99 comments

[ 3.5 ms ] story [ 118 ms ] thread
Hopefully the latest regulatory fad in Europe will shift focus away from promoting diesel cars and gmo free crops
Why is it that most of your comments are talking shit about EU? I'd understand if you were living in the EU and frustrated with your life, but given that you're not don't you have anything more interesting to think about? Regardless of how much merit there is to your statements, it's a bit strange that's the one thing you talk about.
I'm interested in it so I click on mostly GDPR articles, I think about other things but those are outside of the hacker news article scope for the time being
What does "bypassed privacy settings of Apple’s Safari browser" mean? Ignoring the DNT header? Setting third party cookies? Something about ITP?

This article has practically no details about the actual accusation.

It seems it's related to the same issue the FTC went after Google for: https://www.ftc.gov/news-events/press-releases/2012/08/googl...
Yeah, the facts seem identical.

I'm actually a little surprised it wouldn't be over the statute of limitations, but i also don't know all the filing details here.

For what it's worth, their FAQ says

« If this happened in 2011, why is the claim only being brought now?

In 2015, three individuals brought a claim against Google claiming their privacy rights had been breached by Google using the Safari Workaround. That case, Vidal Hall v Google, settled on confidential terms, but the Court found that the claim raised serious issues which merited a full trial. That case opened the door to holding Google to account by bringing an action on behalf of the millions of iPhone users affected by Google’s actions and claim the compensation they may be owed. »

The current case seems to have been filed in November 2017.

> Specifically, Google used a bit of JavaScript code – the workaround – to bypass Safari’s default blocking of third-party cookies (set by domains other than those being visited) in order to allow sites within its DoubleClick ad network to track users.

https://nakedsecurity.sophos.com/2017/11/30/google-sued-over...

While I don't condone bypassing a users intent, I'm struggling to see the damage claim here. So some Safari users got more targeted ads than they would otherwise have seen. Does that merit financial compensation?
> So some Safari users got more targeted ads than they would otherwise have seen. Does that merit financial compensation?

Given that the way it occurs is by allowing Google to more accurately profile the users, I'd say yes.

It's more about being tracked and profiled through third party cookies than just seeing targeted ads. In my view, it merits compensation for the users and stiff penalties and punishments for the perpetrator (Google, in this case).
On the other hand, does violating human rights (such as the right to privacy) deserve punitive litigation ? Yes, certainly.
> So some Safari users got more targeted ads than they would otherwise have seen.

So, some users had their browsing habits illegally harvested, stored, analyzed, and sold to an unknown number of parties for an unknown number of purposes, many of them adverserial in nature to the well-being of the individual. So what?

It will be interesting to see how many of the items on that list the plaintiffs can prove in a court of law, as such proof would be necessary to claim of damages... Well, in US law at least, as I understand it. I'm a lot less familiar with the UK.

But even under a civil-court "preponderance of evidence" standard, wouldn't you have to prove some material harm to be eligible for damages (not just the potential of the data perhaps maybe being misused possibly)?

prove it. and when i say prove it - you actually need to show damage and harm done, that's what the law requires. If you can't prove a single occurrence of the "adverserial in nature to the well-being of the individual", then there is no real grounds to sue on. legally speaking.
Buying things that are not needed harms the persons economy. And gambling practically always a bad deal. Taking medicine that is not needed can be bad for the individual.
Before you get a response about personal responsibility and all that, everyone should have the psychological side of marketing and advertising firmly in mind. People are not in complete control of their responses to advertisements.
... but from a legal standpoint, personal responsibility is basically a cornerstone. We throw out a lot of legal fundamentals if we re-frame the decision to purchase a product voluntarily as "the ads mind-controlled you."

There might be some precedent in the space (cigarette ad campaigns were severely curtailed during the "Big Tobacco" crackdown in the US), but ads in general? Good luck.

I've always thought this needs to be much more prevalent in any conversation about how ads should be used.

I assume ads targeted towards children would be a good case study.

First of all, screw this attitude of "prove it in court". If you or your company is so sociopathic that you can't see the wrong here, well, just screw.

Second the problem statement I made above itself shows harm.

The fact that consumers have to worry about who got their private information, what was done with it, what harms happened that they aren't aware of, such as not getting a job, housing discrimination, loan discrimination, etc. is itself a harm.

That these things happen, in general, is eminently provable and that fact causes worry, anxiety, and changes in behavior which is itself a harm.

Compensation?

Probably not. But how about a fine? Something in the 5 - 10 Billion € range?

That may help to cool a few hot heads who think pulling off shit like that is a good idea.

> Does that merit financial compensation?

to me, this seems like the wrong question.

in a broad sense, it makes more sense to ask how harsh the penalty should be. generally, for actions like this, the penalty is expressed as a monetary forfeiture.

whatever the penalty is, the relinquished funds have to go somewhere, and those who can demonstrate being harmed seems like a sensible destination.

"Does that merit financial compensation?"

It merits Google being punished. And really, the only way to punish a large company is by fining them.

> Specifically, Google used a bit of JavaScript code – the workaround – to bypass Safari’s default blocking of third-party cookies

IMHO this clearly breaks their "Don't be evil" principle.

Google: "Being evil is now officially an option."
"Don't be evil" is discriminatory against evil persons. As long as you don't break the law, being evil is not illegal.

They have a right as anyone else not to be discriminated against or presented in a bad light.

I applaud the courage of Google to increase diversity by appealing to and allowing evil persons in it's midst.

I applaud these steps, and I hope they include concrete plans for addressing the good-evil hiring gap in their next diversity report. Perhaps a community outreach program to get middle schoolers more interested in becoming evildoers?

Not enough companies are addressing this issue!

The new principle is "Don't get caught".
Playing the devil’s advocate here: Depending on whether you think that 3rd party tracking cookies are a feature that should be opt-out or a bug that should be opt-in, it‘s just as plausible to classify this move as a fair defense against Apple, who unilaterally decided to both not allow any other browser on „their“ ecosystem (in case you don‘t know, iOS Chrome is basically just another skin on a decelerated version of Safari because that‘s all they allow) – and then generally blocking all third-party cookies in order to sabotage their competitors.

Apple‘s behaviour here is clearly the protectionism of an ecosystem monopolist that’s just as misguided, thinly disguised as privacy feature.

Some prior art was when Microsoft made the Do-Not-Track header opt-out instead of opt-in in order to get a consumer edge. The ad industry as a whole decided to ignore the flag just for IE, but there wasn‘t ever a legal case on that disregard of intended behavior IIRC.

I‘m not sure though who‘s more evil here and if this kind of circumvention was fair game or went too far.

It's been a long time since this incident occurred, but from what I remember, Safari had/has a (non-default?) setting that blocked third party cookies, but allowed them upon user interaction. At some point Google added +1 buttons to their ads, and some aspect of how they implemented that tricked Safari into thinking the user interacted with the ad even when they didn't and allowed cookies to be sent. After this was pointed out Google updated the +1 buttons to no longer trigger this behavior in Safari. (Correct me if I'm wrong; this all happened years ago so I may be misremembering.)
> After this was pointed out Google updated the +1 buttons

Has Google ever claimed that the code had an innocent purpose and the privacy-bypass was purely accidental in nature? The descriptions of the code imply that not breaking Safari's privacy features required much less and much simpler code than what was in place.

If they didn't, then it wasn't so much as having it "pointed out" as "found out".

The context at the time (as best I recall) was this came on the heals of the wifi-snooping street view cars that cracked weak wifi encryption and recorded traffic, so maybe people weren't in the mood to listen to any defense.

This is one of those things that make me very pessimistic about the future of our civilisation.

Instead of empowering common folk and accelerating our potential as a species what is happening is our thoughts, interests, fears, relationships and most intimate secrets gradually become a commodity in the hands of a few powerful companies.

The trend is clear and I am really fearful for my children's future.

It's really depressing to watch the world change into something many of mankind's greatest thinkers feared the most.

It is extremely depressing seeing the likes of Google, Facebook, Microsoft etc have already headed down this direction.

Over my 20 or so years in IT, it's devolved into scummy rent-seeking and a consumer hostile VC hot mess.

That's one of the reasons my children don't exist.
Yeah, but whose fault is it? Big companies offering these abusive services or the common folk's who agree to use these services without giving a fuck about their personal information?
Most people think they are in control and don't realize how much personal information they're giving away. They know facebook has their posts but they don't realize facebook knows every site they visit that has a like button. The fact that this is even possible is because your browser developer doesn't care about your privacy.

Then there is the issue that they don't realize what companies can do with their data. They thinks it's all relatively innocent and don't realize it can be used for things like price discrimination.

So users might be partly responsible, but big tech is still doing a lot of un-consented to tracking.

That's not a new question:

* whose fault is it? Tobacco manufacturers' for making products which cause cancer, or the common folk's for agreeing to smoke cigarettes without "giving a fuck" about their health?

* whose fault is it? Pharma companies' for making drugs with terrible side-effects, or the common folk's for taking those drugs without "giving a fuck" about their health?

There are many examples, but in all of them the government stepped in and stopped the abuse of the big companies, just like it must do for Google, Facebook & co which take advantage of the common folk's inability to understand the very complex mechanisms those companies designed to deceive them.

Pretty simple.

I like the analogy here. I'd love to see this handled in exactly the same way that governments handle smoking, with huge tax penalties and government health warnings all over apps that abuse your data.
Pharma companies don't intentionally make medicine which cause side effects. It just happens to be hard to design medicines that don't given the complexity of biological systems. I don't see how this claim is relevant to whatever point you're making.
The companies fault, definitely.

It is unrealistic to assume that the average person is going to know everything they need to to protect themselves against such a company, especially when they have billions in revenue and armies of lawyers to weasel their way through the spirit of the law.

Protecting the consumer comes in the form of regulation and precautionary principle. Regulate the ever-loving shit out of companies like Google in my opinion.

Publicly traded companies may have a responisibility to their shareholders, but they also have a responsibility to society, which I consider much more important.

There has not been a bigger sellout in history than the tech community. What makes it insufferable is the posturing and hypocrisy.

Companies like Google and facebook continue to be glorified inspite of their creepy obsession with stalking everyone 24/7 and legitimizing surveillance.

If privacy laws worked it would not come to this. Without regulations depending on goodwill and ethics in the face of greed has never worked. It just leads to a self serving clique who will handwave and legitimize anything for profit.

Antinatalism, embrace it -- don't be a loser.
And no engineer at Google said “hey, should we be hacking our way around the user’s privacy settings?”, or blew the whistle?
Certainly no one who had any power to stop it blew the whistle.

"Move fast and break things", including user privacy settings

I wonder how many engineers are trained, even a bit, in ethics...
At least in Canada, to be labeled as a professional engineer, even if it's a computer engineer, there are mandatory codes of ethics you have to follow. I had an ethics class during my time at college for their computer engineering technologist, and you definitely do get taught these things. In Ontario, we have a group called OACETT, if you want to label yourself as a certified engineer, you have to be a part of this organization and vow to follow certain codes of ethics. The only problem is, software developers don't count, and many people who are hired to write code, myself included, are never required to have this certification. I wish we were treated more like electrical engineers, structural engineers, etc, but for some reason code still isn't considered to be a safety risk to humans like a bridge or wiring in a house is.
You'd think somewhere around the point people started controlling nuclear reactors with software that software development should've fallen into this category. Which is long before now, where we control everybody's cars with software.
What does ethics training even look like?

I have a set of ethics, probably mostly derived from my upbringing and environment.

Would a module and a few lectures at college change my ethics? I don't see how it could...

An ethics program consists, at the very least, of:

1) a shared understanding of what is definitely acceptable and what is definitely unacceptable (e.g. accepting a $1000 dinner from a vendor in a location with plenty of $100 or $50 dinner arrangements is unacceptable in many industries). Courses and training will at least define the lines for the industry in question. In finance, for example, ethics training includes issues like soft-dollar arrangements.

2) a set of procedures for inquiring about and responding to ethical quandaries. Many companies in the post Sarbanes-Oxley era have a chief ethics officer and a clear reporting chain specifically to define and standardize company ethics and to ensure that lower-level employees can make informed decisions.

I studied (non-software) engineering in Australia which had a mandatory ethics course.

The lectures focused around:

- Regulatory compliance (codes of practice, state laws etc) - Legal responsibilities (I.e liability, disclosure, whistleblowing etc)

We were given different case studies to research each week and we spent time in class Tutorial groups discussing the case studies the next week: I.e. What ethical issues were involved and what an engineer's responsibilities could entail in each case. The Tutor mostly asked leading questions and class argued about possible responses.

Some particular cases I remember we discussed were: Genetic Modification, Challenger Space Shuttle Explosion, CFC's, Asbestos and Kansas City Walkway Collapse.

Considering ethics as a field of study has been a thing since at least Ancient Greece I would say yes, it probably would have some effect on you.
there are two levels of ethics: personal ethics (what do you personally find acceptable) and professional ethics (what does the industry find unacceptable). The former varies wildly from individual to individual. The problem is that the industry has no standard professional ethics, hence no IT workers would have been trained in ethics. Other engineering fields have actual ethics training and some of them integrate that into licensure.
(comment deleted)
It only takes one or two unethical engineers to implement it, even if most of engineers don't want to.
On a broader scale, the NSA had William Binney implement a way of vacumming up data, but the system include Constitutional protections and required a warrant to access.

Once it was implemented, the NSA took him off the project and put other people on to remove the controls.

It only takes one or two bad apples to spoil the whole barrel.
Perhaps open source licenses should prohibit their use for adware, spyware and surveillance.

Apart from a plethora of open source projects to build its websites Google is using Android to hoover user data and open source should not be used to support a surveillance state.

This is a can of worms and probably not enforceable but it's worth it just for taking a stand.

I think the fact that Google is now officially removing the Don't Be Evil principle from its code of conduct is a hint to all of those principled people that are still working there that "hey, we don't want you, so why don't you get lost?"

Silently removing the Don't Be Evil principle may have been subtle, but I'm sure it was a loud and clear message to everyone at Google, especially as it happened right after many protested the company's work on autonomous killer robots (okay, okay, the "killer" part will be added later, so that Google can plausibly claim utter ignorance).

Those who protested Google's work with the Pentagon specifically mentioned the Don't Be Evil mantra. And now Google is getting rid of it. I think that clears everything up about the type of company Google is turning into.

Given the nature of the breakage (tripping over a non-w3c standard heuristic in one browser with no obvious and visible error resulting), I'd assume no engineer knew the code could trigger problematic behavior for some users until I see evidence of intent to the contrary.
I dunno, a JS workaround for clients with third party cookies turned off seems kinda deliberate...
(comment deleted)
Unless the workaround was done to enable Google+ functionality (responding directly to user intent to allow a +1 button click to work instead of failing with some kind of "LOL, your third-party cookies are disabled" error) and the breaking of the third-party disable heuristic as it related to general ad tracking was just an unintended side-effect.
Nobody asked for a +1 button, and I'm pretty sure you don't need 3rd party cookies to make it work anyway.

Also pretty sure a company whose bread and butter is pervasive tracking doesn't break a user opt-out method by accident.

Another reason to scrap class-action lawsuits - other than they clog up the courts with mostly frivolous claims seeking payoff and that lawyers get the bulk of the winfall while dividing the scraps among their clients - it would also do away with plaintiffs' lawyers overselling their cases and supplying newspapers with a steady stream of clickbait.
Genuinely curious: what recourse exists for folks who aren't google-sized with google-sized legal teams to push back against bad-faith/illegal actions like this particular one. It seems clear that they acted against their users interests, even if the legality has yet to be determined. Google's de-facto monopoly on web advertising means that there's no other good option, though (and it's not as easy to avoid 'all ads served by google' the way it is to, say, stop buying Nike shoes because you don't like their business practices).
The relevant regulator not the courts. Also in this case there was no harm done and certainly the plaintiffs can't prove any.

Google acknowledged the bug that was fixed back in early 2012!! this lawsuit is a money grab, most of them are.

you didn't really answer my question, and it also seems like the claim that there was no harm done is a bit specious, enough users to form a class certainly seem to feel harmed.
Feeling harmed and actually being harmed are different things.

There is also something to be said about the general societal ill of feeling entitled to compensation for the slightest of perceived harms.

(1) If the 'you are the product' maxim is true, then this behaviour of GOOG is equivalent to breaking, entering and stealing the product.

(2) This is not an imaginary slight, a corporation wrote a piece of code with a clear intent to bypass a security setting on a user's device. Would the roles be reversed, charges would be brought against human without the need to prove harm or harmful intent -- DCMA is broad enough for that. Why should GOOG be less burdened by its unethical behaviour?

Still haven't answered my question about how individuals can pursue legal recourse against a large company without allowing class actions to exist.
(comment deleted)
> Feeling harmed and actually being harmed are different things.

this seems almost non-sequitur. either way, it is the court's purpose to ascertain harm and any consequent penalties (if any).

Exactly this: If one group feels harmed and another group asserts that there was no harm then the courts exist to solve this exact problem.
"The relevant regulator not the courts"

Here in the US, that's a non-starter.

I feel like the UK parliament is creating ane enforcing archaic privacy rules because they realized they can not compete on the technology front with US companies. Their plan is literally to sue US companies in order to gain a small footing/edge. I think what they are going to get is increasingly blocked. China is looking way more open an profitable to do business in comparitively.
This is that same tired, old accusation of protectionism in the UK and EU, and it's totally baseless.

US tech giants are behaving unethically and in some cases illegally. As soon as the countries in which they do business decide enough is enough, people (Americans I assume) cry out about protectionism.

How about just follow the fucking law in the countries in which you do business?

And here I was, on HN last week, getting downvoted to oblivion for mentioning that each Google embedded service is a cog in a much more nefarious machine.

It's getting like reddit around here, where the most controversial comments about SV misdoings are usually the most objective.

Google doesn't need a cookie to track you. The real culprit is the multitude of sites relying on javascript hosted by Google to do mundane things.
> Google was fined $22.5m for the practice by the US Federal Trade Commission in 2012 and forced to pay $17m to 37 US states.

So it's the consumers who were violated. But were they compensated?

It's the state who wants to claim that the consumers were violated, because they stand to gain control, which in turn leads to sweeter lobby perks.

This is what the libertarians in your life are complaining about.

One could make the argument that the State receiving the income from these fines would go back to fund public services, benefiting consumers.

Additionally, the state pursuing issues like this helps 'keeps the bastards honest' and prevents more consumers from being violated in the future. It's like how a murderer going to jail doesn't result in the victims from being compensated.

> It's like how a murderer going to jail doesn't result in the victims from being compensated.

Often there is a separate case for compensating the successors to the victims.

Everyone gets so outraged about this, and yet one glance on Stackoverflow shows it was a common concern at the time: https://stackoverflow.com/search?q=Set+3rd+party+cookies+saf...

Not arguing that Google was right to do this, but some of the “pessimistic about our civilisation” arguments on this page seem slightly overblown IMHO.

(comment deleted)