A recent study on the privacy rankings of big internet search engine providers reveals that Google might have some ‘splainin to do, especially if Congress gets its way. In the process, its proposed merger/buyout with Doubleclick might be in trouble.
First, Google’s privacy problems, as defined by some privacy experts.
The September, 2007 study by Privacy International entitled “Race to the Bottom: Privacy Rankings of Internet Search Companies”, tracks the privacy practices of big Web search engine companies. The ranking lists the best and the worst performers both in Web 1.0 and Web 2.0 across the full spectrum of search, email, e-commerce and social networking sites.
Privacy International ranked Google dead last in terms of privacy compliance. I’ll let the technology consultancy explain its reasons why
“We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy. This is in part due to the diversity and specificity of Google's product range and the ability of the company to share extracted data between these tools, and in part it is due to Google's market dominance and the sheer size of its user base. Google's status in the ranking is also due to its aggressive use of invasive or potentially invasive technologies and techniques.”
Well, you won’t find that statement on any Google press releases - - although you might hear about it at the next Google shareholder meeting, if you’re lucky enough to own any.
But wait, it gets worse. Says the PI study
“The view that Google "opens up" information through a range of attractive and advanced tools does not exempt the company from demonstrating responsible leadership in privacy. Google's increasing ability to deep-drill into the minutiae of a user's life and lifestyle choices must in our view be coupled with well-defined and mature user controls and an equally mature privacy outlook. Neither of these elements has been demonstrated. Rather, we have witnessed an attitude to privacy within Google that at its most blatant is hostile, and at its most benign is ambivalent. These dynamics do not pervade other major players such as Microsoft or eBay, both of which have made notable improvements to the corporate ethos on privacy issues.”
The Privacy International Study points specifically to several alleged privacy violations on the part of Google. Chief among those include . . .
-- Google account holders that regularly use even a few of Google's services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
-- Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many US based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
-- Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
-- Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user's web movement.17 Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
-- Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopted additional privacy provisions with respect to specific Google services.
-- Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
-- Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.
All in all, not an endorsement of Google's consumer privacy practices. Currently, Google has the Federal Trade Commission conducting due diligence over the company's proposed merger with Doubleclick.
In tomorrow's blog, I'll examine how that's going -- and why Google might have made a powerful enemy in Congress that could cut the Google/Doublick connection short.