By Jeff Gould
My friend and co-blogger Doug Miller argues below that Google’s cunning hack of Safari to circumvent the Apple browser’s default blocking of third party cookies was not just a bad act, but criminal mischief.
Some readers might find this claim a little too strong. Granted, they will say, Google broke the rules. But where’s the harm? After all, the only bad consequence was that some Safari users got tracked by DoubleClick and served some targeted ads they otherwise might not have seen. Perhaps Nike sold a few more pairs of shoes than they had a right to expect. But no state secrets were lost. So why all the talk about criminal action?
Well, here’s why. It’s easy to excuse Google on the grounds that “after all, the hack was only about serving ads, that’s not really evil”. But suppose the exact same hack had been perpetrated by Chinese government hackers? Would we still be asking where the harm was? I don’t think so.
Suppose, to flesh out this scenario, that Chinese hackers infiltrated and took over a small U.S. ad serving company and started using that firm’s third party cookies to track and profile the browsing behavior of certain U.S. government employees. They could do this by placing ads on selected web sites known to be read by Federal employees working in, say, the Department of Defense (think of all the web sites devoted to covering news of defense procurement and contracting). If the hackers placed their ads and tracking cookies on a wide enough range of web sites, they could eventually build up user profiles that allowed them to identify specific named individuals [see footnote below]. They might even lure some of these users to web pages that downloaded malicious code to the users’ computers. It isn’t hard to see how such a scenario could lead to a Federal government security breach of epic proportions.
In short, while Google’s Safarigate hack may have been motivated by nothing more evil than good old greed, the technique that the web advertising giant used could be far more dangerous when wielded by more hostile parties. It’s time for Google to clean up its culture of rule breaking. This is the kind of thing that will hurt us all one day if they don’t fix it.
FOOTNOTE: Remember, research shows that zip code, birthdate and gender are enough to identify 87% of people in the U.S. uniquely. See Latanya Sweeney, Simple Demographics Often Identify People Uniquely. And a disturbing number of web sites transmit data such as these contained in web registration forms to third party advertisers. For a fascinating and frightening discussion of how many leading web sites knowingly or unknowingly leak user information to third party advertisers, see Jonathan R. Mayer and John C. Mitchell, Third-Party Web Tracking: Policy and Technology.