Given the importance of privacy self-help—that is, setting your browser to control what it reveals about you when you surf the Web—I was concerned to hear that Google, among others, had circumvented third-party cookie blocking that is a default setting of Apple’s Safari browser. Jonathan Mayer of Stanford’s Center for Internet and Society published a thorough and highly technical explanation of the problem on Thursday.

The story starts with a flaw in Safari’s cookie blocking. Mayer notes Safari’s treatment of third-party cookies:

- Reading Cookies: Safari allows third-party domains to read cookies.
- Modifying Cookies: If an HTTP request to a third-party domain includes a cookie, Safari allows the response to write cookies.
- Form Submission: If an HTTP request to a third-party domain is caused by the submission of an HTML form, Safari allows the response to write cookies. This component of the policy was removed from WebKit, the open source browser behind Safari, seven months ago by Google engineers. Their rationale is not public; the bug is marked as a security problem. The change has not yet landed in Safari.

Mayer says Google was exploiting this yet-to-be-closed loophole to install third-party cookies, after which Safari would allow their domain to write further cookies. After describing “(relatively) straightforward” cookie synching, Mayer says:

But we noticed a special response at the last step for Safari browsers. … Instead of responding with the “_drt_” cookie, the server sends back a page that includes a form and JavaScript to submit the form (using POST) to its own URL.

Third-party cookie blocking evaded, and users’ preferences frustrated.
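To make the interaction of the three rules concrete, here is an added model of the policy as summarised above (not part of the original post, not Mayer's code, and not WebKit code). All names are hypothetical, the domains are constructed, and "third-party" is simplified to a plain domain mismatch; the `formRule` switch compares Safari's behaviour as described with the WebKit change that removed the form-submission rule.

```javascript
// Added model of the third-party cookie policy described in the post.
// makeBrowser, request and formRule are hypothetical names, not browser APIs.
function makeBrowser({ formRule }) {
  const jar = new Map(); // cookie jar: domain -> Map(name -> value)

  // Simulate one request/response pair and report what the policy decided.
  function request({ pageDomain, targetDomain, viaFormSubmit = false, setCookie = null }) {
    const thirdParty = pageDomain !== targetDomain; // simplification
    const existing = jar.get(targetDomain) || new Map();
    const sentCookies = [...existing.keys()]; // "Reading Cookies": always sent

    let mayWrite, reason;
    if (!thirdParty) {
      mayWrite = true; reason = "first-party";
    } else if (sentCookies.length > 0) {
      // "Modifying Cookies": the request already carried a cookie
      mayWrite = true; reason = "request carried a cookie";
    } else if (viaFormSubmit && formRule) {
      // "Form Submission": the rule WebKit later removed
      mayWrite = true; reason = "form submission";
    } else {
      mayWrite = false; reason = "blocked";
    }

    let stored = false;
    if (setCookie && mayWrite) {
      existing.set(setCookie.name, setCookie.value);
      jar.set(targetDomain, existing);
      stored = true;
    }
    return { thirdParty, sentCookies, stored, reason };
  }

  const cookiesFor = (domain) => [...(jar.get(domain) || new Map()).keys()];
  return { request, cookiesFor };
}

// Constructed sequence: tracker.example is embedded in a page on news.example.
function runSequence(formRule) {
  const browser = makeBrowser({ formRule });
  const base = { pageDomain: "news.example", targetDomain: "tracker.example" };
  const steps = [
    // 1. Ordinary embedded request tries to set a cookie.
    browser.request({ ...base, setCookie: { name: "id", value: "1" } }),
    // 2. Request caused by a form submission tries again.
    browser.request({ ...base, viaFormSubmit: true, setCookie: { name: "id", value: "1" } }),
    // 3. Later ordinary request tries to set a second cookie.
    browser.request({ ...base, setCookie: { name: "ads", value: "2" } }),
  ];
  return { reasons: steps.map((s) => s.reason), jar: browser.cookiesFor("tracker.example") };
}

console.log("policy as described:", runSequence(true));
console.log("form rule removed:  ", runSequence(false));
```

With the form rule in place, the single cookie stored at step 2 is what makes step 3 succeed under the "Modifying Cookies" rule; with the rule removed, the jar stays empty for the whole sequence.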

Ars Technica has published Google’s response, which doesn’t seem to have gone up on any of its blogs, in full. Google says they created this functionality to deliver better services to their users, but doing so inadvertently allowed Google advertising cookies to be set on the browser.

I don’t know that I’m technically sophisticated enough to register a firm judgement, but it looks to me like Google was faced with an interesting dilemma: They had visitors who were signed in to their service and who had opted to see personalized ads and other content, such as ‘+1’s, but those same visitors had set their browsers contrary to those desires. Google chose the route better for Google, defeating the browser-set preferences. That, I think, was a mistake.

I wonder if there isn’t some Occam’s Razor that a Google engineer might have applied at some point in this process, thinking, “Golly, we are really going to great lengths to get around a browser setting. Are we sure we should be doing this?” Maybe it would have been more straightforward to highlight to Safari users that their settings were reducing their enjoyment of Google’s services and ads, and to invite those users to change their settings. This, and urging Apple to fix the browser, would have been more consistent with the company’s credo of non-evil.

Now, to the ideological stuff, of which I can think of two items:

1) There is a battle for control of earth out there—well, a battle over whether third-party cookie blocking is good or bad. Have your way, advocates. I think the consuming public—that is, the market—should decide.

2) There is a battle to make a federal case out of every privacy transgression. An advocacy group called Consumer Watchdog (which has been prone to privacy buffoonery in the past) hustled out a complaint to the Federal Trade Commission. I think the injured parties should be compensated in full for their loss and suffering, of which there wasn’t any. De minimis non curat lex, so this is actually just a learning opportunity for Google, for browser authors, and for the public.

Kudos and thanks are due to Jonathan Mayer, as well as ★★★★★ and Ashkan Soltani, for exposing this issue.

[Cross-posted at Reason.org]

This week Google announced that it is grouping 60 of its Web services, such as Gmail, the Google+ social network, YouTube and Google Calendar, under a single privacy policy that would allow the company to share user data between any of those services. These changes will be effective March 1.

Although we have yet to see it play out in practice, this likely means that if you use Google services, the videos you play on YouTube may automatically be posted to your Google+ page. If you’ve logged an appointment in your Google calendar, Google may correlate the appointment time with your current location and local traffic conditions and send you an email advising you that you risk being late.

At the same time, if you’ve called in sick with the intention of going fishing, that visit to the nearby state park might show up on your Google+ page, too.

The policy, however, will not include Google’s search engine, Google’s Chrome web browser, Google Wallet or Google Books.

The decision quickly touched off discussion as to whether Google was pushing the collection and manipulation too far. The Federal Trade Commission is already on its back over data sharing and web tracking. With this latest decision, although it’s not that far from how Facebook, Hotmail and Foursquare work, just more streamlined, Google, some say, is all but flouting user and regulatory concerns.


Over at TIME.com, [I write that](http://techland.time.com/2012/01/17/why-googles-biggest-problem-isnt-antitrust-with-search-plus-your-world/) while some claim that Google Search Plus Your World violates antitrust laws, it likely doesn’t. But I note that Google does have a big problem on its hands: market reaction.

>So if antitrust is not Google’s main concern, what is? It’s that user reaction to SPYW and other recent moves may invite the very switching and competitive entry that would have to be impossible for monopoly to hold. … Users, however, may not wait for the company to get it right. They can and will switch. And sensing a weakness, new competitors may well enter the search space. The market, therefore, will discipline Google faster than any antitrust action could.

Read [the whole thing here](http://techland.time.com/2012/01/17/why-googles-biggest-problem-isnt-antitrust-with-search-plus-your-world/).

By Berin Szoka, Geoffrey Manne & Ryan Radia

As has become customary with just about every new product announcement by Google these days, the company’s introduction on Tuesday of its new “Search, plus Your World” (SPYW) program, which aims to incorporate a user’s Google+ content into her organic search results, has met with cries of antitrust foul play. All the usual blustering and speculation in the latest Google antitrust debate has obscured what should, however, be the two key prior questions: (1) Did Google violate the antitrust laws by not including data from Facebook, Twitter and other social networks in its new SPYW program alongside Google+ content; and (2) How might antitrust restrain Google in conditioning participation in this program in the future?

The answer to the first is a clear no. The second is more complicated—but also purely speculative at this point, especially because it’s not even clear Facebook and Twitter really want to be included or what their price and conditions for doing so would be. So in short, it’s hard to see what there is to argue about yet.

Let’s consider both questions in turn.

Should Google Have Included Other Services Prior to SPYW’s Launch?

Google says it’s happy to add non-Google content to SPYW but, as Google fellow Amit Singhal told Danny Sullivan, a leading search engine journalist:

Facebook and Twitter and other services, basically, their terms of service don’t allow us to crawl them deeply and store things. Google+ is the only [network] that provides such a persistent service,… Of course, going forward, if others were willing to change, we’d look at designing things to see how it would work.


By Geoffrey Manne and Berin Szoka

Back in September, the Senate Judiciary Committee’s Antitrust Subcommittee held a hearing on “The Power of Google: Serving Consumers or Threatening Competition?” Given the harsh questioning from the Subcommittee’s Chairman Herb Kohl (D-WI) and Ranking Member Mike Lee (R-UT), no one should have been surprised by the letter they sent yesterday to the Federal Trade Commission asking for a “thorough investigation” of the company. At least this time the danger is somewhat limited: by calling for the FTC to investigate Google, the senators are thus urging the agency to do . . . exactly what it’s already doing.

So one must wonder about the real aim of the letter. Unfortunately, the goal does not appear to be to offer an objective appraisal of the complex issues intended to be addressed at the hearing. That’s disappointing (though hardly surprising) and underscores what we noted at the time of the hearing: There’s something backward about seeing a company hauled before a hostile congressional panel and asked to defend itself, rather than its self-appointed prosecutors being asked to defend their case.

Senators Kohl and Lee insist that they take no position on the legality of Google’s actions, but their lopsided characterization of the issues in the letter—and the fact that the FTC is already doing what they purport to desire as the sole outcome of the letter!—leaves little room for doubt about their aim: to put political pressure on the FTC not merely to investigate, but to reach a particular conclusion and bring a case in court (or simply to ratchet up public pressure from its bully pulpit).

[I am participating in an online “debate” at the American Constitution Society with Professor Ben Edelman.  The debate consists of an opening statement and concluding responses.  Professor Edelman’s opening statement is here.  I have also cross-posted the opening statement at Truthonthemarket and Tech Liberation Front. This is my closing statement, which is also cross-posted at Truthonthemarket.]

Professor Edelman’s opening post does little to support his case.  Instead, it reflects the same retrograde antitrust I criticized in my first post.

Edelman’s understanding of antitrust law and economics appears firmly rooted in the 1960s approach to antitrust in which enforcement agencies, courts, and economists vigorously attacked novel business arrangements without regard to their impact on consumers.  Judge Learned Hand’s infamous passage in the Alcoa decision comes to mind as an exemplar of antitrust’s bad old days when the antitrust laws demanded that successful firms forego opportunities to satisfy consumer demand.  Hand wrote:

we can think of no more effective exclusion than progressively to embrace each new opportunity as it opened, and to face every newcomer with new capacity already geared into a great organization, having the advantage of experience, trade connections and the elite of personnel.

Antitrust has come a long way since then.  By way of contrast, today’s antitrust analysis of alleged exclusionary conduct begins with (ironically enough) the U.S. v. Microsoft decision.  Microsoft emphasizes the difficulty of distinguishing effective competition from exclusionary conduct; but it also firmly places “consumer welfare” as the lodestar of the modern approach to antitrust:


[I am participating in an online “debate” at the American Constitution Society with Professor Ben Edelman.  The debate consists of an opening statement and concluding responses.  Professor Edelman’s opening statement is here.  I have also cross-posted this opening statement at Truthonthemarket.]

The theoretical antitrust case against Google reflects a troubling disconnect between the state of our technology and the state of our antitrust economics.  Google’s is a 2011 high tech market being condemned by 1960s economics.  Of primary concern (although there are a lot of things to be concerned about, and my paper with Geoffrey Manne, “If Search Neutrality Is the Answer, What’s the Question?,” canvasses the problems in much more detail) is the treatment of so-called search bias (whereby Google’s ownership and alleged preference for its own content relative to rivals’ is claimed to be anticompetitive) and the outsized importance given to complaints by competitors and individual web pages rather than consumer welfare in condemning this bias.

The recent political theater in the Senate’s hearings on Google displayed these problems prominently, with the first half of the hearing dedicated to Senators questioning Google’s Eric Schmidt about search bias and the second half dedicated to testimony from and about competitors and individual websites allegedly harmed by Google.  Very little, if any, attention was paid to the underlying economics of search technology, consumer preferences, and the ultimate impact of differentiation in search rankings upon consumers.

So what is the alleged problem?  Well, in the first place, the claim is that there is bias.  Proving that bias exists — that Google favors its own maps over MapQuest’s, for example — would be a necessary precondition for proving that the conduct causes anticompetitive harm, but let us be clear that the existence of bias alone is not sufficient to show competitive harm, nor is it even particularly interesting, at least viewed through the lens of modern antitrust economics.


by Berin Szoka & Geoffrey Manne

In advance of today’s Senate Judiciary hearing, “The Power of Google: Serving Consumers or Threatening Competition?,” we’ve assembled a list of fallacies you’re likely to hear, either explicitly or implicitly:

  1. Competitors, not Competition.  Antitrust protects consumer welfare: competition, not competitors.  Competitors complain because a practice hurts them, but antitrust asks only whether a practice actually hurts consumers. The two are rarely the same.
  2. Big Is Bad. Being big (“success”) isn’t illegal.  Market share doesn’t necessarily create market power.  And even where market power does exist, antitrust punishes only its abuse.
  3. Burden-Shifting. Google, like any defendant, is presumed innocent until proven guilty.  So Google’s critics bear the burden of proving both that Google has market power and that it has abused that power to the detriment of consumers.  Yet, ironically, it’s Google at the table defending itself rather than the antitrust agencies explaining their concerns.
  4. Ignoring Error Costs. The faster technology moves, the greater the risk of a “false positive” and the more likely “false negatives” are to be mooted by disruptive innovation that unseats incumbents.  Thus, error costs counsel caution.
  5. Waving the Magic Wand.  Google’s critics often blithely assume that Google is “smart enough to figure it out” when it comes to implementing, or coping with, a wide range of proposed remedies.  But antitrust remedies, like all regulation, must be grounded in technological reality, and we must be realistic about real-world trade-offs.


Republished from The Mark News

Privacy advocates are attacking Google again, this time for requiring that field-testers of its new, invite-only Google+ social network use “the names they commonly go by in the real world.” After initially suspending Google+ accounts flagged as pseudonymous, Google has clarified that such users will be given four days to add their real names to their profiles. Users who don’t like the policy can export all data they’ve put into Google+ and leave.

Cyber-sociologist Danah Boyd calls “real name” policies “an authoritarian assertion of power … [by] privileged white Americans … over vulnerable people [like] abuse survivors, activists, LGBT people, women, and young people.” In 2003, she denounced the “Fakester genocide” perpetrated by Friendster, the first major “real name” social network. Facebook later faced similar criticism from her and others for its purge of “Fakebookers” – those using fake names on the popular social network.

Boyd and others are right that anonymity can be “a shield from the tyranny of the majority,” as the U.S. Supreme Court has said while striking down laws requiring speakers to identify themselves. But, like the rest of the First Amendment, the right to anonymous speech limits government, not private actors. In other words, while the First Amendment bars government from forcing us to identify ourselves, those who sign up for Google+ must play by Google’s rules.

Boyd wants to regulate social-media giants as public utilities, but – unlike government bans – we can opt out of these services. Google and Facebook merely offer trusted communities that compete with sites like Twitter, where pseudonyms thrive alongside real names. With over 200 million users, Twitter has met the very demand Boyd cites – but she’s not satisfied.

As a gay activist myself, I’m sympathetic to her privacy concerns. But, as much as I respect Boyd, I find her obsession with “privilege” unhelpful. The engineers who design new social-networking tools may indeed tend to under-value the concerns of particularly privacy-sensitive users or groups. But their critics under-value authenticity’s benefits even more – or simply refuse to acknowledge that privacy is in tension with civility and usability, among other values.

I started to see hints of it last week, but I now believe Google+ is in full stumble-mode over user identity and naming. It looks as though they’ve taken common sense—everyone has one name—and woven it into their terms of service. You can’t use a non-traditional name on Google+. But naming and identity are more complex than that.

In my book, Identity Crisis, I wrote that an identity is a collection of information other people and institutions have about a person. Others use identity information they have to distinguish you from other people (or to group you) in their minds or records. This makes identity a gating mechanism: you can allow people into a part of your life by making them privy to the relevant set of identifiers, or keep them out by denying them that information.

Commonly, people use varied identities to exclude others, for social or professional reasons, such as when they open a social network account in a false name to keep their parents or their students from accessing parts of social life that are not meant for them to see. Sometimes identity is varied for political reasons, such as when an account opens in a pseudonym for the purpose of avoiding reprisal. This is an area where Facebook’s “real names” policy has stepped in it. The further one lives from conventional life in a given society, or the more contrarily to power, the more important it is to control identity.

Identity Woman—who tells her story at the first link above—uses her non-traditional identity in a non-traditional, but completely reasonable, way. It’s just the name that identifies her better to the community she plans to reach on Google+. But Google+ thinks that the name she is supposed to use is the same one her parents gave her, is the same one on her tax return, is the same one on her college degree, is the same one on her driver’s license.

Google+ has smartly replicated the real-world concept of social circles in its “circles” function. But they haven’t replicated real-world practice in terms of naming and identity. Why? Among other reasons, because doing so would allow users to decide which “circle” Google itself is in. Google doesn’t want that. Like Facebook wants to be your super-friend, Google wants to be your super-circle.

Google+ is seeing like a state, vastly simplifying the use of identity on its platform to serve its purposes. That will be a continuing discomfort and an impediment to its fullest success. But the fullest success of social networking will probably not be on an owned platform anyway.