«

»

Google moves its privacy offering from Abysmal to Appalling as EU regulators force change

957By Simon Davies

You’ve probably seen numerous media reports on Google’s new privacy dashboard. In essence, this is a facility where Google consolidates all its spin about the need to collect more information on its customers. Users who can navigate the anti-privacy rhetoric on those pages have an opportunity to improve their privacy level from abysmal to appalling.

Overall, media have given the launch a cautious thumbs-up, but – with rare exceptions – journalists seem to have overlooked the rather substantial fact that the company had to be dragged kicking and screaming by EU regulators to make these changes. And even then, the advertising giant has adopted the lowest possible standard of privacy protection.

Privacy dashboards notwithstanding, it’s important to remember that Google isn’t just an advertising company, it is also a company specialising in surveillance of its users.

The scale of the privacy risk associated with Google’s gargantuan enterprises is sometimes easy to understate, even though privacy has become the company’s most famous failing.

Looking back over the the past three years, I’m astonished at how many incursions of privacy the company has engineered. Deceptive web tracking, breaches of data protection, unlawful email interception, unlawful wifi interception, antitrust investigations – the list goes on.

The scale of the privacy risk associated with Google’s enterprises is sometimes easy to understate, even though privacy has become the company’s most famous failing. Even with the coolest product offerings, the company has found the knack of generating controversy. It’s as if Google has now given up and decided that it can’t make an advertising omelette without breaking some privacy eggs – so it will simply break the eggs, reap the dollars and accept the legal consequences.

There was a time when such activities could be laughed off like some boisterous adolescent puppy sweeping the glassware off the shelf with its excitable tail, but those days are gone. The reality has set in that this is an advertising company, not a cool public service.

Anyone wanting to drill into the violations and risks can explore this blog – or countless other sources – but in the meantime my eyes were drawn today by an exceptional analysis by Robert Epstein published in US News & World Report a couple of years ago. It is rare to find such a comprehensive overview of the many issues associated with Google’s products, so I’m taking liberty of setting out a slightly abridged version of the article here.

It’s as if Google has now given up and decided that it can’t make an advertising omelette without breaking some privacy eggs

Watch this space. Articles such as this will appear with increasing frequency as the company moves to a more aggressive revenue model for its products.

The search engine. Every search you conduct using Google’s ubiquitous search engine – for medical or mental health information, an update on your favorite mayoral candidate, the schedule of your church’s potluck dinner, how to handle kids’ tantrums, the cure for halitosis or the latest sex toys – allows the company to track your interests and, over time, build a detailed dossier that describes virtually every aspect of your character, food preferences, religious beliefs, medical problems, sexual inclinations, parenting challenges, political leanings and so on. In other words, when you use Google’s search engine.

Even if the company doesn’t know your name, it can still track your searches by reading codes, such as your IP address, that are unique to your computer or current location. Through cross-referencing, the company can eventually find your name, address, and telephone number, too. When you use the search engine or most any other Google product, Google also installs an identifier cookie on your computer that makes you easier to track. And get this: Google reads and stores every letter you type into its search bar as you are typing (think: m-a-r-i-j-u-a), so even if your good judgment suddenly kicks in and you don’t hit “enter,” the company still records what it thinks you were looking for.

Through cross-referencing, the company can eventually find your name, address, and telephone number, too.

Google uses your search history to send you personalized ads. That’s how it survives, after all. About 97 percent of the company’s revenues are from advertising. Google justifies this business model, which could be viewed as fundamentally deceptive, by insisting that it’s providing a unique and valuable service: sending vendors your way who precisely fit your current needs and interests.

Email. When you use Gmail, Google’s email service, the company scans the content of your emails and the email addresses of your correspondents. Google’s Gmail system also scans your incoming emails, even the ones coming from Yahoo and Hotmail. If you feel safe because you’ve deleted emails you regretted sending, think again. Google never erases its own copies, even copies of the drafts you decided not to send – even copies of incomplete messages you didn’t save as drafts. And then there are those Google servers, which route the emails of thousands of companies that apparently don’t mind running the risk that their emails will be scanned. So whether you use Gmail itself, write to someone who uses Gmail, or, in many cases, simply email, Google’s gotcha.

Google+. If you use Google+, you are voluntarily telling Google a great deal about your personal life, including, at times, current and intimate details. Yes, the same is true with Facebook, but when it comes to dossiers, Facebook is a toddler at play compared with Google.

Chrome allows Google to track your activities in areas of your life that are so well established that you don’t need to research them

Chrome. This is Google’s browser, introduced in 2008 to compete with Internet Explorer, Safari, Firefoxand other browsers. Why did Google bother to introduce yet another free browser into a somewhat crowded market? Because with Chrome, Google can track every website you visit directly – that is, without first passing through its search engine. The search engine on its own left a significant gap in the company’s knowledge about you; it only revealed areas in which you needed more information. Chrome allows Google to track your activities in areas of your life that are so well established that you don’t need to research them – the regular contact you have with your bank or employer, for example. Google might never have been able to track those kinds of activities without the help of Chrome.

Even in so-called “incognito” mode, Google has programmed ways to track you. If, for example, you use Chrome to put a link to one of your favorite websites on your desktop, when you click directly on that link, the window that opens is not in incognito mode.

Firefox. What? How can Google track you when you’re using a competing browser maintained by a non-profit organization? It can do so because before Firefox takes you to your destination, it first checks to see whether that website is on Google’s blacklist, an ever-changing list of about 600,000 websites that Google’s bots have identified – sometimes mistakenly – as dangerous. No government agency or industry association ever gave Google the authority to maintain such a list, but it exists, and Firefox uses it. Thus, Google is alerted when you visit websites through Firefox. Even more disturbing is the fact that Mozilla, the organization that maintains Firefox, receives 85 percent of its $163 million in annual income from… that’s right, Google. In return, Firefox makes Google its default search engine.

When you’re online, Android can upload whatever Google tells it to, and when you’re offline (which, these days, is hardly ever for mobile devices), Android can store whatever Google tells it to store for later uploading.

Safari. In 2012, Google was fined $22.5 million by the Federal Trade Commission for illegally tracking users of Apple’s iPhone, iPad and Macintosh computers by essentially hacking Apple’s Safari browser. The big fine solved the problem, right? Not at all, because Safari, like Firefox and other browsers, uses Google’s blacklist to check the safety of websites.

Android. And why did Google develop its own mobile operating system, in this instance competing primarily with operating systems developed by Research in Motion (for Palm devices) and Apple (for the iPhone)? Because operating systems are even more deeply embedded into computing devices than browsers. Everything you type, touch, and swipe runs through the operating system, which gives Google full access to your digital activities. When you’re online, Android can upload whatever Google tells it to, and when you’re offline (which, these days, is hardly ever for mobile devices), Android can store whatever Google tells it to store for later uploading.

YouTube. Google, Inc. bought YouTube in 2006 for $1.65 billion, almost certainly because YouTube unveiled yet another set of insights into consumer preferences. When you spend hours on YouTube skipping from right-wing manifestos to horror movie trailers to Lady Ga Ga videos, Google’s gotcha.

Google Analytics. More than half the world’s most popular websites use Google Analytics to collect data about who is visiting their pages. Visitors have no idea that Google Analytics is even present, but Google is tracking every one of them. To put this another way, if you visit, well, most any website – that’s right, Google’s gotcha.

Google AdSense. In an attempt to monetize their web pages, millions of website owners now sprinkle small ads provided by Google throughout their legitimate content. The ads are, in theory (but often not in practice), related to whatever news story, food recipe or celebrity bio you’re reading, making it somewhat likely that you will eventually click on one of them. Okay, I know what you’re thinking: When you click on one of those ads, Google’s gotcha, right? Not so. Google’s gotcha the moment you load a page containing an AdSense ad. When you click on an ad, the company just gets more detailed info.

As if those little ads weren’t enough, Google also now allows website owners to embed targeted Google ads into words scattered throughout their textual content.

Google AdWords. As if those little ads weren’t enough, Google also now allows website owners to embed targeted Google ads into words scattered throughout their textual content. When you load a page that contains any of those words, Google’s gotcha, and when you click on any of those words, Google’s got more.

Widgets. They’re everywhere and multiplying like tribbles: tiny icons that allow you to notify your friends on Facebook or your colleagues on LinkedIn that the web page you’re on is worth visiting.

Google Street View. Google vehicles have now traveled millions of miles in 48 countries to take pictures of homes and businesses – visual information that’s easy to cross-reference with the dossiers of home and business owners.

For a long time, though, the real treasure trove for Google was not in the photos but in the information its Street View teams were skimming from unencrypted Wi-Fi networks: passwords, emails, browsing histories, financial information and more. After the Federal Communications Commission discovered in 2010 that Google had been collecting information this way for at least three years in more than 30 countries, it secured a promise from company officials to discontinue the practice and fined Google $25,000 (yes, that’s all) for impeding its investigation. More recently, the attorneys general of 38 states settled a lawsuit against Google for its Street View snooping for $7 million.

For a long time, though, the real treasure trove for Google was not in the photos but in the information its Street View teams were skimming from unencrypted Wi-Fi networks: passwords, emails, browsing histories, financial information and more.

Google Maps. They’re embedded on about a million websites. And when Google is present on a web page, it can track people who visit that page.

Google Glass. Due out in time for Christmas 2013, this is a mobile computer mounted on the frames of eyeglasses which will follow your verbal commands and help you make sense of what you see by, say, displaying reviews of a restaurant that’s within your field of vision. In other words, Glass will give Google access to what you say, what others around you are saying, and what you see.

As for the future, think science fiction. The company’s recent ingestion of the startup company Behavio will soon give it the power to track your location 24 hours a day, as well as to predict where you will be and who will meet you there – hours, days, or even weeks into the future. And then there are those little DNA projects: Google’s recent takeover of key search and storage operations for the Sequence Read Archive, a massive public repository of DNA data, as well as its funding of at least two Silicon Valley companies that provide DNA mapping services for consumers. When DNA profiles become part of people’s dossiers, Google will have crossed a potentially frightening threshold: it will know far more about people than they know themselves – what diseases people are likely to get (think of the marketing opportunities), what their racial origins are, which dads have been cuckolded. The possibilities are endlessly outrageous.

If you think I’m overstating Google’s intrusions or misrepresenting Google’s motives, think again about the revenue model. Virtually all of Google’s income is from targeted advertising. Every major company expenditure, therefore (think YouTube), almost certainly has to feed the beast. In the consulting work I’ve done from time to time, I’ve more than once had the breathtaking experience of sitting in on high-level planning sessions. Revenue concerns come first. Top executives don’t sit around saying, “Golly, what’s the next cool product we can develop.” Instead, in Google-land, the conversation is probably more like: “We now know A, B, and C about people. How can we find out about D?” A question like that would prompt answers such as: “Simple – let’s buy YouTube” or “No problem – let’s develop a browser” or “Let’s call in the product people and see what they’ve got that can help us.”

Is all this tracking legal? Here is what a Google executive might say: “We are protected by our Terms of Service agreement, which in turn incorporates our Privacy Policy – legally binding contracts that are easy to access on our website. We realize that almost no one has ever read these documents, but, hey, no one ever reads their mortgage documents or credit card contracts either, and they’re certainly valid. Our agreement states that when you use any of our products or services – even if you’re not aware you are using them – you agree to let us track you. It’s that simple.”

We can release a dossier about you as thick as a phone book

In other words – silly you – you gave Google permission to track you simply by engaging in activities that allowed it to track you.

The terms of service agreement also says that the information you give the company “and those we work with” (who’s that, exactly?) can be used for almost any purpose. And the privacy policy states that Google can share your dossier with just about any individual or agency based on the company’s “good faith belief” that doing so is required by law or, incredibly, that doing so will “protect…the rights, property or safety of Google.”

In other words, piss us off and we can release a dossier about you as thick as a phone book (figuratively speaking). Could such a contract be valid – one that is all at once so invisible to users and so maddeningly all-encompassing or even threatening? This is for judges and regulators to decide in coming years.