Privacy, “The Creepy Line” And Beyond: It’s Not Just About Google

Most of you have seen the recent and now semi-infamous quote from Google CEO Eric Schmidt about how Google goes right “up to” what it considers a taboo boundary — “the creepy line” — but not beyond:

“There is what I call the creepy line,” he said at an event at the Newseum. “The Google policy on a lot of things is to get right up to the creepy line and not cross it.”

If you look at the slightly larger context of this comment you see that it’s intended to be a joke of sorts. But the degree to which this quote was repeated and blogged about reflects the sensitivity (and fear) that exists around Google’s data collection and targeting practices.

Last month a former Federal Trade Commission official filed a privacy complaint against Google. According to the Wall Street Journal:

The complaint was filed September 6 by Christopher Soghoian, who worked until August as a technologist with the FTC’s Division of Privacy and Identity Protection. It calls on the agency to investigate Google and to “compel Google to take proactive steps to protect the privacy of individual users’ search terms.” The complaint alleges Google shares with third parties users’ search queries, including those that contain personal information.

The complaint, which is extensive and highly technical, alleges deceptive business practices in that Google shares search queries with third parties (publishers/webmasters). The complaint argues this misleads the public because it goes against Google’s pledge not to share personally identifiable information. According to the complaint (“in relevant part,” as lawyers would say):

• Google’s practice of allowing (and enabling) the leakage of private search query data to third parties is a deceptive business practice . . .
• Google’s privacy policy misleads consumers, and assures its customers that it will only share their personally identifying information with third parties under a limited set of circumstances.
• This policy does not reflect the fact that the company knowingly and actively assists in the leakage of this data to third parties.
• Allowing users’ search terms to leak via the browser’s referrer header to every web site that the user clicks on from a Google search results page simply does not qualify as a “limited circumstance.”
• Google may also attempt to argue that search queries are not personal information as it has narrowly defined the term in its privacy policy. However, company has previously acknowledged that search queries often contain personally identifiable information.

The two big questions are whether the practice of sharing search query data contradicts Google’s own privacy policy and whether the query data constitutes “personal information.” A statement provided to the WSJ by Google contends that Google does nothing out of the ordinary here:

Google said its passing of search-query data to third parties “is a standard practice across all search engines” and that “webmasters use this to see what searches bring visitors to their websites.” The statement added, “Google does not pass any personal information about the source of the query to the destination website.”

What the complaint, its allegations and discussion reflect is how arcane and inaccessible online privacy and data collection are to the majority of people. Most people won’t read privacy policies, let alone understand them. But those who do on both counts will have no insight into behind-the-scenes data sharing going on or how it may or may not affect their privacy.

The amount of data now available to ad networks and being provided through search retargeting and behavioral targeting is staggering. Yet it is not more invasive than offline targeting practices that have gone on for years without concern or regulation — largely because they’re unknown and opaque to the public.

For example, there are many more consumer databases operating and interacting in the traditional media world (e.g., direct mail) than online to date. The information being shared online is mostly presented in the aggregate and is anonymous. However the complaint above argues that anonymous isn’t really anonymous when it comes to search queries.

Google is frequently the focus of complaints because it’s the biggest target and the object of various conspiracy theories. (Facebook more recently has taken some of the privacy heat away from Google.) However as I’ve argued in the past, Google has been largely proactive on privacy and ad targeting, in a number of circumstances, and doesn’t really get credit for those efforts.

The company’s privacy/account dashboard is an almost unique personal data management tool among the major search engines and portals. Although, after many missteps, fits and starts, Facebook now has a similar though less extensive privacy dashboard.

Google’s more transparent approach to behavioral targeting — allowing users to click and opt-out of all targeting — was essentially adopted by Yahoo and became something of a model for the online advertising industry’s most recent effort at self-regulation.

Why is privacy important?

It’s important for its own sake and not simply as a utilitarian value. However privacy must be safeguarded to prevent people from being denied services, privileges, jobs and loans by unscrupulous third parties seeking to maximize profits or manage risk. Because I got drunk at a party in college and a friend posted a picture on Facebook, I shouldn’t be denied a job. Because I searched on “loan modification” or “bankruptcy” I shouldn’t be denied a mortgage or car loan. Because I searched on “hypertension” I shouldn’t be denied life insurance or see my health insurance premiums raised.

These are the very real risks, however, in this age of unprecedented data collection and profiling. I’m not so much concerned about Google or Facebook using data or behavior to target advertising. I’m much more concerned about others getting access to information that can be used against me — to deny or prevent me from obtaining something I want or need. That’s the real risk and what’s at stake in this whole data/privacy debate. It’s not really about and shouldn’t be focused on whether I see the ad for Cancun vacations or Ford Fiesta.

Google shouldn’t be singled out here; the issues are industry wide. And Google should be lauded for many of its privacy efforts that are more progressive than its rivals. I believe Google is sincere in taking user privacy seriously. The “creepy line” comments do reflect however, if unwittingly, the tension within Google around data collection and targeting.

Accordingly I’m a believer that there must be scrutiny and vigilance from professional privacy advocates and even the threat of regulation to keep everyone honest. The incentives in the “system” and larger economy motivate companies to collect as much data as they can and use it to further their own economic interests. Indeed it’s not until the threat of regulation started looking real that the IAB and its sister groups “got their act together” and proposed a self-regulatory scheme.