
Business from Q&A relating to data & security February 2021

Background:

Business Messages is a messaging product from Google. It can be thought of as an ‘inbound’ channel, where a user initiates a conversation with a business. It is most commonly used for customer service, commerce, acquisition and marketing use cases.

Users discover a business from an ‘entry point’ and then open up a ‘conversational surface’ to chat to the business. The business connects (directly, or through a CRM/CS partner) through an API that Google provides.

More information can be found at https://businessmessages.google/

Developer documentation can be found at https://developers.google.com/business-communications/business-messages/guides?hl=en

Entry points include, but are not limited to:
● Search results pages (SERP) of different types
● Map pages
● Phone/dialer app on Android
● Widgets or other devices that might be placed on a or in app
● Weblinks

Confidential & proprietary. Please don’t share without permission

Conversational Surface

The messaging channel is delivered over IP, not through mobile carrier networks. It is not related to SMS, MMS or RCS, and is independent of any 3rd party OTT messaging applications that the consumer might use.

Each Partner connecting to the Google API is governed by a Terms of Service for Business Messages, and Acceptable Use Policy.

Google does not enter into custom or supplementary agreements regarding Business Messages.

Objectives

The purpose of this document is to provide answers to common questions relating to Business Messages data security and associated topics.

1. What is the messaging architecture and flow for Business Messages? Which elements are encrypted?

Messages sent between users and businesses are encrypted between a user’s device and Google’s servers and between Google’s servers and the CRM/CSP through the Google Business Messaging API.

2. What is the implication from the Business Messages Terms of Service that Google and the partner are both Independent Data Controllers?

Since the user journey starts on a Google surface (e.g., search results page) and/or the conversation takes place on a Google conversational surface, the information passed in the consumer to business conversation falls under the Google Privacy policy. Since the consumer is passing information to the business, the conversation also falls under the Privacy Policy of the business - which is linked from the top-right menu of all consumer-to-business conversations.

Note that (in addition), the Business Messages Terms of Service includes clause 9. Data Protection

3. Why won’t Google entertain custom agreements for Business Messages?

Just like , Business Messages is scaling to a very large number of user experiences, and this requires uniform legal agreements. We have purposefully designed very partner friendly terms that we believe provide ample protection for businesses and their users.

4. Our business is subject to regulations that mean that its providers must be available for audit. Will Google co-operate with this?

We have teams that are dedicated to responding to law enforcement and regulator inquiries in accordance with applicable law.

5. Will Google use customer’s data outside of Business Messages?

Google’s use of customer data is governed by Google’s privacy policy.

Things we WILL do with user data:
● Improve Business Messages
● Measure performance of Business Messages
● Improve results by understanding when and why users click on message buttons
● Optimize the positioning of message buttons
● Detect and prevent spam and fraud
● Protect users
● Analyse user intent through NLP techniques
● Provide automated responses to the user where appropriate (for example opening hours of stores)

Things we WON’T do with user data:
● Sell advertising based on, or otherwise monetize, message contents
● Share unaggregated data or message content with any third parties or competitors
● Violate our privacy policy

See also this op-ed from Google’s CEO:

“To make privacy real, we give you clear, meaningful choices around your data. All while staying true to two unequivocal policies: that Google will never sell any personal information to third parties; and that you get to decide how your information is used.”

6. Is persistent storage used for this service, and where is the information stored (conversations, materials for the agent, etc.)?

Mobile Originated (MO): Stored on ‘store and forward’ basis (meaning Google stores until it has been able to connect to the user’s device and deliver the message), for not longer than 35 days.

Mobile terminated (MT): Typically held for 35 days on store and forward basis.

MT: Held encrypted at Google for maximum 31 days, solely for spam detection.

Agent Materials (logo, name, description, etc): Persistently stored in global Google storage.

Messages are stored on a user’s device perpetually, unless the user chooses to delete them.

Google stores (encrypted) messages to allow them to be synchronized between a user’s devices (and to ensure old messages are shown on a new device). These stored messages cannot/will not be shared with any third party. Access to the messages is only available using the user’s Google ID (only that specific user can gain access to their data). The identical storage system is used for user data for YouTube, Photos, Stadia, , Chat, and other Google products and services.

7. If a message is not delivered, how would the business be notified that the message hasn’t been delivered?

We report the status of each message - sent and delivered.

8. Are messages stored encrypted?

Yes - messages are stored encrypted at Google.

9. Can a business control the encryption keys for its messages stored at Google?

Unfortunately not, because Google needs to scan Business Messages messages for spam to protect all users.

10. Is Business Messages certified by any 3rd parties?

Yes. Business Messages has received ISO 27001, SOC 2 and SOC 3 certification. Please ask if you’d like copies of certificates.

11. What audit rights do we have?

See this section from the Business Messages Terms of Service:

Each party will perform the following testing of the services, systems, devices, and media used to perform services pursuant to this Agreement using employees qualified to perform such testing, or a qualified independent security assessor:

1. regular vulnerability scans using an industry standard vulnerability scanner at reasonable intervals, but in no event, less frequently than once every quarter;
2. penetration testing at least once per year; and
3. annual audit of that party’s Safeguards under an audit standard appropriate and applicable to the actions that party performs pursuant to this Agreement.

12. How does Google handle data breaches?

Please refer to Exhibit B, section 6, of the Business Messages Terms of Service, for Incident Response:

Incident Response. Each party will maintain an incident response program to respond when that party has reason to believe that there has been or will be unauthorized access to, use or loss of personal data or other Confidential Information. A party will promptly notify the other party if it identifies such an incident involving personal data processed by, for, or on behalf of the other party.

13. What does the customer see when the Business Messages service is unavailable?

When a message cannot be sent (for any reason), we display “Not sent * Tap to retry”

14. What reporting does Google see on Business Messages agents (the business to consumer interactions)?

Google has internal reporting for the gross number of users, messages, and responses for each agent, based only on the last 31 days of data. We use this for diagnostics and system improvements. Beyond 31 days we store only aggregate reporting data.

15. Does the Privacy and Security section of the Business Messages Agreement limit a brand’s ability to collect and use information about its own customers?

We do not intend to restrict a business’s ability to serve its own customers. A conversation between a user and a business that is created through the Business Messages API can be stored by the business, according to the terms of its own privacy policy with its users.

16. What data is stored on the user’s device?

Message history is stored within the user’s phone.

We plan to offer features in the future that will help users transfer sensitive information—e.g. SSNs, credit card numbers—to businesses in a safe and secure manner. For instance, we may use special webviews or other message types specifically for gathering this type of info.

17. What is meant by: “Do not use any information about the user’s online or offline state for any reason except to directly provide the services to the user, and under no circumstances in a manner that may surprise or disturb a user (including, but not limited to, sending a promotion or advertisement based on them coming back online)”

Some features are provided to allow businesses to choose the correct channel to message a business - not to build a profile of offline vs. online status for a user, nor to provide a trigger to deliver a message based on a change of online status for a particular user. The Agreement specifically prohibits a business from using information about the user’s state for any of these purposes.

18. Explain “Company will provide a clear and conspicuous privacy notice to such individuals that accurately describes how Company collects, uses, and protects that information.”

We expect all businesses using Business Messages to supply a privacy policy and offer guarantees that they will not use/share user data without specific user permission.

19. Does Google ever read messages between consumers and businesses?

Google cannot and does not read messages, except in one specific scenario.

In some CSAT surveys, users are told that, if they submit a rating, Google will review their conversation. This is done to help us improve the value that users and businesses derive from Business Messages, and review is done using ML algorithms (which are sometimes trained by humans). The ‘Learn More’ link above leads to the following explanation and privacy policy:

What happens when you submit a rating

Submitting a conversation rating helps Google make business chats more helpful over time. Specifically, this lets you help Google develop a special algorithm -- a machine learning model -- designed to bring the best of Google assistive smarts to your business chats. As part of submitting a rating, the content of your conversations with the business is used by Google employees with temporary, restricted, and audited access, to train and develop this model. We take steps to protect your privacy as part of this process by allowing manual review only without any identifiers attached, using an automatic tool that makes best efforts to redact personally-identifiable information from the conversation content. This lets Google understand problems that may arise during your chat with a business, as well as the kinds of questions you are asking businesses.

How we protect your data

A machine learning model can help identify useful patterns in large datasets. Like fixing an engine of a car, small adjustments need to be made to the model to understand if it’s working as efficiently as it can. In this case, Google is building a model to analyze and improve the helpfulness of businesses when you chat with them, as well as predicting the types of questions users ask certain types of businesses, so we can provide questions to start off your chat (for example, “what hours are you open today?”), and smart replies over time.

Models eventually run automatically and without human review, but as part of the initial training, human review will be limited to making sure the models are trained, without seeing your identity or the identity of the business. Here’s how it works:
1. A Google engineer adds “tags” or labels to a conversation based on words or phrases indicating how helpful the business was in answering your particular question, as well as what questions you had initially. The human tagging will be used to develop and improve our initial machine learning model, eventually allowing the machine learning model to do the tagging on its own.
2. Next, we’ll compare the human tagging to the machine learning tagging and make adjustments, so that eventually, only the model will review message content.

Access is audited and scoped to Google full-time employees working to improve the product, who will only have access to chats for 35 days. Your contribution will help ensure the models run without human access, improving business messaging for everyone -- including helping businesses provide useful info to you more quickly, so you can get stuff done, stay healthy, and get on with your day.

To learn more about the controls Google has in place to protect your data, including how technologies keep your information safe, visit policies.google.com.

20. What information about a user does Google pass to the brand?

When a user starts a conversation with a brand, we pass the user’s First and Last name for most users. No other information is passed. A unique identifier for the conversation allows the brand to know it is the same user in future exchanges.

In the future we may pass more information and/or provide tools for the user to make it easier to share information like address, email, and phone number with a brand.
