iPhone tracking: Is Google breaking its privacy pledge?

iPhone privacy feature was circumvented to allow Google to track what iPhone users were doing, privacy researcher says. Google settled another privacy case in October.

Rep. Ed Markey (D) of Massachusetts speaks on Capitol Hill in Washington earlier this month at a subcommittee hearing. Mr. Markey is one of three congressmen who have written the Federal Trade Commission asking whether it will investigate new allegations that Google has circumvented a privacy feature on a Web browser on the iPhone.

Manuel Balce Ceneta/AP/File

February 19, 2012

Google Inc. is under fire once again after allegations that it circumvented privacy protections built into the iPhone in order to track what users are doing online.

A privacy researcher at Stanford University said Friday that the Internet search giant had made an end run around a privacy feature in Apple Inc.'s Safari browser, the default Web-surfing software for tens of millions of iPhone, iPad and Macintosh users.

Graduate student Jonathan Mayer's report could deal a serious blow to Google, which in October reached a settlement with federal regulators who had alleged that in the company's 2010 attempt at social networking it used "deceptive tactics and violated its own privacy promises to consumers." Google's binding agreement with the Federal Trade Commission "bars the company from future privacy misrepresentations."

Now a group of federal legislators is asking if Google may have violated those terms by allowing advertisers to track Apple users' online behavior even when those users believed such tracking was disabled.

"Google's practices could have a wide sweeping impact because Safari is a major Web browser used by millions of Americans," Reps. Edward J. Markey, D-Mass., Joe Barton, R-Texas, and Cliff Stearns, R-Fla., wrote in a letter to the FTC. "We are interested in any actions the FTC has taken or plans to take to investigate whether Google has violated the terms of its consent agreement."

If Google is found to have violated its agreement with the FTC, the company could face fines of up to $16,000 per day for each violation.

Google's latest privacy stumble came at the end of a bumpy week for the tech industry's best-known companies, with Apple, Twitter, Facebook and Path drawing criticism over the way the social media companies collect user address data from iPhones.

Federal lawmakers are also questioning Apple after several social networking companies acknowledged that they were retrieving smartphone users' contacts without explicit permission.

Can Syria heal? For many, Step 1 is learning the difficult truth.

Apple's Safari browser is designed to prevent websites from adding tracking files _ called "cookies" _ to phones until a user specifically visits the site. For instance, visitors to the Los Angeles Times' website could find a Times cookie on their iPhones but should not automatically have cookies from the sites of Times advertising partners.

But Mayer, the Stanford researcher, said Google used a method that could load users' phones with cookies from advertising sites other than Google.

Google spokeswoman Christine Chen said the company did not intentionally place advertising cookies on Safari users' devices.

"We didn't anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers," she said. "It's important to stress that, just as on other browsers, these advertising cookies do not collect personal information."

Chen declined to comment on whether the issue might mean a violation of Google's FTC settlement.

Privacy advocates criticized Google for what they viewed as a serious misstep, which they said was inexcusable for a company with its resources and technical know-how.

"Why were they in such a rush to push this product out that they didn't get it properly vetted?" said Justin Brookman, the privacy director at the Center for Democracy and Technology.

"They have this brand that they should be bending over backward to protect," he said, but "they may be cutting corners."

Google's FTC settlement last year focused on the launch of the social networking service Google Buzz in 2010. An early version of Buzz made users' private contact lists public, in some cases exposing the email addresses of Google users' friends, family and professional contacts without the users' knowledge.

Google also came under fire that year when its camera-equipped cars were discovered to have also been gathering huge amounts of data from people's private Wi-Fi networks, including passwords, personal emails and Web browsing histories. Google has said it didn't realize it had been gathering that data and said it would erase the information as soon as possible.

Stanford's Mayer said in his report that privacy researchers have referred to the tension between browser makers and advertisers such as Google as a "cat-and-mouse game."

"This research result regrettably affirms that view as reality _ for, quite possibly, millions of users," Mayer wrote.