Google’s Privacy Dilemma: Damned If They Do; Damned They Don’t

Google Welcome Sign

A few days ago, I received an email from an advocacy group alerting me to the fact that Google was causing trouble again on the consumer privacy front. Like any good Internet populist, I immediately went to sharpen my pitchfork and grab a torch to join the masses in public outrage. Unfortunately, my pitchfork was broken and I was all out of torches. Dismayed I went online to buy new ones. Unfortunately, when I tried to search online for “pitchfork”, the top search results directed me to a music blog and a music festival named “Pitchfork.” Slightly discouraged, I then searched for “torches.” But again, I received search results taking me to information about an album called “Torches” from the band “Foster the People” and some restaurant called “Torches” in New York. Stymied by Google again! If only a search engine knew enough about its users to be able to return relevant results…

To recap, Google announced last week that it plans to consolidate over 60 privacy policies for individual products into a single policy. For the most part, data governed by Google will be consolidated and managed by a single policy linked to a user’s Google account. This means that consumer data from products like Search, Gmail and YouTube can be used together to offer better services to users. For example, Google might make sharing a video easier on YouTube by allowing you to share a video with a set of contacts from your Gmail account with fewer clicks. Another of the touted features is better personalized search. The idea is that Google will be able to better tailor search results based on your interests, including your search history (mobile and desktop), email and videos watched on YouTube. For example, if you search for “jaguar,” are you searching for a cat or a car? If you search for “puma,” are you searching for a cat or a pair of shoes? If you search for “cougar,” are you…well you get the idea.

To be clear, Google has not made any radical changes to its privacy policies. Google still does not sell personal information to third parties. Google is not collecting more or less information than before. Google still does not have people in its company reading through people’s email or search history. And Google still offers users the ability to control their data through various tools including the Google Dashboard, an opt-out feature for personalized ads, and the Data Liberation Front which allows users to export data from Google services. More importantly, users can simply opt to not use Google products. As great as Google is, there are plenty of alternatives if users choose to leave. This includes areas like search (e.g. Bing, Yahoo, etc.), email (e.g. Hotmail, Yahoo Mail, Zoho, AOL, Hushmail, GMX, etc.), video (e.g., Blip.tv, Vimeo, Veoh, etc.), and mobile OS (iOS, Symbian, Blackberry OS, Windows Phone). And users have plenty of time to learn about this change and decide. The proposed changes will not go into effect until March 1, and Google has been sending email notices and displaying pop-up reminders about this change across its products to ensure its users are aware of the change.

For those who follow online privacy issues, the latest uproar among privacy advocates about Google changing its privacy policy is coming as no surprise. It seems that no company, especially if it is named Google or Facebook, can do anything new or innovative that involves consumer data without privacy advocates immediately attacking them. For example, after the recent announcement from Google, John Simpson at Consumer Watchdog complained “Google has eliminated its last pretense that it protects consumer privacy – the walls are torn down. Instead of a privacy policy Google has finally admitted they have a profiling policy – and every Internet user is a target to be spied on.” And at the urging of these groups, members of Congress sent Google a letter asking the company to respond to their privacy concerns. Today, Google responded and reiterated that these changes were created to make privacy policies simpler and offer better services.

While privacy groups continue to complain about these changes, it is worth remembering that these complaints are neither new nor unusual. Google is a company that has not only developed new products and services internally, but also assimilated others through acquisitions. For example, much of Google Apps (e.g. Google Docs, Google Calendar) comes from technology it acquired from other start-ups (e.g. Writely, JotSpot, Deja News) and sites like YouTube were not originally part of the Google family. Naturally, many of these pre-existing products came with their own unique privacy policies and practices. As with most acquisitions, eventually the parent company tries to harmonize policies across all organizational units. In 2010, Google did just that and implemented a similar consolidation among privacy policies for Gmail, Google Docs, Google Calendar and Google Talk. Doing so allowed them to reduce the number of privacy policies and better integrate services across these products (such as easily sending Google Calendar invites to Gmail contacts). Privacy advocates were similarly outraged by these changes two years ago. Writing in 2010, a coalition of privacy advocates claimed that the change would “reduce privacy safeguards for hundreds of millions of users of Google’s Internet-based services.” Yet here we are two years later and I have yet to hear of an example of how this change hurt a single Google user.

What these privacy advocates would like is for Google to create artificial barriers between its products and services and build data silos that compartmentalize every piece of data. Moreover they are strictly opposed to a unified user-experience across products and services. Yet there is no reason to create a distinction between different products and services when doing so would limit the ability to create an integrated service for users. At best, these advocates want a “HIPAA-notice” regime for the Internet where users are constantly bombarded with meaningless privacy notices. At worst, they want to erect roadblocks to innovation by forcing users into an opt-in regime for any change in the governance of consumer data.

These privacy advocates want Google to treat each user as a new visitor as they navigate from one Google service to another. They are like teenagers who ask their parents, “When we’re in public, can you pretend that you don’t know me?” But Google and other companies should be allowed to consolidate data and offer better services to users across products because this is an important step in innovation. Imagine if tech companies were unable to buy new start-ups because regulators would stop them from integrating new technology and services with existing products. We would put the brakes on new development and make investors hesitant to support start-ups whose path to profits lies with acquisition rather than an IPO.

I understand that people do not like change, but these over-the-top claims are baseless. Google has provided more than sufficient notice to users and users have plenty of options if they disagree with this change. Moreover, Google is making consumers better off by simplifying their privacy policies and making them easier to understand by writing them in plain English. Regulators and privacy advocates often complain of dense privacy policies that the average consumer cannot understand. For example, the FTC has called for privacy notices that are “clearer, shorter, and more standardized.” It is ironic that when companies respond appropriately to address these concerns, the privacy advocates are so caught up in an anti-Google fever they cannot recognize progress when it happens.

The sad reality is that companies dealing with consumer data will always be criticized no matter what they do to improve consumer privacy. Had Google not made this change, these critics would have just been complaining about the burden on consumers of having to read over sixty privacy policies just to use Google. Rather than trap companies in a catch-22, policymakers should be encouraging companies to take pro-active steps like this that make data practices more transparent.

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.