Hard on the heels of being fined $25,000 for allegedly blocking a federal privacy investigation, Google (GOOG) is enmeshed in a second federal probe into its privacy practices that could soon bring a more painful hit to the search giant’s pocketbook, this newspaper has learned.
The Federal Trade Commission is deep into an investigation of Google’s actions in bypassing the default privacy settings of Apple’s (AAPL) Safari browser for Google users, according to sources familiar with ongoing negotiations between the company and the government.
Within the next 30 days, the FTC could order the Mountain View search giant to pay an even larger fine in the Safari case than the penalty the Federal Communications Commission hit Google with Friday, say the sources, who spoke on condition of anonymity.
The FCC fined Google $25,000 after finding that the search giant “deliberately impeded and delayed” its investigation into a 2010 privacy breach involving its Street View cars.
The FTC investigation focuses on whether Google violated the terms of an existing settlement involving privacy problems with its ill-fated “Buzz” social network in 2010,
and could carry sanctions as large as $16,000 per violation per day, adding up to a penalty that could dwarf the fine imposed by the FCC.
FTC spokeswoman Claudia Bourne Farrell declined to comment on the Safari case Monday, but the main threat for Google is that the FTC is investigating the Safari matter as the violation of an existing consent decree that resulted from alleged previous privacy violations, which gives the agency the resources to unleash a division of lawyers who enforce existing orders.
That is allowing the FTC to move much more quickly in the Safari case than it could in a stand-alone complaint about deceptive trade practices. As part of its agreement signed last year with the FTC after the Buzz incident, Google agreed to undergo 20 years of outside reviews of its privacy policies and promised not to misrepresent its privacy practices to consumers. Google did not acknowledge breaking the law by agreeing to the Buzz consent decree and did not pay a fine.
Millions of violations?
While Google would have the ability to contest any FTC fine in federal court, the financial sanctions in the Safari case could be sizable, particularly if the FTC were to define “a violation” as each person affected. The government is trying to determine just how many people were affected by the Safari breach, and people familiar with the case say it could easily run into the millions of iPhone, iPad and Mac users.
As with the earlier Buzz and Street View privacy cases in 2010, Google has said the Safari breach was inadvertent. In a statement released Monday to this newspaper, Google said: “We will of course cooperate with any officials who have questions.”
Google has acknowledged it changed the default settings in Safari browsers to allow the “+1” button connected to its Google+ social network to work with Apple’s browser. It said those changes inadvertently resulted in Google’s advertising tracking software becoming attached to the browsers of many iPhone and iPad users — even though Google’s own website had told Safari users that if they took no action, they would be protected from having their travels across the Web monitored and shared with advertisers.
“We used known Safari functionality to provide features that signed-in Google users had enabled,” Google said. “We created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for personalized ads and other content. However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser.”
Unlike the FCC, the FTC elected to not sanction Google over the Street View privacy breach. A key reason the FTC passed on a penalty, the agency said in an October 2010 letter to Google, was that the company promised it had not used any of the personal data it collected in any of its products.
The sharing of private user data with third parties is a “litmus test” for the FTC in determining whether a violation has occurred, according to sources familiar with the agency’s thinking. It may be difficult for Google to prove that no personal data were shared if the software “cookies” implanted in Safari users’ browsers allowed Google to sell advertising that was better targeted and therefore more valuable.
After giving Google a pass on the Street View case in 2010 — despite that Google’s cars pulled in the contents of entire email messages, website addresses and account passwords from private Wi-Fi networks — the FTC is not inclined to avoid action again on Safari, according to sources familiar with the agency’s thinking.
The fact that the FCC sanctioned Google in the Street View case may up the ante even more for the FTC to act on the Safari breach, observers said Monday.
“I think it does put a little bit of pressure on them,” said Steve Pociask, president of the American Consumer Institute, who serves on the FTC’s Consumer Advisory Committee.
In the wake of the strongly worded statement that accompanied the FCC fine Monday, Pociask was among a number of consumer advocates who called for more investigation.
Google clearly tried to delay the investigation in the Street View case, he said, and the public has a right to know what was found.
“The public should know that,” he said. “If it’s not going to come out, maybe members of Congress should try to get to the bottom of this.”
Contact Mike Swift at 408-271-3648. Follow him at Twitter.com/swiftstories or Facebook.com/mike.swift3.