Google is all about information.
It’s become the No. 1 tool people use to find information on the Internet. More troubling to privacy experts, though, is the amount of information Google has accumulated about us.
The Mountain View, Calif., company is continually raked over the coals regarding the massive amounts of PII (personally identifiable information) it collects, what it does with it, how long it retains the data and what the company might do with it if its merger with DoubleClick goes ahead.
That’s been ratcheted up to fever pitch during the past few weeks with two new privacy headlines: complaints being voiced about the new Street View service’s photographs getting too close for comfort and Privacy International flunking Google on its privacy policies and procedures in a report published June 9.
On the other hand, Google recently warned the German government that it will shut down the country’s access to Gmail rather than go along with a law, now being debated, that would require e-mail providers and ISPs to store users’ data in such a way that they can be identified.
It’s this kind of action that Google’s defenders say exemplifies the search behemoth’s dedication to doing no evil to PII.
However, similar to Google’s refusal to hand over search results to the U.S. government last year, the move doesn’t convince privacy advocates. Every step Google makes to protect privacy is matched by a multitude of sins—with both sins and good deeds dependent on what they mean to Google’s bottom line, privacy advocates say.
Key question
It boils down to one question: Is it OK for Google to own us? The ways in which it owns us are laid out in a complaint filed by Washington-based Electronic Privacy Information Center and other privacy groups with the Federal Trade Commission over Google’s proposed merger with targeted advertising company DoubleClick. The services at issue at some point will likely include Google Gears, now in beta, an open-source browser extension that uses JavaScript APIs to allow users to work on Web applications when they’re offline.
Then there are the sins that Google commits with all that data, according to Privacy International. These include forcing account holders to accept that the company retains a large amount of data about users and that Google maintains records of all search strings and associated IP addresses and time stamps for as long as two years (though Google has announced it will only retain data for 18 months).
The company also collects all search results entered through Google Toolbar and identifies users with a unique cookie that allows Google to track their Web movement. Google also fails to follow generally accepted privacy practices, such as elements of the European Union data protection law, according to Privacy International.
Do no evil
At issue is whether Google can be trusted not to do evil with that laundry list of PII. The Google faithful point to the company’s refusal to comply with the Department of Justice’s demand for log entries on its searches—something Google competitors AOL, Microsoft and Yahoo obeyed as the government investigated how often children might stumble upon pornography while using search engines.
Privacy advocates credit Google for not complying with the subpoena, but say the fact that the DOJ subpoenaed the data in the first place proves that government officials are hungry to track people’s Internet doings.
“We supported [Google] when they made that decision” to refuse the subpoena, said Marc Rotenberg, executive director of EPIC. “We also said we thought it was a mistake for Google to retain so much user information [in the first place]. As long as they do retain it, privacy will be at risk.”
When it comes to privacy, Google insists it’s being misrepresented, saying that the Privacy International report had inaccuracies and mistakes.
In an interview with eWEEK, Google Deputy General Counsel Nicole Wong couldn’t specify any mistakes in the report but said Google was unfairly portrayed. For example, Wong pointed to Google’s decision to make its search logs anonymous after 18 to 24 months. Privacy International and other privacy groups didn’t think much of the move and were equally unimpressed with Google’s more recent decision to trim that number to 18 months.
Beth Givens, director and founder of the Privacy Rights Clearinghouse, said European meta-search engine Ixquick is an example of a search company that does fine without lengthy retention of data. Ixquick states on a privacy policy page that it deletes users’ privacy data within 48 hours.
Google’s rationale behind keeping the data so long is that it uses the information to improve services and protect them against security and other abuses, Wong said.
To what extent does Google go to improve search, such that it needs more than a year to squeeze the pulp out of PII?
Google keeps its work on mathematical algorithms close to the vest, though it gave The New York Times a rare inside look at a department called search quality. According to the Times in a June 3 article, Google’s search quality team makes an average of a half-dozen major and minor changes weekly to the vast nest of mathematical formulas powering the company’s search engine.
Danny Sullivan, a blogger who concentrates on search at searchengineland.com, has refuted most of the charges against Google in the Privacy International report, pointing out the report’s weaknesses, including a reliance on subjective, unmeasurable input such as newspaper articles.
But even Sullivan considers personally identifiable profiles of individual searchers to be a legitimate concern to privacy advocates—more so than so-called old-school issues such as fairly anonymous cookie data and IP addresses.
However, he said, if privacy advocates are going to be concerned about those individual profiles, they should also worry about similar ones kept by Microsoft and Yahoo, both of which passed the Privacy International privacy ranking.
Privacy advocates would like to see Google get a privacy czar. One of Privacy International’s complaints was that nobody at Google responded when contacted about privacy concerns. If Google had, privacy advocates say, the company likely would have done better in the report.
Google officials pointed to not only on-staff privacy experts but to the product development life cycle now in place at Google—instituted when Wong was brought on board—in which every product launched includes a lawyer trained on privacy issues on its team.