Did Google intentionally track you?

By Chester Wisniewski, Special to CNN
updated 1:15 PM EST, Tue February 21, 2012
Google says giving online advertisers the ability to track users was an accident.
STORY HIGHLIGHTS
  • Google and other companies bypassed privacy protections to track users
  • Chester Wisniewski: Google's actions reflect what is becoming the norm on the Internet
  • He says Google is emulating Facebook's frictionless sharing, which is scary
  • Wisniewski: We can look to the Digital Millennium Copyright Act for a smart law on privacy

Editor's note: Chester Wisniewski is a senior security adviser at Sophos Inc., Canada. He researches computer security and privacy issues and is a regular contributor to the Naked Security blog.

(CNN) -- A few days ago, controversy erupted when news broke that Google and other online advertising companies bypassed privacy protections in order to track users of Apple's Safari web browser and iOS mobile devices.

This is not the first time, nor likely the last time, that Google finds itself in hot water for questionable behavior. At a time when many companies (notably Facebook) try to come up with ingenious ways to hoard personal data about consumers for lucrative ends -- undermining users' privacy along the way -- Google's actions reflect what is becoming the norm in this hypercompetitive space.

Many compare tailored Internet advertising to the old small-town butcher, grocer and tailor. As relationships with these merchants developed over time, they learned about your preferences and were able to provide you with a higher level of service.

But this is a broken analogy, for several reasons.

I grew up in a small town, and guess what -- you have no privacy in a small town. It wasn't until I moved to a large city that I developed an appreciation for not being judged, spied upon and tracked by my community. When I moved to the city, I had a clean slate and something akin to true anonymity.

Similarly, the companies tracking your every move on the Web don't stop tracking when you visit a new website, or even when you change Internet providers, computers or browsers.

In the nondigital world, this would be like having the butcher, grocer and tailor follow you to your workplace, your home and your family vacation destination. They bring along their children and some of their friends -- not saying who, just people they know.

This might result in the perfect cut of meat for your mood, a recommendation for spring vegetables that just came in, and some really awesome workout clothes for your new Pilates classes -- but I don't think any of us would really find this an acceptable tradeoff.

Google stopped using the offending technique after it was reported, although Microsoft is now reporting that Google is using a similar technique to bypass protections in Internet Explorer 9. Google said it had circumvented the protections against third-party cookies in Safari to allow Google+ users to click "+1" (instantly share) when they like an advertisement. That this technique allowed advertising tracking cookies to be placed as a result was just an accident.

Google further defends itself by saying the trackers were not collecting personal information. They were simply checking whether you were logged in to Google and what your preferences were with regard to its advertising.

The problem is that, as a result of this circumvention, Google's ad networks were also able to start tracking users -- an unintentional side effect, according to Google.

Therein lies the problem. Google and other advertising networks chose to circumvent built-in privacy technologies that were designed to prevent the very thing they were trying to do. Google's own engineers recognized this as a security flaw in the browser code last summer and submitted a fix to the WebKit project.

It is hard to understand how this mistake could have happened, considering the intense scrutiny Google's privacy policy has received in recent weeks. Clearly the testing of this code was either cursory or nonexistent.

I choose to use Gmail, but that doesn't mean I expect Google to undo other privacy choices I've made in order to make social sharing more convenient. Google is heading in a direction that sounds a lot like Facebook's frictionless sharing, which automatically shares your activities on the Web through social apps -- and that's scary.

The bottom line is that defining privacy using technical specifications will always lead to clever circumventions. Isn't it time to take a page from the laws meant to restrict our digital freedoms and use that broad language to instead write laws that defend our privacy?

In the United States, the Digital Millennium Copyright Act restricts our ability to break digital locks like copy protection and encryption. It is illegal to bypass a "technological measure that effectively controls access to a work."

Basically, this means if the author of a protected work intended to protect it, you must have a darn good reason to break that protection.

Shouldn't this be the way privacy works? If I take an action that indicates my intention to avoid being tracked, shouldn't you be required to honor it, even if you suppose it will diminish my "experience" with your products?

Jonathan Mayer, the researcher who described how these cookies exploited the Safari bug, concluded his disclosure by calling privacy protections a "cat and mouse game" or "arms race" with advertising companies.

Average Americans shouldn't have to stay one step ahead of advertisers by understanding the complexities of how cookies work and the intimate details of how they are used.

Perhaps we should take a piece of advice from Howard Beale from the movie "Network":

"I want you to get up right now, sit up, go to your windows, open them and stick your head out and yell -- 'I'm as mad as hell and I'm not going to take this any more!' Things have got to change. But first, you've gotta get mad!"

Privacy isn't dead, it's just being pulled out from under our feet.

The opinions expressed in this commentary are solely those of Chester Wisniewski.
