The public life of Google’s private data

A recent Reuters story showcases a British report that labels Google the biggest offender when it comes to privacy — and it could have an effect on the enterprise, according to a couple of privacy experts.

The British activist group Privacy International has released a report on the worst privacy offenders among the Internet service companies, and Google tops the list, due to its “entrenched hostility to privacy,” according to the report.

Ottawa-based counsel for the Public Interest Advocacy Centre John Lawford said that interest in Google’s privacy issues has been heating up for a while. “(Is Google) getting enough consent, or can (the users’) information slip through a wormhole to be given to third-party companies? The information could be inaccurate or telling (Google) more than they’d wish,” said Lawford.

David T.S. Fraser, a privacy lawyer with the Halifax-based McInnes-Cooper, is unsurprised that Google is coming under fire. Said Fraser: “This is probably inevitable because of their size and the diversity of their business interests: e-mail, social networking, search, classified ads, Google Documents.”

There are also no overarching privacy laws, comparable to PIPEDA, in the United States, according to the Vancouver-based Richard Rosenberg, president of the British Columbia Freedom of Information and Privacy Association.

Lawford said that Google’s business seems to be set up to cull the maximum amount of information about its users, and that he wouldn’t be at all surprised to find that Google was farming out profiled information to outside parties. Proving this can be difficult, according to Lawford. “Following the information through the chain can be hard,” he said.

Fraser suggests that Google’s privacy policies be made much more transparent, and that it tells its users as well just how long their information will be retained for (which, in North America, is indefinitely, according to Rosenberg).

Right now, the main problem is that this mass of information is squirreled away in Google’s repositories — and it could be subpoenaed by the government. In the case of information stored on American servers, according to Fraser, it could be commissioned at any time without prior notice, courtesy of the Patriot Act.

Lawford said means that the company has a one-size-fits-all privacy policy that applies across all its products, from search to e-mail to Google Documents. According to his understanding, users have to agree to have their data collected by Google if they want to use its services.

According to the Reuters article, Google claims that it does not release the information to third parties. But, Lawford pointed out, its privacy policies most likely state that their information can be released to its subsidiary or affiliate companies. “So sharing it with just Google could be like sharing it with 75 companies. Even if you keep the information in-house, it’s such a gigantic house,” said Lawford. Google also doesn’t offer the option to delete their profile, according to Lawford, despite a Google spokesperson’s statement that it, “offer(s) products that are transparent about what information is collected and empower(s) users to control their personal information.”

He has found that the possibility of information shared with one company in particular is causing somewhat of an uproar. A merger between Google and ad-tracking agency Doubleclick has been approved and is awaiting the go-ahead from the authorities. Lawford said that a combination of Google’s user profiles and ad sales, combined with Doubleclick’s click-through-measuring capabilities, could mean an even further invasion of privacy.

PIPEDA could be a weapon against Google, but the Privacy Commissioner can’t do anything about it, said Lawford, due to her lack of order-making capabilities.

This could leave the enterprise in the lurch, according to Lawford. Since Google’s privacy policy could be filled with loopholes, companies using Google products could be at risk. For instance, an Internet company recently got into trouble for an aggregated list of profiles and information that could be tracked back to the original users. Lawford suggests that aggregated information could be a way that Google could get around their stated policy of not releasing information to outside parties—this information could be sold to competing businesses, allowing them, for instance, to see what their competitors have been searching for in Google.

The only way to avoid these types of issues would be to refrain from using Google at all. Other options include using a proxy server, according to Lawford, while Fraser suggests utilizing a dynamic IP address. Rosenberg said that trying to disable cookies could work, but many Web sites now require them.

“There’s no way to negotiate a different regime from Google, so what can you do?” said Lawford.

Comment: info@itbusiness.ca

Share on LinkedIn Share with Google+