Kendzior 1
Is Google a Threat to Online Privacy?
Ever since it burst onto the web-search scene in late 1997, Google has expanded its services and attracted more and more visitors. Internet users have increasingly been able to use
Google as their one and only web-service provider. Through services such as Gmail, Calendar,
Video, and Chat, Google is slowly increasing the depth of its services. As people begin to use
Google as their primary internet content provider, questions of privacy are becoming increasingly important. Should internet users permit Google to keep all of their sensitive data secure, or is trusting one company with this vast collection of data a bad idea? Google's users may be creating one of the largest and most vulnerable sources of private data imaginable, and without a clear and defined policy, there are no guarantees that any of this information is being kept private.
From the beginning, Google has striven towards one seemingly honest goal: "Don't be evil." Google's code of conduct famously explains this phrase: "... it's about providing our users unbiased access to information, focusing on their needs and giving them the best products and services that we can. [...] it's also about doing the right thing more generally -- following the law, acting honorably and treating each other with respect" ("Google Code of Conduct"). Nowhere in the basic premises of the code of conduct does Google mention user privacy; one can only assume that it falls under "treating each other with respect" ("Google Code of Conduct"). Either through deliberately giving priority to doing what is right or sheer chance Google has listed
"following the law" before "treating each other with respect" in their code of conduct: "Where user privacy and freedom of expression face government challenges, we seek to implement internationally recognized standards that respect those rights as we [...] respond to government Kendzior 2 requests to access user information or remove user content" ("Google Code of Conduct"). One of the biggest threats to privacy today is from governments requesting private data that they should have no right to. If Google gives individual states priority over users' privacy, their data isn't nearly as secure as most people today believe it is.
Further in the code of conduct Google formally addresses user privacy: "Our security procedures strictly limit access to and use of users' personal information. Know your responsibilities under these procedures, and access data only as authorized by them, our Privacy
Policy and applicable local data protection laws" ("Google Code of Conduct"). In short, Google tells users to know their privacy rights, and to act and use their services accordingly. The problem with this approach is that most users never read these often lengthy documents, and with the internet being in its infancy, its privacy policies haven't had adequate legal scrutiny. As such, the task of questioning them has been thrust into the hands of consumers. Advocacy groups are working hard to ensure that Google's privacy policies are in the best interest of its users, but until all of the wrinkles are ironed out, there are still opportunities for misuse.
One of Google's most controversial services is its advertising program. Website administrators can open a Google AdWords account and almost immediately place advertising on their website. One attraction of this service is its unobtrusiveness. In an age when internet advertising is flashy and oftentimes distracts from a user's browsing, Google offers simple text ads that can be customized to fit the layout of the website. This, coupled with the relevancy of the advertisements, has propelled AdWords to control over two-thirds of text-based advertising online ("Pay Per Click Marketing"). Google brought text-based advertising to a new level, but image-based advertising was overwhelmingly more popular. When Google acquired
DoubleClick, the largest seller of image-based advertisement online, their hold over internet Kendzior 3 advertising became overwhelming, reaching "nearly 80 percent of all spending on non-search ads" ( An Examination of the Google-DoubleClick Merger 8). The acquisition was even questioned by the Senate Antitrust Subcommittee, and issues of user privacy were thrust into the forefront of the discussion.
One extremely interesting point brought up by Marc Rotenberg of the Electronic Privacy
Information Center was concerning the 1991 acquisition of Abacus by DoubleClick. Abacus was a company that had a huge database of information on American consumers, and DoubleClick proposed to merge anonymous internet profiles (obtained through its advertising) with the detailed customer profiles contained in the Abacus database ( An Examination of the Google-
DoubleClick Merger 18). The deal was never stopped, and DoubleClick obtained very detailed private information about the users who viewed its advertising. After Google acquired
DoubleClick, they acquired the Abacus database as well as the additional information that
DoubleClick had gathered.
DoubleClick was no stranger to the US legal system. Shortly before the dot-com bubble burst, three class-action lawsuits were filed against it for alleged breaches of user privacy. All three cases were settled, and the courts sent DoubleClick away with an order to sponsor a 300- million-dollar advertising campaign informing internet users about privacy issues. The settlement also required them to purge all of their records that included personal information. They also had to obtain user permission whenever they wanted to link personal information with web-browsing information (Mariano). This was a great step forward in online privacy rights, and it was only possible because concerned users brought their complaints into the public forum.
Now that Google holds over 80% of web-based advertising, they can easily data-mine users and pair browsing data with sensitive personal information. Marc Rotenberg also fears the Kendzior 4 merging of Google's records with Abacus's personal information database: "After Google’s deal to acquire DoubleClick was announced, Google Deputy Counsel Nicole Wong stated that Google hopes to 'integrate the two companies' non-personally identifiable data in order to provide 'better and more relevant ads for consumers' " ( An Examination of the Google-DoubleClick Merger 20).
By merging all of this information, not only would Google have a huge database of user browsing data, but also profiles on those consumers. It is well within Google's legal rights to possess this data, but is it in the best interest of users and their privacy? The Subcommittee on
Antitrust and Consumer Rights seemed more concerned about the possible anti-trust issues with the merger, and beyond Marc Rotenberg's comments, the majority of the talk about privacy was met with Google insisting that they should be trusted with the data. Scott Cleland, President of
Precursor (an industry research and consulting firm), also voiced his hesitancy about the merger:
"What checks and balances would exist to Google-DoubleClick’s web of market power over the world’s information? The combined Google-DoubleClick merger would have little accountability to consumers, to competition, to regulators, or even third-party oversight" ( An Examination of the Google-DoubleClick Merger 12). Although these statements were strong, no oversights were instituted.
In March of 2009, Google began to offer user the option to "opt-out" of interest-based advertisement data mining (Chitu). By default, users store a cookie on their home machine, and as they browse, that cookie is associated with different categories based on the type of websites that they visit. Every website that has a Google advertisement on it (Google search, Yahoo search, etc.) will be categorized and recorded in a Google database (Milly). What this means is that Google is collecting and categorizing data from people who don't even have Google accounts and haven't accepted any privacy policy or other terms of services associated with Kendzior 5 creating an account. This gives Google access to an extremely large amount of data mining potential on unknowing internet users. What is more striking, however, is that because the average user doesn't realize this is going on, they have no way of forming an opinion and deciding to opt-out. The notion that Google, simply because it can implement such a mining system, has the right to collect data on users is disturbing, even more so because the majority of internet users have no idea it is going on. Because the average internet user is oblivious to
Google's policies on information gathering, the opt-out feature is only protecting technically savvy users. This leaves the majority of internet users unprotected. An opt-in system has been proposed, but so far, no action has been taken to further pressure Google to adopt a stricter stance on data mining without consent. Around the time of the merger, Google CEO Eric Schmidt mentioned the possibility of an opt-in system, but there has been no more recent talk from
Google on the matter (Olsen).
While advertisements represent the largest source of personal information available for
Google to data mine, Google also offers many services that offer access to much more personal user data. Gmail, one of Google's most popular services, offers users a free e-mail account with a huge amount of storage for their mail (over 7GB of space). In exchange, as with the majority of its services, Google offers targeted advertising to these users, and also requires them to fill in personal information before obtaining an account. This means that Google's advertising service has access to private e-mail addresses as a source for mining. Gmail's Privacy Policy also states that ”Residual copies of deleted messages and accounts may take up to 60 days to be deleted from our active servers and may remain in our offline backup systems" ("Gmail: Privacy"). If an e-mail is deleted, Google gives no guarantee that they won't keep it stored for corporate use indefinitely. In essence, Google is claiming ownership over every e-mail received via their Kendzior 6 service, and as such users aren't even able to control where their data is, and who has access to it.
Google has no data recovery option, so what could Google possibly want private e-mails for if they're not planning on using them? The same privacy concerns surround every one of Google's services. Advertisement keywords are gathered from the personal data that users supply through the use of the service, and these keywords are linked to that user for use when he/she browses internet websites using the Google advertising system. David Coursey sums it up extremely well in his article in PC World Magazine: " By giving us 'free stuff' like e-mail, voice mail, search results, applications, collaboration, analytics, etc., Google knows more about us than we may easily be able to remember about ourselves. And Google never forgets" (Coursey).
Recently Google released Google Health, a service that allows patients to upload health data, and to find doctors based on their conditions. In setting up this service Google displayed an immense amount of concern over the privacy of health records, and as such, the privacy policy for the Google Health service is actually adequate. Following Health Insurance Portability and
Accountability Act (HIPPA) requirements regarding medical records undoubtedly made a huge difference in the way Google went about formulating its privacy policy, which states: "You can completely delete your information at any time. Such deletions will take immediate effect in your account, and backup copies of deleted information may persist for a short time" ("Health").
Google Health also promises not to use targeted advertising methods to store keywords while someone is using the application. Unfortunately Google won't adapt such strict measures for its other services, but what they did here is definitely a step in the right direction.
Recently, Google has been in the news for their ambitious Google Books project, which aims to make a vast number of published books available online for customers to view. The past few years have been full of court cases between Google and book publishers, and the FTC has Kendzior 7 taken notice: "... it is important for Google to develop a new privacy policy, specific to Google
Books, that will apply to the current product, set forth commitments for future related services and features, and preserve commitments made in the existing privacy policy," said David
Vladeck, the director of the FTC's bureau of Consumer Protection (Bartz). Unfortunately, the
FTC has only suggested that Google change its policies, and it is doubtful anything groundbreaking will come out of the statement. The U.S. government has time and time again provided sound bites to make it appear that they are taking the flaws in Google's privacy policies seriously, but beyond the statements, little or no action has been taken.
Google has taken all of the criticism about its privacy policies and has come up with an interesting solution called Google Dashboard, which was recently released in response to the concerns voiced by its users. Google's Blog explains more about what the service ultimately does for its users: “It's a long answer to the question: 'What does Google know about me?'” (Chitu).
Google Dashboard can give a user all of the information associated with one Google account, and also provides links to the user if he or she wishes to remove that data. Dashboard also provides links to each of the application's privacy policies, which is a happy change, considering their reluctance to provide a link to their privacy policy at the bottom of their homepage (Chitu).
Dashboard allows its customers to view what data is being stored, but the larger question of how
Google analyzes and uses that data is never answered (Vilches). While Dashboard may reassure
Google users, it doesn't introduce any new privacy safeguards or guarantees, and in this respect changes nothing about how users' personal data is stored. It seems Google is further cementing its position that any and all personal data stored through their services is fair game for data mining and targeted advertising. Kendzior 8
One might ask why any of this matters. If Google is only using this information for advertising, which benefits everybody, doesn't everybody win? The fact remains that Google undoubtedly has access to one of the largest amounts of personal data ever known to mankind.
There are plenty of entities that would do almost anything to be able to get their hands on this data, and the scary part is, there aren't nearly enough safeguards put in place to ensure that the data is always secure. What would the United States do if there was another terrorist attack?
Remember what the telecom companies did after 9/11, releasing telephone records and allowing unauthorized wiretaps? Will Google turn into another source for information when we look for terrorists? Will subpoenas for user e-mails and browsing history become commonplace? Is it possible that a country could refuse to allow Google through national firewalls if they don't supply authorities information that they want? Already U.S. courts have forced Google to release sensitive user data. Viacom sued Google over copyright violations on their YouTube video-hosting website. As a part of the ruling, Google was forced to hand over data on every
Google account that viewed videos under Viacom's copyright, including IP addresses, Google user names, and a list of copyrighted videos watched by the specific users (Kirkpatrick). Viacom now has full access to this information, and Google users everywhere run the risk of being sued for watching these clips. Some of these fears may seem farfetched, but they are already becoming a reality. Until Google takes a much stricter stance on user privacy, the threats will only grow (Coursey) .
Google has an ethical responsibility to its users, a responsibility that it arguably hasn't
taken seriously. It seems that Google refuses to put users' privacy before its own profits. By
collecting data without being fully upfront about it, Google has been asking users to trade their
personal (sometimes private) information for access to Google services (which are touted as Kendzior 9 being "free"). Using act utilitarianism to judge Google's actions, we can weigh the benefits and harms arising through Google's current privacy model. Internet users are provided access to a wealth of applications and resources for no monetary cost. On the other hand, they are harmed by placing a vast amount of personal data in the hands of a third party which doesn't take stringent measures to protect their privacy. Google uses these services to collect data on its users, allowing it to provide better services to advertisers. Furthermore, if that data is somehow released, leaked, or stolen, it could cause significant damage to one's personal life. Credit card numbers may be released, personal photos and correspondence could cause public humiliation... the list goes on and on. The number of problems caused by such a leak would far exceed the services offered, and in this author's opinion the benefits do not outweigh the potential harms. This judgment hinges only on the possibility of misuse, but the danger is getting greater as the days go by, making this threat a serious one.
Google has no plans to stop pioneering. Starting with web search, Google has moved into the mobile phone and operating system market, and their growth seems to have no bounds. They are constantly releasing new products, and many of them bring up serious new questions about internet privacy. It seems that the rapid development of new technologies is outpacing our ability to fully understand the cost/benefit ratio, especially when it comes to how third parties collect, distribute, and use our personal information. Google's stance on privacy has allowed it to amass a vast amount of personal data, and with the introduction of new services the scope of the data becomes broader and broader. The U.S. government seems to be ignoring the serious threat that
Google's privacy policies pose for users. The only way Google will change its stance on privacy and aggregating mass amounts of data is if users become more informed about the problems with its unlimited access to personal information, and if they pressure governments to take action. Kendzior 10
Until then, people need to seriously consider how much they use Google and the internet for personal purposes, and they need to re-evaluate exactly how much information they are willing to let into the hands of for-profit entities. Google users need to be extremely wary of providing services such as Gmail, Google Calendar, Google Documents, and Youtube with sensitive information because of the serious privacy concerns that Google has yet to address. Google may not want to be evil, but they are poised to cause a great amount of harm to their users if their policies aren't changed. Kendzior 11
Bibliography
An Examination of the Google-DoubleClick Merger and the Online Advertising Industry: What are the
Risks for Competition and Privacy? Hearing Before the Subcommittee on Antitrust, Competition
Policy and Consumer Rights of the Committee on the Judiciary , U.S. Senate, 110th Cong., 1st
Sess., 16 (2007) (testimony of Marc Rotenberg)
Bartz, Diane. "FTC urges privacy policy for Google books." Montreal Gazette - Breaking News,
Quebec, Opinion, Multimedia & More . Web. 09 Nov. 2009.
ml>. Chitu, Alex. "Google Dashboard." Google Operating System (Unofficial Google Blog) . Web. 09 Nov. 2009. Coursey, David. "Privacy: Why Google Social Search Gives Me The Creeps - PC World Business Center." Reviews and News on Tech Products, Software and Downloads - PC World . Web. 13 Nov. 2009. ves_me_the_creeps.html>. Edwards, Eli. "Stepping Up to the Plate: The Google-Doubleclick Merger and the Role of the Federal Trade Commission in Protecting Online Data Privacy". April 25, 2008. http://ssrn.com/abstract=1370734 Emigh, Jacqueline. "Google Dashboard Bows to Users’ Privacy Concerns - PC World." Reviews and News on Tech Products, Software and Downloads - PC World . Web. 09 Nov. 2009. tml>. Kendzior 12 "EPIC - Google Books Litigation Page." Electronic Privacy Information Center . Web. 09 Nov. 2009. "EPIC - Privacy? Proposed Google/DoubleClick Merger." Electronic Privacy Information Center . Web. 09 Dec. 2009. "Gmail: Privacy." Web. 10 Dec. 2009. Goodin, Dan. "Google's DoubleClick spreads malicious ads (again) • The Register." The Register: Sci/Tech News for the World . Web. 09 Nov. 2009. "Google Code of Conduct." Google Investor Relations . Web. 09 Nov. 2009. Kirkpatrick, Marshall. "Google and Privacy: A History." ReadWriteWeb - Web Apps, Web Technology Trends, Social Networking and Social Media . Web. 09 Nov. 2009. Mariano, Gwendolyn. "DoubleClick able to settle privacy suits - CNET News." Technology News - CNET News . Web. 09 Dec. 2009. suits/2100-1023_3-919895.html?tag=mncol;txt>. Milly. "Anonymizing Google's cookie." Www.iMilly.com . Web. 10 Dec. 2009.