Privacy International recently compiled a report on the privacy practices of the big Internet companies (Thanks Mashable!). It’s a pretty important report, especially given that these companies are capable of knowing more about us than almost any other organisations in the history of business. It’s a risk that is only growing with every photo, blog, video, social network, phone call, online purchase, search or email that we move online.
Who came out on the bottom? Google.
Why? Well, this might be a surprise to a few people, but Google actually has the greatest motivation to know as much as they can about everyone and anyone using their services. In fact, their CEO recently suggested that they want to know what we want to do tomorrow, which is creepy (I guess they wanted to go one better than the “Where do you want to go today?” line Microsoft used for years).
The thing to remember is that Google makes most (almost all) of their money from advertising, and like all advertising companies the amount they make grows in proportion to how well they can target their adverts, in Google’s case via their famed algorithm.
Here is a quick list of the criticisms leveled by Privacy International:
- Google account holders that regularly use even a few of Google’s services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.
- Google maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option. While it is true that many US based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.
- Google has access to additional personal information, including hobbies, employment, address, and phone number, contained within user profiles in Orkut. Google often maintains these records even after a user has deleted his profile or removed information from Orkut.
- Google collects all search results entered through Google Toolbar and identifies all Google Toolbar users with a unique cookie that allows Google to track the user’s web movement. Google does not indicate how long the information collected through Google Toolbar is retained, nor does it offer users a data expungement option in connection with the service.
- Google fails to follow generally accepted privacy practices such as the OECD Privacy Guidelines and elements of EU data protection law. As detailed in the EPIC complaint, Google also fails to adopt additional privacy provisions with respect to specific Google services.
- Google logs search queries in a manner that makes them personally identifiable but fails to provide users with the ability to edit or otherwise expunge records of their previous searches.
- Google fails to give users access to log information generated through their interaction with Google Maps, Google Video, Google Talk, Google Reader, Blogger and other services.
The report also covered Microsoft, which of course is no saint; however, it is absolutely true that Microsoft learnt the lessons that I think Google is only now about to start learning. The best example of this was Microsoft’s “Hailstorm” initiative, which failed catastrophically *because* everyone (its potential users) was concerned about privacy. I certainly noticed (while on the inside) a shift in policy that meant products began shipping with privacy turned on by default, and Privacy International also noticed this:
The true difference between Google Inc and Microsoft Corp can be defined not so much by the data practices and privacy policies that exist between the two organizations, but by the corporate ethos and leadership exhibited by each. Five years ago Microsoft could reasonably be described as a fundamental danger to privacy. In more recent times the organization appears to have adopted a less antagonistic attitude to privacy, and has at least structurally adjusted to the challenge of creating a privacy-friendly environment.
Interestingly, Bill even referred to privacy while mentioning new features in the interview I posted yesterday with Steve, almost out of reflex; it shows these concerns made it all the way to the top (or vice versa). Given Eric Schmidt’s comments (linked above) and what seems to be a campaign to attack the credibility of Privacy International, I’m not sure the same is true at Google.
Everyone seems to “trust” Google right now, letting them do things we would not let any other company do. It makes me wonder what will happen to the business models they are building upon that trust once it starts to disappear. One thing is for sure: that trust will disappear. They are just another big corporate; for example, they don’t “Do no evil” anymore, it’s “Search, Ads and Apps”.
A Race to the Bottom: Privacy Ranking of Internet Service Companies
Final note….
With my involvement in a small Internet startup I’m now constantly having to think about what impact new features might have on a user’s privacy. Since I trust myself, the people I’m working with and “Our Principles”, I’m often tempted to implement those features even if there is some privacy concern. It’s important we stop at this point and realise that we have to “say no” to the feature, and that we have to do this to protect us from ourselves.