We'll pay your fine, but we won't admit we did anything wrong.
Those are the terms Google agreed to in its record-breaking settlement with the Federal Trade Commission, which announced Thursday it had penalized Google for the second time in a year for violating privacy promises made to its users.
Google's failure to cop to any wrongdoing has sparked dissent within the FTC and outcry from privacy advocates, who call the settlement "woefully insufficient." While Google hasn't assumed liability for any transgressions, the explanations it has offered are troubling themselves.
First, some background: Google has agreed to pay a $22.5 million fine for violating a consent decree signed with the FTC and misrepresenting privacy settings to users of Apple's Safari browser. The FTC faulted Google for using "cookies" that tracked Safari users online, despite Google's assurances that it would not do so.
The FTC order states that the defendant, Google, "denies any violation of the FTC Order, any and all liability for the claims set forth in the Complaint, and all material allegations of the Complaint save for those regarding jurisdiction and venue." In a dissenting statement, FTC commissioner J. Thomas Rosch expressed concern that allowing the company to deny liability in these circumstances was "unprecedented" and could set a troubling example for other firms.
The FTC's (second) reprimand is a major blow to Google's pro-privacy messaging and "don't be evil" image. But Google's response to the whole matter, as well as to past privacy issues, is no doubt doing some damage on its own.
When accused of a transgression, Google has repeatedly attributed issues to internal oversight or error. Just a little mix up, and all that. And here, once again, Google has answered regulators' fingerpointing with what amounts to an "Oops, we didn't mean to." That's our personal information they're "oops-ing" with, and not just once or twice, either. Intentional or not, Google's string of privacy oversights, and disquieting attempts to explain them as "by accident," are cool comfort from a company we're supposed to trust with our emails, questions, contacts, and, increasingly, whereabouts.
In Thursday's announcement, Google didn't go so far as to say that there weren't any cookies tracking user activity, or dispute facts laid out by the FTC, but seemed to dismiss the regulators for getting hung up over some technicalities.
"The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy," a Google spokesperson said in a statement. "We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple's browsers."
Google's response when Stanford researcher Jonathan Mayer first noted the Safari breach essentially amounted to a "shucks, sorry, that wasn't supposed to happen." In a statement released in February of this year, Google blamed the presence of Google advertising cookies on a "functionality" in the Safari browser that activated them, adding that it "didn't anticipate that this would happen." Not one person in Google's army of the world's best and brightest engineers could anticipate this would happen? One of the world's top tech companies -- which is worth more than $200 billion, has pioneered groundbreaking technology and is entrusted with millions of users' personal information -- essentially chalked up the incident to technical difficulties.
Google has been embroiled in another public relations nightmare, with slip-ups seemingly at every turn, following its admission that its Street View team accidentally collected personal information, such as emails and passwords, via Wi-Fi networks.
First, Google told the world in 2010 that the Wi-Fi data free-for-all was "quite simply...a mistake," and pinned the "inadvertent" data collection on a single "engineer working on an experimental WiFi project." That engineer wrote some code that Google's mobile team later included in its software, though Google said the team didn't specifically intend to capture personal data. This effort to contain the problem by pointing fingers at one engineer only raises more questions about how carefully the company is considering the public's privacy. Do people often slip code into products without oversight? And no one took a look at this progammer's code?
Turns out a few people did. The FCC's investigation of the matter revealed that that lone engineer actually shared his work with the entire Google Street View team. And two years after promising to delete the data it collected by "mistake," Google has admitted to regulators in Europe that due to an "error," it still had some of that data in its possession.
Google is an enormous, innovative company forging new ground in numerous fields. It also has a lot on its mind -- competitors, investors, advertisers, regulators, and, somewhere on that list, us. But judging from what Google has told us itself, it doesn't seem to be able to multitask all of that successfully. Wanting to position itself as privacy conscious with our best interests in mind, Google chalks up its missteps to "mistakes," "errors," and unanticipated consequences. Would it be better to hear that the company messed up with our privacy because it reached a bit too far, as with Google Buzz, than to hear one more time that something slipped through the cracks? With these "mistakes," it's our personal data that's often being put at risk.
Do companies mess up? Yes. Yet from the user's vantage point, it appears that out of all the things Google is trying to juggle, it's dropping the ball when it comes to our information.