Google’s New Privacy Policy Causes Controversy

by Zack Kaldveer, CFC Communications Director, Privacy Revolt

A bit of a firestorm was sparked by Google changing its privacy policies rather abruptly. Google proposes to fold 60 of its 70 existing product privacy policies under one blanket policy and to break down the identity barriers between them (to accommodate its new Google+ social network software), while making it nearly impossible to opt out of the massive amount of data sharing that will take place as a result.

In other words, Google will combine data from all its services, so when users are signed in, Google may combine identity information users provided from one service with information from other services. The goal is to treat each user as one individual across all Google products, such as Gmail, Google Docs, YouTube and other Web services.

On one hand, this didn’t strike me as something they weren’t already probably doing…but that doesn’t make it okay, either. At the very least, Google’s ability to create an incredibly detailed digital dossier of every one of us, with little to no control on our part, would be enhanced beyond what it already can do.

As John Simpson, director of the nonprofit, nonpartisan Group’s Privacy Project, stated, "Google has eliminated its last pretense that it protects consumer privacy – the walls are torn down. Instead of a privacy policy Google has finally admitted they have a profiling policy – and every Internet user is a target to be spied on."

Peter Eckersley, the Electronic Frontier Foundation’s Technology Projects Director, points out that the search giant’s disclosure that it will track what you do across all Google-owned services that you partake of — on your PC and mobile devices — comes across more like a confession than a bold new move.

Google, of course, is claiming it will simplify and improve the user’s experience…but they also admit it will make it impossible for users to opt out of having their identities applied to dozens of Websites they might not have agreed to use.

Common Sense Media CEO James Steyer wrote in a statement emailed to eWEEK:

"Google’s new privacy announcement is frustrating and a little frightening. Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to Opt Out – especially the kids and teens who are avid users of YouTube, Gmail and Google Search."

More than anything, this kind of "cross personalization", from video to email, would be a boon for advertisers and marketers…which is what this is really all about. Already though, lawmakers and the Federal Trade Commission are looking into the search business practices of Google – a company that has already been ordered to submit to 20 years of audits after breaching user privacy with its Google Buzz feature.

So what exactly is different with this policy? Peter Eckersley of EFF explains, "It has always been the case that Google kept effectively linkable records of our uses of Gmail, Search, Maps and Market for Android, and other services. Only very sophisticated users have ever been able to remove any of that linkability, and that remains the case today. In a couple of cases, Google had some internal practices of not linking your browsing history, and YouTube history, to other data — and those internal walls at the company are now gone."

We should also consider Google’s sordid privacy history when determining whether to believe their initial defense, from Google Books to the loss of "Locational Privacy" to the company’s lobbying efforts in Congress, to its cloud computing, to its increasing usage and expansion of behavioral marketing techniques, to Google StreetView cars gathering private information from unaware local residents, to the company teaming with the National Security Agency (the agency responsible for such privacy violation greatest hits as warrantless wiretapping) "for technical assistance", to the infamous Google Buzz, to the company’s recent admission that it gets THOUSANDS of requests from the government for information about its users, to claims that the company manipulates its search results to favor its own products.

As reported by Wired Magazine: The number of U.S. government requests for data on Google users for use in criminal investigations rose 29 percent in the last six months, according to data released by the search giant Monday. U.S. government agencies sent Google 5,950 criminal investigation requests for data on Google users and services from Jan. 1 to June 30, 2011, an average of 31 a day.

That’s compared to 4,601 requests from July 1 to Dec. 31, 2010, the company reported Tuesday in an update to its unique transparency tool. Google says it complied in whole or part with 93% of such requests, which can include court orders, grand jury subpoenas and other legal instruments…According to Google, the numbers do not include National Security Letters, a sort-of self-issued subpoena used by the FBI in drug and terrorism cases. At their post-Patriot Act peak, the FBI issued more than 50,000 such letters a year, nearly all with gag orders attached to them. The use of such letters dipped for a time after the Justice Department’s internal watchdog unveiled widespread abuses and sloppy procedures, but are on the rise again. Also not included are national security wiretap and data requests, known as FISA warrants, that are approved by a secret court in D.C. to combat spies and threats to national security.

In other words, I view ANYTHING Google says or apparently does when it comes to privacy with a huge grain of salt. We are living in a brave new cyber world in which nearly everything we do can be monitored, sold and stored. And, let’s remember, we have yet to establish the kinds of privacy protections demanded in this new information age. And that is not by accident: last year Google spent a record $9.7 million on lobbying.

Let’s also remember the bigger picture, and why we need a set of ironclad privacy protections for internet users, including opt-in (and at the very least opt-out), as well as Do Not Track…to name a few.

In a recent op-ed in the San Diego Union Tribune, Beth Givens, Executive Director of the Privacy Rights Clearinghouse, lays out this larger issue of privacy on the net:

Individuals are increasingly using the Internet as their primary information source, often seeking information on sensitive matters such as finances, health, personal relationships, divorce, sexuality, workplace difficulties and legal conflicts. But few individuals realize the extent to which they are being tracked by companies that create rich profiles of their web-browsing activities. The 2010 Wall Street Journal series, ‘What They Know,’ reported that the nation’s top 50 websites installed an average of 64 pieces of tracking technology onto each visitor’s computer. Tracking tools go beyond the cookies many of us routinely delete. Some companies deploy ‘Flash cookies’ or other ‘supercookies’ that are not only extremely difficult to delete but can also be used to reinstall cookies that a user has removed.

Such data-gathering and profiling activities are largely invisible, except that they can result in the real-time display of behaviorally targeted ads. You might ask, ‘What’s the harm in receiving ads based on my web-surfing history’? In a legislative primer presented to members of Congress by 10 organizations, including ours, several potentially harmful effects of behavioral tracking and targeting were identified: (1) targeting economically distressed individuals with payday loans and subprime mortgages; (2) sending ads for bogus cures to individuals with serious medical conditions; (3) engaging in discriminatory pricing in which some people are offered products or services at higher prices than others; and (4) targeting children who lack the judgment capacity of adults. Further, profiles compiled originally for the ad industry may be sold to non-advertising third parties such as insurance companies.

Harms aside, let’s not forget, simply, the right to privacy. The definition of privacy that guides my organization’s work is the ability of individuals to control the use of their personal information. Everyone has a different comfort level regarding the collection and use of their personal information. We believe individuals’ choices must be respected, no questions asked.

However, studies show that robust profiles generated from anonymous data can be matched with other data sources, offline and online, to determine individuals’ identities. These days, the anonymity argument is largely a myth. Another myth is that young people are not concerned about privacy. These ‘digital natives’ have not known a world without the Internet, so the argument goes, and they are not worried about their personal information being revealed online. However, a 2009 academic survey found there are no significant differences between young adults and older individuals regarding online privacy concerns. While some believe that in a generation or two, concerns about online privacy will vanish, we at the Privacy Rights Clearinghouse are not so quick to accept that argument.

In closing, effective online privacy protection requires a multipronged approach involving policymakers, industry, nonprofits and consumers. It must not be lost to bogus arguments and unfounded myths.

Legislators Taking Action

The good news is legislators are asking Google some tough questions. Rep. Jackie Speier, a longtime privacy stalwart, has co-authored a letter (PDF) asking the company to respond to a series of sternly worded questions about its plans to simplify privacy policies into one more-or-less standard one. Currently Google has more than 70 individual privacy policies.

The letter states, "We believe that consumers should have the ability to opt-out of data collection when they are not comfortable with a company’s terms of service and that ability to exercise that choice should be simple and straightforward."

Other members who signed on include Cliff Stearns (R), Henry Waxman (D) – plus veteran Google antagonists Joe Barton (R) and Ed Markey (D). Google has until February 16th to respond.

Interestingly, there happens to be a major privacy conference taking place in Europe right now. Here’s how the Europeans are addressing some of these same concerns (it goes without saying they’re taking a much more PRO privacy stance):

The European Commission proposed these key changes in the data protection law that went into effect in 1995 when only 1 percent of Europeans were on the Internet:

— A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
— Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
— Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
— People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
— EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

While we can’t expect such protections here in America, they do provide a blueprint for what could be done, and some places to start.

Conclusions

The ramifications of Google’s new policy aside – and I’m not saying I know exactly what they are yet – the fact is, there’s been a virtual explosion in data collection, data analysis and use of behavioral marketing on the internet without the requisite privacy protections to go along with it. Billions of dollars are at stake, and your private information is the currency.

As I have written on this blog in the past: We know, for instance (and they have been sued for it), that companies like Google, Yahoo, Microsoft and other Internet companies track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

That, in itself, may not be all that threatening to most. But it raises some interesting questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government’s access to this new world of data storage?

The argument from privacy advocates has largely been that this massive and stealthy data collection apparatus threatens user privacy, and that regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

As I have also written before, it’s not by accident that we are told by the same interests that profit off our information that privacy is dead, and people don’t care about it anymore, or that it will "kill business". Well, that’s easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with – and profiting off our personal information without our consent.

More to the point is the simple, unavoidable fact that consumers should have MORE control, not less, over what information of ours is used, shared, and profited off. This basic principle is at the heart of the ACLU’s DotRights campaign.

There remains an interesting dichotomy in all this: While people seem to "care" about privacy on one level, they tend to do very little to actually protect it. Which, in my mind, makes easy-to-use, clear options to protect privacy so paramount. Once people are given such a choice, not only will more people choose to "not be tracked", I think more people will become more AWARE of just how all-pervasive such monitoring of nearly everything we do has become.