I had the opportunity to speak with Silicon Valley antitrust lawyer Gary Reback yesterday, who filed the amicus brief on behalf of Consumer Watchdog opposing the proposed settlement between Google and the FTC over the Safari hack. He will be in court tomorrow presenting arguments before U.S. District Court Judge Susan Illston.
Reback has been on Google’s back for a while, but he is perhaps best known for his work in the late 90s in which he basically embarrassed the Department of Justice into taking over the FTC’s stalled investigation of Microsoft. Wired Magazine called him “the Robin Hood of the rich” and said “if there is one man Bill Gates fears – and there may be only one man Bill Gates fears – it is Gary Reback.”
The Google honchos can’t be sleeping too easily at night knowing that Reback may be doing the same thing once again.
This week FTC chief Jon Liebowitz gave Google a 2 week deadline to come up with a proposed settlement in the agency’s antitrust investigation, which is roughly the equivalent of handing your errant teenager a beer and an Xbox and telling him he has 2 weeks to suggest his own punishment.
“I can’t help but see the parallels here,” says Reback of the Google and Microsoft cases. “We are all painfully aware that the FTC has Google under investigation.” He sees the weak settlement crafted over the Safari hack as “a proxy for the slipshod job the FTC will do in the Google antitrust case — a meaningless settlement with a big press release.”
In the amicus brief filed on behalf of Consumer Watchdog, Reback chides the FTC for its “halfhearted and ineffectual attempts to make Google respect the privacy of Internet users.”
He lays out the history of the agency’s weak oversight of Google’s numerous recent privacy violations:
After Germany busted Google in 2010 for collecting personal internet content on non-password protected WiFi networks as they drove past houses collecting photos for Google’s mapping service, “the lights remained off at the federal government,” says Reback.
Google initially claims that it was not intentional, and that they didn’t capture passwords, private email messages or other “payload” data. But when the German Data Protection Authority demanded an audit, they found that Google not only captured such data, but retained it. Despite requests for an investigation by Ed Markey (D) and Joe Barton (R), cochairs of the Congressional Bi-Partisan Privacy Caucus, the FTC declined to investigate.
The FCC investigated, however, and contra Google’s claims that the capture was just the result of a rogue engineer, they found that Google senior management was aware and approved of what was going on. Google admits that “entire emails and URLs were captured, as well as passwords.” The FCC assessed them maximum fine possible, $25,000, and published a report saying that Google “deliberately impeded and delayed ” the investigation. They closed the case without filing charges, however, because “the Google engineer in charge of the project refused to talk to federal investigators, so the FCC could not make necessary factual determinations” according to Reback’s brief.
“No formal investigation was undertaken; no charges (either in the FTC or in the courts) were filed; no order to regulate future conduct was entered; no fines were assessed,” Reback scathingly concludes.
2. Google Buzz
In 2010, Google also launched the social networking service Google Buzz in order to compete with Facebook. Since Google Buzz had no users, “Google decided to kick start it,” says Reback, “by taking personal information provided by registered users of Google’s popular online email service, Gmail, including first and last names and email contacts, and publicly integrating information into Buzz without permission.”
Imagine the shock of people who woke up to find that all the world could now see they had a circle of “friends” including their bookie, their dominatrix, their abusive ex-husband, prospective employers, their shrink or that special someone they’ve been cheating on their spouse with. Not really anything you gave Google permission to do when you signed up for Gmail in the first place.
The FTC reached a settlement with Google, which had no fine and did not force Google to admit that they had broken the law. Google did, however, agree to restore their prior policy of getting permission before using consumer information in a manner different than the purpose it was collected for.
In 2012, “likely before the ink was even dry” on the FTC Google Buzz settlement, Google announced that it was changing its policy to exactly what they promised they would not do in the Google Buzz consent decree — “combine personal information from one service with information, including personal information from other services” without getting your permission first.”
The bipartisan co-chairs of the Privacy Caucus once again write to the FTC saying “WTF,” but the FTC declines to investigate.
4. Safari Hack
In February 2012 Google was busted for using a code that “tricks” Apple’s safari browser into thinking the user has given permission for it to send tracking data back to Google’s servers. The Department of Justice, on behalf of the FTC, filed a complaint alleging that this violated the Google Buzz consent decree. At the very same time, they filed the settlement agreement — which had already been negotiated with and agreed to by Google.
Once again, Google gets to skate without any admission of wrongdoing. (And weirdly, in their reply to Consumer Watchdog’s amicus brief, Google still maintains that it was all just a happy accident, the unfortunate result of the way the Safari browser interacted with DoubleClick cookies. Seriously, Google?) They agree to pay a fine of $22.5 million, the largest fine ever assessed by the FTC, and the awkwardly-worded statement implies they will delete their ill-gotten data.
However when the government filed their response to Reback’s amicus brief, it became clear that Google was not being forced to delete the data from the Safari hack. “I expected the government to come back and say ‘no, you’re reading that wrong,’ says Reback. “But they didn’t.” In their response “all they cared about was ‘don’t let him talk about it in court.'”
Reback blasts the government for allowing Google to keep and continue to profit from the data they collected from 190 million users with the Safari hack:
Basically, the proposed remediation requires Google to “expire” the cookies it set in violation of the Buzz Decree, but permits Google to keep the data those cookies collected (including IP addresses) and to sue that data in its ongoing business, thereby continuing to profit from its misconduct. The government is either unaware of this result or has simply neglected to mention it to the court, the press and the public….We are mystified as to why the government did not point out to the Court Google’s ability to continue to use improperly-collected data in the future.” (my emphasis)
He alleges that the government has “relied too heavily on the defendant in crafting the settlement,” because the FTC contemplated an injunction against Google but pulled it at the last minute. He says that the court is permitted to consider this when determining whether or not to approve the settlement.
Tomorrow’s court appearance
What does Reback anticipate will happen tomorrow in court?
“The other side wants to argue the legal standard and we want to argue the facts. Which isn’t surprising, since they can’t argue the facts,” he says.
Reback asserts there is legal precedent for a district judge to question a consent decree because the defendant is not required to admit guilt. He points to the FTC’s settlement with Circa Direct, in which the district court repeatedly asked them to submit a briefing on whether the FTC’s failure to obtain an admission of liability meets the standard of the court’s public interest analysis.
“The denial of liability goes beyond Circa Direct,” says Reback. “The fact that what happened was confusing makes it difficult for people who want to protect their privacy in the future to understand that they can’t rely on Google.”
What would he like to see come out of the hearing?
“My initial hope was to just get a hearing,” said Reback. “In particular I hoped the legal press would start saying ‘what’s going on here, why is this significant?’ Now that I’ve gotten that, it turns out that there’s such bad stuff going on here, maybe I can get the decree conditioned. I got that when I was challenging the AT&T/SBC merger. ”
At the very minimum, he hopes Judge Illston will say “I can’t approve this as-is, I need more information. At minimum, you’ve got to destroy the data.”
Secondly, he hopes she demands that the government be candid. “Did you just not tell me they don’t have to destroy the data, or did you just not know?”
He says he thinks Illston is “a very good judge,” who has previously written an opinion in which an environmental group challenged a PG&E consent decree, which she eventually approved.
“Does she feel she’s constrained by that opinion? I don’t know,” he says. “She’s not going to want to open a hornet’s nest. The only way I’m going to be able to get her on my side is to demonstrate that there are so many deviations [in the agreement] that it’s off the charts and needs to be swatted down.”
“That’s been something many counsel have observed about Google: once they’re in litigation they change the thing so the court can’t examine it. I don’t know how she’s going to respond. She might be outraged, I don’t know.”
The FTC and the Google Antitrust Case
What does he think the FTC should do in the Google antitrust case?
“The antitrust problem is occasioned when somebody has gotten control of a platform,” says Reback. “The FTC is going to try to file under Section 5 of the FTC Act, which is not well-suited because it is intended to proscribe particular things.”
“The FTC is going to try to stop them from scraping Yelp restaurant reviews. Stopping them from doing things they’ve already done doesn’t help you. They need to fix the underlying problem. You have to proscribe their next anti-competitive step, and we don’t know what that is.”
He believes the only way to do that is to force Google to divest, particularly its verticals like travel and shopping. Although Bing and Yahoo have similar verticals, they are run by independent vendors.
He isn’t hopeful this is a solution currently being entertained by the FTC, however. “All Jon Liebowitz is looking for is a fig leaf proposal. It’s hard for me to imagine Google won’t give it to him,” says Reback.
The parties will be in court tomorrow morning in San Francisco some time about 11:00 am pacific time. It’s somewhat unusual for a judge to call such a hearing in a case like this, so it will be interesting to hear what questions she will pose to the parties.