The Price of Privacy

Talk of a $22.5m fine for Google over Safari user tracking has thrown the search giant into the spotlight once more, with opinion split over whether the proposed penalty fits the misdemeanor. The sum – which, if approved, would be the US Federal Trade Commission's biggest fine to-date – is a drop in the pond for Google, and it raises questions over whether quick checkbook fixes are encouraging cavalier attitudes toward privacy.

It's hard not to see $22.5m, even if a vast amount by individual standards, as being little more than a mild rap on the knuckles for Google. The company made that much in the space of five hours in 2011, based on its overall income, and it represents a tiny slice of the sums Google execs are used to dealing with every day.

FTC regulations permit a potentially far more challenging penalty. Going by the book, the agency can apply a fine of $16,000 per violation, per day. That's a tough thing to face if you're a small business with one or two personal data spillages to cough up for, but Google's privacy gaffe covers possibly millions of users over an extended period.

So, if the FTC had wanted, it could have presumably pushed for a significantly tougher punishment than the one it apparently "negotiated" with Google. Exactly why it did not is unclear; Google has always maintained that the tracking behavior was the inadvertent side-effect of it legitimately using Safari functionality that kept browsers logged into its services, and not an intentional workaround for tracking. It's possible that Google's protestations to that affect were what swayed the Commission into diluting the sanctions.

Undoubtedly it's worse to have deliberately tracked users who wanted to opt out of such monitoring rather than to have unwittingly done so. However, there remain questions as to whether "I didn't realize" is sufficient excuse to justify watering down a fine to the point where it's all but negligible to a company. Google may not have meant to violate Safari users' privacy, but it did, and you could well argue that further testing of the log-in system at fault could have identified the flaw prior to it being rolled out publicly.

Does the FTC have a responsibility to levy fines that dissuade beta-style software and subpar testing, when there's user-rights at risk? That's a question the FTC commissioners still to approve the $22.5m penalty will have to decide, lest they set a precedent that undervalues individual privacy.