The Federal Trade Commission let Google off the hook for its data breaches, and as every news outlet will tell you, they were pretty significant data breaches. Why?
The FTC has come down like a ton of bricks and other cliches on companies that have done far less to threaten the consumer. Google's investigation is closed and it is getting away with nary a fine. What on Earth is going on? It has stopped short of taking any action for similar cases. Let's take a look.
Back in 2002, the FTC shouted at Microsoft for misrepresenting its Passport services and the information kept. Passport actually collected personal information for a limited period of time. It also ruled that Redmond did not develop a way to detect unauthorised access and made little attempt to monitor for vulnerabilities. Nothing came of it, but the FTC brought the hammer down anyway.
Then, in 2006, it hit out at a company called ChoicePoint. There were security lapses that meant customer information was easily accessible - and potentially could be used for identity theft. In the same year the FTC filed a complaint against CardSystems Solutions which, it said, failed to assess vulnerabilities in its network which could lead to leaks of personal information.
The FTC said CardSystems failed to implement safeguards and failed to use readily available security measures for its applications online. As with Redmond, it did not take the correct precautions to make sure unauthorised access was blocked.
2008 saw the US District Court for the Middle District of Florida grant an injunction against a company called CyberSpy Software. The FTC was behind it, whinging that the business had collected personal information without knowledge or consent - and later stored the information on its servers, disclosing it to third parties.
Last year, CVS Caremark Corporation was charged for slacking on protection toward data it had farmed. The company failed to train employees to respect data security, the FTC said, and there was a serious absence of security policy compliance.
In the same year, 2009, it charged Sears Holding Management Corporation on similar lines. Additionally, Sears' software tracked “the text of secure pages . . . and select header fields that could show the sender, recipient, subject, and size of web-based email messages” and that Sears “transmit[ted] nearly all of the monitored information . . . to [its] remote computer servers.”
Just this year there was the high-profile Twitter case. The end user, said the FTC, was at risk of losing personal information. The lapses in data security on the social networking site also allowed unauthorised administrative control. Lower profile but similar was a mortgage broker who discarded sensitive financial information - without taking security into account - and was brought to book.
In all of the above cases the companies or individuals were actually charged. Google was not charged. In Twitter's case, the FTC pressed charges because it put customer privacy at risk. Google has not only risked privacy, but violated that trust by farming information.
When Google's in the room - or watching you from the room next door with the secret observation mirror - the odorous stench of something fishy begins to creep in.