New Google Privacy Policy and Understanding “Do Not Track”

by Zack Kaldveer, CFC Communications Director, Privacy Revolt

7/29/2015: For more recent news on Do Not Track protections, read our updated California Online Privacy Protection Act (CalOPPA) post.

Being that its been such a disastrous few weeks for Google in the privacy violation department I thought I’d go back to the topic of its new privacy rules as well as get into some of the important technicalities associated with Do Not Track protections in light of the President’s proposed Privacy Bill of Rights.

First, let’s go to reigning anti-privacy global champion Google, who is changing its privacy policies this week, placing 60 of its 70 existing product privacy policies under one blanket policy and breaking down the identity barriers between (to accommodate its new Google+ social network software) them as well. In other words, Google will combine data from all its services, so when users are signed in, Google may combine identity information users provided from one service with information from other services. The goal is to treat each user as one individual across all Google products, such as Gmail, Google Docs, YouTube and other Web services.

Then we find out that Google has been bypassing the privacy settings in Apple’s Safari browser. This is of particular concern and importance because that system, and those users, are specifically INTENDING that such monitoring be BLOCKED.

So that was the “Google” backdrop for a few other related stories. First, the President proposed a Consumer Privacy Bill of Rights that has some potential, though numerous pitfalls (I’ll get to that later). And second, while Google has agreed to offer a kind of “Do Not Track” mechanism on Chrome, this didn’t stop The Electronic Privacy Information Center (EPIC) from attempting to make Google obtain its users permission BEFORE sharing their private information as a result of its new privacy policy.

Unfortunately, U.S. District Judge Amy Berman Jackson said the court had no authority to force the FTC to keep Google in check. As detailed by Courthouse News, this isn’t Google’s first brush with the law: In June 2011, a federal judge approved an $8.5 million class action settlement brought by 31 million Gmail users who sued Google for exposing their personal information through its recently discontinued email feature, Google Buzz. In their lawsuit, users called the feature, which automatically shared their information with their email contacts, an “indiscriminate bludgeon” that could reveal the names of doctors’ patients or lawyers’ clients, or even the contacts of a gay person “who was struggling to come out of the closet and had contacted a gay support group.”

The judge also made it clear that her ruling should not be taken as an endorsement of Google’s privacy policies or her opinion on whether they violate the consent order.

So what does Google’s new policy mean to you and what are some ways to better protect your privacy?

CNN.com suggests – in an article entitled “How to prepare for Google’s privacy changes“- the following:

Don’t sign in

This is the easiest and most effective tip.Many of Google’s services — most notably search, YouTube and Maps — don’t require you to sign in to use them. If you’re not logged in, via Gmail or Google+, for example, Google doesn’t know who you are and can’t add data to your profile.

But to take a little more direct action …

Removing your Google search history

Eva Galperin of the Electronic Frontier Foundation has compiled a step-by-step guide to deleting and disabling your Web History, which includes the searches you’ve done and sites you’ve visited.
It’s pretty quick and easy:

— Sign in to your Google account
— Go to www.google.com/history
— Click “Remove all Web History”
— Click “OK”

As the EFF notes, deleting your history will not prevent Google from using the information internally. But it will limit the amount of time that it’s fully accessible. After 18 months, the data will become anonymous again and won’t be used as part of your profile.

Six tips to protect your search privacy (from the EFF)

Clearing your YouTube history

Similarly, users may want to remove their history on YouTube. That’s also pretty quick and easy.
— Sign in on Google’s main page
— Click on “YouTube” in the toolbar at the top of the page
— On the right of the page, click your user name and select “Video Manager”
— Click “History” on the left of the page and then “Clear Viewing History”
— Refresh the page and then click “Pause Viewing History”
— You can clear your searches on YouTube by going back and choosing “Clear Search History” and doing the same steps.


Click here to read more.

Interestingly, just as the White House pushes a privacy bill of rights its new online privacy legislation for Congress to consider, Google (in the wake of its privacy invasions) decided to get behind “Do Not Track,” for Google Chrome. As Computerworld defines it, and how such a mechanism is eventually defined and operated is critical to its usefulness, “Do Not Track” is a “technology that relies on information in the HTTP header, part of the requests and responses sent and received by a browser as it communicates with a website, to signal that the user does not want to be tracked by online advertisers and sites.

In the browsers that now support the Do Not Track header, a user tells sites he or she does not want to be tracked by setting a single option. In Mozilla’s Firefox, for instance, that’s done through the Options (on Windows) or Preferences (Mac) pane by checking a box marked, “Tell web sites I do not want to be tracked.”.” That of course…just how well it does that and how is the million dollar question.

So what did Google just agree to by adding its support for Do Not Track to its Chrome browser? Computerworld has more:

So, when I tell my browser to send the Do Not Track request, no one will monitor my movements?

Hold on there, pardner. Thursday’s commitment by Google to support Do Not Track in Chrome may have been a clear win for the specific way that request is communicated, but there’s no such clarity on what websites do — or don’t do — when they receive that signal.

“On the technology side, this is an unambiguous win, but on the policy side there is still a lot of work to be done,” Mayer said yesterday. The Electronic Frontier Foundation (EFF), an online privacy advocacy organization, said much the same. “While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy,” said Rainey Reitman, the EFF’s activism director, in a Thursday blog.

What have sites agreed to do with Do Not Track? 

They’ll stop using cookies to craft targeted ads, the kind pointed at you based on your past surfing and other online behavior.

But the companies that lined up Thursday to support Do Not Track — the ad networks, websites and corporations who belong to the latest online ad industry trade group, the Digital Advertising Association (DAA) — haven’t promised to actually stop tracking users’ Web movements. Instead, they’ve pledged to not use tracking data to serve targeted ads — which the DAA calls “behavioral advertising” — or use that tracking information “for the purpose of any adverse determination concerning employment, credit, health treatment or insurance eligibility, as well as specific protections for sensitive data concerning children.” (IDG, the parent company of Computerworld, is a member of DAA, according to the association’s list of participating companies and ad networks. Other media firms that will hew to the DAA’s behavioral ad guidelines around Do No Track include Conde Nast, ESPN, Forbes and Time.)

What? So Do Not Track doesn’t mean just that?

Right, which is why privacy groups are pushing for a stricter interpretation. The EFF, for one, is leery of the advertising industry’s sincerity.

“Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking,” said EFF’s Reitman. “The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking, which is the root of the privacy concern.”

Reitman worried that the DAA would mess with the simplicity of Do Not Track, and try to turn it into “slippery legalese that doesn’t promise to do much of anything about tracking.”

Anything else about the Do Not Track promises made by the advertising industry I should know?

Yep, one interesting aspect: The DAA said it would not honor the setting if “any entity or software or technology provider other than the user exercises such a choice.” EFF’s Reitman interpreted that as a pre-emptive strike against browser makers that may want to turn on Do Not Track by default. (None do at this point…. It’s off in Firefox, IE9 and Safari until the user manually changes the setting.)

Click here for more.

With that, let me take you to the New York Times article that delves deeply into the Do Not Track concept, while offering a glimpse of where the expected battle lines will likely be drawn: separating those that want privacy, and more control over their own data, versus those that want to profit off violating that privacy, and selling that data.

The issue of digital privacy, especially how users’ data is collected online and then employed to show those users ads tailored to them, has been hotly debated for years. The announcements represent the attempt to satisfy consumer privacy concerns while not stifling the growth of online advertising, which is seen as the savior of media and publishing companies as well as the advertising industry. According to the Interactive Advertising Bureau, digital advertising revenues in the United States were $7.88 billion for the third quarter of 2011, a 22 percent increase over the same period in 2010.

The industry’s compromise on a ‘Do Not Track’ mechanism is one result of continuing negotiations among members of the Federal Trade Commission, which first called for such a mechanism in its initial privacy report; the Commerce Department; the White House; the Digital Advertising Alliance; and consumer privacy advocates.

Until now, methods for opting out of custom advertising varied depending on the privacy settings of a user’s browser or whether a user clicked on the blue triangle icons in the corners of some digital ads. Under the new system, browser vendors will build an option into their browser settings that, when selected, will send a signal to companies collecting data that the user does not want to be tracked.

The agreement covers all the advertising alliance’s members, including Google, Yahoo, AOL, Time Warner and NBCUniversal.

Privacy advocates complain that the mechanism does not go nearly far enough in part because it affects only certain marketers. Many publishers and search engines, like Google, Amazon or The New York Times, are considered ‘first-party sites,’ which means that the consumer goes to these Web pages directly. First-party sites can still collect data on visitors and serve them ads based on what is collected.

Some consumer privacy advocates, while offering measured praise for the new privacy option, saw the move as an attempt to thwart a more restrictive stance on data collection. Jeffrey Chester, the head of the Center for Digital Democracy, which is pushing for more restrictions on data collection, called the move a win for the advertising lobby.

In a statement, Mr. Chester said: ‘We cannot accept any ‘deal’ that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain. Instead of negotiations, C.D.D. would have preferred the White House to introduce new legislation that clearly protected consumers online.’

But advertisers have plenty to fear if consumers use Do Not Track in large numbers. ‘If there’s a high rate of opt-out, it’s an issue,’ said George Pappachen, the chief privacy officer of the Kantar Group, the research and consultant unit of WPP. ‘Our position is data should flow,’ Mr. Pappachen said, adding that data helps drive innovation and newer commercial models.

And there are still unresolved technical issues regarding Do Not Track, including what defines tracking and how that would apply to first-party and third-party Web sites. Over the last few months the World Wide Web Consortium, an international group that sets voluntary technical standards for the Web, has been working with representatives from companies like Microsoft, Google and Nielsen, along with academics, privacy advocates, legislators and digital advertising groups, to define the technical standard of Do Not Track.

The consortium is also considering whether sites like Facebook, whose ‘like’ button is used across multiple Web sites, would be considered first-party or third-party sites.’I do think you will see a lot of contention going forward about what Do Not Track means,’ said Thomas Roessler, the technology and society domain leader at the consortium.

Whether any companies should be allowed to collect data and follow users online, regardless of who they are, remains ‘the million-dollar question,’ said Alex Fowler, the global privacy leader at Mozilla, the nonprofit organization that created the Firefox browser. Firefox was one of the first to include a Do Not Track option.’When you look at user testing, the expectation for the user for Do Not Track means, don’t behaviorally target me and also don’t collect information on me,’ Mr. Fowler said.

Click here to read more.

Stay tuned…