Google Tracked Users Online by Circumventing Apple Safari Browser's Blocking of Third Party Cookies
2/17. Jonathan Mayer, a graduate student at Stanford University, published a
paper on February 17, 2012, that
explains how Google and three other companies used surreptitious code to circumvent the block
third party cookies feature of Apple's web browser, Safari, thereby enabling these companies
to track the web browsing of users of Apple iPhones and iPads, without their permission or
knowledge, and contrary to Apple's and users' efforts to protect their privacy.
Google owns DoubleClick, whose cookies are
placed on users' browsers when visiting Google AdSense partner web sites.
The Wall Street Journal (WSJ) also published a story on February 17 that offers a short
vernacular version of the disclosures contained in Mayer's paper. It is titled "Google's
iPhone Tracking: Web Giant, Others Bypassed Apple Browser Settings for Guarding Privacy",
and is authored by Julia Angwin and Jennifer DeVries.
The WSJ story states that "Google Inc. and other advertising companies have
been bypassing the privacy settings of millions of people using Apple Inc.'s Web
browser on their iPhones and computers -- tracking the Web-browsing habits of
people who intended for that kind of monitoring to be blocked."
It adds that "The companies used special computer code that tricks Apple's
Safari Web-browsing software into letting them monitor many users".
Mayer concluded that "When Apple's developers implemented Safari’s cookie
blocking feature, they were balancing several conflicting design priorities. But
one decision was clear: it should prevent advertising companies from tracking
the user. ... Four advertising companies circumvented Apple's protection."
The Center for Democracy and Technology's
(CDT) Justin Brookman stated in a
release on February 17 that "technological
workarounds to evade browser privacy settings are unacceptable ... We are
severely disappointed that Google and others choose to place tracking cookies on
Safari browsers using invisible form submission."
Sen. John Rockefeller (D-WV), the
Chairman of the Senate Commerce Committee
(SCC), promptly issued a release in which he stated that he would look into this
matter. See, related story in this issue titled "Sen. Rockefeller to Look Into Google's
Safari Circumvention".
Rep. Ed Markey (D-MA),
Rep. Joe Barton (R-MA), and
Rep. Cliff
Stearns (R-FL) promptly sent a
letter [PDF] to the FTC urging it to investigate. See, related story in this
issue titled "Representatives Urge FTC to Investigate Google's Safari Hack".
Four Companies. Mayer's paper identified three companies other than
Google (owner of DoubleClick) that are tracking users in a similar manner:
Vibrant Media, Media Innovation Group and PointRoll. All four companies are involved in
online advertising.
These companies do not disclose in their web sites that they have circumvented Safari's
third party cookie blocking in order to track users across web sites, and develop profiles
to use for the purpose of delivering targeted advertising. However, their cryptic descriptions
of their methods are not inconsistent with this.
Vibrant Media states in its web site that it
provides "marketers the opportunity to deliver highly targeted advertisements".
Media Innovation Group calls itself
a digital "delta force" that provides "data-driven marketing", with
"tweezer-like precision in targeting, timing, and placement".
It states the "soul of the enterprise is an enormously powerful data management system
that understands how your brand users are responding to a myriad of digital experiences".
It boasts that its "One-of-a-kind data engines anonymously collect every
click, filter out the noise, and produce what amounts to an MRI scan of an
advertiser's entire marketplace as it is right now".
PointRoll touts advertising campaigns directed at
iPhone and iPad users. It adds that "mobile executions must provide in-depth engagement
metrics and analytics that allow marketers to track consumer actions".
Google's Circumvention Method. Mayer wrote that "Apple's Safari web browser is
configured to block third-party cookies by default". However, four companies are employing
a procedure that enables them to circumvent Safari's blocking of third party cookies.
He stated that the four ad companies "surreptitiously submit a form in an
invisible iframe and place trackable cookies in Safari".
He wrote that "If an HTTP request to a third-party domain is caused by the
submission of an HTML form, Safari allows the response to write cookies. This
component of the policy was removed from WebKit, the open source browser behind
Safari, seven months ago by Google engineers. Their rationale is not public; the
bug is marked as a security problem. The change has not yet landed in Safari."
By using this procedure, Mayer wrote, "all doubleclick.net content is now
immunized from Safari's cookie blocking policy".
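An added example, not code from Mayer's paper or from WebKit: a constructed model of the cookie policy described above, replayed over a made-up request trace to show which third-party cookie writes get through with and without the form-submission rule. The host names, field names and the "already holds a cookie" rule are assumptions of the model; that last rule is not stated in this article.

```javascript
// Constructed model of a browser's third-party cookie policy (not WebKit code).

// Assumption: the registrable domain is the last two labels. A real browser
// consults the Public Suffix List instead.
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// LEGACY models the policy described in the article; PATCHED drops only the
// form-submission rule, as the WebKit change did.
// existingCookieRule is an assumption of this model, not stated in the article:
// a third party that already holds a cookie may write more.
const LEGACY = { formRule: true, existingCookieRule: true };
const PATCHED = { formRule: false, existingCookieRule: true };

// Decide whether the response to one request may write a cookie.
function mayWriteCookie(req, jar, policy) {
  const target = site(req.requestHost);
  if (target === site(req.topLevelHost)) {
    return { allowed: true, reason: "first-party" };
  }
  if (policy.formRule && req.initiator === "form-submit") {
    return { allowed: true, reason: "form-submission rule" };
  }
  if (policy.existingCookieRule && jar.has(target)) {
    return { allowed: true, reason: "site already holds a cookie" };
  }
  return { allowed: false, reason: "third-party blocked" };
}

// Replay a trace in order and report every third-party cookie write that the
// policy lets through, which is what a privacy audit of a page load looks for.
function replay(trace, policy) {
  const jar = new Set(); // sites that currently hold a cookie
  const findings = [];
  for (const req of trace) {
    if (!req.setsCookie) continue;
    const verdict = mayWriteCookie(req, jar, policy);
    if (!verdict.allowed) continue;
    jar.add(site(req.requestHost));
    if (verdict.reason !== "first-party") {
      findings.push({
        page: req.topLevelHost,
        thirdParty: req.requestHost,
        reason: verdict.reason,
        hiddenFrame: req.frameVisible === false,
      });
    }
  }
  return { jar: [...jar].sort(), findings };
}

// Constructed trace: two sites that both embed content from one ad network.
const TRACE = [
  { topLevelHost: "news.example", requestHost: "news.example",
    initiator: "navigation", frameVisible: true, setsCookie: true },
  { topLevelHost: "news.example", requestHost: "ads.adnetwork.example",
    initiator: "subresource", frameVisible: true, setsCookie: true },
  { topLevelHost: "news.example", requestHost: "ads.adnetwork.example",
    initiator: "form-submit", frameVisible: false, setsCookie: true },
  { topLevelHost: "shop.example", requestHost: "shop.example",
    initiator: "navigation", frameVisible: true, setsCookie: true },
  { topLevelHost: "shop.example", requestHost: "cdn.adnetwork.example",
    initiator: "subresource", frameVisible: true, setsCookie: true },
];

for (const [name, policy] of [["legacy", LEGACY], ["patched", PATCHED]]) {
  const { jar, findings } = replay(TRACE, policy);
  console.log(name, "cookie jar:", jar.join(", "));
  for (const f of findings) console.log("  third-party write:", JSON.stringify(f));
}
```

Under the legacy policy the single form-caused response seeds the jar, after which ordinary content from the same network on another site is accepted as well; under the patched policy none of the three third-party writes succeeds.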

What Are Third Party Cookies?
2/19. Cookie technology is built into the design of web browsers and servers. A cookie
is a text string of code that is generated and deposited on a web connected computer,
including a mobile device such as an iPhone or iPad.
Web browsers include Google's Chrome, Microsoft's Internet Explorer, and Apple's Safari.
An individual user with a web connected computer or device accesses a web page
by entering the URL of that web page, by clicking on a hyperlink that contains
that URL, or by a related procedure. The user's browser sends a request for that
web page which is routed to the web server for that web page. The browser and
server use the Hypertext Transfer Protocol (HTTP) request response protocol.
Then, the web server that serves that web page sends the HTML source code back
to the user's browser that the user's computer and browser render as a web page;
in other words, the user sees the web page on the monitor or screen.
This web server may also generate and deposit on the user's computer the code that
constitutes a cookie. A first party cookie, among other things, contains information
identifying that visited web site. Then, when that user's browser makes additional requests
of that server (that is, when the user again visits that web page or other web page at that
domain) the browser conveys cookie information to the web server. Thus, the web server knows,
for example, that the user has returned.
Such first party cookies serve many critical and legitimate purposes, especially in
facilitating the operation of e-commerce web sites. For example, cookies facilitate web sites'
authentication of users, retention of user preferences, and storage of shopping cart contents.
A third party cookie is one generated by one domain accessed by a user, but which identifies,
not that domain, but another, third party domain. When the operator of that third party domain,
such as an advertising company, is able to have many web sites place its cookies on users'
browsers as those users go from web site to web site, it receives information about those
visits. The placement of third party cookies thus enables advertisers to learn and store the
browsing history of users across all the domains, or web sites, upon which the advertiser
has footprints.
Browsers facilitate the use of both first party and third party cookies. However, with
many browsers users can adjust settings to block either or both. For example, Microsoft's
Internet Explorer allows users to choose to block either or both. To do so, select Tools
from the menu bar, then select Internet Options from the drop down menu, then click on the
tab Privacy, and then select the button Advanced.
Mayer wrote in his paper that the Android browser does not contain a third
party cookie blocking option.
See also, Center for Democracy and Technology (CDT)
paper titled "Browser
Privacy Features: A Work in Progress", released December 9, 2010.
Apple Safari. Apple's Safari sets third party cookie blocking as the
default setting. Apple states in its
web page titled "Safari
Features" that "Some companies track the cookies generated by the websites you
visit, so they can gather and sell information about your web activity. Safari
is the first browser that blocks these tracking cookies by default, better
protecting your privacy. Safari accepts cookies only from the current domain."
Apple states in its privacy policy
that "If you want to disable cookies and you're using the Safari web browser, go
to Safari preferences and then to the Security pane to disable cookies. On your Apple mobile
device, go to Settings, then Safari, and then to the Cookies section."
Google's Statements About Cookies. Mayer's disclosure does not pertain to Google's
browser. Rather it is about how a Google ad company circumvents the third party cookie blocking
feature of the Safari browser when users with devices running that browser visit web pages on
which Google's ad company has a footprint.
Google states in its web page
titled "Privacy Policy" that "When you visit Google, we send one or more cookies
to your computer or other device. We use cookies to improve the quality of our service,
including for storing user preferences, improving search results and ad selection, and tracking
user trends, such as how people search. Google also uses cookies in its advertising services
to help advertisers and publishers serve and manage ads across the web and on Google
services."
Google defines cookies in a
web page titled "Privacy
FAQ" as "a small file containing a string of characters that is sent to your computer
when you visit a website. When you visit the website again, the cookie allows that site to
recognize your browser. Cookies may store user preferences and other information. You can
reset your browser to refuse all cookies or to indicate when a cookie is being sent."
See also, Google web page
titled "Advertising and Privacy".

EPIC Writes FTC Regarding Google's Safari Circumvention
2/17. The Electronic Privacy Information Center
(EPIC) sent a
letter
to the Federal Trade Commission (FTC) regarding Google's
circumvention of the Apple Safari feature that blocks third party cookies.
The EPIC is also the plaintiff in an action against the FTC that seeks to
compel the FTC to enforce the October 2011 final
Decision
and Order [7 pages in PDF] in the FTC's administrative enforcement action
against Google related to Google's Buzz.
The EPIC filed a
complaint [9 pages in PDF] in the U.S. District
Court (DC) against the FTC on February 8, 2012. See, story titled "EPIC Sues FTC to
Compel Enforcement of Google Privacy Order" in TLJ Daily E-Mail Alert No. 2,338, February
16, 2012.
Marc Rotenberg, head of the EPIC, wrote to the FTC on
February 17 after the Wall Street Journal published a
story titled "Google's iPhone Tracking: Web Giant, Others Bypassed
Apple Browser Settings for Guarding Privacy".
Rotenberg wrote that "The article describes the specific steps that Google has already
taken to circumvent user privacy settings." He then discussed Google's changes to statements
in its web site regarding tracking of Safari users. He explained that after "Google became
aware that its tracking activities would be revealed", Google removed key language
regarding tracking Safari users.
He elaborated that "The original Google statement that users of Safari who have not
changed their privacy settings ``accomplishes the same thing as setting the opt-out cookie´´
is a per se misrepresentation. Not only did the company know this not to be true, it took
elaborate measures to circumvent the Safari privacy safeguards, and it benefited from the
misrepresentations by the commercial value it surreptitiously obtained. The fact that Google
removed the evidence and made it no longer available by means of a Google search (think about
that for a moment) is an admission by the company as to its malfeasance." (Parentheses
in original.)
Back in 2007 when the FTC was reviewing the then pending acquisition by Google of
DoubleClick, the subsidiary of Google at the
center of this matter, the EPIC filed a
complaint
with the FTC urging it to block the merger on privacy grounds.
The EPIC later resorted to the extraordinary procedure of requesting the
recusal of the then FTC Chairman from the proceeding. See, story titled "EPIC
Seeks Recusal of Majoras in Google Doubleclick Merger Review" in
TLJ Daily E-Mail
Alert No. 1,688, December 13, 2007.

Sen. Rockefeller to Look Into Google's Safari Circumvention
2/17. Sen. John Rockefeller (D-WV), the
Chairman of the Senate Commerce Committee
(SCC), stated in a release on February 17 that "According to press reports, Google
circumvented consumer choice and may have paved the way for third-party ad networks --
including Google's own DoubleClick -- to track consumers against their will."
Sen. Rockefeller said, "If so, this practice may have violated the company's own
stated privacy practices. I fully intend to look into this matter and determine
the extent to which this practice was used by Google and other third parties to
circumvent consumer choice."
The Federal Trade Commission (FTC) has determined that if
a company publishes a privacy policy, and then violates that policy, this can constitute an
unfair or deceptive trade practice in violation of Section 5 of the FTC Act, which is codified
at 15 U.S.C. § 45. The FTC has
brought many such enforcement actions.
This section provides that "Unfair methods of competition in or affecting commerce,
and unfair or deceptive acts or practices in or affecting commerce, are hereby declared
unlawful."
The Congress has enacted no general privacy statute that governs the practices of web
sites, such as Google's, that impact consumers' interests in privacy. However, there are
privacy statutes directed at specific institutions, and specific types of web sites, such as
the Children's Online Privacy Protection Act,
or COPPA. Nor has the FTC promulgated any general privacy rules under Section 5 of the FTC
Act, although it has statutory authority to write rules implementing Section 5.
Rather, the FTC has, in a series of actions, announced and enforced its understanding that
if a web site operator publishes and then violates its privacy policy, that constitutes a
violation of the FTC Act. See, FTC
web
page with hyperlinks to pleadings in its Section 5 privacy cases.
For example, last year the FTC brought and settled an enforcement action against Google in
connection with its privacy related practices associated with the initial launch of its Buzz
social networking service. See, story titled "FTC Issues and Settles Complaint Against
Google" in TLJ Daily E-Mail
Alert No. 2,213, March 31, 2011. The FTC issued its final
Decision
and Order [7 pages in PDF] on October 13, 2011.

In This Issue
This issue contains the following items:
• Google Tracked Users Online by Circumventing Apple Safari Browser's Blocking of
Third Party Cookies
• What Are Third Party Cookies?
• EPIC Writes FTC Regarding Google's Safari Circumvention
• Sen. Rockefeller to Look Into Google's Safari Circumvention
• Representatives Urge FTC to Investigate Google's Safari Circumvention
• FTC Web Site Hacked

Washington Tech Calendar

Monday, February 20
Washington's Birthday. This is a federal holiday. See, OPM
list
of 2012 federal holidays.
The House will not meet on the week of Monday, February 20, through
Friday, February 24.
The Senate will not meet on the week of Monday, February 20, through
Friday, February 24.

Tuesday, February 21
The House will not meet.
The Senate will not meet.
12:15 - 2:00 PM. The Federal
Communications Bar Association's (FCBA) Engineering and Technical Practice Committee
will host a brown bag lunch. The topic will be three federal advisory committees: the
President's Council of
Advisors on Science and Technology (PCAST), the NTIA's
Commerce Spectrum Management Advisory
Committee (CSMAC) and the FCC's Technology Advisory Committee (TAC). For more information,
contact Steve Sharkey at steve dot sharkey at t-mobile dot com. Location: T-Mobile, Suite
800, 601 Pennsylvania Ave., NW, North Building.
12:15 - 2:00 PM. The Federal Communications
Bar Association (FCBA) will host a brown bag lunch titled "The First Amendment
in Telecom Law". The speakers will be Jacob Lewis (FCC Associate General Counsel),
Chuck Tobin (Holland & Knight), Coriell Wright (Free Press), Megan Brown (Wiley Rein).
For more information, contact Drew Shenkman at drew dot shenkman at hklaw dot com or Brendan
Carr at Bcarr at wileyrein dot com. Location:
Holland & Knight, Suite 100, 2099
Pennsylvania Ave., NW.
Deadline for the Electronic
Privacy Information Center (EPIC) to file its reply to the
Federal Trade Commission's (FTC) opposition to its
Motion for Temporary
Restraining Order and Preliminary Injunction [30 pages in PDF]. This action pertains
to whether Google's new privacy policy, scheduled to take effect on March 1, violates the
FTC's Decision and
Order [7 pages in PDF] dated October 13, 2011. See, story titled "EPIC Sues FTC to
Compel Enforcement of Google Privacy Order" in TLJ Daily E-Mail Alert No. 2,338,
February 16, 2012.

Wednesday, February 22
Ash Wednesday.
The House will not meet.
The Senate will not meet.

Thursday, February 23
The House will not meet.
The Senate will not meet.
10:00 - 11:30 AM. The Information
Technology and Innovation Foundation (ITIF) will host an event titled "Eddie
Lazarus Reflects on a Dramatic Tenure as Chief of Staff of the FCC". See,
notice. Location: ITIF/ITIC: Suite 610, 1101 K St., NW.
1:00 - 2:00 PM. The
American Bar Association (ABA) will host a webcast event titled "From Metatags to
Sponsored Ads: The Evolution of the Internet-Related Trademark Infringement Doctrine".
The speakers will be Chad Doellinger (Katten Muchin Rosenman), Jennifer Mikulina (McDermott Will
& Emery), and Uli Widmaier (Pattishall McAuliffe). CLE credits. Prices vary. See,
notice.

Friday, February 24
The House will not meet.
The Senate will not meet.
Supreme Court conference day.
See,
calendar. Closed.
8:30 AM - 4:00 PM. The Department of Defense's (DOD) Defense
Intelligence Agency Advisory Board will hold a closed meeting. See,
notice in the
Federal Register, Vol. 77, No. 10, Tuesday, January 17, 2012, at Pages 2277-2278. Location:
Bolling Air Force Base.
8:45 AM - 1:30 PM. The George Mason University (GMU) law school
will host a conference titled "The Digital Inventor: How Entrepreneurs Compete on
Platforms". There will be two panel discussions, titled "Platforms, Modularity,
and Complementary Goods" and "Patent Litigation: Software Patents, Licensing, and
Mobile OS Platforms". There will also be several presentations and speeches, including
"Design, Institutions, and the Evolution of Platforms" and "Why Walled Gardens
Isn't Inconsistent with Open Innovation: Understanding How Ecosystems Management Promotes
Progress". CLE credits. Prices vary. Location: GMU law school, 3301 N. Fairfax Dr.,
Arlington, VA.
Deadline to submit initial comments to the Federal Communications
Commission (FCC) in response to its
Public
Notice (PN) [21 pages in PDF] regarding
Auction
901, which will auction high cost universal service subsidies through reverse competitive
bidding. It is also titled "Mobility Fund Phase I Auction". The FCC released
this PN on February 2, 2012. It is DA 12-121 in AU Docket No. 12-25. See also,
notice in the
Federal Register, Vol. 77, No. 28, Friday, February 10, 2012, at Pages 7152-7162.

Monday, February 27
The House will meet. Votes will be postponed until 6:30 PM.
Deadline to submit initial comments to the Federal Communications
Commission (FCC) in response to the FCC's
Public Notice
(PN) regarding LightSquared's
Petition for Declaratory Ruling. The FCC released this PN on January 27,
2012. See also,
correction to this PN, also released on January 27. This PN is DA 12-103
in IB Docket No. 11-109 and ET Docket No. 10-142.

Tuesday, February 28
9:30 - 11:00 AM. The Information
Technology and Innovation Foundation (ITIF) will release a report, and host a panel
discussion, titled "Confronting Chinese Innovation Mercantilism". The
speakers will be Sen. Jeff Merkley (D-OR),
Robert Atkinson (ITIF), Morgan
Reed (Association for Competitive Technology), and
Alan Wolff (Dewey &
LeBoeuf). Free. Open to the public. See,
notice.
Location: Room G11, Dirksen Building, Capitol Hill.
10:00 AM - 12:00 NOON. The
House Science Committee's (HSC) Subcommittee on
Research and Science Education will hold a hearing titled "An
Overview of the National Science Foundation Budget for Fiscal Year 2013". The
witnesses will be Subra Suresh (Director of the NSF) and Ray Bowen (Chairman of the
National Science Board). The HSC will webcast this hearing. See,
notice. Location: Room 2318, Rayburn Building.
12:00 NOON - 1:30 PM. Julie Brill (FTC Commissioner) and
Anne Cavoukian (Commissioner of Canada's Office of the information and Privacy) will speak
at an event hosted by the American Bar Association
(ABA) titled "Privacy by Design: What All Companies Need to Do Now". No CLE
credits. The price to attend is $50. See,
notice.
12:00 NOON - 1:30 PM. The Federal Communications
Commission's (FCC) Enforcement Bureau (EB) will
hold an event at which EB Bureau Chief Michele Ellison and EB division chiefs and front
office managers will speak. The FCBA states that this is an FCBA event. Location:
Hogan Lovells, 555 13th St., NW.
2:00 - 3:15 PM. The President's
National Security Telecommunications Advisory Committee (NSTAC) will meet by
teleconference. The agenda includes an update from Gregory Schaffer (DHS Assistant Secretary
for Cybersecurity and Communications), an update on the cloud computing from Mark McLaughlin,
and an update on the national public safety broadband network scoping effort from Scott Charney
and Michael Laphen. See,
notice in the Federal Register, Vol. 77, No. 27, Thursday, February 9, 2012, at Page
6813.
6:30 - 8:30 PM. The Federal
Communications Bar Association's (FCBA) Young Lawyers Committee and the
Women's Bar Association of the District of Columbia
(WBADC) will host an event titled "An Evening of Mentoring for Communications
Lawyers". Prices vary. See, WBADC
notice. Register
at the WBADC web site, using the password FCBAMENTOR. Location:
Hogan Lovells, 555 13th St., NW.

Representatives Urge FTC to Investigate Google's Safari Circumvention
2/17. Rep. Ed Markey (D-MA),
Rep. Joe Barton (R-MA), and
Rep. Cliff Stearns (R-FL) sent a
letter [PDF] to the Federal Trade Commission (FTC)
urging it to "investigate" whether Google's Safari circumvention violates the
Decision
and Order [7 pages in PDF] in the FTC's administrative enforcement action
against Google related to Google's Buzz.
The three Representatives cited and quoted the Wall Street Journal
story of February 17 titled "Google's iPhone Tracking: Web Giant,
Others Bypassed Apple Browser Settings for Guarding Privacy". See, related
story in this issue titled "Google Tracked Users Online by Circumventing
Apple Safari Browser's Blocking of Third Party Cookies".
They wrote that "Google's practices could have a wide sweeping impact because Safari
is a major web browser used by millions of Americans. Safari, which is used on both iOS and
OS X platforms, is installed on all iPhones, iPads, MacBooks, and Macs."
Rep.
Markey and Rep. Barton are senior members of the
House Commerce Committee (HCC), which oversees
the FTC. The two have frequently acted in concert to query technology companies about, and
urge the FTC to investigate, business practices that might adversely affect the privacy
interests of their users and/or violate federal law. The present letter was also signed by
Rep. Stearns, another senior member of the HCC, and Chairman of its Subcommittee
on Oversight and Investigations.
The three added the most recent revelations about Google come "as a major concern
especially just two weeks after Google announced that the company plans to make changes to
its privacy policies and terms of service that will allow sharing of users' personal information
across its many products. This new policy and the omission of a consumer opt-out on a
product-by-product basis raised a number of privacy concerns."
Back in 2007 when Google had announced
its planned acquisition of DoubleClick, the
subsidiary of Google at the center of this matter, Rep. Barton raised his concerns
about the merger's impact upon consumer privacy. See, story titled "Rep. Barton
Questions Google on Doubleclick Merger and Privacy" in
TLJ Daily E-Mail
Alert No. 1,688, December 13, 2007.
The letter only asks the FTC to investigate whether Google's just disclosed actions violate
last year's FTC order. The letter does not ask the FTC to investigate whether Google's actions
also constitute a new violation of the FTC Act, and particularly the ban on unfair or deceptive
trade practices codified at 15 U.S.C. § 45.
Nor does the letter ask the FTC to investigate whether Google's actions violate the ban on
unauthorized access to a protected computer system of the Computer Fraud and Abuse Act (CFAA),
which is codified at 18 U.S.C. § 1030. Nor does the letter ask the FTC to investigate whether
Google's actions violate any of the bans on surveillance activities of the Electronic
Communications Privacy Act (ECPA).
An unfair or deceptive trade practices investigation would lie squarely within the purview
of the FTC. A CFAA or ECPA investigation would not, although acts that constitute a violation
of the CFAA or ECPA might also constitute a violation of the FTC Act.
See also, FTC web page titled "A Brief
Overview of the Federal Trade Commission's Investigative and Law Enforcement Authority", and
FTC web page titled "Legal Resources
-- Statutes Relating to Consumer Protection Mission".

FTC Web Site Hacked
2/17. The Federal Trade Commission (FTC) published a notice
in its web site that states that the FTC's Bureau
of Consumer Protection's (BCP) Business
Center was hacked on February 17.
The notice states, in full, "The Bureau of Consumer Protection's Business Center
website, run by the Federal Trade Commission, was hacked on February 17, 2012. The FTC takes
this malicious act seriously. The site has been taken down and will be brought back up when
we're satisfied that any vulnerability has been addressed."
The Washington Post published an Associated Press
story on February 17 titled "US Federal Trade Commission and consumer rights
websites hacked by Anonymous". It states that "The hacking group known as
Anonymous has claimed a new series of hacks against the U.S. Federal Trade
Commission and consumer rights websites."
The FTC Business Center web site had not been restored as of publication of
this issue of the TLJ Daily E-Mail Alert on Sunday, February 19.

About Tech Law Journal
Tech Law Journal publishes a free access web site and a subscription e-mail alert.
The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for
a single recipient. There are discounts for subscribers with multiple recipients.
Free one month trial subscriptions are available. Also, free subscriptions are
available for federal elected officials, and employees of the Congress, courts, and
executive branch. The TLJ web site is free access. However, copies of the TLJ Daily
E-Mail Alert are not published in the web site until two months after writing.
For information about subscriptions, see
subscription information page.
Tech Law Journal now accepts credit card payments. See, TLJ
credit
card payments page.
TLJ is published by David Carney.
Contact: 202-364-8882.
carney at techlawjournal dot com
3034 Newark St. NW, Washington DC, 20008.
Copyright 1998-2012 David Carney. All rights reserved.