Google scheduled a privacy discussion for reporters and bloggers at its San Francisco offices a couple of weeks ago. The timing turned out to be unexpectedly ironic.
The idea was to “walk through a short presentation about [Google's] guiding principles for privacy, how we use data and some of our comprehensive privacy efforts over the past year.” In the interim, between the invitation and the meeting however, Buzz launched and the privacy concerns and complaints forced this meeting in part of be about that product.
Google Managing Product Counsel Mike Yang — he’s part of a team Google attorneys who consult on privacy, copyright and other issues during product development — and Google’s head privacy engineer Alma Whitten were present. Yang described a process in which privacy counsel get involved “fairly early” in product development to flag potential issues and concerns. He said that this process has been in place at Google for “at least five years.” The process sounded to me pretty coherent and thoughtful. How then, in the words of one of the reporters present, did “Google get it so wrong with Buzz.”
Yang defended the decisions that the product team made about the “opt-out” configuration of Buzz at launch. He also said that Google had been using the product internally for months before launch without incident or concern. I asserted in a question that the central problem was user confusion over what was and wasn’t public. Yang agreed and said that some of the early critiques had gotten it wrong when they said that lists of followers and contacts were automatically exposed to public view.
He admitted that while internal Google users didn’t have concerns about privacy with the product that the company failed to fully appreciate the wide range of differing privacy expectations that Buzz (within Gmail) would confront at launch. Since launch Google has been tweaking, changing and refining Buzz to address these privacy concerns.
The rest of the meeting was devoted to a general discussion of what data Google collects and why. There was considerable detail, as illustrated in this slide discussing cookies:
Currently, as the slide indicates, Google retains query data associated with IP addresses for nine months and cookie data for twice that duration. During Q&A I raised the fact that Microsoft said it would comply with an EU request to cut data retention to six months. The Google response was that the company would not match that and felt that its current policies were driven by legitimate engineering considerations and the need to learn and improve search and fend off malevolent bots and general “bad guys.”
The discussion included Google’s Privacy Dashboard and its innovative approach to behavioral targeting in “interest based ads.” The notification aspect of these ads, allowing people to click through and change settings, express preferences or opt out, is likely to be adopted as a standard by the IAB and in the industry — to ward off FTC regulation.
Google shared some interesting data about these ads and said that for every 15 people who click through to the privacy controls and preferences that “four users edit preferences, one opts out and 10 do nothing.”
Clearly something went wrong with Google’s process in the Buzz launch. And in fairness to Google the company has been working diligently to address the corresponding confusion and privacy questions.
In general however Google is very strong on privacy, as some of the examples above indicate. There are many conspiracy theories and considerable suspicion swirling around Google because of its sheer size, dominance in search and the way in which it continues to expand its reach into new areas.
People are afraid of Google and the potential abuses that come from so much power. Google CEO Eric Schmidt has also made some remarks about privacy and search that don’t help Google’s cause particularly either.
I’m less afraid of Google’s misuse or abuse of my data than of third party governments or law enforcement that want access the data to monitor or otherwise investigate or persecute individuals or groups. Frankly that’s a larger concern in my mind.
I asked Google about this issue in the context of the DOJ/Bush Administration subpoenas of search engines a few years ago (Google was the only company that resisted by the way). Google said that it must comply with applicable law but that it does everything it can to protect user interests, including notifying affected individuals so that they can defend against any unwarranted inquiries.
Google needs to be held to a high standard but it also needs to be given credit for its efforts to protect privacy and provide transparency, which it is in fact doing.