Wired recently ran a ProPublica report detailing how Stanford grad student Jonathan Mayer seemed to discover before the
Federal Trade Commission that Google was circumventing Safari users'
no-tracking settings.
The piece, "Your FTC Privacy Watchdogs: Low-Tech, Defensive, Toothless," shows how FTC staff are hampered by the office's technology -- including computers with filters
that prevent people from accessing key sites. At least one FTC employee reportedly investigates Web companies on his personal laptop, which he tethers to an iPhone.
The FTC takes issue with portions of the report -- especially the part about Mayer "scooping" the commission. "Since FTC
investigations are non-public from the beginning, there is no way ProPublica could know when the FTC learned of this issue," FTC spokesperson Cecelia Prewett wrote to ProPublica. "And in fact, very often we learn about alleged violations well before others, and that never gets reported."
While
Prewett's criticisms and ProPublica's response make for interesting reading, in many ways the debate about whether the FTC was scooped is beside the point. The fact is, Google came up with a way to
circumvent Safari's no-tracking settings and didn't stop doing so until it learned that Mayer's report was about to be published. (Google said at the time that it developed the workaround in order to
enable users to say they liked ads via the +1 button -- not to track them throughout the Web.)
The FTC might well have been investigating Google's workaround before Mayer called attention to
it. But if so, the slow pace of official investigations allowed Google to continue circumventing users' settings while the government built its case.
In fact, questionable privacy practices
often don't seem to get revised until someone exposes them -- and these days, it's often independent developers, grad students and hobbyists who do so.
Google's Safari workaround is hardly the
only example. Consider these others: Late last year, developer Trevor Eckhart reported that mobile software company Carrier IQ was logging keystrokes. Last
September, Australian programmer Nik Cubrilovic publicly accused Facebook of tracking users -- including ones who have
logged out -- via the 'Like' button.
In early February, developer Arun Thampi posted that the mobile social network Path was uploading users' address books
without their knowledge. And last summer, Ashkan Soltani co-authored a report stating that the analytics company Kissmetrics
used eTag technology to track people who attempted to protect their privacy by deleting their cookies.
In all of those cases, the companies landed in privacy firestorms -- and in litigation --
after the researchers brought the practices to light. The companies also revised their practices.
Government watchdogs might have already been investigating those companies as well at the time
of the reports, but that doesn't change the fact that it was independent developers and bloggers who drove public discussion about the privacy glitches.