EU Authorities To Demand Reversal of Google Privacy Policy

judgecorp writes "Google's privacy mechanism, which combines personal data from around 60 products, and gives users only one opportunity to opt out, was rolled out in March against requests from privacy regulators in Europe. Now they want the policy reversed, and user data from the different Google products, including Gmail, Search and YouTube, to be separated. The EU attack is lead by French regulator CNIL, which has historically taken a tough line on privacy matters."

French fight for our freedom?

The French may save us yet.

Re:French fight for our freedom?

Kudos to the privacy watchdog.

Don't use google. Don't use facebook. Don't buy apple. This will take you and us all a long way.

Re:French fight for our freedom?

[davester666]

No. The French may save French users of Google. Perhaps even for the rest of the EU. But DEFINITELY not for anywhere else.

Google will definitely [if they are forced to keep this information separate for some locations] recode their products to keep it separate for people in those locations and combined everywhere else.

Re:French fight for our freedom?

Keep in mind there is no strong IT industry in France, but many people dislike Google strongly here because they don't like the way new technology (which they see as "Google") forces them to adapt.

Make no mistake, the CNIL happily accepted the Hadopi law (three strikes and you're disconnected). It is NOT fighting for anybody's freedom. It's probably acting on someone's behalf, that someone being a group of interest which lobbied hard enough. (Yes, I'm writing this on an AZERTY keyboard).

Re:French fight for our freedom?

[Kergan]

I can see the privacy raminifications of using Google or Facebook. But Apple? Seriously?

Re:French fight for our freedom?

[e70838]

I live in France, and I work into the IT field. I have the complete opposite feeling than the post above. The CNIL has always demonstrated a very deep understanding of technology. Even if it is a state agency, it has provided very sound analysis and opinions on the recent laws (HADOPI, ...) that were demonstrating the stupidity of the proposed laws. The laws were adopted almost unchanged and all the analysis of the CNIL have been proven to be true.

The CNIL is not very powerful and can not go beyond its scope, but I have never been deceived by anything it has produced.

The main root of the CNIL is the history of France during the 2nd world war where some files were used against jews.

Re:French fight for our freedom?

[RaceProUK]

Is that what I said? Or did I actually say the EU would go after Google for shafting millions of users in some pathetic hissy fit?

"Are you a criminal?"

[aliquis]

"Yeah, so what if YouTube let you register with a user name before we bought it. We see you don't use a real name. WTF is up with that? Are you a criminal?

[x] My name is ___________________________
[ ] I'm a criminal."

Not an issue for me

[aNonnyMouseCowered]

Really, I don't see this as an issue if you're volunteering your personal info to Google anyway. I'm more worried by the tracking that Google does even if you're not logged in, say, via its ad and recaptcha services.

And I want a pony...

[O('_')O_Bush]

Really though, unlike with Intel or Microsoft, I've never felt like I have been wronged by Google, which is probably why my knee jerk reaction is that this is just another extortion racket and an organization hired to cause a stir.

Re:And I want a pony...

[TubeSteak]

which is probably why my knee jerk reaction is that this is just another extortion racket and an organization hired to cause a stir.

CNIL (Commission nationale de l'informatique et des libertés) translates to 'National commission on informatics and liberties'

Unlike America, European regulators take their privacy seriously.
They are mostly independant and don't have to bow down to political pressure.
You seem to be confusing "not captured by corporate interests" with "just another extortion racket."

Re:And I want a pony...

[Paradise+Pete]

I've never felt like I have been wronged by Google

Right now Google's not hurting, so they can be more selective in what thy do with that data. But when times get tough, and they probably will, Google will resort to all sorts of tricks to keep that cash cow mooing.

Re:And I want a pony...

Unlike Americans, Europeans are more worried about corporations spying on them than their governments.

Re:And I want a pony...

[MrDoh!]

Which is fair, but how will splitting the privacy policies back into various areas HELP privacy? Doesn't putting them all in one place for Google products make it easier? And even if split, do they not get how Google tracks everything anyway? Very strange way to help people I'd think.

Re:And I want a pony...

[tlhIngan]

Which is fair, but how will splitting the privacy policies back into various areas HELP privacy? Doesn't putting them all in one place for Google products make it easier? And even if split, do they not get how Google tracks everything anyway? Very strange way to help people I'd think.

Well, before, Google had a different privacy policy for every product. This resulted in your YouTube browsing habits not being able to be shared with your GMail history, Google homepage not being able to search your e-mail or possibly throwing up your email search results when you search, etc.

By unifying the privacy policy, Google made it easier to combine the data about you from many silos into one. Perhaps you were doing some Google searches about say, gay marriage. Now your YouTube ads for that next cat video can suggest gay marriage pastors. Or election ads about gay marriage.

Or perhaps you're trying to keep your online activities separate. Perhaps you enjoy downloading the latest music and movies, but keep that separated somehow from your other activities. Perhaps using another browser. Or perhaps another computer. Problem is, you use Google on both, and eventually Google links both your nefarious pirate ways with your real life ways, so the MPAA and RIAA can now positively identify you through Google. (Ask Jammie Thomas).

All the EU is doing is basically telling Google to put the data back in their individual silos and stop mising and churning it. Of course, law enforcement and IP lovers will be a lot less happy if they can't get at your user profile and prove that you are the person being accused through Google's profiling of your activities (the links are more tenuous when data is isolated. When they're combined, they're very powerful).

Of course, this also allows Google to aid in finding people who do bad things - they can link the searches to the youtube videos to the G+ postings and all that. Perhaps even to their facebook account and get a name/location/etc.

Oh yeah, trust me, it's not just advertisers/insurance people interested in your habits. And heck,one silo also means that false information can be rapidly corrected (yay!), alongside with notes on the false information in case you used it elsewhere, providing more linking data.

Re:And I want a pony...

Unlike Americans, Europeans are more worried about corporations spying on them than their governments.

As it turns out, any information you give to a corporation ends up at the government.

Re:And I want a pony...

[Solandri]

That's one benefit Google got from combining the privacy policies - obviously the one which makes Google look worst so it's the reason most commonly trotted out. The flip side is by having each service have its own privacy policy, users had to keep track of each separate privacy policy (and Google's employees working on multiple products were uncertain of what they could and couldn't do with the data). Subtle differences between policies got lost amidst the similarities. Consolidating everything into a single unified "Google policy" made it easier for users to know what they were getting and for Google to know what it could do.

There are pros and cons to either approach. Anyone telling you one is universally better than the other is selling you something. Stripped of any nefarious advertising and creepy privacy invasion overtones, the default condition would be for Google to consolidate them into one policy simply to reduce bureaucracy and paperwork. So I think the onus should be on those advocating separate policies to justify why the benefits of having them separate outweigh the drawbacks.

Re:And I want a pony...

[Sique]

Unlike Americans, Europeans are worried about both corporations and the government spying on them. In Germany, Data Rendition laws are suspended for now, and in Austria, they didn't pass the parliament for now.

Re:And I want a pony...

[Sique]

Actually, there are no European companies trying to compete with Google and failing. There are no European companies even trying. (I think, the last one was Telefónica, which bought Lycos years ago, but put it to rest in 2008). So which are those imaginary corporations you are talking about?

Re:And I want a pony...

I absolutely agree. It should also be noted that civic duty goes beyond simple compliance; sometimes it is one's duty as a citizen to disobey the law. Not only are we obliged as individuals to oppose legal evils and the illegality of goods, but we are also so obliged as citizens.

The grandparent poster's glib attitude towards legal conformism is a recipe for social stagnation and the worst excesses of what Aristotle accurately diagnosed as the democratic perversion of the common good: the majority may enslave the minority.

The balance is not easy to find, nor defensible with absolute certainty. But the alternative is no alternative at all.

Re:And I want a pony...

[AmiMoJo]

Why does having a common privacy policy necessitate sharing data between services? They can have a single policy that says they won't share data with other Google services.

Re:And I want a pony...

[xaxa]

Unlike America, European regulators take their privacy seriously.

No, they don't. European regulators like to cause trouble to US companies, while European governments and many European companies get a free pass.

No, they don't -- but I doubt the stories hit the US news.

http://positivepulse.co.uk/482/482/ (NHS, presumably, i.e. British government)
http://www.yourlocalguardian.co.uk/news/local/kingstonnews/9687652.Kingston_Council_faces_privacy_breach_claim/ (Local government near London)
http://www.belfasttelegraph.co.uk/news/local-national/uk/probe-into-airline-privacy-breach-16141298.html (British airline)

Of course, as with many local European issues, it's more difficult for me to find stories from other countries as they're usually in another language.
Here's some kind of summary from Ireland: http://www.algoodbody.ie/knowledge.jsp?i=1846
And here's one from Germany http://www.dw.de/deutsche-telekom-suspected-of-privacy-breaches/a-3357090-1 (German telecoms)

Seriously?

[ras]

All these web sites are owned by the same people. Are the EU saying a company can't mine the data the EU says it is allowed to collect? How on earth do you even police that?

Besides, it's a non-issue, as it is under the users control anyway. If you don't want Google tying the data together use different use names on each site. It is not like it is rocket science.

Re:Seriously?

My issue is that google is forcing me to broadcast my private stuff to strangers.
Google's issue is that people leave embarassingly shitty comments on videos.

The obvious solution is just to turn off all personalization and feedback. However, Google -- stupidly -- is trying to build their own social network to rival Facebook. Their strategy is stupid, because for years they've triumphed by being better and less evil than the other guy. My approach was just to boycott other google products in favor of youtube. Unfortunately, there is no alternative to it. However, I use it rarely. In exchange for my rare preference for funny vids, Google lost some important social contacts and private emails that have gone to Facebook. Real smart move on their part, huh? Well, maybe it was -- until a youtube killer comes out, Google is number one there. However, their business model has changed for the worse. It's only a matter of time until someone less evil than Google arises, and then Google is toast.

Re:Seriously?

[kqs]

The obvious solution is just to turn off all personalization and feedback.

Indeed. Much like some people commit fraud on the stock market. The obvious solution is to turn off the stock market. Brilliant!

I'm not sure how google is forcing you to broadcast private stuff; I don't think they're forcing you to comment, are they? If you comment, and you know that the comment will be tagged with your real name, then there is no force, you just make a choice.

Re:Seriously?

[Zemran]

"use different use names on each site."

and do not forget to use different computers for each site as well because they track your use and know if you are using a different name on each site. So you need one computer for Google, one for Gmail, one for Youtube, etc.

It is a big issue to a European that assumes a right of privacy but of course to an American who is only used to that right in name alone, this is not an issue. In Europe the data remains mine. I own it. They can use it only as I allow them to use my data.

Re:Seriously?

[Elldallan]

Well the EU might not in the end be able to restrict how Google use the data but they can make it very painful for Google to refuse compliance with the law, they can seize any and all Google property inside the EU(including the funds Google funnels through Ireland because the low corporate tax which is most of Google's global profits...), they can order funds frozen internationally and anyone other than the US who cares to have EU as a trading partner will probably comply, they can harass any Google executives who travels to/inside the EU, they can forbid any EU company or companies that does business in EU from doing business with Google.

If Google wants to do business inside the EU they had better comply with EU laws and right now EU law says YOU own your data and while that might not exactly be true in reality because you have no control of the data once it leaves your hands it means that you or the EU on behalf of it's citizens can make life very difficult for Google or anyone else for that matter if they break those laws.

Re:We could OPT OUT?

[kqs]

What does opting out of a privacy policy mean? "I refuse to be bound by this policy, so there is no policy and you can do whatever you want with my data"? "I refuse to be bound by this one policy, I prefer a different policy on every google service I use"? And do you expect google (or anyone) to maintain code to implement every privacy policy they've ever had? How would that work?

Opting out of a privacy policy means not using the service. Wanting to use the service but refusing the privacy policy is much like wanting to eat at a restaurant but not wanting to pay your bill.

Microsoft Policy

[hresult]

Interesting, why don't they also require Microsoft to reverse its recent privacy policy change which is essentially the same (unification of the company's services).

Easy you put into law

[aepervius]

We have had law about privacy and IT and database for about as long as it started to become a phenomenon, I think back in the 80ies. For example you may not in certain circumstance do a join on database, or have races, skin color, religion, political affiliation, or whatnot mentioned in some database (I don't recall exactly when it is allowed, but you can take for granted that in a commercial database it is msotly not allowed). There is something similar on EU level.

That you in the US (or any other country) don't care that you are the "product" is your problem. but if google want to have a commercial presence in EU it better respect our privacy laws. And No it is not YOUR responsibility to use different usernames, it is google responsibility to respect law and not join DB.

Re:Google 'safe browsing' cookie

Why does this need a session cookie? why does it need to update the list so incredibly frequently? Why send only partial keys?

Dude, take off the foil hat. I work at the big G (not on anti phishing) and all these concerns have been discussed publicly before. There is a cookie for anti-DoS purposes. Google has the ability to sink large amounts of HTTP traffic using smart load balancers which can handle way more requests than the backends they balance on to. During a DoS attack legitimate cookies that have been observed behaving in a non-abusive manner for a long time can be serviced whilst excluding requests that come in with no cookie or a freshly minted cookie. And let's face it - the anti-phishing system is designed to frustrate criminals, the kind of people who wouldn't hesitate to use DDoS attacks against a blacklisting service.

The list is updated frequently because phishing sites appear and disappear very fast.

If there was no partial server-side matching you could defeat the blocklist by simply using random filenames or ?q=abc suffixes on the phishing page (eg every spam you send with a phishing link could have a unique URL). Then a list of even a million URLs would be insufficient. By having partial/prefix matches that trigger a server side lookup more advanced logic can be used that doesn't require protocol changes to every client, in extreme cases you could even imagine hand crafted code that understands how to spot patterns in particularly tricky campaigns.

CAPTCHA: explains

Re:it's better to use many services anyway

[gl4ss]

uhh.. many of these services WERE different services, like youtube.

buying services and integrating data from them to google main db is googles business. that's not entirely within eu laws though.

Re:We could OPT OUT?

[psiclops]

say you were paying a certain amount of money to live in an apartment. now imagine each year the landlord wants to raise the the rent. suddenly the initial ratio of cost to benefit has eroded, yet moving out is not a trivial decision.

oh wait. that's kind of the standard rental situation.

Re:We could OPT OUT?

[foniksonik]

Moving out is a trivial decision though.

Just pack up and go. Tell your closest friends and family you've moved and where you've moved to. Set up an auto responder for the old address for a month or so that simply says "I've moved to [new address]". You can close the account or not (they dont care). Go update accounts that use the old email address. If you miss one it probably wasn't that important and you can check the old account occasionally.

It's not brain surgery.