Privacy Group Gives Google Lowest Possible Grade

The Washington Post is reporting on a finding by London-based group Privacy International. In a new report, they find that Google has some of the worst privacy-protection practices anywhere on the web, giving them the lowest possible grade. "While a number of other Internet companies have troubling policies, none comes as close to Google to 'achieving status as an endemic threat to privacy,' Privacy International said in an explanation of its findings. In a statement from one of its lawyers, Google said it aggressively protects its users' privacy and stands behind its track record. In its most conspicuous defense of user privacy, Google last year successfully fought a U.S. Justice Department subpoena demanding to review millions of search requests."

Links for nerds on stories that matter

The Privacy International article - The Privacy International article [privacyinternational.org]

Their report (interim rankings only) [privacyinternational.org]

Final rankings won't be available until September. Wonder what they'll be dicking around for three months for....

Re:Links for nerds on stories that matter

Google seem to be taking it seriously enough to accuse Privacy International of being in bed with Microsoft, which is a laughable accusation.

Privacy International responded via an open letter here. [privacyinternational.org]

Re:Links for nerds on stories that matter

Google seem to be taking it seriously enough to accuse Privacy International of being in bed with Microsoft, which is a laughable accusation.

Well.... if anyone would have the information to prove this link, Google would! But what does that say about Google's privacy practices?

Re:Links for nerds on stories that matter

Well, there is one, albeit small, link to Microsoft. From the "About Privacy International" page, UK advisory board:

Caspar Bowde ~ Privacy specialist, Microsoft, EMEA UK

Re:Links for nerds on stories that matter

according to a watchdog group seeking to intensify the recent focus on how the online search leader handles personal information about its users.

Seems to me that the goal of the study was to make a single company look bad and not to scientifically evaluate the privacy and then interpret the results.

Re:Links for nerds on stories that matter

Actually, if you look at the preliminary report, they seem to have done a pretty good job. For example, Google does not consider IP address as personal information. This is OK if you are conneccting from a local coffee shop, but sucks if you have a static IP, or even do DHCP over a small range of addresses. It also points out that they don't always consider privacy implications before releasing information such as Street-level view. With the amount of data that Google gathers, analyzes, utilizes and releases (both publicly and its corporate partners), these kind of actions are a bit disturbing.

I'm not trying to say this report is perfect, or that there is enough information provided to evaluate it independently. However, seeing a conspiracy targeted at Google because a group got upset about some of their practices, and decided to do a study (which included a lot more companies than just Google), is a bit premature.

Re:Links for nerds on stories that matter

Google does not consider IP address as personal information.

And yet Gmail is the only public webmail service I know that does not include the IP address of the browser (HTTP client) in the mail header fields.

Re:Links for nerds on stories that matter

My point was that they don't reveal your IP address to third parties. There seems to be a bit of clouded thinking on this issue. Privacy is not about how much the company knows, but how much it keeps secret. I share information with Google, and they promise to keep it a secret. So long as they do that, they have upheld their end of the bargain. I'm in control of how much information I decide to give to Google, but I have to trust them not to share it with others. Most webmail services reveal the HTTP client IP to the recipient as a matter of course, using either a "Received:" trace field or the informal "X-Originating-IP:". Google keeps this a secret. They seem to understand the concept of nondisclosure quite well, and have more respect for privacy than I've seen in any other company of its type.

A suggestion...

Google last year successfully fought a U.S. Justice Department subpoena demanding to review millions of search requests.

Very nice, but how long until either Google loses some legal fight, or it simply decides not to fight?

One solution to the privacy problem, in my oppinion, would be granting users, besides the ability of not surrendering more information than necessary for a given transaction, some effective way of deleting their personal data once done with Google, Yahoo, Amazon or whoever else.

The Future of Google: Total Surveillance

The problem is they keep all your search results, with tracking cookie. Google is in bed with the CIA: http://www.disgrunt.com/blog/2006/10/27/former-int elligence-agent-says-google-in-bed-with-cia/ [disgrunt.com] Have any of you guys seen the new gmail? I won't use it...it has a built in calendar, word processor, and of course, permanent email storage, converge this with permanent tracking cookies, logs of all search requests from your IP, and of course google earth/maps (will go live eventually as the technology changes) and you have the recipie for total uncontrolled surveillance.

Re:The Future of Google: Total Surveillance

Why mod this down? I rarely put on the tinfoil hat, but they can have an awful lot of data for people who choose to use many/all of their services. It is an aggregate of many people's lives. Not saying that they are doing it, but the guy deserves more than a -1 for his thoughts.

You can't

You have two choices. in one corner, you have a nice, stable, secure ASP that hosts your email / calender/ etc. They have redundant filesystems and/or make regular backups.

Your other choice is being able to delete your profile with a click.

People who think that the idea of being able to delete your profile is in any way simple or trivial are deluding themselves. Google themselves have said that because of the way GFS works they can *NEVER* know when a piece of data flagged for deletion is actually no longer recoverable. That fault tolerance and redundancy is built into the design.

It is the same thing at Yahoo and MSN. All these guys have redundant systems with backups. It would take days worth of man hours to delete a persons profile. Hard thing to demand from a free service.

If you don't want Google holding your data, no one is putting a bullet to your head. You don't need to have cookies enabled or anything else to use their search engine. Frankly I trust them with my email more than my ISP.

Re:You can't

Deleting accounts created on systems has always been a default consideration.

As proper deletion should have been

Not if the filesystem support and account management code had been properly written.

You obviously have no clue how a filesystem stack works. Data is rarely deleted per se on *any* filesystem, simply unlinked and possibly flagged for later overwriting. Why do you think projets like this [sourceforge.net] exist?

Even if a file (if an email or google doc is even stored in what one would *call* a file) did get deleted, the indexing that is done would make at least pieces parts recoverable until their staleness is discovered, which could be a while.

Even then, a good forensic analyist could probably recover something that had been allegedly deleted.

Overwriting data to securely erase it is expensive on a desktop and approaching impossible on a busy server. This is why people who don't wear tinfoil hats will use Boot'n'Nuke or somesuch before selling a hard drive on eBay. You can't just delete something (even on your own computer, mind you) and expect it to be gone. That's not the way filesystems work.

--------
Check your facts at the door; be sure to pay a quarter!

Re:A suggestion...

Very nice, but how long until either Google loses some legal fight, or it simply decides not to fight?

If Google loses the legal fight to defend their data from government violations, then you should be looking at your government, not Google for the privacy violation.

Pot calls kettle black.

Why are these people attacking Google. Privacy and anonymity are rapidly eroding in the UK. Hello! You've got bigger privacy problems than Google if you're living there.

Re:Pot calls kettle black.

The whole "UK is a big brother society" thing is overdone. 99% of cameras are just local shops looking out for their business. Remember that the UK is densely populated and natural selection has ground the a halt; council estates breed criminals. Sure, there are a lot of cameras, but it isn't some government conspiracy that people make it out to be.

Re:Pot calls kettle black.

The whole "Google is big brother" thing is overdone. 99% of logging is just statistical. Remember that google is mainly an ad firm and they rely on statistics to do their job. Sure, there are a lot of logging, but it isn't some conspiracy that people make it out to be.

Re:Pot calls kettle black.

The whole "Google is big brother" thing is overdone. 99% of logging is just statistical.

Very funny. Statistical would imply they can't tie info back to you. When your mail, history, ip, browsing and search habits are all recorded in your exact account, it's not statistical. It's a disaster.

Google can pull all this crap out since they're so trusted by the large masses. Companies are pushed to behaving good by customers not trusting them. Google just didn't get enough of that throughout the years, and here's the result.

Funnier even, they seem to use their "goodness" as an argument here as well: the fact they fight back in court to protect that data isn't helpful. What would be helpful is that data is never collected in a way it can be abused, if god knows what happens (cracked server, loss in court, new law, insider leaking info etc etc)

Re:Pot calls kettle black.

No its not a government conspiracy, they really ARE watching you. The average brit is photographed 200 to 400 times per day.

Hea, waat the hell, why not just pull random people over for.. no reason at all.. and take fingerprints. http://news.bbc.co.uk/1/hi/uk/6170070.stm [bbc.co.uk] Alread on it in the UK, the worlds leading police state.

Sound Orweallian..? guess what, it *looks* that way too. Check out the "it's for your 'safty'" ads. http://www.infowars.net/articles/april2006/170406w atching.htm [infowars.net]

For the Tin Foil Hat Brigade (myself included)

Firefox and the Customize Google extension make a good team: http://www.customizegoogle.com/ [customizegoogle.com]

Features:

        * Remove click tracking
        * Anonymize your Google userid
        * Block Google Analytics cookies

        * Secure Gmail and Google Calendar, switch to https
        * Remove ads

Re:For the Tin Foil Hat Brigade (myself included)

Yeah, I'm the same way. When I have girls over at my place, *all* they have to do is ask about the "no sound/video recording" option, and I won't keep their data. They just never request that feature.

Toppling the Top Guy

This is a classic trick of anti-capitalist lefties (and looking at who is on their committees, there's a whole bunch of them).

Look at how much scorn is pushed onto Starbucks, despite being quite decent to their suppliers, staff and the environment. If they were the 2nd biggest coffee shop chain in the world, the scorn would not exist.

So, Google, despite behaving a great deal better than Yahoo over privacy get nobbled.

Re:Toppling the Top Guy

This is a classic trick of anti-capitalist lefties (and looking at who is on their committees, there's a whole bunch of them).

Are you aware of the fact that this makes you sound like a cold war era crazy-person? I mean, if so, feel free to continue - I just thought you might want to know.

If they were the 2nd biggest coffee shop chain in the world, the scorn would not exist.

If they made decent coffee there would be a hell of a lot less scorn for them too...

Re:Toppling the Top Guy

If they were the 2nd biggest coffee shop chain in the world, the scorn would not exist. I'm from the Netherlands. No starbucks at all to be found here- I guess they felt they couldn't compete with the Fine Products sold in coffee shops here :)

Amusing...

It's amusing how people root for the underdog but start to turn against it once it gets too big. I remember a time when M$ was viewed as a hero for scoring victories over the evil IBM monopoly.

I suppose the lesson is that companies are never your friends, just allies of convenience at best. Something to remember the next time some slashbot claims comapny X will save the day because they are a friend of open source.

Re:Amusing...

You have a point. But then what if open source gets too big?

Probably BS

Reminds me of the recent Greenpeace report on Apple, mainly containing groundless claims that in the end were mainly due to Apple not trumpeting the eco-friendly things they were already doing. In this case, Google is going to have lots of user data simply because lots of people use it many times a day to search for things. I think big companies shouldn't give in to these underhanded tactics, since it only encourages more of this crap from organizations that should have more integrity.

Google? Hardly...

While a number of other Internet companies have troubling policies, none comes as close to Google to 'achieving status as an endemic threat to privacy,'

They've obviously never heard of LexisNexis [wikipedia.org] or Accurint [accurint.com]. Unless they consider information on what web page you visited to be more infringing than, say, your full financial history, residence, court records, marriage licenses, property deeds, loans, phone numbers (including unlisted), etc., etc. Of course, that's all "public information."

Yeah right

> Google last year successfully fought a U.S. Justice Department subpoena demanding to review millions of search requests.

Yeaha. Google protects the data from the Justice Department.
But it DOESNT (and thats the point of the rating) protect the data from google itself. The google privacy idea is more or less "We are good. Thats why WE are allowed to do everything, and you WILL like it (trust us, we know you better than you do yourself)".

clusty

Clusty.com seems to have better privacy policies than google, and seems to give results of about the same quality. I use it as a matter of habit these days, except for some fancier searches, for which I need google.

Abuse of "anonymity"

I have been sued for defamation by a Russian businessman after I wrote a webpage that criticized him. One of my witnesses claimed the Russian threatened his life. A commment was later posted on my website using an anonymizing web proxy saying the businessman was in the Russian Mafia, and implying if I win in court I might loose my life.

I issued a federal subpoena for an IP trace to find out who made this threat. It went to Affinity Internet, who is the ISP for Unipeak, an anonymizing web proxy. I later learned Unipeak was the source of the comment threatening me, but Unipeak didn't have any valid contact information and their website says they keep no traffic logs.

Further research showed the Russian, Andrew Vilenchik, was a user of Unipeak. See Vilenchik's anonymous comments. [cgstock.com]

My local police are now involved, my neighbors keep an eye on my house, and my wife and extended family are very upset about this threat, which we take seriously.

Whoo hoo! Hooray for anonymity! By all means, terrorize, threaten, steal, and engage in represehsible and illegal conduct with anonymity and impunity. I choose not to lie, cheat, or steal, but I tell the truth without anonymity and I face any consequences. By comparison, every criminal and scumbag wants anonymity.

A full description of the Lawsuit is online [cgstock.com]

Re:Abuse of "anonymity"

You know, you could have avoided a lot of trouble if you had published your Russian businessman criticizing webpage anonymously...

Finkployd

and, in related news, privacy international

gets the lowest google ranking available.

How do we know Goog isn't giving up info already??

Seriously, did you know...(from wikipedia) "Under FISA, any agency may require a common carrier, landlord, custodian, or other person provide them with all information, facilities, or technical assistance necessary to accomplish ongoing electronic surveillance. They must also protect the secrecy of and cause as little disruption to the ongoing surveillance effort as possible." "A common carrier is an organization that transports persons or goods, and offers its services to the general public. In contrast, private carriers do not offer a service to the public, and provide transport on an irregular or ad-hoc basis. Common carriers typically transport persons or goods according to defined routes and schedules. Airlines, railroads, bus lines, cruise ships and freight companies may be common carriers." So, if the Goog was instructed to provide info, they wouldn't be telling us.

Of course Google is awful for privacy!

After all, in what other website can I google anybody?

This seems hilarious...

...that a group based IN THE UK is giving anybody a grade on privacy, considering how much respect the government down there has for it.

Yes

Well, if Privacy International says it's so, then it must be so!
I mean, they're Privacy International for cripe's sake. That's at least 20% better than just Privacy National. Just because I had never heard of them until today is irrelevant.

GMAIL

Then I wonder why anyone who sees this would want to have GMAIL?

-Dee

There is a lot Google is

Look at the entire scope of what Google does and you see that they want to know everything about you, and not some anonymous information. EMail is something you alomost always log in to. Many people set the login to remember them. Makes it easier to check you email, but once you are logged in your search queries are not anonymous. That is the reason Google has so many other things to try tog et you logged in and to stay logged in. For example, the have IM so that you've leave it running and yourself logged in.

However, most commercial activity and interesting behaviors, the ones worth money to advertisers and others, don't happen at the search screen. This is why Google has toolbar and desktop. They want to watch all of the sites you visit and what you do on the sites. Using this data they build a detailed behavioral profile of you. But they also have way more information then your commercial behaviors. They know about a wide variety of sites and can determine if you look at sites about health issues, or other sensitive and personal behaviors.

Google is a HUGE threat to your privacy. One could reasonably say that if you use many Google services and tools you have already given them such a detailed picture about you your privacy is essentially gone. And remember, they keep a 2 year rolling picture of the details about you. But they can also keep the "important" items they discover and toss the detail.

And, to those who say "Remember that Google went to Court to prevent the Government from getting records", remember what Google said. They said they were doing this NOT to protect your privacy, but to protect their trade secrets. That means so that no one can found out the real details about what they track and know about you.

Don't believe the "Do NO Evil" stuff. It is just clever marketing. They are a big company, just like all the rest and in many ways worse. Remember that they say that they want to index all of the World's information. That includes the very intimate and personal details about you!

Many viewed Google as the anti-Microsoft. Microsoft just dominated a market. Is is really debatable whether Microsoft's dominance actually cost consumers financially, but if they did, it was just money. There is no question that Google threatens at least our privac and that is just the first of our basic rights that their behavior and business interests threaten to erode.

   

Privacy International?

Never heard of them. Oh wait, now they've attacked google and everybody knows who Privacy International is. Cheap, but effective, PR for PI.

ooh i bet they're scared now...

Ob Futurama [wikipedia.org]:

WERNSTROM: I give you the worst grade imaginable, an A minus minus!

High Horses

P.I. has simply done what ACLU does frequently: jumped up on other peoples' high horses and ridden them, even if its legs are imaginary. Don't get me wrong, I fully support what ACLU stands for and what actions they do undertake. Unfortunately they very often go for PR by chiming in on many topics others happen to be making noise about (ie. getting media attention) even though they have no intention of taking action themselves. Look back through the media and see how many times you can find ACLU "condemning" something in the press, and that's all you hear from them on the subject. Then see how often that's a concern others have raised previously, valid or not.

P.I.'s report is a summary of accusations, pretty much all of which were raised by others well before they undertook this "study". It is not an empirical accounting of Google's policies or practices. They didn't examine these. They'd have had to do that from the inside. They made no effort to do so, as they had no intention of studying it objectively.

Note that this takes no stand on the reality of Google's policies and practices. I don't know what they really are from the inside any more than P.I. This is simply an observation and comparison of self-styled "watchdog" groups whose intent too often is more self-promotion than watchdogging.

googleisevil

I for one welcome the return of our new-ish stupid tag overlords.

Marketing and Privacy are diametrically opposed

The subject line says it all. Advertising needs to know who the viewers are when targetting an advertisment. And the more accurate a description, the more "effective" an advertisment may likely be. So if they can collect a bunch of info on a user and set up a profile then advertising can be better targetted, be more effective and the advertising space provider can charge highter rates.

A matter of interpretation.

They make a big deal out of google serving content-targeted ads in email, but they don't say anything about AOL, MSN, and Yahoo actively "wire tapping" IM conversations? Of course, AOL, MSN, and Yahoo aren't that explicit about the wiretaps. They get away with it through a combination of their privacy policy's statements of needing to comply with "local laws and regulations", and the federal government mandating said wiretaps. If you use MSN, AIM, or Yahoo messenger, or email, you are subjecting yourself to wiretapping by the U.S. Federal government -- even if you aren't a U.S. citizen. Do google's targeted ads genuinely bother anyone more than this? I'm not saying that Google's privacy policy can't be improved -- everyone can use some improvement. I am saying that I think people are looking at the wrong things when evaluating how much protection a company offers to its customers.

Bullshit

Oh yeah, Google is really insecure. I mean come on, they've had a whole 0 leaks in the last decade alone. That's almost a measurable increase from previous times.

Seriously though, with a new "Thousands of credit card/social security numbers released by company XYZ" story every other week, how did Google score this low? Seems to me there's more at play here than facts and studies. Perhaps Google indexed one of their "confidential" pages they put on their server and didn't realize was on the Internet until Google indexed it.

News at 11

Criminal defense lawyer John Henry Browne sues [slashdot.org] Privacy International on behalf of Google Inc. for poor rating.

Its interesting...

.. that "Google has some of the worst privacy-protection practices anywhere on the web." when wasn't it just two or three months ago when Yahoo gave the account details of a Chinese blogger to the Government which lead to his arrest and ten year sentence?

Wake me up when Google does something like this, until then its all BS.

Whatever...

... if "British Privacy Group" isn't a an oxymoron, I don't know what is.

Consistency & Reliability?

In reading the actual findings [privacyinternational.org], I'm a little confused. They fault one company for using "web beacons" and another for using "pixel tags" -- but those are the same thing, so why not be consistent in terminology? They fault Apple because it "kept quiet on the potential watermarking of DRM-free iTunes songs" when this topic only broke out within the last week, and there is zero evidence of actual watermarking (versus plain text additions of your name and email address -- yes, there is a difference). They fault AOL for preventing Mac users from viewing videos, but that's hardly a privacy concern (hello, competing video formats!). For Google, "Privacy mandate is not embedded throughout the company," whatever THAT means. Finally, a majority of the listed sites have no information listed in the categories of "responsiveness", "ethical compass", and "corporate leadership" -- so how can you adequately compare them to the bigger sites who have such information?

how to find these

once the privacy results are published, will i be able to google them?

a look at the Wash. Post's board of Directors

Reveals an interesting member [corporate-ir.net].

Bill must have been exstactic that his wife's newspaper did such a fine hit-job on the Goog.

This is the same Washington Post that reported continuously on the travails of Jack Abramoff - without ever mentioning the fact that most of his career was spent under the employment of the Preston Gates law firm (yes, that Gates - firm was / is microsoft's legal arm).

Re:Don't use it if you don't like it!

Yeah right. What are you going to use instead?

Ask Jeeves? ...didn't think so.

Re:Don't use it if you don't like it!

Nobody is forced to use it!

What about users of Opera? Doesn't google still get every URL they visit?

Re:Doesn't make sense.

You're forgetting the various apps like Mail that store personal information online on their servers.

need to privacy is important, not retarded

you're having it all mixed up. this is not about _you_, it is about _them_. the problem with companies like google is you don't know when you're using them. they own a lot of sites and services and probably have stake in even more, and all this data is collected, analyzed and processed by a single entity, without you knowing it, agreeing to it, or having an option to do anything at all about it.

you say you like this, and you call people "retarded" because they worry about privacy, but actually you say because you haven't thought much about it, and obviously don't have enough experience outside of the US. stop for a moment and consider -- what can happen to you personally when a powerful entity can go after you with a large profile that basically follows what you're thinking? i come from a country where everybody had a file, and the file was used to make people do things they otherwise wouldn't. i have seen what this does to people. google and the likes take it to a new level.

unless there is a general understanding that you control some parts of your life and can dispose of them as you wish, including legally limiting other people's ability to own this data, i can easily see this happening with profiles kept by information clearing houses like google. done by an agency or company near you.