Laundry List of Sins
"[Data brokers are] outside the scope of this study, or of publication, at this stage," Davies said. "Part of the reason is that brokers are in some senses a separate category. Were talking about an industry in its own rights, which should be dealt with in its own way. Were concerned that there are countless companies proclaiming to protect privacy and that have privacy-friendly policies but which fail the grade. Were concerned about the deception that permeates the entire Internet. That was more our concern at this early stage. Im sure well deal with the brokers in due point." When asked why Googles privacy sins would stand out from those of other Internet giants such as eBay, Microsoft or AOL, for example, Davies pointed to Googles "lack of transparency lack of accountability [and] lack of user control."In fact, he said, the dismal privacy rankings of other companies have largely escaped notice. Microsofts privacy policies, for example, are in "disarray," Davies said, given the companys "fragmented structure," which "makes application of privacy structures very difficult." "Thats an area that should attract vigorous attention. We understand that ranking Google in black would be controversial, but we did expect there to be" more attention paid to the poor rankings of other companies, he said. Apple in particular gets a low privacy ranking, due in large part to its DRM efforts, he pointed out. PI ranked it red, for "substantial and comprehensive privacy threats." Some complaints about Apple from the PI report: "Kept quiet on the potential watermarking of DRM-free iTunes songs. Sought to disclose the names of sources to bloggers stories. Shares data with other companies to manage and enhance customer data. Collects clickstream data. Does not consider IP address as personal information. Also collect clickthrough data. Ministore collected list of music on home computers." Still, in comparison, Google got spanked. This is a partial list of what PI claims are the privacy sins Google is committing:
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
"These are areas where almost everybody falls short," he said.
- Google account holders that regularly use even a few of Googles services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
Google maintains records of all search strings and the associated IP addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many U.S.-based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
Google has access to additional personal information, including hobbies, employment, address and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the users Web movement. Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopt additional privacy provisions with respect to specific Google services.
Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.