Slashdot Mirror


FTC To Monitor Google's Privacy Practices For 20 Years

Rambo Tribble writes "As reported in TPM, the Federal Trade Commission has reached an agreement (PDF) with Google that will include the agency monitoring the company's privacy practices for the next 20 years. Whither, Facebook?" Oddly enough, another article details a surge in government requests for user information from Google. In a blog post, the company explained that they wanted to provide more transparency with regard to government requests, and have updated their Government Requests tool to do so.

7 of 51 comments

  1. Re:So which is less evil? by Sarten-X · · Score: 2

    Would you have the same objection to an individual person taking a single picture in public, or a store salesman recommending a product that fits your needs? Does it matter that the guy taking a picture of your house is a Google employee, rather than a random person from the next town over? On a more global scale, does it matter that somebody in Tunisia can now know what color your front door is? Google, like many companies that are now assaulted for "violating privacy" like it was some innate right, just did often what is perfectly fine to do rarely.

    What I would consider evil are actions like buying up competitors, only to shut them down to preserve one's own market share. I find it wrong to knowingly mislead people into investing in something that will never bring a return. It offends me to see people (including executives, managers, and shareholders of a company) attacked because they provide a service for a profit.

    Doing something neutral extensively is not evil.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  2. Re:Is Google required..? by Lockyy · · Score: 2

    Could go with the tactic of sending everyone who has had information requested an email that states that they are required by law to not inform anyone who has had their information requested. And ONLY emailing the people who have had it requested.

  3. Re:So which is less evil? by Sarten-X · · Score: 3, Interesting

    You mean like they do all the time with the "preferred shopper" cards and such? The ones where they aggregate the data, correlate milk sales with cookie sales, and offer promotions to correspond with buyer habits to maximize order efficiency and therefore profits? I like them. They make things cheap right when I'm about to buy them. Yes, sometimes the brands change, but I'm not particularly loyal to brands, so I really don't mind that.

    If I may take the liberty of bringing up literature, I would like to compare this situation to Aldous Huxley's novel Brave New World. In short, civilization is optimized to make people happy. Needs are provided for, and people are manipulated into being whatever is needed of them for the good of society. The underlying evil in the society is simply that there is no way out. A rebel who does not want to be a part of the massive self-improving system cannot live a life on their own.

    Coming back to the grocery store analogy, it is perfectly possible to opt out of the system. Pay with cash, and do not use any identification cards. Likewise, you can opt out of using Google's services by blocking traffic to their servers and refusing to do business with their partners. I do agree that any entity that wants to collect significant information about someone should be subject to increased scrutiny, but the extreme privacy-above-all view is just as bad as a devil-may-care attitude.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  4. Re:So which is less evil? by tlhIngan · · Score: 2

    Likewise, you can opt out of using Google's services by blocking traffic to their servers and refusing to do business with their partners.

    You also forgot to "forgo the smartphone". A lot of apps (Android especially, but also iOS) use AdMob, which is owned and operated by Google now. (Ironically, it was Apple's iAds that led the DoJ to approve Google's purchase of AdMob - and iAd's failure could spell antitrust issues ("Even APPLE couldn't compete against Google") over it). AdMob is a company specializing in in-app advertising, and able to tell which app, and other usage statistics.

    Plus, location awareness on Android sends tracking data to Google, but at least that's specified.

    Best to stick with a dumb phone though.

  5. Re:So which is less evil? by DJRumpy · · Score: 2

    Actually to go through your examples, many people dislike pictures of them taken if they are somewhere in which they don't want to be observed. Given the pervasiveness of Google as a search tool, email, docs, chat, and social network, that's a lot of data to entrust a company with whose sole purpose is to sell such data for profit. Given that, I don't think most care if their house is photographed (a few but I'd consider them a minority). Others were more concerned about the automated photos that caught people doing things that they may not particularly have wanted on the web and accessible to millions/billions of people.
    Regarding the salesmen, you actually go to a salesman when you want to buy something, not when you want something taken from you and sold, or if you want to trade something of value for something else. Not a great example. The pictures of a house from a street are a non-issue to me and I would think to most except for a few prudes.

    I think the storing of wireless information was more relevant. At some point someone had to look at such data, see that they were collecting info they shouldn't be, and stopped the practice, or better yet, set proper parameters on what to collect beforehand. It was irresponsible on Google's part. Something I would expect of a startup, not a company of Google's size and experience. It would be extremely tempting to abuse such data for a company based in data mining.

    In Google's case it's far more likely that they have their hands on so much personal info, ranging from common web use, to location info, search info, interests, email, contacts, items you purchase, sites you visit or browse with any frequency, where you shop, sexual interests, dirty web habits, etc.

    If Google is not doing anything wrong then they have absolutely nothing to fear, but blind faith that a corporation will always do the right thing is foolish, especially when you invest such faith in a for-profit company whose sole purpose is to sell your data.

  6. Re:So which is less evil? by DJRumpy · · Score: 2

    One more thing, although I hate replying to my own posts; it appears that Google Buzz is what prompted this.

    The FTC case was prompted by the now-defunct Google Buzz social networking service. Google tried to tack Buzz onto Gmail users’ e-mail accounts, enabling them to provide status updates and to share photos and videos, but it created an uproar when it made users’ Gmail contacts public by default.

    The commission charged that Google engaged in unfair and deceptive practices in 2010 when it launched Google Buzz by leading users of its Gmail system to believe that they could easily opt-out of the social network. The controls that would enable them to do that were ineffective, the FTC charged at the time.

    Also the tools that Google created to enable users to limit the sharing of users’ personal information were confusing and difficult to find, the agency alleged.

    In its complaint, the FTC said that Google had enrolled some Gmail users in Google Buzz even after the users had clicked on a tab to decline to use the service, and that the identities of people that Gmail account holders most frequently communicated with were made public by default. Worse, when users tried to get out of the service, they weren’t fully removed.

    In short, Google badly handled the data they did have, they implemented infrastructure without protecting user data, misled users to believe that they could easily opt out, and failed to inform them as to what data would be shared.

    Basically they fucked up, and badly. All this will do is have a review/audit of their privacy practices. The government has always had access to tools to request user data from Google and this doesn't change that at all. This is strictly relating to an audit of their privacy practices and policies. Given their fumbles recently, I think it's warranted.

  7. Re:Who's paying the bill for FTC monitoring? by swillden · · Score: 2

    Well, what the FTC discovered when they investigated was that Google had stepped over the line, but had already recognized it and put policies in place to address the issues, policies which exceeded what the FTC would have imposed. That being the case they couldn't really justify a lot of fines or any significant interventions, so they fell back on "okay, we'll watch you for 20 years".

    As for who's paying, I don't know, but I doubt it costs that much. They don't really have to monitor everything Google does, they just have to monitor Google's policies, which is easy to do, and to randomly spot check policy compliance. Honestly, I doubt they really even need to do that... Google is full of geeks so there are lots and lots of internal watch dogs, and Google is a very bottom-up organization where it's really easy for any employee with a pointed question to get attention from the very top -- and to spread his or her complaints widely if Larry doesn't address them.

    Google's privacy errors weren't a result of evil plans, they were a result of people not paying attention to the issue. Now, it's a big deal, and would be even without the FTC oversight, because Google had its nose publicly rubbed in some privacy mistakes.

    These days every design document is required to have a privacy impact analysis, and there are pretty stringent requirements for having things reviewed by the privacy office. In addition to that, there are mandatory privacy training courses for all new hires, mandatory annual privacy education for all employees, an annual privacy week with many privacy education, analysis and review events held throughout the week and a direct communication channel for any employees to report privacy concerns to the privacy office, who acts aggressively on them. And even without that, any Googler who's really worried can always just call the FTC. So, no, I don't think the FTC has to spend a lot of money on monitoring.

    Note that none of this privacy focus means that Google will stop trying to collect information about people. Rather the focus is on (a) ensuring that information is only used in ways that the users have agreed to (though the agreement is often implicit), (b) providing users with control of their data, including visibility into what Google collects about them, the ability to export it and/or delete it, and to opt out if they prefer (see google.com/privacy, and especially google.com/privacy/tools) and (c) ensuring that data does not leak (necessary for (a)). Google's hope is that they can provide you with so much value in exchange for your data that you'll want to give it to them, and that you'll trust them to manage it responsibly.

    (Disclaimer: I am a Google Engineer. I'm not in PR, I don't work in the privacy office or make privacy policy decisions -- though as an engineer with an extensive security and cryptography background much of what I do is related to privacy assurance -- and I'm not speaking for the company, or disclosing anything that isn't already public information. I'll also say that as someone who's always been a bit of a security and privacy zealot, including making it the primary focus of my 20-year software career, I'm personally quite impressed with the way Google handles privacy issues. In the 15 years I worked as a security and privacy consultant I saw huge problems at nearly every company I worked with, on an almost daily basis, while in the 8 months I've been with Google I've yet to see a bad decision. Further, I have full confidence that if I ever do see a bad decision my complaints will be heard. Compared to the banks I consulted for, who were paying $300 per hour to hear my opinions and then proceeded to completely ignore them, Google is privacy/security geek nirvana.)

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.