• http://sethf.com/ Seth Finkelstein

    “… plus is singled out as rejecting the US Department Of Justice request last year for search records. … This was a big deal.”

    It was a big PRESS HYPE deal. Huge. Enormous.

    It was not at all a big deal in terms of the legal issues involved.

    Google has been riding the public-relations win there for entirely undeserved amounts of credit, giving the impression they undertook some altruistic civil-liberties battle, for what was at heart a mundane business trade-secret case.

    See my article on _Google Blogoscoped_

    The Google Search Subpoena in Perspective

    [Note – if Matt Cutts appears, I know he disagrees – Matt, I read through your objections on this topic, but I didn’t write a rebuttal because nobody was going to read me]

  • http://sethf.com/ Seth Finkelstein

    A big problem with both the report and the critique, is distinguishing the trivial from the serious, and being rational about it.

    For example, people get really scared about cookies and government sites, far more than is reasonable.

    But company X uses cookies, company Y uses cookies, what’s the difference, overlooks the problem of cominations. If company X has a huge database of personal profiles that they can tie to the cookie via IP, and then use the cookie to link to other data. Companies which have such databases are FAR FAR more of a privacy threat when using cookies than companies which don’t. Even though if when viewed in a narrow sense they’re doing the “same thing”.

  • http://www.mattcutts.com/blog/ Matt Cutts

    You’re right, Seth, I do disagree. I spent large chunks of February last year working on my declaration in the Department of Justice case because I did think it was important. I do think it’s notable that the DOJ sent subpoenas asking for *two months* of all users’ queries. And I think it’s notable that out of 30+ companies, Google was the only company to fight the subpoena in court, and that as a result we set a strong precedent that Google will fight for our users when someone goes on a fishing expedition with an overly broad subpoena. I believe that the action we took last year will give someone pause before making such unwarranted requests in the future.

  • http://sethf.com/ Seth Finkelstein

    Small example – line by line rebuttal (look how complicated this can get)

    MC: “I spent large chunks of February last year working on my declaration in the Department of Justice case because I did think it was important.”

    SF: I don’t dispute Google thought it was an important case. But the reason was almost entirely Google’s infamous (trade) secrecy, than user privacy.

    MC: “I do think it’s notable that the DOJ sent subpoenas asking for *two months* of all users’ queries.”

    SF: No, in fact it’s not very notable, in the sense where it’s being used as a component of a scare-story. That’s part of where the press failed miserably, in not explaining the difference between what’s posturing and what’s serious. It’s pretty standard procedure for lawyers to start out asking for the sky, moon, and stars, on the theory it’s a lot easier to go “down” than “up”. You omit how low they went down in negotiations, to very few items.

    MC: “And I think it’s notable that out of 30+ companies, Google was the only company to fight the subpoena in court,”

    SF: I actually agree, though not in the way you mean it. I think whoever realized that this could be spun to Google’s huge PR benefit, as not “Google obstructs research to Protect The Children From Porn”, but rather “The FEDS, the FEDS, OH MY GOD the FEDS ARE COMING – and Google is fighting a lonely battle to stand up for YOUR PRIVACY!”, and then convinced upper management to play that game – that person really earned their pay. It takes guts to do *that*.

    MC: “and that as a result we set a strong precedent that Google will fight for our users when someone goes on a fishing expedition with an overly broad subpoena.”

    SF: There was no “fishing expedition”. The issue was aggregated data. And your conlcusion rests upon disputed facts, to put it mildly (if this was a PR stunt, it doesn’t mean anything about how Google would react to serious quandaries)

    MC: “I believe that the action we took last year will give someone pause before making such unwarranted requests in the future.”

    SF: Nah. Far, far, worse stuff goes on with financial records. The terrorism/”SWIFT” financial story is a pretty good example there. Futzing around with search studies is just not considered all that important.

    SF: Note I do think the AOL data-release debacle poisoned the well for academic researchers into search. That’s a shame.

  • http://searchengineland.com Danny Sullivan

    Seth, to me it was a big deal that Google said no before there was any press about the DOJ request at all. The others said yes.

    I readily acknowledge they had trade secret reasons, as well, as said in my article. But those weren’t the only reasons. When the company is so often accused of being a privacy monster, I think acknowledging a significant pushback they did that their peers did not is deserved.

  • http://sethf.com/ Seth Finkelstein

    Danny, I understand what you’re saying, but my whole argument is that you’ve got a misconception created by some very bad reporting. When you write “Google said no before there was any press” – the point is that Google *created* that press. They took a low-level business-records case, one which DID NOT have major privacy implications, decided they didn’t want to comply, almost entirely for trade-secret reasons, and then spun it as they were being privacy freedom-fighters. Frankly, as someone who has done a lot of freedom-fighting, it angers me because it’s so transparently manipulative and cashing-in on hype.

    Look at it this way – if every other search engine complied, including Microsoft which has major privacy public relations issues, then consider, just for the sake of discussion, that they aren’t all weaklings cowed into submission by the might of the Department Of Justice (for a statistical study!), versus Google being a brave dissenter. But rather, that there really wasn’t anything deeply problematic here, and Google used it for their own PR purposes. I would never claim this to be dispositive reasoning. But it seems worth following that thought and seeing if it leads somewhere.

    That is, they set out to create exactly the sort of reaction you’re talking about – “Privacy monster? Who, us? No, no, look, look, we STOOD UP TO THE FEDS! We told ’em, we’re so tough, you can’t touch our precious crown jewels of trade-secrets, err, USER PRIVACY. We went to the wall, fought tooth and nail, to protect the sacred trust of our competitive statistics, I mean, your private information. Surely that deserves a mention when we’re about to swallow a major ad firm …”

    Let’s turn it around – Danny, how much have you heard about all the *other* subpoenas Google receives, ones where it doesn’t go shouting to the press about what a hero it is? Think you can pry any information about that out of anyone?

    P.S.: Take a look at this:
    “Google is looking for motivated individuals who have a passion for providing top-notch support in the area of subpoena compliance”
    Hmmm: “Written and spoken fluency in Mandarin, Cantonese or Japanese a plus.”

  • http://searchengineland.com Danny Sullivan

    Good points, Seth — and goodness knows, I wrote and felt that after standing up to the US government, it was a huge pullback to submit to China. Google instantly lost a lot of goodwill that it had won.

    The fact remains, though, they said no. Sure, they publicized saying now. But it wasn’t the Google PR machine that generated that reaction from the public. They’re good, but not that good. Many in the public disliked that much data being requested.

  • http://sethf.com/infothought/blog/ Seth Finkelstein

    The public ended up with a sensational story about the government wanting to data-mine Google searches to catch criminals. Philipp Lenssen has a compilation of all the yellow journalism, I could go find it if that mattered.

    By the time it became an issue in the press, they’d negotiated down to one million URLs and one million random queries. But that was barely mentioned, since it worked against the hype.

  • http://searchengineland.com Danny Sullivan

    So we’re going to disagree on this one, Seth — I understand the PR angle you see them playing and agree with some of it. But no, the reaction didn’t happen because Google just said “OK press, sound the alarms, go do our bidding.” The press itself, as were many people, were indeed alarmed that the government wanted so much data.

    As for the negotiations, yes, this describes that this happened:

    The legal documents also explain that Google still decided not to comply with this. And it became an issue in the press only after Google refused to comply in anyway, causing the government to act. Or am I missing something?

  • http://sethf.com/infothought/blog/ Seth Finkelstein

    It’s not that the press is Google’s slave, that would be silly. But Google really was able to take advantage of the sensationalism. It’s like when someone sues for a jillion gazillion dollars in damages. The headlines will read “Lawsuit For A Jillion Gazillion Dollars”. But that’s just posturing, it’s very clear that the case will never get anywhere near that amount. Of course people will be alarmed – because the press casts it in the most alarming light, without giving the proper context. Some of the worst legal Urban Legends have been created by that process.

    Before the motion to compel, they’d gone down to one million random queries


    Then they went up, for the motion itself. And that became the “story”. But that’s the “jillion gazillion dollars” aspect. Both parties knew by then that the real amount was not going to be that high. Indeed, when it came down to actual court, the number had gone to 5,000 queries. Five thousand. Much less than a jillion gazillion.

  • Jonah Stein


    Thanks for the excellent analysis and for being the leading voice of reason in this debate.

    Rather than jump into the fray in the debate between Seth and Matt, I want to turn attention to a point that Matt raised a in his April 25th, 2007 post on Google and Privacy: Google and Privacy.

    First, I believe Google does more to protect our users’ privacy than any other major search engine. Second, I believe other companies such as ISPs have a superset of the data that Google has, plus they have verified payment/identity, plus they know which IP addresses you are on, even if you switch IP addresses.

    It is easy to dismiss Google’s DOJ defense as a publicity stunt and view Matt as the magician trying desperately to keep us from looking behind the curtain. The reality is that Matt raises some very valid points about privacy and the second issue he raises have been essentially absent from the debate.

    Google has set its sights on 1-to-1 marketing and they appear to be making great strides. Matt has no reason to fear Google so he is surprised that the rest of us do. Consumers and many search professionals, on the other hand, are less trusting and more cynical. Even Gord Hotchkiss, a proponent of behavioral targeting, found his first experience with personalization to be “creepy.”

    Privacy International and The Electronic Privacy Foundation have raised some very important concerns about privacy while taking shots at an easy target. They are certainly not above a little link bait…

    The failing grade on privacy should be on everyone’s report card. Until we stop pointing at individual companies and start building privacy into our infrastructure, we will continue fight the good fight while losing the war. The solution is not to take shots at the leader, the solution is to develop technology and business models around protecting privacy.

  • http://www.securityusa.info/ BODY GUARDS

    Matt has just posted a passionate response on his blog. It is a must read to gain a full perspective


  • http://blog.vortexdna.com Kaila Colbin

    I have to agree with Jonah and Danny here, neither of whom seems to be taking the ‘Google is either all evil or pure sainthood’ approach. In fact, the primary point that I got from this piece is not that Google should have scored superbly on the privacy front, but that PI should be using more rigorous methodology to conduct its studies.

    Are there any widely accepted international privacy standards? And, if there aren’t, shouldn’t we be developing them? Danny’s privacy czar can get together with counterparts from Microsoft and Yahoo, with a couple of independent third parties and usergroup representatives thrown in to keep things honest, and figure out exactly what we should be rating these companies on.

    In the meantime, Seth, isn’t it a good thing that actions to protect privacy are aligned with Google’s PR and commercial motivations? Imagine the uphill battle if they weren’t!

  • http://www.feedthebot.com feedthebot

    Seth, I think your original ida of responding to Matt would have been a good one and people would have rad it.
    My take of what Matt said and why it makes logical sense to me:

    MC: Google didn’t leak user queries

    In this past year, AOL released millions of raw queries from hundreds of thousands of users. Within days, a journalist had determined the identity of an AOL user from the queries that AOL released. But AOL got a better grade than Google.

    ME: This makes sense to state this, he isn’t saying Google was the god of goodness here, he just stated that Google did not release data that other companies scoring higher in Privacy Protection did.

    MC: Google didn’t give millions of user queries to the Dept. of Justice

    In 2005/2006, the Department of Justice sent subpoenas to 34 different companies requesting users’ queries and other data. In fact, the original subpoena requested all queries done by users for two full months. AOL, Microsoft, and Yahoo all gave some amount of users’ queries to the Department of Justice. Google fought that subpoena (full disclosure: I filed a declaration in that case). The judge sided with Google; no queries from Google users were given to the DOJ. But Yahoo, Microsoft, and AOL got better grades in this report than Google.

    ME: This makes sense to state this, he isn’t saying Google was the god of goodness here, he just stated that Google did not release data that other companies scoring higher in Privacy Protection did.

    MC:Google will anonymize query logs

    In March, Google announced that it would begin anonymizing its logs after 18-24 months. Google has continued to communicate on the issue, including a post on the Google blog in May discussing the reasoning behind that decision. In fact, we talk a lot about privacy, from blog posts to Op-Ed pieces in the Financial Times. To the best of my knowledge, no other major search engine has followed suit in a plan to anonymize user logs.

    ME: That is true, and has references.

    MC:Misc bits

    Other parts of the study just baffle me. The report claims (I am not making this up) that “Every [Google] corporate announcement involves some new practice involving surveillance.” I know that my years of working at Google may bias me, but does that sound impartial? Let’s test that claim. Here’s a Google corporate announcement we made on our blog in March. Google expanded our support for open-source in our third annual “Summer of Code”:

    ME: The report does state that and that is clearly part of this report that is wrong and inaccurate.

    Matt makes a very good argument through examples and documented cases. He never says that Google is wonderful and makes no claims to the motivations for Googles actions, he just states those actions and compares them to the actions of other companies mentioned in this report.

  • http://tech.am Mike Puchol

    “…Sigh. Yes, let’s get all worried about still fairly anonymous IP addresses. Frankly, there’s a strong argument to skip worrying about IP addresses as an exercise that just wastes time…”

    Right. But this changes when you have:

    1. Detailed surfing habits from said IPs on millions of sites that use Google Analytics.

    2. Detailed information about the content of emails sent and received by users of Gmail, who also have an IP address, which gets tracked by Analytics too.

    3. Backlogs of search queries by said IPs, tied together with the information from #1 and #2.

    I won’t mention all the other services, but those three are already scary…

  • http://www.feedthebot.com feedthebot

    Seth, I am sorry, I meant to also state that you raised some interesting and valid points, but I just did not see the relevance of those points to the accuracy or lack of accuracy of this report.

  • http://www.thegooglecache.com rjonesx

    I believe there is a pervasiveness issue that goes hand-in-hand with the results presented in the study. While I do not intend to defend their methodology or the hodge-podge of evidence they present in their report, a relaxed privacy standard at Google affects a much broader spectrum of users and a much deeper set of information.

    I visit the BBC website perhaps once a month. I run Google Toolbar, use Gmail, Google Search (of course), Google Docs, and visit countless sites that run either AdSense, Analytics or both. I also run AdSense, have AdWords accounts, etc. With the vast amounts of data Google has acquired (and their stated intent to index the worlds information), they ought to be held at a higher standard – which it appears they may have been in this report.

  • http://blog.thinkaboutsearch.com/ S Haar

    Its funny, because one of the measurements used in the PI study was news articles. As a methodology, this is very poor, as faster growing companies tend to get disproportionate press. Therefore Google would naturally register more frequently. The blogs are following this trend regarding the PI study itself.

    That however, is not the real issue. PI’s generally shoddy methodology and subjective conclusions shed a poor light on our industry’s ability to address this issue – that should be the focus. At this point, any conclusion from the PI study is relevant only in that it gets PI more press. It does nothing to further a substantive solution to online privacy.

  • http://www.naturalsearchblog.com Silver

    Seth, I think it’s pretty hard to try to ascribe primarily selfish motivations to Google’s resistance to turning over the usage data to the DOJ.

    While you’re suggesting that Google notified the press to get promotional value out of the resistance, I think it’s likely that it was done to help bolster support in resisting the data request. Wouldn’t it be stupidly limiting to not try to enlist the public to support one’s resistance to the government’s demands?

    Other companies that apparently turned over data with no resistance perhaps appraised the situation and decided they’d have more to lose than to gain. Google could’ve easily concluded that as well — after all, doesn’t Google want the government to support them in various initiatives? Google wants a more open market for wireless spectrum and how about the importance of their cause in favor of net neutrality?

    I think it’s easier to argue that Google’s resistance of the government’s demands was more altruistic than selfish, even though they undoubtedly benefit from public perception in doing so.

    I think that action alone probably should’ve given them a “get out of jail free” card where the Privacy International report comes in.

  • Peter

    how do you defend a corporation against evildoers?

    write, like, a lot of…stuff, and hope it convinces someone that, like, there’s probably some meaning in all of those, you know, words.

  • http://www..searchmarketing.pt NunoH

    Talking about taking sides…

  • http://www.weboptimist.com WebOptimist

    Wow, lots of info. My main concern is that Google makes opting out extremely difficult and confusing. The way it is set up now, you can be surfing while logged into your Google account and not know it. That little notice at the top right of the page is hardly visible.

    I really don’t want Google deciding what they think I want to see based on my search history. On the other hand, I like having the toolbar.

    So, it would be nice to have a more obvious way to opt out of services I don’t want to participate in. Doing so now is a lesson in frustration. Just try to find an “opt out” option…

    And, I really don’t like the idea of a Google van driving by and taking pictures of me scratching myself in my living room!

  • http://www.cumbrowski.com Carsten Cumbrowski

    Regarding collecting consumer information like crazy.

    Check out my post from April about Experians Acquisition of Hitwise. This makes Google look like a joke in comparison.

  • http://www.cumbrowski.com Carsten Cumbrowski

    Oops, can’t fix the URL, here it is again.

    The article.

    Sorry for that.

  • http://www.cumbrowski.com Carsten Cumbrowski