Google sued for bypassing cookie-blocking security features

March 13, 2012

Last November, I wrote a blog post about a lawsuit that Facebook was facing.

That lawsuit alleged that Facebook was unlawfully intercepting cookies in violation of the Wiretap Act, which prohibits the “intentional interception” of “electronic communications.”

The post reached the conclusion that these “interceptions” weren’t violations of the Wiretap Act since Facebook was the intended recipient of the cookies, regardless of whether the user sending them was aware of their transmission.

But what happens if a user believed that he had blocked the transmission of such cookies, and an online party had found a way to bypass this to get those cookies anyway?

This poses a very interesting legal question, and luckily, it isn’t going to stay confined to the realm of the theoretical.

In response to a report released last month, Google is being sued for circumventing a security feature built into the Safari internet browser that purported to prevent third-party tracking cookies, such as the ones used by Google.

True, Safari is not made by Google so the search giant perhaps wouldn’t be inherently responsible for the browser’s security flaws, but, prior to the publication of the report, Google had assured its Safari users that the browser’s security features were effective in blocking Google’s tracking cookies.

This assurance was a bit misleading, since Google intentionally inserted code into many of its products to bypass this security feature.

The first legal question here is whether these actions amount to a violation of the Wiretap Act.

This question is problematic: Google was the intended recipient of the cookies, but the cookies’ transmission itself was unauthorized and initiated against the user’s intentions.

This is a close call.

It’s very questionable as to whether Google was actually the “intended recipient” of the cookies, since the user intended to block their transmission altogether.

Fortunately, the complaint doesn’t hang all of its hopes on the Wiretap Act – it also alleges violations of 1984’s Computer Fraud and Abuse Act (CFAA) and Stored Communications Act (SCA).

The CFAA prohibits the intentional and unauthorized accessing of a computer, “or to exceed authorized access, and thereby obtain information from any protected computer.”

Though “protected computer” means a computer “which is used in or affecting interstate commerce,” the original intent of the CFAA was to protect the data of government and financial institutions.

The plaintiff’s computer would probably qualify as a “protected computer” under a broader reading of the Act, but mainly because the Act is woefully out of date and the Congress of 1984 never anticipated the advent of the Internet.

Thus, if the plaintiff’s computer is considered a “protected computer” under the CFAA, then every other Internet-connected computer would be, too.

Though this would herald welcome consumer privacy protections, it would be well beyond the scope of the original intent of the Act, and it’s uncertain whether a judge would be comfortable taking such action.

This same problem of unintended expansion is also present in the SCA claim.

Specifically, the SCA was intended to prevent the disclosure of communications held by third-party Internet service providers (see this post for more on the SCA).

Such providers are defined as organizations that provide internet access or facilitate electronic communications.

The complaint is trying to interpret a “facility through which an electronic communication service is provided” to mean the plaintiff’s own computer.

This reading isn’t necessarily incorrect, but it would entail a broader interpretation than was intended by Congress and has since been espoused by the courts.

As you can see, then, none of the laws cited by the complaint are completely pertinent.

The problem, though, is that these are the three most pertinent laws to address Google’s actions, which, although not clearly illegal under existing laws, seem like they really should be.

Somehow, the analysis of this complaint has led me back to the same conclusion that I’ve reached on nearly every other post on electronic privacy laws:

Our current laws for dealing with these issues are pathetically out-of-date, and either Congress or the courts need to step up and provide an effective legal framework to address online privacy concerns, which are becoming increasingly prevalent.