed.
Meanwhile the European Commission is considering a set of proposals from Google over concerns that it is using its monopoly in search – which is far greater in Europe than the US – to edge out rivals in “vertical” search for shopping. Google submitted its suggestions for ameliorating the EC’s concerns earlier this month, and the EC is expected to publish them for rivals to comment on if it finds them initially acceptable.
The FTC declined to comment ahead of the expected ruling.