Sending a message: The meaning of Google’s privacy fine

In Information Security, by Team Acumin / 23rd August 2012

The fine levied by the Federal Trade Commission (FTC) on Google for violation of privacy laws was either in proportion to the billions of dollars the multinational tech company makes every year or so big as to send a message that such abuses will not be tolerated by other organisations.

Either way, the $22.5 million (approximately £14.4 million) is humongous. What was the crime? Well, according to the FTC, which exists to ensure that consumers are protected from dishonest, manipulative and unfair practices, Google basically “misrepresented privacy assurances” to users of Apple’s Safari browser.

This is a huge indictment of a company known for its motto “don’t be evil”. In the preface of its code of conduct, Google explains that it’s “about doing the right thing more generally – following the law, acting honourably and treating each other with respect”.

The FTC concluded that the influential company was anything but honourable in its assertion that tracking cookies would not be placed on users’ computers. This it did, which in turn meant that people’s browsing habits could be monitored without permission. Targeted ads could then be deployed.

“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” stated Jon Leibowitz, chairman of the FTC. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”

It’s a statement of magnitude because it reinforces the importance of privacy, which has had its foundations shaken ever since the internet began to find its voice, so to speak, and when people began to “live, socialise and exist” in a virtual world. Without privacy – or the option to preserve it as we so choose – we risk being exploited and the internet becomes a playground for this

“At the bottom, the elimination of spyware and the preservation of privacy for the consumer are critical goals if the internet is to remain safe and reliable and credible,” Cliff Stearns, the US representative for Florida’s 6th congressional district, once said. You can’t dispute that argument.

An attorney from the IT Law Group says that companies should not pay lip service to privacy and, if they have a practice, should stick to it. Speaking to BankInfoSecurity, Francoise Gilbert, who has far-reaching and detailed experience with data protection and information security, said that while a privacy policy is a good thing, if it’s not adhered to, it becomes inessential.

Google, while accepting the fine, didn’t have to accept any wrongdoing. It’s a strange thing given that the fine is unprecedented, and resulted in one judge dissenting on the decision. His colleagues, however, argued that denial of liability is not inconsistent with the “imposition” of a civil penalty. So long as Google pays the fine, then that is all that matters.

The FTC accepts that the fine may be perceived as insufficient, but to kind of steal a quote from Heath Ledger’s Joker in The Dark Knight, it’s not necessarily about the money, it’s about sending a message. The fine is part of that message: you abuse privacy, you will be hit hard. Google’s reputation might be intact given how useful it is to our lives, but other companies might not have that luxury.