FTC Commissioner J. Thomas Rosch: FTC Commissioners Never Intended for Google to Retain Hacked Safari Data
Posted in: Uncategorized
On Friday, Judge Susan Illston approved the settlement between Google and the FTC regarding Google’s hack of the Safari browser. In doing so she gave Google the right to retain and use the data it secretly obtained by tricking the Safari browser into thinking users had given permission to track them, contrary to what users were told in Google’s privacy agreement.
Many news reports recount that in court, Illston had concerns about Google’s ability to retain the illegally obtained data of up to 190 million Safari users as part of the settlement. As I wrote on Friday:
“The Commission considers Consumer Watchdog’s concern to be unlikely, because old data is of negative value” said the FTC counsel Adrienne Fowler, who maintained that Google anonymizes IP addresses after nine months and can no longer associate it with individual users, rendering the data useless.
Something about that didn’t ring true to me. Consumer Watchdog’s case was basically built on the dissent of FTC Commissioner J. Thomas Rosch (PDF), who made no mention of the fact that Google would be able to retain the data in his opposition to the settlement agreement. Surely Rosch would have mentioned that elephant in the room if he knew about it at the time.
And, it turns out, he didn’t — and neither, he says, did any of the other commissioners.
I emailed Commissioner Rosch yesterday and posed the following questions:
I am curious to know if you were aware at the time that you wrote your dissent that Google would be allowed to retain and use the data they obtained when they violated their privacy agreement with Safari users.
If so, are you in agreement that it is fair to let them continue using the data? And why was no explicit mention of this part of the agreement made to either the courts or in the press?
If not, can you tell me when the commission became aware that the terms of the agreement allowed Google to continue exploiting the data, and if there was consensus at the time the government responded to Consumer Watchdog’s amicus curiae brief, making it explicit that Google could do so?
Commissioner Rosch responded to my email today:
The answers to your questions in order are: No. No. No, In other words, neither I nor anyone else at the Commission was aware of the cookie issue until the plaintiffs brought it up before Judge Illston.
According to Rosch, when the FTC wrote the settlement agreement, it was neither contemplated, discussed nor intended that Google be able to retain the data.
How did this happen? It’s hard to tell. You can read a history of this rather confusing court case here. Basically, the court had to approve the settlement reached between the FTC and Google. The independent group Consumer Watchdog, represented by noted Silicon Valley antitrust attorney Gary Reback, filed and amicus brief in opposition to the settlement. The Department of Justice, representing the FTC, filed a response to Consumer Watchdog’s brief. When Reback read it, he amended the CW brief because he was extremely concerned that it implied Google would be able to retain and use the illegally obtained data in the future under the terms of the somewhat opaquely-worded settlement. To which the DoJ lawyers did not object.
Why is this important? Because Judge Illston justifies her decision to approve the settlement based on claims made by Google and the FTC that the concerns raised by Consumer Watchdog about Google’s future use of the data were considered and dismissed by the commissioners (PDF):
At the hearing, both the FTC and Google asserted that these concerns had been considered and dismissed in the course of negotiating the settlement. The parties state that Google would be unlikely to use the information from the Safari cookies for several reasons. First, because the data is old, it contained data — or outdated — information of very low value. Further, Google has now ‘anonymized” the IP addresses, and there fore the data cannot reliably be linked to individuals. More generally, the FTC considered and rejected many more stringent injunctions because the risk that they would hamper Google’s ability to protect consumers from data security and malware vulnerabilities outweighed the benefits to the public. (my emphasis)
But according to Commissioner Rosch, none of that ever happened. He emphatically says that “neither I nor anyone at the Commission was aware of the cookie issue until the plaintiffs brought it up before Judge Illston.”
In the government’s response to CW’s amicus brief, they claim that Google has already profited $4 million from the use of the illegally obtained data. And the Judge just gave them the right to continue using the data based on representations from both Google and the FTC’s lawyers that this is what the Commissioners intended.
It appears that when the issue came up, Google decided they wanted to keep using the data, and the FTC staff didn’t go back and check with the commissioners. Instead, both went into court and misrepresented the history of the settlement deliberations to the judge.
It’s extremely disconcerting that Google is going to be allowed to retain data it obtains illegally as part of the settlement. But it’s even more troublesome to see how easily Google can manipulate the only watchdog they really have. If the FTC’s lawyers are reflecting what Google wants, rather than its own commissioners, it doesn’t bode well for the upcoming antitrust settlement.