Computers, Privacy & the Constitution

"Safarigate" and Challenges to Protecting Browser Privacy Settings

-- By KristenLovin - 18 Mar 2012

On February 17, the Wall Street Journal announced that Google purposefully circumvented the privacy settings of Safari users, allowing it to “track[] the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” In response, Matthew Sobel filed a class action against Google, alleging violation of the Wiretap Act, the SECA, and the CFAA. Although it seems the suit was meant to be a punitive strike against Google for its “illicit activities,” its ability to fill this capacity is doubtful.

I thought it was a move to provide some public attention for the lawyer who filed it, and a possible settlement if Apple will provide assistance to enable him to hang on through the initial round of expense-raising by Google's counsel. I think they won't.

Problematic Legal Theories

As a preliminary matter, the complaint’s legal theories have a number of technical problems that rob it of efficacy.

Article III Standing

Sobel may have difficulty establishing Article III standing. At least one district court has denied standing to users whose personal information was collected through the use of tracking cookies. Persuasive to the court was the idea that collection of personal information foreclosed no user from a “value-for-value exchange” and an S.D.N.Y. finding that “website visitors do not suffer a cognizable ‘economic loss’ from the collection of their data.” However questionable these assumptions are, a court could apply this same line of reasoning here.

SECA: Cookies are not “Electronic Storage”

Further, Google’s use of cookies may insulate it from SECA liability. In re DoubleClick held that cookies are not in “electronic storage,” and are thus not covered by the SECA. According to the court, the SECA was meant to protect electronic communications that are stored temporarily while they are in the process of delivery; cookies, by contrast, are stored indefinitely and therefore are not covered under the act. Because Google’s cookies expire in 12-24 hours, Google may be able to distinguish this case. However, this seems unlikely, as In re DoubleClick requires that plaintiffs allege the accessed storage is “temporary.” Sobel has not done this.

Wiretap Act: “+1” Clicks Provide Consent

Finally, Google may also avoid Wiretap Act liability by raising consent as a defense. Unlike most third-party cookies, Google’s cookie is only installed after a user clicks the “+1” button on a Google Ad. The “+1” button is Google’s equivalent of the Facebook “like,” and Google+ users will recognize this as a means of associating voluntarily submitted preferences with their profile. Accordingly, such “surrounding circumstances” could conceivably be enough to “convincingly show that the party knew about and consented to the interception,” thus evading liability under the Wiretap Act. Berry v. Funk.

Right to Privacy?

Even more problematic than the legal theories, though, is that the complaint seems animated by some background assumption of a right to privacy in the web browsing space. Default browser policies toward third-party cookies (which, by the way, most users are oblivious to) are a long way off from the traditional chalk circles that dominate 4th Amendment jurisprudence. If we get into a discussion about hard drives and SRAM arrays, it may be possible to say that cookies have a physical dimension. However, their amenability to 4th Amendment protection ends here. When users say they want their browsing history to remain private, they aren’t saying they want to protect individual files on their personal computers from outside access. Rather, they are saying they want the information contained in these files to not be discovered by others.

No, not only. They are also saying that they want routing data in third party hands and web server log data in the hands of the operators of websites they visit to be somehow enough "theirs" to be attached to their legal interests, and thus neither available to government nor saleable. That's a tall order. This is an easier problem to solve technologically.

This, however, is well beyond the scope of the 4th Amendment. Even if a web browser could block tracking cookies under some supposed right to privacy, websites can use other techniques, such as IP tracking, web bugs, and CSS sniffing, to discover user browser history. Moreover, the aggregation of information often creates new information that plugs holes: just because one third-party cookie is blocked on one user’s machine does not mean an advertiser could not use other users’ browsing histories to uncover that user’s preferences and interests. The 4th Amendment can do little to stop any of this.

Caselaw analogizing computers to closed containers also provides little help in extending a right to privacy to third-party cookies. Courts have generally held that a reasonable expectation of privacy extends to electronic files stored on personal computers. See, e.g., United States v. Andrus; United States v. Heckenkamp. However, this expectation ends when a person shares that information in some way, such as connecting to a military network or posting information to an electronic bulletin board. Not only do third-party cookies share information across a network, they are not even files created personally by the user. Rather, the user’s computer simply operates as a repository for third-party generated information: in allowing the generation of third-party cookies, the user has effectively given that company the key to one of his storage lockers and said “put anything you want in here.” An expectation of privacy hardly seems reasonable in this case.

This is drawing conclusions on the basis of metaphors. Why not say that each cookie is a hat-check ticket in the web site's coat rack? If you give it to them next time they'll remember something about you and give you your hat. If you destroy the ticket, which you are completely free to do, they'll forget all about you and you won't be able to push your shopping cart around their store. They also won't be tracking you anywhere else. How about that?

Remaining Recourse?

Thus, if neither federal statutes nor the 4th Amendment can do much to assert browser privacy preferences, what recourse do users have? In this particular case, the answer is simple: don’t click the “+1” button. Google only installs its tracking cookie after the first click of this button, so no click means no cookie. Obviously, Google has plenty of other ways in which it can monitor user behavior, but this at least maintains the no third-party cookie preference set up by Safari.

But in the more general case of web browsing history, the answer is less clear. Protective measures such as in-private browsing or use of proxy servers only prevent the flow of some information, but aggregation often provides enough to fill in holes. Perhaps the ultimate answer is we cannot prevent discovery of our web browsing behavior, but we can at least use measures like browser settings to shape how it is done. Much like the incantations the 4th Amendment requires for government search, users can tell companies that they cannot collect web browsing history without taking certain steps. This does not protect the underlying information, but it at least gives some voice to an otherwise powerless (and mostly clueless) mass.

Why wasn't the first question, why am I using Safari? Just switch to Firefox. End of the original problem, and in addition to not being abused by Google, you're not being abused by the undead corpse of Jobs, either. You can have true AdBlocking, and NoScript, and TrackMeNot, and FoxyProxy, and all the other wonderful Firefox privacy add-ons, as well as great research tools like Zotero. Why are you using Safari? Because you were bitten by the vampire, and now you're supposed to remain undead too. But you can have all the freedom you want. OS/X is just free software that's been kissed by the Undead. And if you want privacy, don't "like" things in anybody's system.

Remind me why we needed to go to the Supreme Court again?



r3 - 11 Jan 2013 - 21:48:51 - IanSullivan
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.