It’s a bad privacy day for Google, with Privacy International first accusing the company of having the worst privacy performance of any internet service company in a study it has just released and then accusing Google of conducting a smear campaign against it. But if you actually read the report, Privacy International itself comes off bad for putting out a haphazard condemnation of Google.
Let’s do the smear campaign accusation first. An Open Letter to Google from the group says that Google is talking to journalists and implying that Privacy International favors Microsoft:
Two European journalists have independently told us that Google representatives have contacted them with the claim that “Privacy International has a conflict of interest regarding Microsoft”. I presume this was motivated because Microsoft scored an overall better result than Google in the rankings….
According to our sources, your representative or representatives made particular reference to one member of our 70-member international Advisory Board. This man is a current employee of Microsoft. I can confirm that he joined our Advisory Board well before he was headhunted by Microsoft. At the time he was the director of a leading UK non-governmental organization and had more than six years extensive involvement in the work of Privacy International. He is a decent, skilled and honorable man who upon his appointment with Microsoft offered us his resignation. We refused to accept it, and he continues to serve on the Board in a private capacity. As an exceptionally skilled IT and security expert he is a superb resource in our day-to-day work across many fields of privacy. To infer that he in any way influences our decisions with regard to Microsoft is not just inaccurate but it is also insulting.
The letter never names the person in question, which is odd. Why be so secretive on this front, if everything is good and fine?
I assume the person is Caspar Bowden, the only Microsoft person listed on PI’s International Advisory Board page. Personally, I don’t think PI would be stupid enough to allow one person to influence a negative or positive rating based on their employment.
Then again, if PI is going to allow a privacy expert from Microsoft on the board, it’s not too absurd to assume perhaps Google or other major companies should have representatives, as well. And if Bowden is serving in a private capacity, then why is his Microsoft affiliation used?
As for Google’s action, if it was pointing to Bowden to discredit the report, that was a clumsy move. After all, why not just poke at the “study” itself as being pretty inept? Let’s get the overview of Google badness first, then I’ll dive in on how this was unbelievably determined.
The summary of the report tells us about Google:
We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google’s product range and the ability of the company to share extracted data between these tools, and in part it is due to Google’s market dominance and the sheer size of its user base. Google’s status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.
The view that Google “opens up” information through a range of attractive and advanced tools does not exempt the company from demonstrating responsible leadership in privacy. Google’s increasing ability to deep-drill into the minutiae of a user’s life and lifestyle choices must in our view be coupled with well defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated. Rather, we have witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent. These dynamics do not pervade other major players such as Microsoft or eBay, both of which have made notable improvements to the corporate ethos on privacy issues….
The finding that Microsoft is a better privacy performer than Google is also likely to be contentious. Microsoft was awarded “orange” status, two bands better than Google’s position. However it is important, for the sake of clarity, to note that Windows Live Space received the more negative “red” rating, while Google’s Orkut avoided a black rating and was awarded red status.
The true difference between Google Inc and Microsoft Corp can be defined not so much by the data practices and privacy policies that exist between the two organizations, but by the corporate ethos and leadership exhibited by each. Five years ago Microsoft could reasonably be described as a fundamental danger to privacy. In more recent times the organization appears to have adopted a less antagonistic attitude to privacy, and has at least structurally adjusted to the challenge of creating a privacy-friendly environment.
It’s a pretty damning conclusion, especially when we are told it is based on a “six-month investigation into the privacy practices of key Internet based companies.” I eagerly opened the report. At last, someone was finally doing the very hard drill-down and a decent under-the-hood comparative look at how private data is handled, right?
Wrong. Looking at the report (PDF), I was pretty shocked that it appeared to be a mishmash of details that can’t be properly weighted against each other. But then I shouldn’t have been shocked. Going back to the summary of the report, it starts out saying:
The report was compiled using data derived from public sources (newspaper articles, blog entries, submissions to government inquiries, privacy policies etc), information provided by present and former company staff, technical analysis and interviews with company representatives.
Wow, lots of second-hand information there. No real feel or detail that they fully drilled-down anywhere. Indeed, one of the Google pushbacks on the report to the Associated Press complains the report was published without Google being able to provide feedback:
“It’s a shame that Privacy International decided to publish its report before we had an opportunity to discuss our privacy practices with them.”
Privacy International said it did try to contact Google earlier in the month but didn’t receive a response, so there’s an argument that Google got what it deserved.
Apparently, it was the only company or service of 23 that deserved a “black” rating: “Comprehensive consumer surveillance & entrenched hostility to privacy.” To understand why I find the verdict without much solid backing, let’s compare Google’s findings against companies that scored the best in the study: the BBC, eBay, Last.fm, LiveJournal and Wikipedia. These were all rated blue or “Generally privacy-aware but in need of improvement.”
Company administrative details
The study measured this, saying:
Does the company actually have a department or individual responsible for privacy compliance? The policy will have limited effect if users cannot question the processing of personal information. Some companies have designated privacy officials or embed privacy protection within the legal branch of the firm, while others do not even publish contact information.
Verdict: Google on par with the best.
About this criterion, the study says:
Assesses whether a company plays a strong public role in protecting and promoting privacy in the marketplace (this must be matched with authority and action, not just mere words), or whether the firm is a leader in the trend toward profiling, sharing and disclosure of customer data. We also looked into whether the company is using industry-recognised self-regulatory mechanisms (e.g. Trust-e) and whether the company has signed up for the Safe Harbor agreement between the EU and the U.S.
Aside from eBay, none of the “best” have anything mentioned in this area. eBay is noted for being a member of Trust-e. But Google is noted as being a member of Safe Harbor plus is singled out as rejecting the US Department Of Justice request last year for search records.
This was a big deal. Yes, Google has corporate interest in rejecting that request — but it was also the only one of the major search companies in the US to say no. That it was the exception is not noted in the report, while the fact AOL, Microsoft and Yahoo did comply is omitted from their corresponding columns (instead, mention of this is done in the “Ethical Compass” areas).
Verdict: Google better than the best.
Data Collection and Processing
The study says:
What type of information does the site collect, with and without consent? On some sites the personal information submitted by customers is necessary (e.g. billing addresses) but there are many sites that collect information that may be unnecessary (age, marital status, home address, preferences, medical information, extraneous financial information) from customers without adequate information about why this information is needed and how it is used. Some companies may collect and mine other information, such as viewing habits and preferences (e.g. musical genre, lifestyle choices etc.)
Here, it is also important to note the status of ‘Internet Protocol Addresses’ (IP addresses). Many companies state that they see this data as non-personal – even anonymous – information, permitting them to collect and track users’ movements around the site to determine what a specific user reads. This approach permits profiling of a user’s habits and interests.
Sigh. Yes, let’s get all worried about still fairly anonymous IP addresses. Frankly, there’s a strong argument to skip worrying about IP addresses as an exercise that just wastes time, as I wrote about in my Google Search History Expands, Becomes Web History article in April:
Moreover, I’m actually pretty annoyed at some of the privacy advocacy groups. When Google announced it would anonymize server data last month, I still saw some old school concerns that fairly anonymous cookie data and IP addresses were a privacy concern. C’mon — you want to be concerned about something, you get concerned about the fact Google has — and is growing — real honest-to-goodness personally identifiable profiles of individual searchers. And if you want to get concerned about that, also get concerned that Yahoo and Microsoft have similar profiling — just not as visible to the searcher.
But how do things look? It’s really hard to measure up how Google is seen. Consider the Google write-up:
Describes data collected. IP addresses are not considered personal information.
They do not believe that they collect sensitive information.
Do sometimes track links clicked upon.
Shares information with consent, or to companies (subsidiaries, affiliated companies, trusted businesses or persons).
Now compare to the BBC:
Uses Nielsen and SageMetrics cookies to track readership.
Overall, it doesn’t feel like there was some standard checklist used for each company or service, to fairly assess them against each other.
Verdict: Nothing to measure as better or worse.
The study says:
Some companies delete the information they collect once it is no longer needed. Other companies are not quite so clear, and a few sites are quite open that they do not intend to delete personal information at all (or at least not until they are ready to do so). With increased consumer concern about information breaches from stolen and lost computing resources, or through malicious hackers gaining access to resources, companies need to be aware that the risk to their market position and customer base may be proportionate to the amount of personal data they store.
Google is listed this way:
Unclear but has stated 18-24 months as eventual outcome. Log history is retained after this period.
Well, Google Anonymizing Search Records To Protect Privacy from me explains in much more detail what’s happening. Log data is kept, but the IPs and associated cookies are made anonymous, so those fretting about IP data shouldn’t get worried. In other words, that “log history is retained” part sort of means nothing — the logs retained are anonymous. But then again, non-log based search history information is NOT destroyed, as my article explains and which the PI report seems to not understand, making me again concerned about the comprehensiveness of this report.
Meanwhile, the good? BBC:
Declares in some cases how long personal information is kept.
Oh, in some cases but not all? In those cases where not all are declared, can I assume it’s not destroyed at all?
eBay and Last.fm have no information on data destruction provided; LiveJournal keeps some info even if an account is closed; Wikipedia apparently has no destruction policy.
Verdict: Google at least on par with the best.
Openness and Transparency
It is fair to say that most organisations have now created privacy policies. These privacy policies often say much but disclose relatively little about a company’s true practices. Some companies also cover up or refuse to engage publicly about privacy concerns. Here we rate these companies on how open they are to the public about their actual practices. We look at their privacy policies to assess whether they are merely a collection of disarming words (that usually starts with ‘At [company X] we take your privacy seriously’) with little detail, or which even highlight contradictory practices.
Disappointingly, many of the privacy policies seem to have been written with the same goal: to say very little but in as complex a way as possible. Yet there are also some policies that are exemplary in their eloquence and detail, describing every element of information and how it is processed by the company.
Google gets described as:
Remarkable level of information about how data is shared.
I have a feeling that Google also shares a similar level to what eBay does but that this information is simply not listed on one single page. But I don’t know this — I haven’t at all tried to do a deep drill down on both policies, so I won’t declare it so.
Others among the good are said to have clear or thorough policies. Giving PI the benefit of the doubt….
Verdict: Likely not as good as the best.
The overview from the study:
Disarming statements about privacy do little to compensate for the lack of responsiveness to consumers who have privacy concerns. We are in a continuing process of contacting companies to see how they respond to privacy queries and concerns and whether those concerns are dismissed (as we have seen in some remarkable situations where in one case a company told us ‘Life is too short (to worry about privacy)’) or obfuscated (where companies respond with platitudes but disclose very little).
We look back over the history of the company to see how they responded to privacy problems and when those were brought to their attention, to measure the sincerity of these companies in protecting their customers’ information. We also assess whether a company allows users to access and correct their personal information through ‘subject access requests’ or similar mechanisms.
Most of the good players have nothing listed for them in this criterion at all. eBay has this:
Very responsive to privacy concerns: changed practice to allow for customer account deletion.
Google, in contrast, has this:
Generally poor track record of responding to customer complaints. Ambivalent attitude to privacy challenges (for example, complaints to EU privacy regulators over Gmail).
Hmm. Over the years, Google has been constantly attacked as a privacy monster, many times without solid backing for those claims or singled out when others do the same or worse (see 14 “Is Google Evil?” Tipping Points Since 2001 for more on this).
Saying it doesn’t agree with privacy challenges issued by some privacy groups is not the same as suggesting it isn’t responsive. Google has actually been responsive in several ways, including the shift to anonymizing data (an actual time limit that many privacy groups have long wanted) or releasing new tools to get material out of the search engine (see Google Releases Improved Content Removal Tools).
As for customer complaints, I actually don’t recall that many well publicized complaints from actual Google customers that Google wasn’t responsive somehow in dealing with private data about them held by Google. Generally, the biggest “customer” complaint I hear is that people are concerned that Google lists private data that has been placed out on the web itself by others.
Overall, Google is probably not as responsive as any privacy group would like, and I’m sure it could do much more, but I suspect it’s not as bad as described.
Verdict: Better than described.
The study says about this:
Have these companies encountered ethical challenges and how have they dealt with them? Have they co-operated with problematic warrants and access contentious requests from law enforcement agencies and foreign governments? How have they responded to customers’ concerns? These actions go some way to explaining how seriously a company treats their customers’ personal information.
None — NONE — of the “best” have anything describing their ethical compasses, neither good nor bad. As for Google:
Privacy mandate is not embedded throughout the company. Techniques and technologies frequently rolled out without adequate public consultation (e.g. Street level view).
I’m split here. I agree, Google often rolls things out without seeming to understand some of the privacy concerns that might come up, with Gmail being the classic example. But then again, other companies do the same (no one screamed about Yahoo recently expanding email to unlimited storage — that’s just a boring issue, now). Are you really telling me everything the BBC has done online had no privacy implications that perhaps needed public discussion? Or is it no one worries about the BBC as being so evil as Google?
And Street Level View as a concern? Wow — this is a six month study, but we’ll get knee-jerk about that? Yes, Street Level View maps have privacy concerns (see Google Street View Raises Privacy Questions: Amusing To Some, Upsetting To Others for more on this). But so does Microsoft’s Birds-Eye Views and street level views of its own. So did Amazon’s A9 street level mapping.
Frankly, I’m more annoyed with privacy groups than Google over street level photo views. Two years after concerns about these were first raised with A9, I don’t recall any major push to figure out how to deal with the inevitable explosion of street level photography that was to come. Should Google have done more than provide the picture removal tools it provided at launch? Perhaps, but then again, this was hardly a campaign plank of any of the privacy groups that it could easily see. Plus, there’s the entire problem of how much privacy can people expect when pictures are shot in public places?
I’m going to hang with PI on this, however. I think Google’s problem is that it far too much believes its “Don’t Be Evil” philosophy without realizing it’s a big company that people simply aren’t going to trust. In the years I’ve dealt with Google, the culture is one of “we’d never be bad.” That should change to one of “how might we be bad, and how do we prevent it.” Google should assume the worst about itself, not the best. Doing that will help ensure that by the time it does launch something, the right protections should be in place.
Verdict: Better than described, but valid gut-level concerns.
From the study:
In our earlier research and campaigns we identified a number of companies that were unwilling to let customers delete their accounts. This widespread practice is not only problematic for privacy (in that your data can never be deleted) but also calls into question whether companies are properly marketing themselves as ‘x million customers’ when in fact there are only ‘x thousand’ active customers.
User control in the age of advanced customer activity (such as in social networking sites) should also allow customers the ability to control who has access to personal information, whether this access can be limited and even, when possible, when it should be anonymized. There has been a remarkable level of activity in this area since the security concerns over social networking emerged and we are optimistic that new protections will emerge.
Additionally, we assess whether customers can choose for themselves what types of information they disclose.
From among the best, it’s a mixed bag, ranging from being able to close your account (LiveJournal) to eBay allowing rejection of cookies, though things might not work right if you do this.
As for Google:
Customers have a right to amend personal details held by Google but does not allow search history to be removed. Most services do not permit user access to specific or aggregated disclosure or tracking data.
Frankly, this hardly covers it. There are SO MANY things you can have with Google. What happens to my analytics account, if I close it? To my AdSense account? Is my email really destroyed or still sitting on some archive disks?
This goes to the inability to remove search history. Not true. Well, sort of. If you use the actual search history feature, all that data can easily be wiped out (and exported, if you want), at any time. But there are archives, as I’ve written:
Web History data is also archived. These archives are not “retrievable in real-time by end users,” Google told me. But the data is ultimately retrievable. If Google itself decided it needed to pull the archives and check something, it could — even though you deleted the data in the “live” system. Similarly, a government agency could potentially legally compel Google to go to its archives and recover information that was deleted off a live system. In addition, while toolbar tracking data won’t be part of a Google server log, that data is being logged in some way — and archives of that data could be recovered. In short, if you really, really don’t want data recorded, don’t think deleting it after the fact is enough.
Overall, I don’t feel the customer control aspect was properly researched. But had it been researched, it probably would have found more could be provided.
Verdict: Badly researched, but probably right.
Fair gateways and authentication
The study describes this as:
Online services increasingly require individuals to create accounts in order to gain access to services, whether to look at itineraries, read articles or conduct searches. Sometimes these access controls are privacy enhancing, where they can aid individual consumers in preventing the trawling of their personal profiles by unwelcome visitors. However we are concerned at the increased profiling of customers’ preferences based on the resources companies gain access to (e.g. profiling individuals based on the material they read). We have also taken into account scenarios where a decision to block any form of surveillance may interfere with the resulting level and quality of service.
Google is described as:
Opt-out possible for some services.
Some services may not work well without cookies. May access essential resources without account but when account is created it is sticky.
Well, the main service people want from Google is to search. You can search without cookies. Many of the other services with privacy implications are also hard to offer unless Google knows who you are. I mean, you want to send and receive email? Guess what — you’re going to be having some sensitive information going through Google.
As for the “best,” it’s a mixture of nothing mentioned or notes ranging from being able to do some or all things without authenticating.
Verdict: If you just want to search, Google’s as good as the best.
Privacy enhancing innovations and Privacy invasive innovations
Some companies have implemented advanced techniques to protect privacy through advanced use of encryption (beyond simple SSL) and identity management technologies, amongst others. But ‘innovation’ need not only be technology-based, but could also reflect advanced and progressive attitudes toward information processing, such as promoting the use of pseudonymous accounts. We highlight these practices where such information is available.
Well, PI doesn’t like the Google-DoubleClick deal in particular, writing:
Will utilise Doubleclick’s “Dynamic Advertising Reporting & Targeting” (DART) advanced profiling system.
That’s it? Really, I mean that’s all you’ve got — that Google might use a system it doesn’t even own? Citing this continues to make this feel like a knee-jerk report aimed to prop up PI’s DoubleClick concerns rather than proper research.
Everyone Fears Google (Again) & Will The Last Googler To Leave Turn The Lights Out? from me last month covers more on why it’s hardly DART that needs to have the privacy advocates concerned:
Wait — what about tracking you across sites! As if tapping into AdSense and Google Analytics data wouldn’t be enough, go back and read my Google Search History Expands, Becomes Web History post. Forget FeedBurner. Heck, forget the DoubleClick purchase. The change Google made already, on its own, is pushing it right along to further tracking of people.
But how about the best? For the BBC, we’re told, “No information readily available.” Shouldn’t PI get that information? Perhaps the BBC will be tracking people through the YouTube channels it operates, and if so, are there issues there?
LiveJournal is described as:
Uses “physical, electronic, and procedural safeguards”.
Well OK then! I mean if they say they have safeguards, what’s to worry about? And in that case, Google’s repeatedly said it has safeguards as well.
eBay is mentioned as:
Uses web beacons. A lot of the cookies are only session cookies. Anonymised or deidentified information is shared.
I suppose that eBay’s purchase of StumbleUpon also helps eBay track people as they surf the web, which potentially is a privacy invasive innovation, but let’s not mention that. I mean, it’s too new — not like mentioning Google Street View maps that happened even more recently than the StumbleUpon purchase. Just keep looking over yonder at Google.
Overall, looking at just the performance of the best companies PI found shows that Google measures up well — and thus ranking it the worst simply doesn’t seem fair. But the bigger issue is that the report itself doesn’t appear to be as comprehensive or fully researched as it is billed.
Frankly, about the only thing saving Privacy International from many more companies or services being upset over this report is that they singled out Google as the worst. That’s almost guaranteed to make players like Microsoft and Yahoo shut their mouths and point at this silently as vindication they aren’t so bad.
As for Google, the reality is it can expect much more of this type of treatment as it continues to monitor much of what we do (see Google: Master Of Closing The Loop?) and wants to especially get more personal with us (see Google Ramps Up Personalized Search, Google Search History Expands, Becomes Web History and iGoogle, Personalized Search And You). And lest I’ve come off as a Google fanboy in this write-up, I’ll remind everyone of what I said back in April when Web History was launched:
With today’s announcement, part of me wants to ring the alarm bell and shout “Uninstall your toolbar! Delete your Google account!” Because let’s face it. Google’s getting big, huge, giant. It’s no longer a joke that the once small, lovable company wants to conquer the world. The Google monster company really is gobbling it up, with no barriers seemingly left….
I remember when Google was a search engine, with a philosophy that said, “Google does search.” Now it puts ads on TV, in radio, in print — serves as a payment platform, provides web analytics, pitches software “packs” to us and more. Does it really need to have our web surfing histories as well? When’s enough enough?
To save itself, I’d like to see Google appoint a privacy czar, someone charged with, as I’ve suggested above, assuming the worst about the company and diligently working to ensure users have as much protection as possible.
For others discussing this weekend’s privacy news, be sure to check out discussions via Techmeme. Also, I’ll plan to follow up with both Google and Privacy International on things I’ve covered in this article and will either postscript or link to a fresh reaction piece.