Updated with comments from Jonathan Mayer.
The Federal Trade Commission may levy its first multimillion dollar fine against Google over a security breach initially uncovered by a Stanford student, according to an anonymous source cited by Bloomberg.
Critics say the FTC is more bark than bite. But a hefty fine against Google for “unfair and deceptive” business practices would indicate that the agency is stepping up its efforts to safeguard consumers’ online rights. The agency has relied on a citizen vigilante army of hackers working on the front lines to detect security breaches and inform government response.
“The FTC has been sending signals for a number of years now for tech companies to clean up their act. Soft touch diplomacy has not yielded the results that agency wanted,” said Jonathan Mayer, the Stanford researcher who uncovered the privacy breach in February.
“The message would be that there’s a cop on the beat. For a long time, there hasn’t been,” he added.
The world’s largest search company originally found itself in hot water when Mayer, a graduate student in law and computer science, detected “cookies” that were planted on Apple’s Safari Internet browser to evade built-in protections. This is how Mayer characterized the breach in a blog post, dated Feb. 17:
Apple’s Safari web browser is configured to block third-party cookies by default. We identified four advertising companies that unexpectedly place trackable cookies in Safari. Google and Vibrant Media intentionally circumvent Safari’s privacy feature.
By circumventing Safari’s privacy settings, Google could launch targeted advertising to Safari users on desktops, iPads, and iPhones. Mayer said he intended to find some evidence of online advertisers circumventing privacy settings, but had not anticipated that Google would be involved. “We had to check our results again and again that Google was doing this. It was not something we expected in the slightest.”
At the time, Google issued the comment that it “didn’t anticipate this would happen” and that it would promptly remove the offending files. Google’s spokesperson emphasized that the advertising cookies do not collect personal information.
It’s now the job of the FTC, a body responsible for protecting Internet users, to determine the extent of Google’s wrongdoing. If convicted, the company could face fines amounting to over $10 million, according to the Bloomberg report.
The investigation puts the issue of Internet privacy firmly in the spotlight. Experts say a hefty fine could send a clear signal to Internet companies around the world. “Silicon Valley Internet companies are in stiff competition, and we will see these privacy issues pop up again and again unless regulators take a firm stance,” said Pieter Gunst, fellow at Stanford University’s Center for Legal Informatics (CodeX).
“The major implication of this decision could be to put to rest the criticism that the FTC is toothless and they do mean business when it comes to online privacy,” said Mayer.