«

»

LSE governance roundtable hears that “Safari-gate” has exposed Google to UK civil claims

By Simon Davies

An expert meeting on website tracking held last month at the London School of Economics, heard that Google could be exposed to a wide spectrum of UK civil law claims over its’ manipulation of privacy settings in the Safari browser.

The roundtable – the first in the “Under the Scalpel” series sponsored by the LSE’s Information Systems & Innovation Group and organised by the Privacy Surgeon – focused on accountability and governance issues that arose from the case.

A video of the event can be found here and a partial transcript is available here.

Where was the oversight over this whole code? Where was the training and internal ethical compass about it, making sure that this sort of thing didn’t happen.

In July the United States Federal Trade Commission levied a record $22.5 million fine against Google after the company had deceptively tracked users of iPhone, iPad and Mac computers by circumventing privacy protections on the Safari web browser (see previous blog for more details and references).

The Commission stated that Google had exploited a technical loophole in Safari to mislead users into believing they were protected against third-party advertising. Instead of such advertising being blocked by default, the browser privacy settings were surreptitiously altered and millions of users found themselves tracked by cookies planted by Google’s DoubleClick advertising company.

One of the keynote speakers, Dan Tench, a Partner at Olswang Solicitors, provided a legal assessment and explained that the Safari case might expose Google to several categories of civil claim. The most interesting of these (taking aside better known legal avenues such as breach of contract and breach of data protection) is a possible claim under the Law of Confidence. (34.20 into video)

Tench told the meeting that he felt a civil claim under Confidence was quite feasible and that – most importantly – such an action would force discovery of internal Google documents (unlike a criminal case, which cannot require such disclosure). He went on to provide examples of cases where such discovery had fed other avenues of activity such as parliamentary inquiries and investigation by regulators.

“You may bring a civil claim and then get information on the back of that, which you can then feed into the media debate, and then the media debate can perhaps get parliamentary action, and then from the parliamentary action a select committee may want to have an investigation and use its particular powers to get further information, which then feeds back into the civil claims…”

Google have said that its mission is to organise the world’s information – including all of ours -and I think if Google wants to organise the world’s information it’s going to need a lot of trust and I think we should hold it to that high standard

Stanford University researcher Jonathan Mayer, who discovered the loophole, also spoke at the meeting and expressed his concern over issues of accountability and oversight within the company. While outlining his view that it was plausible that Google didn’t intend to set their ordinary ad-tracking cookie, he was scathing in his criticism of the company’s response to the incident.

“First being, how exactly did this happen? How did some Google engineering – so many Google engineers – decide it was OK to circumvent a privacy feature into one of the world’s most popular web browsers. Where was the oversight over this whole code? Where was the training and internal ethical compass about it, making sure that this sort of thing didn’t happen. Where was the monitoring so that if something like this did happen it didn’t actually get so far as going to the users – and even if it did go all the way to the users – how do Google make sure that it wasn’t public for very long and that they caught the problem and fixed it. It seems like this went on for roughly half a year before it was called to their attention (28.40 into video)

“So are they going to open questions about how exactly this happened? I think Google’s response, also, raises a lot of troubling questions. I think Google should have accepted responsibility for what happened. I think it should have been very transparent about what exactly happened – and why – and I think it should have committed to internal improvements so this didn’t happen again. (29.33 into video)

this situation was of particular concern when a company sells its products to government on the assurance that proper code oversight had been instituted.

“Google have said that its mission is to organise the world’s information – including all of ours -and I think if Google wants to organise the world’s information it’s going to need a lot of trust and I think we should hold it to that high standard I articulated, and instead, what I think this episode showed is a company looking to minimise the adverse impact, however possible, denying fault and significantly misleading on the underlying facts.” (29:54 into video)

Two senior LSE academics, Professor Chrisanthi Avgerou and Dr Edgar Whitley also expressed concerns about governance issues, with Whitley (56.40 into video) describing the episode as a “very scary scenario” in which either the company had made a strategic commercial decision to go down that path, or it was unaware of what its engineers were doing on a day to day level. He warned that this situation was of particular concern when a company sells its products to government on the assurance that proper code oversight had been instituted.

Professor Avgerou stressed that the Safari incident exemplified the primacy of governance within large corporations and it provided a stark illustration of the importance of a better understanding of how key industries go about the decision-making process.

Google was invited to attend but was unable to field a representative.