Why we need a criminal investigation to finish the job the FTC couldn’t
By Doug Miller
By just about any accepted definition, Google’s overriding of default security settlings and unauthorized intentional access of Apple’s Safari web browser on users’ systems that led to the recent FTC investigation and settlement should be considered illegal hacking that warrants criminal investigation. That is, Google surreptitiously loaded executable code onto users’ devices, ran that code to weaken the browser’s security settings, and then used the weakened security environment to load third-party cookies to enhance the relevance of ads displayed to the user. This was done to provide Google with revenue from the additional ads. Since advertising generates 96% of Google’s revenue, the motive for hacking seems clear. Hacking for profit is against the law. Google should not get a pass for what is a criminal act.
While most of the FTC’s focus has been related to misrepresentations to consumers, there are major communities of Safari users who are not consumers. In addition to business users, there are large numbers of Apple devices, including iPads, iPhones and Macs in use in the public sector. This includes hundreds of thousands of Apple products used by government agencies such as NOAA, military branches such as the Air Force, educational institutions and law enforcement. The fact that virtually all of these devices were accessed and manipulated by Google means this was probably one of the largest, deliberate attacks on government computing systems to have ever taken place. Add to this that the perpetrator was Google, a well-known US corporation, and that makes this case truly exceptional.
There are multiple laws in place to protect government computing assets. Given the security implications of these actions, the Department of Homeland Security should investigate how this happened and how it may have affected national security. This is especially relevant given that DHS is a major user of Apple products. Given the government regulations that are in place to prevent this type of action against government-owned assets, the Federal Bureau of Investigation should determine whether these actions broke federal and state laws and take appropriate action.
The Safari hack isn’t just an isolated incident. Google is under investigation or has been called out in over 35 situations around the world. This pattern of behavior needs to be addressed, and until Google’s management is made criminally responsible for the company’s actions it is just going to continue. In fact, Commissioner J. Thomas Rosch’s Dissenting Statement made the point that it is wrong that Google should be allowed to deny “any violation of the FTC Order, any and all liability for the claims set forth in the Complaint.”
How is it that government watchdogs have repeatedly fined Google for its behavior yet government institutions ignore these actions when evaluating and procuring government cloud solutions from Google? Why is it that not a single government agency has expressed concern or launched its own investigation? Given all the breaches of trust to date, how can institutions entrusted with protecting taxpayer data hand Google personal data, sensitive communications and government documents? Google has misrepresented and concealed its bad acts from consumers and it is doing likewise with our government. Someone needs to take action. If our government won’t take this seriously then maybe it is time taxpayers and citizens to push for real remedies to get Google to respect our privacy and the rule of law.