By Doug Miller
On February 17th, the Wall Street Journal reported that a researcher working for them discovered that Google ran hidden code designed to circumvent the security settings on Apple devices that use the Safari web browser. While much of the coverage of this revelation has focused on consumers and whether the action may have violated laws or the consent agreement between the FTC and Google, little has been written about the impact for public sector customers. Public sector customers are big users of Apple devices and these users are governed by a strict set of unique regulations and laws. Given the circumstances of the events here, the question needs to be asked: did Google break any of the laws or regulations that restrict entities from accessing or changing government computing systems?
Google is once again in the news for privacy issues. Last week we learned of the FCC fine for obstructing the investigation into the StreetView Wi-Fi data collection scandal. This week Google released documents that show this was not the work of a single rogue insider but instead a known collection tool that was in place for years. Only a couple of weeks ago, it was announced that the FTC was looking into the “Safari-gate” scandal where Google admittedly ran code from some of its online ads that changed the security settings on Apple Safari browsers to allow tracking cookies to be placed on users’ devices without their knowledge.
Both of these situations are serious but in many ways the Safari issue is a more serious one for government agencies – and Google. Before explaining how this impacts public sector users, it is worth reviewing what the facts are.
What are the facts?
On February 17th, the Wall Street Journal broke the story that a researcher working for them discovered that Google had circumvented the default security settings in Apple’s Safari Internet browser. Safari by default does not allow third-party cookies and Google essentially ran code through the browser that tricked the browser into thinking the user wanted its DoubleClick third-party cookie downloaded to the user’s device. This took place behind the scenes without the user’s knowledge and without user interaction. The original WSJ story contains a lot of background information on exactly how this was accomplished and highlights the issues with what Google did.
After this news broke, and users and lawmakers around the world expressed outrage, the WSJ published another story on March 16th stating that U.S. and European regulators were reportedly looking into the matter.
More recently, the San Jose Mercury News published a story stating that an FTC investigation into the Safari exploit was imminent.
How this impacts public sector users
The issue here that should be cause for concern for public sector users is not that Google is loading advertising cookies on users’ computers, tablets and phones but that Google took deliberate steps by running hidden code to circumvent the security settings on Apple devices that use the Safari web browser. This action potentially impacted all users of Apple devices that use Safari – including Macs, iPads and iPhones. The code payload that Google wrote, downloaded and executed on users’ devices was designed to operate without the user’s knowledge and to “trick” the browser into thinking that the user had clicked on a submit button thereby allowing the placement of a DoubleClick third-party cookie on the user’s device. Once the cookie was loaded, this opened up the device to other Google third-party cookies even though the user assumed that the device was safe from third-party cookies. The fact that Google used an invisible web frame, an invisible form and simulated a user action through submitting the form without user involvement clearly shows that this was an intentional, deliberate and deceptive act. The original WSJ article includes some excellent graphics to illustrate what was done.
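The three ingredients named above (an invisible frame, an invisible form, and a form submission triggered by script rather than by the user) can be checked for when reviewing ad markup served to managed devices. The following is an added example, not code from the WSJ article, Mr. Mayer's research or Google; the sample markup is constructed for illustration, `tracker.example` is a placeholder domain, and the inline-style heuristics are assumptions that will not catch every way of hiding an element.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that render an element invisible (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.I)

def is_hidden(attrs):
    a = dict(attrs)
    return ("hidden" in a or a.get("width") == "0" or a.get("height") == "0"
            or bool(HIDDEN_STYLE.search(a.get("style") or "")))

class CreativeAudit(HTMLParser):
    """Collects hidden iframes, hidden forms and script-driven form submission."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.hidden_forms = [], []
        self.in_script = self.script_submits = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and is_hidden(attrs):
            self.hidden_iframes.append(a.get("src") or "")
        elif tag == "form" and is_hidden(attrs):
            self.hidden_forms.append(a.get("action") or "")
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; look for a programmatic form submission.
        if self.in_script and re.search(r"\.submit\s*\(", data):
            self.script_submits = True

def audit(html):
    p = CreativeAudit()
    p.feed(html)
    p.close()
    # A hidden form is only reported when a script also submits a form.
    return {"hidden_iframes": p.hidden_iframes,
            "silent_submit_to": p.hidden_forms if p.script_submits else []}

# Constructed samples: the ad slot, the framed document, and a benign visible form.
AD_SLOT = '<div><img src="ad.png"><iframe src="https://tracker.example/f" style="display:none"></iframe></div>'
FRAME_DOC = ('<form id="f" method="post" action="https://tracker.example/set" style="visibility:hidden">'
             '</form><script>document.getElementById("f").submit();</script>')
SEARCH_BOX = '<form action="/search"><input name="q"><button type="submit">Go</button></form>'
```

Calling `audit()` on the ad slot reports the hidden frame, on the framed document it reports the form target that is submitted without a click, and on the ordinary search box it reports nothing.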
Not only was Google installing cookies unbeknownst to users, but the tracking Google was able to do via these cookies was not anonymous if users were logged into a Google account. According to the original research and a follow-on post by Jonathan Mayer, a grad student at Stanford, “the circumvention behaviors affected all users, independent of whether they had a Google account, were logged into a Google account, or had made a choice about social advertising.” But for users logged into a Google account, the tracking was directly tied to their Google credentials. In Mayer’s words, “Identifying and identifiable information was collected. Google’s social advertising technology is designed to identify the user.” Keep in mind that all users of Google Apps for Government (such as the GSA and NOAA) have a Google account which they need to be logged into in order to use Google services such as Gmail.
Most of the coverage on these issues has focused on the impact to consumers who use Apple products. However, there has been no focus on how this premeditated action to circumvent security and subsequent tracking may have impacted public sector users.
For example, Apple devices are widely used in the Federal government. USASpending.gov lists the various Apple Federal contracts, valued at close to a quarter of a billion dollars, with the following agencies as users:
- National Aeronautics and Space Administration
- Department of Defense
- Department of the Navy
- Department of the Army
- Department of Homeland Security
- National Oceanic and Atmospheric Administration
- General Services Administration
- Federal Acquisition Service
- Department of Health and Human Services
- U.S. Secret Service
If these users were using the Apple Safari browser (which is the default browser on Macs, iPads and iPhones) and if these users were using the default browser security settings (which prevent third-party cookies), then these users had their system security compromised if they visited a website, such as YellowPages.com, with a DoubleClick-enabled ad. Moreover, if these government users of Apple products were also logged into their Google Apps for Government accounts (such as GSA and NOAA employees), then the cookies installed on their Macs, iPads or iPhones were also gathering personally-identifiable information.
What’s the harm?
While these actions are serious breaches of trust, was there any harm? After all, advertising and third-party cookies are a fact of life on the Internet.
The issue is not with advertising, or even third-party cookies, but with the way the code for enabling the advertising cookies was installed. This was a deliberate, intentional, premeditated action to download and run unauthorized hidden code in ads presented by Google, on government computing systems with the sole purpose of circumventing the security settings on Safari and enabling advertising features from which Google profited. As many have stated before, Google earns 96% of its revenue from advertising so it is logical that it would do whatever it could to optimize ad revenue potential on any user’s Internet browsing sessions.
Normally this type of software exploit would be called malware or a computer Trojan horse.
Was this intentional?
An obvious question that could be asked is whether Google did this intentionally or whether this was the work of a lone over-zealous engineer. The WSJ article points out that this code was added last year so it had been in place for some time. The code itself very clearly shows a chain of instructions that were designed to operate without the user’s knowledge and to simulate a user action. Google claims that it wrote the code to enable functionality that they believe Google users would want to have. Google’s full statement was published at the end of Mr. Mayer’s second article. Google stated it “created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization.” Google also stated that “these advertising cookies do not collect personal information.” Finally, Google states that “the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers.” However, as Mr. Mayer points out, the whole point of checking whether Google users were logged in or not was in fact to associate the cookie with the user’s Google account, so the cookie was tied to personally-identifiable information. It is also hard to imagine that a company as smart as Google could credibly not “anticipate that this would happen.”
Google admitted that it did place the code on these devices; however, it stated it had a perfectly good reason for why it was done – to deliver more personalized ads. Whether it believed it was reasonable or not is not the point. The point is that Google’s code was downloaded and run without the user’s knowledge or permission and resulted in compromising the security settings on the user’s device. This is potentially a major issue as it relates to government computing regulations and anti-hacking laws.
Were laws broken?
US government users are protected by the US Computer Fraud and Abuse Act (and other laws). This act states, among other things, that it is a crime if someone:
“…intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States”
The USA PATRIOT Act, Title VIII calls for punishment for:
“attempted illegal use or access of protected computers” and
“for attempting to damage protected computers through the use of viruses or other software mechanism.”
All Apple devices would have potentially been impacted. We are talking about hundreds of thousands of users with Apple devices purchased by the government in agencies such as the Department of Defense, not to mention employees who bring their own Apple devices to work. Whether a government employee was issued an Apple device or brought his or her own to work, they all thought that by using the default Safari browser that prevented third-party cookies they would be safe from tracking by any advertiser but, in fact, they were wide open to tracking by Google.
While individual citizens and non-government organizations have no standing to prosecute these actions on behalf of the public sector, government agencies that use Apple products should carefully consider whether these actions, which compromised the security on their systems, broke the laws that are designed to protect our government’s IT infrastructure. Congressmen Edward J. Markey (D-Mass.), Joe Barton (R-Texas), co-Chairmen of the Bi-partisan Congressional Privacy Caucus, and Cliff Stearns (R-Fla.) have called for a full investigation into Google’s actions and have sent a letter to the FTC. Based on the Mercury News story, it appears the FTC is taking this matter seriously on behalf of consumers.
The question is, who will step up to investigate these actions on behalf of government agencies?