A U.K. privacy group has issued a scathing report on large Internet players privacy records, going so far as to flunk Google altogether.
Privacy International, a privacy NGO, spent six months working on the report (PDF), titled “Race to the Bottom? 2007.” The group says it based its rankings on data derived from public sources including newspaper articles, blog entries, submissions to government inquiries and privacy policies; information provided by present and former company staff; technical analysis; and interviews with company representatives.
PI Director Simon Davies insists that news accounts and the blogosphere have been overly focused on Googles poor rating since it was published on June 9. But on a color scale ranging from green (privacy-friendly and privacy-enhancing) to black (comprehensive consumer surveillance and entrenched hostility to privacy), PI draped black crepe only around Google.
The report is sketchy, and the means by which it arrived at its conclusions are anything but apparent. PI says that because its rankings are a “precedent,” its regarding its initial effort as a “consultation report” meant to open up dialogue. The group plans to publish a full report in September that will take into account “any new and relevant information,” it said on its site.
“Over the course of the next two and a half months, our aim is to extract an unprecedented quantity of data about the full extent of whats happening to our privacy. I have a feeling in my bones that privacy is going to come front and center as an issue, and companies wont be able to hide behind [the rationale of business models],” the Davies said in an interview with eWEEK.
One rationale the group gives on its spreadsheet report for flunking Google is that a privacy mandate “is not embedded throughout the company. Techniques and technologies frequently rolled out without adequate public consultation (e.g. Street level view).”
That, in particular, is a complaint thats been circulating widely. Googles online map service, “Street View,” has been accused of snapping photos too close to peoples private homes and of people on the street who dont know theyre being watched.
Indeed, PIs report is only the most recent of a barrage of criticism leveled against Googles treatment of user information.
A European Union panel on privacy rights in May launched an investigation into whether Googles practice of storing and retaining user information for up to two years abides by the EUs privacy rules. Google is due to address these concerns before the panels next meeting at the end of June.
Privacy groups in particular have targeted Google over its proposed merger with DoubleClick. EPIC on June 6 beefed up its original complaint (PDF) with the Federal Trade Commission over the deal, adding to the argument its reasons why the FTC should consider consumer privacy interests when mulling over the merger between “the Internets largest search profiling company and the Internets largest targeted advertising company.” The complaint, filed by multiple privacy groups, claims to show evidence about Googles and DoubleClicks business practices that fail to comply with generally accepted privacy safeguards.
The complaints against Google go on. Wikipedia even has an entry devoted to “Criticisms of Google” in which privacy concerns constitute one of the largest sections.
Google replied to the PI report by saying in a statement that the company is “disappointed” that the report is “based on numerous inaccuracies and misunderstandings about Googles products and services.” Google had not responded to a request for specifics on what PIs inaccuracies and misunderstandings are by the time this article was posted.
Google also cried foul about the surprise nature of the attack. “None of these allegations were shared with us prior to publication, so we did not have the chance to correct any of them,” said a spokesperson in an e-mail exchange. “User trust is central to our business, and that is why we aggressively protect our users privacy. We stand by our record for protecting user privacy and offering products that are transparent about what information is collected and empower users to control their personal data.”
Googles Privacy Policies
To its credit, Google has stood fast against the U.S. governments subpoenas requesting query data when its competitors—AOL, Microsoft and Yahoo—caved. In early 2005, while investigating the likelihood of children stumbling upon pornography when searching the Internet, the Department of Justice filed a motion in federal court to force Google to comply with a subpoena for “the text of each search string entered onto Googles search engine over a one-week period (absent any information identifying the person who entered such query).”
Google was the only search company subpoenaed that fought the subpoena, citing concerns about users privacy. The court went on to recognize the privacy implications of enforcing the subpoena and ruled partially in Googles favor.
That incident is only one pointed out by Matt Cuts, head of Googles Webspam team, in a posting on his personal blog (which expresses his own views and not those of his employer) that took the PIs report to task.
“AOL, Microsoft, and Yahoo all gave some amount of users queries to the Department of Justice,” Cutts wrote. “… no queries from Google users were given to the DOJ. But Yahoo, Microsoft, and AOL got better grades in this report than Google.”
Cutts also pointed to a March announcement in which Google said it would begin anonymizing its logs 18 to 24 months after searches are conducted.
“Google has continued to communicate on the issue, including a post on the Google blog in May discussing the reasoning behind that decision. In fact, we talk a lot about privacy, from blog posts to Op-Ed pieces in the Financial Times. To the best of my knowledge, no other major search engine has followed suit in a plan to anonymize user logs,” Cutts wrote.
But, as pointed out by Google Watchs Steve Bryant, privacy groups arent necessarily satisfied with such data being kept for up to two years, particularly given the fact that both Google and AOL have inadvertently released search data online. “Googles privacy practices came under some scrutiny last year when an error at AOL caused personally identifiable search data to be released online,” Bryant writes. “At that time, Google CEO Eric Schmidt promised data breaches would never happen at Google, only to be proven wrong this January when Google accidentally released some users banking data.”
As for the rest of the report, Cutts says, it “just baffles” him.
“The report claims (I am not making this up) that Every [Google] corporate announcement involves some new practice involving surveillance. I know that my years of working at Google may bias me, but does that sound impartial?”
Cutts also pointed out that a more useful approach for a privacy group would be to look into ISPs that actually sell user data, such as credit bureau Experian, which announced in April that it would purchase Hitwise. Hitwise collects and aggregates information from more than 25 million Web users and keeps an eye on nearly 1 million sites.
Davies defended PIs focus, saying that the group wanted to go after companies that claim to protect users privacy—at least initially.
Laundry List of Sins
“[Data brokers are] outside the scope of this study, or of publication, at this stage,” Davies said. “Part of the reason is that brokers are in some senses a separate category. Were talking about an industry in its own rights, which should be dealt with in its own way. … Were concerned that there are countless companies proclaiming to protect privacy and that have privacy-friendly policies but which fail the grade. Were concerned about the deception that permeates the entire Internet. That was more our concern at this early stage. Im sure well deal with the brokers in due point.”
When asked why Googles privacy sins would stand out from those of other Internet giants such as eBay, Microsoft or AOL, for example, Davies pointed to Googles “lack of transparency … lack of accountability [and] lack of user control.”
“These are areas where almost everybody falls short,” he said.
In fact, he said, the dismal privacy rankings of other companies have largely escaped notice. Microsofts privacy policies, for example, are in “disarray,” Davies said, given the companys “fragmented structure,” which “makes application of privacy structures very difficult.”
“Thats an area that should attract vigorous attention. We understand … that ranking Google in black would be controversial, but we did expect there to be” more attention paid to the poor rankings of other companies, he said.
Apple in particular gets a low privacy ranking, due in large part to its DRM efforts, he pointed out. PI ranked it red, for “substantial and comprehensive privacy threats.”
Some complaints about Apple from the PI report: “Kept quiet on the potential watermarking of DRM-free iTunes songs. … Sought to disclose the names of sources to bloggers stories. … Shares data with other companies to manage and enhance customer data. Collects clickstream data. Does not consider IP address as personal information. Also collect clickthrough data. Ministore collected list of music on home computers.”
Still, in comparison, Google got spanked.
This is a partial list of what PI claims are the privacy sins Google is committing:
- Google account holders that regularly use even a few of Googles services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
- Google maintains records of all search strings and the associated IP addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many U.S.-based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
- Google has access to additional personal information, including hobbies, employment, address and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
- Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the users Web movement. Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
- Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopt additional privacy provisions with respect to specific Google services.
- Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
- Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.