Google Privacy and Enterprise Licensing

Stephen Arnold's picture

 

In mid-February 2012, another Google privacy cyclone roiled the datasphere. The allegation was that Google was bypassing Apple Safari privacy settings. The purpose of the hacker-like action was to track the browsing of Apple Safari users. The story broke in the Wall Street Journal in mid February and within a few hours, privacy experts and even some elected officials were commenting about the Google activity. The February 17, 2012, story “Google's iPhone Tracking” http://goo.gl/a9GDb by Julia Angwin and Jennifer Valentino-Devries revealed:

 

Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.'s Web browser on their iPhones and computers — tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked. The companies used special computer code that tricks Apple's Safari Web-browsing software into letting them monitor many users. Safari, the most widely used browser on mobile devices, is designed to block such tracking by default. Google disabled its code after being contacted by The Wall Street Journal. 

 

When the Wall Street Journal’s information became known to Google, allegedly Google removed the function. Clever? The newspaper continued:

 

Google's tracking of Safari users traces its roots to Google's competition with social-network giant Facebook Inc. After Facebook launched its “Like” button — which gives people an easy way to indicate they like various things online — Google followed with a “+1” button offering similar functionality on its rival social network, known as Google+... But Google faced a problem: Safari blocks most tracking by default. So Google couldn't use the most common technique —installation of a small file known as a “cookie” — to check if Safari users were logged in to Google. To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way — for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer. 

 

On February 20, 2012, Microsoft’s IEBlog ran a lengthy article whose title exacerbated the revelation: “Google Bypassing User Privacy Settings.” http://goo.gl/D7kBs Microsoft’s analysis was highly technical, but the key point of the write up was, Google’s approach to third-party cookies seems to have the side effect of Safari believing they are first party cookies.” In short, Google exploited a privacy “standard” to track those who did not want to have their travels around the Internet known. 

 

Not surprisingly, when clever people do clever things, those less clever find themselves talking about something that one cannot demonstrate or easily explain. The idea that a Web browser can block small chunks of code is difficult for some people to grasp. The code is called a “cookie” and the name makes this type of code seem innocuous. How dangerous is a “cookie”? The Google work around is also code. Google sent the Safari users a snippet of code to work around Apple’s code and to put Google code into the user’s browser. Got that? The Wall Street Journal employed a nifty Web 2.0 style graphic to explain what is to me a particularly difficult technical operation. You can view the Wall Street Journal graphic at http://goo.gl/a9GDb. 

 

Most people will not know what Google did, why Google took the action, nor what happened when the Google work around was implemented. The cleverness of the Google engineers is little appreciated by Apple. I would assert that most of those with oversight of Google’s privacy policies are probably going to have to do some noodling to figure out the implications of what was done and then removed from the Google system. Slippery stuff the Google system. 

 

As you may recall, Google agreed in 2011 to 20 years of privacy policy oversight by the US Federal Trade Commission. The trigger for this oversight was Google’s handling of Buzz, its 2010 social network. You can read the original complaint on the FTC’s Web site at http://goo.gl/V0H9C. In that document, the FTC wrote: “Certain personal information of Gmail users was shared without consumers’ permission through the Google Buzz social network.” Buzz was a commercial flop, but the blow back from the misstep was the 20 years of “oversight.” 

 

The media reactions to the Apple Safari event were swift and, in the US, short lived. Google seems to have embraced a method which involves [a] taking an action which is implemented without much if any warning, [b] benefiting or learning from the action, [c] if exposed, apologizing, and [d] looping back to taking another action. 

 

Google’s own statement articulated by Rachel Whetstone, senior vice president, communications and public policy at Google. I was unable to locate a copy of the statement using Google’s search system on February 20, 2012, which was probably due to an interesting system glitch. Silicon Republic did include this snippet from its source: 

 

“We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information,” she said. 

 

“Unlike other major browsers, Apple's Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as 'Like' buttons.” 

 

Whetstone drew upon how Google last year started using this functionality to enable features for signed-in Google users on Safari who had “opted” to see personalized ads and other content. This included the ability to “+1” things, she indicated. 

 

“To enable these features, we created a temporary communication link between Safari browsers and Google's servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization.” 

 

Whetstone said Google had designed this type of personalization so that information passing between the user's Safari browser and Google's servers was “anonymous”, with the aim of “effectively creating a barrier between their personal information and the web content they browse”. 

 

She said the Safari browser, however, contained functionality that then enabled other Google advertising cookies to be set on the browser. Source: Carmel Doyle, “Google Issues Statement on Safari and User Privacy,” Silicon Republic, February 20, 2012 at http://goo.gl/INS5S 

 

Silicon Republic’s “Google Issues Statement on Safari and User Privacy” http://goo.gl/INS5S exemplifies the handling of this hot potato: “Google has issued a statement to clarify its position in light of the Safari cookies debacle that started last week.” No commentary. No analysis. No nothing. 

 

Without meaningful consequences, Google’s method seems to be effective in making it easy for the company to expand its grip on markets which it controls or seeks to capture. The privacy gaffe took place at the same time Google’s grip on the search market was increased. CBR’s “Google Sites Top the US Search Market Again” http://media.cbronline.com/news/google-sites-top-the-us-search-market-ag...? reported, “Google Ad Network topped the January Ad Focus ranking with a reach of 92.9 percent of Americans online... Google Sites yet again ranked as the number one property in January with 187.4 million visitors, followed by Microsoft Sites with 179.2 million and Yahoo! Sites with 177.2 million.” Google’s dominance of the European market is more difficult for me to obtain.

 

Business Insider, in July 2011 http://articles.businessinsider.com/2011-07-13/tech/29976444_1_experian-..., pegged Google’s market share at 90 percent. Google, not surprisingly, is not saying. 

 

Working through the numerous posts about the Apple Safari issue, I noted a story in the gizmo blog Engadget. The headline was one that caught my attention: “Google Quietly Launches Latitude Leaderboards, Threatens Foursquare under Its Breath.” You can find this article at http://goo.gl/uKqCP. I must admit the notion of “reporting” my location to my “friends” seems peculiar to me.

 

However, unlike some online users I have worked on sensitive police and intelligence projects. The last thing I want to do is to make it easy for someone to know where I am either intentionally or unintentionally. I will remember fondly the mortar attack in Bogota several years ago. Fascinating stuff for some 20 somethings, just not for me. The idea of this new service is immature, but Engadget noted: “we still haven't found a way to pull up the leader board without first registering our location.” 

 

PC World’s response to the Apple Safari issue was a story with the chilling headline: “Google Unlikely to Back Down at Privacy Lawsuits http://goo.gl/5PfeX.” How PC World’s Christina DesMarais knows that Google will adopt a pit bull approach to privacy is outside my comprehension. Nevertheless, she asserts: 

 

Google's privacy practices are under fire from lawmakers in Washington, civil liberties groups, and the average Joe mobile phone owner -- the latest attack is a lawsuit from an Illinois man worried about how his personal information is used -- but don't expect the Internet search leader to back down. Targeted advertising means big bucks for Google, so that means it will continue, perhaps even step up, its efforts to glean data about its users so it can push marketers their way and prompt lots of clicks. 

 

She points out that Google is paying people for their browsing information. Even more fascinating was this statement: 

 

Google recently started asking people to add a Chrome browser extension that will share their Web-browsing behavior with the company. In exchange, users will receive a $5 Amazon gift card when they sign up and additional $5 gift card values for every three months they continue to share. 

 

At the same time the Google exploitation of the Safari browser’s privacy policy surged, then dissipated, Datamation revealed that Roche Group was shifting 90,000 employees to Google Apps, one of the Google enterprise services. Roche Holdings (revenues in 2011 of about $21.1 billion) owns the Roche Group. You may be more familiar with some of the companies in the firm’s portfolio; for example, Genetech and Illumina or the pharmaceutical Avastin, a drug to treat breast cancer. Roche executives have little concern that Google’s privacy policies will compromise the firm’s business. 

 

Is an enterprise making a decision based on a careful analysis of the risks associated with Google’s methods? Are enterprise procurement teams savvy enough to determine how the actions Google implements will affect the enterprise services? In my own experience, most technologists are not current on Google’s fast-moving flow of features, functions, tweaks, adjustments, and services. 

 

Several observations: 

First, in the last year, Google has become increasingly reluctant to make clear what its systems and methods permit the company to capture from its online customers. The online customer is the pivot point on which Google’s advertising revenue swings. In the firm’s most recent quarterly report, the firm revealed that its rocket ship flight path was changing. With those somewhat disappointing financial results, the upticks in “clever” actions seems to have increased. My hypothesis is that advertising revenues are not delivering the pay out Google requires. Instead of Apple style innovation, Google is making “clever” shifts to pump up revenue. 

 

Second, because the enterprise revenues have not exploded, the enterprise unit may be under increased pressure to generate more revenue and grow more quickly. When sales and marketing professionals face growth pressure, creative license can become more important than some technical details. For example, the present version of Google’s spreadsheet program does not handle some macros created for Excel spreadsheets. Some formatting is not translated correctly when importing or exporting a Word document in a “round trip” type of operation. “Round trip” means that a document begins in Word, makes a pass through Google’s cloud word processing system for changes, and is then exported in a format Word can read. Annoying? Yes. But for a person on a deadline, glitches can become a problem. Because certain shortcomings of Google’s enterprise applications have persisted for months or years, the question of priorities must be asked. The product’s functions in a corporate environment answer those questions in a direct, verifiable manner. 

 

Third, Google’s fix-it-on-the-fly approach makes sense in today’s always-on, real-time world. The problem for me is that in an enterprise, the licensee does not know what back doors, bugs, and undocumented “features” are operating at any point in time. I have been critical of the bugs in Microsoft SharePoint. But Microsoft has a reasonably good track record of documenting issues and making fixes available. In the wake of the Apple Safari issue, I now am formulating the view that Google may be, intentionally or unintentionally, creating services which increase a licensee’s risk. Who knows? A 20-year-old superstar programmer working in Google’s Moscow or India offices? 

 

The Apple Safari matter extends beyond the consumer market. With General Electric shifting to Apple iPads, the notion of consumerization is an important one. When consumer systems find their way into the enterprise and vendors exploit “short cuts”, are traditional ways of thinking about enterprise solutions kicked to the side of the road? I think not.

 

Stephen E Arnold, February 21, 2012

 

*Stephen E Arnold is a consultant providing strategic information services. His blog is located at www.arnoldit.com/wordpress. His most recent monograph is The New Landscape of Enterprise Search, published by Pandia.com in Oslo, Norway.