From Cnet/Declan’s blog:
A top Republican in the House of Representatives is demanding that Google answer a barrage of questions about privacy, some of which are related to the company’s proposed purchase of the DoubleClick advertising firm.
Rep. Joe Barton, who has positioned himself as a privacy advocate and previously criticized the merger last month, complained in a letter to Google CEO Eric Schmidt that the company had initially agreed to let his aides visit the so-called Googleplex in Mountain View, Calif. but then didn’t confirm a date. Barton is the senior Republican on the House Energy and Commerce Committee, which has Internet regulation as one of its responsibilities.
Interesting to see what Barton wants to know about, his letter to Google outlining his requests about the company’s information use and technology is very, very extensive. Snippets:
To help us better understand the privacy and consumer protection implications of this transaction, please respond to the following questions:
1. Please describe Google’s retention policy with respect to the following data. Include in your response a description of the type of data retained (for example, URL, Internet Protocol [IP] address, date, time of connectivity); the length of time the data is retained; where the data is retained; who has access to the retained data; and how the data is removed, deleted, or anonymized once the retention period lapses.
a. Search queries on Google search;
b. Search queries on Google maps;
c. Search queries on Google news;
d. Search queries on Google images;
e. Email sent, received, or drafted on Gmail;
f. Information or data collected or retained through a website’s use of Google Analytics;
g. Information or data collected or retained from an individual’s use of Google Desktop Search, including the Google Desktop Search feature, Search Across Computers;
h. Google Maps for Mobile;
i. Google Web History Program for registered Google users/Google users with sign-in accounts;
j. Information or data collected or retained from an individual’s use of Picasa;
k. Information or data collected or retained from an individual’s use of Calendar;
l. Cookies.
2. Please explain how Google uses the information or data described in Question 1(a) – (l), including, but not limited to, the following uses: perfecting Google’s search algorithm; operating Google’s advertising programs such as AdWords and AdSense; and research or analysis of user activity on www.google.com.
… 5. In particular, please explain whether Google Maps directs advertisements to IP addresses based on that user’s Google Maps search query history.
6. Please explain how and why information is combined or shared across platforms when consumers opt-in for personalized services and whether Google first requires consent prior to such information-sharing. (For instance, whether search query data is shared with or linked to a user’s Gmail account.)
…. 11. In Google’s privacy policy, “personal information” is defined as “information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data which can be reasonably linked to such information by Google.”
a. Please describe how Google interprets “reasonably linked.”
b. Please explain in what circumstances Google links information
such that an individual can be identified.
c. Please explain whether Google considers an IP address to be “personal information.”
d. Please explain whether technology exists to personally identify or determine the personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user’s IP address.
e. Please explain whether Google is capable of identifying or determining personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user’s IP address.
…. 20. If the merger of Google and DoubleClick is approved, please describe what use Google plans to make of the data retained and collected by DoubleClick (for example, data from DoubleClick’s tracking cookies or DoubleClick click-stream data), and whether Google plans to combine or merge DoubleClick’s data with data Google retains from individual search queries and other user activity on www.google.com.
a. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please describe the efficiencies of the Google-DoubleClick merger. (emphasis mine) b. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please explain how the information will be segregated.
…24. The House passed the Securely Protect Yourself Against Cyber Trespass (SPY ACT) in the current and prior two Congresses. The SPY ACT, H.R. 964, sponsored by Representatives Mary Bono and Adolphus Towns, mandates an opt-in privacy regime by prohibiting the collection of personal information from a computer without a user’s notice and consent prior to the execution of any information collection program. H.R. 964 also demands that a user be able to easily remove or disable the information collection program. Please explain whether Google’s applications are subject to H.R. 964’s consent requirements. If the answer is no, please explain why these programs, which collect personal information, are not subject to the consent regime established by H.R. 964.
I for one and very, very happy Rep. Barton has laid this out, and very eager to see what response will be given.
Update: Henry speculates that this may be the work of MSFT.
Wow, a very succinct and direct set of questions; it’s high time for straight answers to “what exactly do you do with my data, and what are your intentions going forward”.
…and, from a Texas-based republican! wonders never cease!
Yet FB can lie about an Opt-In/Out policy (never mind that you’ve no idea what behavioral info they’ keeping and for how long).
Then FB can “apologize” for screwin’ up and they’re still not clear about what info is retained , LET ALONE PEOPLE WHO DON”T EVEN USE FB, YET, VISIT A PARTNER SITE AND HAVE THAT DATA SUBMITTED TO FB !!!!
And you happy Barton has laid out questions to Google about Click…Why are none of you A-List bloggers with access to FB asking FB what the hell they’re doing collecting info on people who are not even registered users of the FB site.
From a true fan of yours, John, I’m shocked at the passes FB is getting from those who have the ability to question.
J
Me, less than thrilled. I swear John, if I had time, I’d rip him a new one. Seriously — an interesting set of questions? Like more than half of them he can find easily answered by Google online through blog posts, public statements and even flipping videos that they’ve done for the general public.
Do you have a privacy policy link on your homepage? Seriously? Dude — go to f’ing Google.com and look for yourself.
I’d far rather see a politician do a little basic homework first, rather than assume the world drop dead at his feet, then ask some intelligent and new follow-up questions with real substance. And perhaps, you know, ask Yahoo and Microsoft and a few ISPs the same thing, if he’s really into privacy.
This isn’t substantial. This is grandstanding to say look at how I poked at Google. I’ll be interested the day our representative shut the hell up in public and just hunker down in a room, do real work, real research and come up with some actual laws designed to protect our privacy in general.
Very interesting questions, but why aren’t the same questions posed to ISP’s, the other search engines, social networking sites and apps developers? Should the Google/Doubleclick situation be singled out when there are other data collectors gathering the same, if not more, data about their users and not always being upfront about it?
Personally, I’m much more concerned about what Comcast (my ISP) knows about me than Google. I can choose to avoid Google products but I can’t bypass Comcast packet sniffers to access the internet.
You have a good point, Danny, but we can’t ignore the fact that by being as large, as strong, and as vocal (very, very vocal), Google is the best target for folks like Rep. Barton. Best as in best for a politician. It’s not pretty, but it’s sausage, and it’s getting made…
Danny, I have to say there are worse things that could happen than *anyone* taking a look at Google even if it is just a surface check. Google’s PR is so positive when a lot of what they do is less than honorable anymore. Even if this is just grandstanding at least there is a perceived value to looking deeper at Google’s activities. That’s a lot more than we would have seen a couple years ago and a step in the right direction.
Of course I bet Google will answer the obvious questions and let Rep. Barton know where he can stick the rest.
In my opinion, these are well-formed, relevant and sufficiently pointed questions which make me think wow, we actually have some politicians that are on the ball here and there.
I don’t think it matters that various answers could be arrived at via fragmented bits and pieces across the Web. The more fragmented the answers, the less accountability? (or at least the greater the opportunity for spin)
I think a lot of people (myself included) would like the CEO of GOOG to issue in ONE place an answer to ALL of these questions. That would be far more powerful, and the ball is in his court …
I also think FB is next, given their obvious coupling of PII with distributed browsing behavior.
Jordan at http://kickstand.typepad.com
I’m actually impressed by the questions, Danny. I know you make a living being cozy with Google but let’s be real here. DoubleClick and Google combined could be a menacing force if unchecked. The government is never going to block this deal. What they can do is to get Google to clarify lots of stuff — on the record — a more gentile way of getting Google to modify their ways in certain areas like use of cookies, etc.
The one thing that Google does that they will need to stop is their use of restrictive, anti-competitive language in publisher contracts. I’ve heard that they used to, and still might, basically prevent publishers from working with certain other companies because they’re working with Google. That is NOT appropriate behavior and is really something that you’d expect to hear coming from Microsoft.
Danny writes: Like more than half of them he can find easily answered by Google online through blog posts, public statements and even flipping videos that they’ve done for the general public…I’d far rather see a politician do a little basic homework first, rather than assume the world drop dead at his feet, then ask some intelligent and new follow-up questions with real substance.
Jordan writes: I don’t think it matters that various answers could be arrived at via fragmented bits and pieces across the Web. The more fragmented the answers, the less accountability? (or at least the greater the opportunity for spin)
I think have to strongly agree with Jordan, here. So long as all the pieces of the Google puzzle are fragmented, outdated, inconsistent, scattered, changing, and otherwise not nailed down in any accountable way, Google has room to wiggle, avoid, change, spin, deny, and otherwise avoid accountability.
Note here that I am not claiming that Google necessarily has any accountability to avoid. They may not. But if so, then, like Jordan says, the CEO of GOOG should put the answers all in one place, answer them at one time, and make it very clear to anyone who uses any Google-owned service when any of those policies change.
Because otherwise, Danny, the approach you advocate means that, if Google breaks any policy that they have supposedly written in some blog post, or talked about in some YouTube video, they retain a “plausible deniability” in that they can say that the employee that wrote that post or made that video was not authorized to do so.
Or, they can claim that the inferences that you or I made, when culling together all the disparate puzzle pieces, were not correct inferences. Certainly you have to agree that there are conceptual or informational gaps in Google’s blogpost answers to many of the Congressman’s questions, eh? So when you or I pull together various blogposts, and try to infer what Google is actually doing, try to fill in the gaps, we might not necessarily get it right. So what is so wrong with asking for a full, complete statement?
Do you ever listen to “This American Life” on NPR? You should download this week’s (last weekend’s) episode. It recounts the 10-month long experience that one woman had with her phone company, trying to deal with billing charges that were mistakenly levied against her. Over and over, she calls up the phone company, and gets a different story from almost every employee she talks to. Something that appears to be set in stone one week turns out never to have been a policy the next week. By the end of the story, some of the information that she has gleaned from her interactions (“basic homework”) does turn out to be true, but a lot of the information is not. How much easier would her life have been if she had just had the proper information to begin with?
So what is wrong with wanting all the relevant information officially culled by Google, directly and (more importantly) officially?
If Google really has set out its policies in all these blogs and public statements and videos, and there really are no gaps or conceptual missing areas between all these pieces of information, then Google should have zero trouble with simply packing all that info together into one bundle, right? I mean, Google is an information organization company. Its job is to keep things like that organized.
I agree with Danny Sullivan. I’d note this as a huge waste of tax payers’ money and a representative’s time. I’d certainly enjoy a free (government sponsored) trip for myself and a few friends to the Googleplex. Why not, if the government is apparently just handing them out? Barton is trying to score points with someone and it’s painfully transparent. Certainly our politicians could spend time on more pressing and less costly issues.
I completely agree with John and DISAGREE with Danny. Google is hording data. The Congress has passed laws to protect our privacy…and in a day and age of an Executive Order happy President that expands the power of the Federal Government to infringe on our private rights, why should Google (and its M&A activity) not face the huge scrutiny. Or should this transaction just get rubber-stamped because Google is Google?
I think not, and applaud someone who represents all the common people who do not work in the tech industry to at least have an interest and take the time to ask Google some hard questions.
John, definitely understand Google is a big target, but watching a politician ask belatedly about search privacy issues raised by others years ago, and wasting time to get “answers” to things an intern could get, remains a waste of that politician time and my tax dollars. I want them to ask better questions.
R McCarley: It’s not over if there are “worse” things that could happen. Google’s had this surface check already by many others, plus some of the things being asked aren’t even substantial. Read the questions again. I don’t want a “perceived” value to be doing something. I want something to actually be done of substance.
Jordan: I guess if you’ve been covering search privacy issues as long as I have, you realize that most of what’s asked has been answered plus there’s a lot that should be asked that isn’t covered. I want the politician to have educated themselves beforehand, ask substantial questions, and do a proper review. This kneejerk, oh, we didn’t get to meet so answer this stuff in six days is stupid. Call a committee together on search privacy in general, and when you have hearing, let’s talk about the entire footprint of what happens to search logging from your desktop (do you have desktop search privacy rights?) through your ISP (no one ever mentions them, and they see all), to Google and other search engines.
As for answering things in one place, I along with others have suggested that Google beef up their privacy area, and they’ve actually made some progress. And it is well within the capabilities of this congressman to find it. But I might very well do another open letter to show it myself.
Stone: I make a living writing about search, to an audience that depends on me. I was writing about search before Google existed, and I don’t need to be cozy to them in any way, shape or form. I won’t drop a million links here, but I’ve covered in some detail that Google is already menacing without DoubleClick, so if that’s a concern, the congress reps should just get on with things. And back to being cozy, this is what I said the last time we had a bunch of lameness from congress:
“Indeed, so instead of blowing the wad of investigating Google-DoubleClick, why not investigate whether Google is trampling laws by both being a leading traffic source for some web sites while also being their leading revenue generator? Or whether Google simply has too much insight into the web that gives it an unfair advantage; i.e., if it offers free tracking tools, ads, free wireless, free web acceleration tools, and more, does that mean it effectively knows everything happening on the web operating system, so that it can improve the quality of its search and other products in a way that no one else can match.”
http://searchengineland.com/071120-100056.php
That’s substance. That’s something they aren’t looking at. This let’s ask about 1999 cookie issues is tiring, not when issues have progressed so far beyond that.
JG: I didn’t advocate any policy other than a politician shouldn’t waste time asking for answer that have already been given. That’s time they are not spending getting into real issues. I totally agree — there’s nothing wrong with this information being given officially by Google. The thing is, much of it has been. They can organize it better, but I can’t stress enough how much of it is not difficult for this congressman to already find, so that he can GO BEYOND THE OBVIOUS.
Nice response, Danny. I do not question your sincerity.
But what do you mean by “go beyond the obvious”? Most Americans do not even realize that search engines track their activity, much less the issues around the wide base of cookies that the DoubleClick merger allows. It might be obvious to you, it might be obvious to me, what the potential pitfalls are; but it is not obvious to the average Joe, and probably not obvious to lawmakers. They’re not experts on these sorts of things. And they’re not experts on knowing which places to look to find all the answers.
So I honestly do not ask this question as any sort of rhetorical challenge. I ask because I do not understand. What do you mean for the congressman to go beyond the obvious?
JG, let me try to spin up an article next week to show you more of what I’m talking about. I’ll try to take the points the congressman raised, show where they are already answered but also highlight some of the things he should be asking. But you might look at this:
http://searchengineland.com/070612-041042.php
Toward the end, I have a section called “Beyond The Obvious” and point out some things like:
“That’s just some of my accounts. If I delete my web history, I know that data is destroyed, though what’s kept on offline archives currently is not destroyed, from what I was last told. If I go to the Gmail privacy FAQ (far more useful than the Gmail privacy policy, which fails to link directly to the FAQ), I’m told deleting my mail really deletes it, even off backups, though that might take time. But then again, are these deleted from online backups only? What about offline?”
Most of the privacy groups — as does the congressman — seem stuck in this what do you do with cookies and IP world that made sense in the 1990s. Today, it’s much more about the data collected from when you are logged in. That’s data Google and others collect with a much better idea of who you are. How do you kill it? How long is it retained (with Web History at Google, forever until the user themselves decides to kill it). If the company changes management, can you keep control of your information?
We need a comprehensive look at the type of data gathered about online activities — not just by Google — and probably some federal laws backing up our protection. I wouldn’t mind seeing some better protection of our much more personal data in the real world, as well.
Great, I look forward to reading your expanded article on the subject.
There are even a couple more issues in this area I would be interested in learning/hearing more about. The first area related to 3rd parties and privacy. In this day and age of web services and mashups, what happens when more than one company is responsible for your privacy information? How are privacy conflicts resolved? Who is responsible, ultimately, when there is a muck-up?
For example, you remember the kerfuffle last year around AOL’s release of “anonymized” search data. Well, while it is true that searchers went to AOL’s site to do the search, the search itself was a Google search. Complete with Google branding, right there on the AOL page. When I see the Google logo, and I see the search box, there is an expectation that my searches will be held in the utmost Googalian privacy respect; because I am using the Google engine, Google will fight for the privacy of those searches, like when they stood up to the DOJ.
And yet Google was 100% unable to keep AOL, their partner, from releasing this data. Most of the blogosphere counted this as a AOL screwup, not a Google screwup. But given the strong Google branding of the search box itself, it is not unreasonable to expect that Google is going to protect my privacy. Protect it from AOL as much as from the DOJ. But Google did not.
So, again, how should privacy operate in this era of distributed web services and multiple companies through which your data passes?
And the second issue is not completely unrelated. Hand-in-hand with data privacy is data ownership. Companies make money off of the data they collect from us, whether by reselling that data directly, or by using it to tune their algorithms to better target ads. And this is not just search data; it is web-page visiting data, AdSense click data, etc. Either way, that data is gold. And yet, we are not seeing any of that money. We are at least co-owners, if not solitary owners, of that data, correct? So how do we ensure that we get paid?
Some may argue that free search services are payment enough. Maybe that’s true; maybe that is a fair trade. But what if I never use Google search, or any other Google product? Google would still be collecting data about me through their Analytics and AdSense services. I am still not seeing any money from my data. I never had the chance to agree to that deal. I never signed any agreement, entered into any contract. My data is still used and profitted from.
So hand-in-hand with privacy is the issue of data ownership and data reuse and profit made from that data. I’d be interested in learning more about the issues around both of those areas.
One thing that is rarely mentioned is user tracking via adsense delivery.
I look at Site A and it has adsense on the page. Google knows my IP when it serves the advert to me. Later, I look at Site B, and Google serves me another advert on the page. They know it is me again, without me ever having been near a Google search box.