On 17 February, 2012 the Wall Street Journal published a story claiming that Google had bypassed Safari web-browser security settings on Mac and mobile devices in order to track users that did not wish to be tracked. This information led to an investigation by the Federal Trade Commission deemed “Safari-gate”, resulting in the largest FTC penalty for the violation of a commission order, $22.5 million dollars.

Although the FTC classified the settlement as “an appropriate remedy”, on 16 November the US District Court for the Northern District of California will ultimately judge the settlement’s appropriateness. The reason Google was bypassing security protocols to track users was to collect data used to optimize online advertisements. Although the practice of tracking users online is common in Web 2.0, there still remain several very important privacy questions regarding the user data that is collected.

At a recent panel discussion on behavioral advertising and privacy law Jonathan Mayer, a graduate student in law and computer science at Stanford (and the person who caught Google’s Safari-gate code), gave a presentation on the intricacies of tracking individuals online for the purpose of advertising (see also, a similar presentation). The presentation began with Netscape’s invention of ‘cookies’ in 1994, through the founding of DoubleClick (an ad tracking company acquired by Google), to the vibrant contemporary landscape of online tracking. Mayer presented a glimpse into the ecosystem of companies that track users around the Internet and collect information on a user’s web history and habits. For the most part this tracking occurs far from the view of the average user and is authorized by lengthy and often ignored privacy policies. The information collected is usually used to tailor ads to a user’s specific interests, however sometimes this information is used for more questionable purposes.

See this comprehensive video from the Wall Street Journal on how ad tracking and cookies work.

In some cases, the information that these third parties collect can be very sensitive material, such as search query history, browser history, health information, financial information, and shopping history. Although many of the companies claim that the information they collect is completely anonymous, Mayer and his colleagues have another theory. In his presentation, Mayer stated that the information collected by trackers is pseudonymous (opposed to anonymous), in the sense that if any piece of the collected data is linked to a specific individual, then all of the data can be linked to that specific person. As an example, this becomes problematic when applying Canadian privacy law because raw pseudonymous data may not qualify as “personal information” as per section 2 of PIPEDA, but this depends on how the information is handled. This becomes even more problematic when you consider that companies can begin to collect information on individuals as young as 13 years old (see also, for Canada).

There are several companies that offer products that either expose third party trackers or protect against information collection. Products such as Disconnect, Collusion, and Ghostery provide user-friendly browser add-ons that protect against third-party trackers. As well, products such as HTTPS Everywhere are striving to facilitate more secure connections between users and the sites they visit. A final product is the addition of Do Not Track opt-out functions in most consumer web browsers, however many major trackers have decided to ignore these requests. These fixes cannot be seen as complete solutions to third-party tracking issues. Blocking trackers is comparable to a very technical cat and mouse game. Blocking products require constant software updates and often involve some technical knowledge outside the range of most casual Internet users.

The ultimate way to regulate online trackers is to establish regulations via legislation (see Part 6.2.5). There are various institutions such as the Electronic Frontier Foundation and W3C that advocate for more comprehensive privacy laws online, but until this is done companies are left to regulate themselves.

Although some users may agree that having the use of Google’s fantastic products such as, Gmail, Google search, Blogger, etc. is an appropriate trade-off for having their movements tracked online, this agreement should be confirmed in a fair and transparent manner, not through security hacking code. Ultimately, it’s up to the courts to decide whether $22.5 million dollars is an adequate sum for Google to pay for ‘Safari-gate’. However, when this fine is compared to the $37.9 billion in revenue Google made in 2011 (96% came from advertising), the fine begins to resemble a monetary slap on the wrist.

Maximilian Paterson is is a JD candidate at Osgoode Hall Law School and is currently enrolled in Osgoode’s Intellectual Property Law and Technology Intensive Program.  As part of the program requirements, students are asked to write a blog on a topic of their choice.