Public Shaming as Regulation: Google’s Safari Bypass and the FTC
Google is on the verge of being fined $22.5 million by the the U.S. Federal Trade Commission for telling users of the Safari browser that it did not track them while at the same time bypassing a Safari setting to install cookies.
What’s interesting is that the fine hasn’t even been levied yet, but the process has played out very much in public.
Literally every step of the process has been leaked. In March, The Wall Street Journal — which first brought the issue to light — reported that regulators were looking into the matter. In April, the San Jose Mercury News reported that Google was likely to be fined by the FTC. Then, in July, it came out that a settlement of $22.5 million was near. Yesterday, Reuters said members of the FTC had voted to approve the settlement, and it would come out in days.
While neither the FTC or Google is admitting to any leaks, Google seems to have gotten so fed up with the coverage that it has made the rather unusual move of commenting specifically on the ongoing case.
The company now tells any reporter who asks, “The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
Translation: The only issue they are pinning on us is that a help page was out of date. Please stop using scary words like “bypass” and “tracking.”
The FTC, meanwhile, says it does not comment on ongoing cases.
The “consent decree” Google is talking about is the agreement it made with the FTC over Google Buzz in 2011, in which it promised not to mislead users on privacy for 20 years, or else face consequences. So the FTC is upset that this outdated help page said one thing, while Google was doing something else (the specifics have to do with Google figuring out a trick to put little personalized “+1” buttons on ads).
The context for this is that Google faces all sorts of international regulatory scrutiny over various privacy incidents, some of them “inadvertent,” and some of them more complicated.
But as the Safari case moves behind (partially) closed doors to the court of public opinion, some stakes are very high and others are very low. While $22.5 million is small change in Google bucks, it would be the largest fine the FTC has exacted on a single company.
Plus, it doesn’t appear that Google will have to admit any wrongdoing. That might seem strange, but it’s actually standard practice. The Buzz agreement was the same way. The FTC has made a practice of securing no-fault settlements, something that has recently been contested in court for not being strong enough to defend consumers.
Given that Google won’t have to admit fault or pay a significant fine, the consistent press coverage of the company’s privacy slip-ups is probably the worst repercussion of the whole incident.
These privacy incursions are bound to keep happening, considering just how much data companies like Google have about all of us, and how complex their organizations have become.
So is this what the future of tech regulation looks like? Company gets in trouble, agrees to be audited but doesn’t admit fault, and then for years, regulators extract ticky-tacky fines over “inadvertent” errors? And then the cycle repeats itself.