Few companies inspire the awe — and the dread about privacy concerns — that Google does, because of its search engine, Google maps and its Street View imagery, its Gmail e-mail and other cloud-based services.
From its inception, Google has been a compulsive collector, a hoarder, of information about its users, though the company is quick to say it's not personal. For instance, Gmail users get ads — a hefty part of its revenues — based on automated machine reading for e-mail content. "We tell everyone up front about how we match words in mail with ads," says Vint Cerf, Google's chief Internet evangelist. "I don't consider that a violation of privacy."
The plain-spoken, erudite Cerf is well-qualified to wear the mantle of statesman of the Internet, having played a significant role in its very invention decades ago. Since joining Google six years ago in the "evangelist" role, he's found himself of late explaining and defending Google's practices related to privacy — particularly after last year's privacy blow-ups.
Google has perennially faced criticism for its massive data-collection practices from privacy advocates such as Electronic Privacy Information Center (EPIC) and Electronic Frontier Foundation (EFF), among others. But perhaps nothing stirred up a storm as much as when the search giant last year admitted it had collected — by mistake, it says, for three years — information on open Wi-Fi networks when its Google Street View cars with mounted cameras were riding around neighborhoods in countries around the world to capture geographic data.
That touched off class-action lawsuits, a U.S. Federal Trade Commission investigation (closed last October with the agency declining to take action) and actions by regulatory authorities in Europe, especially, calling Google to account.
In the United Kingdom, for example, the U.K. data-protection watchdog agency, the Information Commissioner's Office, said Google did break the law but didn't impose a fine, instead demanding Google submit to an audit of its privacy policies. The audit, completed this August, was generally approving but urged Google to ensure "that users are given more information about the privacy aspects of Google products."
The WiFi blow-up became a huge scandal in Germany, leading to Google agreeing to offer people an "op-out" to not to have where they live be included in Google Maps through a blurring process. Ilse Aigner, Germany's Consumer Protection Minister, last year urged all Germans to opt out, and told the German magazine Spiegel, "Google unfortunately seems to lack any kind of sensitivity when it comes to collecting personal data."
Hundreds of thousands of Germans did opt out. In April of this year, even though a German court declared what Google was doing was legal, Google decided to stop doing Street View imagery collection in its cars, though it will map German street names and the like.
In the whole WiFi blow-up, "the controversy was that we didn't tell people we were collecting that data. We stopped." Cerf says. "We wanted to figure out where hotspots were so we could locate them later. We could locate the device and provide location services on GPS if the user had that."
Cerf adds he believes Google is still holding onto that cache of WiFi-related information that led to the whole controversy in the first place because Google has to be prepared to respond to any "grievances" legally that arise from it and it's all "evidence" that can't be destroyed.
Google has been willing in several ways to modify practices to address privacy concerns. The Electronic Frontier Foundation (EFF), which has criticized Google in the past, thinks the company is showing signs of warming up to ideas about how to protect consumer privacy in an era where new technologies mean it will simply have to be thought about in an entirely new way.
"The Electronic Communications Privacy Act (ECPA) is 25 years old next week. It's outdated and doesn't protect people's information," says Rebecca Jeschke, EFF digital rights analyst, pointing to the need for updated law on digital surveillance. She's glad to see Google as a key part of the group Digital Due Process Coalition, which includes technology companies, civil rights organizations and academics seeking to update ECPA to provide privacy protections to newer technologies.
Some ideas for that include requiring the government to first get a search warrant before it can track the location of a cell phone or other mobile communications device, or require the government to demonstrate to a court that data they seek in monitoring of any communications medium is relevant and material to a criminal investigation.
But Jeschke notes this doesn't explain what Google itself might be doing for its own benefit with personal data it can collect.
"Google has a huge reach. We all use Google every day," she says. "Google has a ton of information about you. All that information is collected and can be linked to each other." She adds: "The fact that it's there is worrying. It's a honeypot for all sorts of people — marketers, civil litigants, law enforcement."
Google tries to be transparent about its collection practices through its online "Privacy Center" and "Privacy FAQ." And Cerf says Google does hold onto what Web searches are made based on IP address but "the IP address doesn't bind to a person." He says Google does not keep files on individuals for data collection purposes. And when it comes to business practices with third parties, any data that Google does share is done so on an anonymous basis.
Around the world, privacy is a topic of huge concern and how local law is applied varies widely. In Italy last year, for instance, a video posted on YouTube that showed an autistic teenager being punched and bullied became a legal case on privacy that led to three Google executives being given six-month suspended sentences by a Milan court.
"The Italian situation was pretty extreme, Cerf says. "I didn't agree with the court's view on that one." Google's global privacy counsel, Peter Fleischer, one of the executives sentenced by the Italian court, indicated in his recent blog post he's appealing the court decision.
But at the same time, Cerf says he profoundly feels how the advent of cameras everywhere and the ability to post video and photos online can be hugely disconcerting. He recounts how he stepped once off a helicopter for a meeting in Brazil and minutes later was informed a video of himself doing that had been posted to YouTube, something he found to be a discomforting experience. He says getting constant notes about being "tagged" in online photos from social networking sites such as Facebook still remains a bit of a jolt.
One of the experiences of our time is we need to understand "the extraordinary loss of privacy we get from each other," Cerf points out.
With all the privacy issues, yet another is also troubling: the attacks on users of Gmail. Earlier this year, Google disrupted what it said was a targeted phishing campaign aimed at stealing e-mail from government officials, contractors and military personnel, and Chinese political activists.
"The spear-phishing attacks against Gmail were clearly targeted at high-level officials in government and industry," Cerf says. "Whether it was Chinese-government-inspired or not, I don't know." But he notes there has been a lot of speculation that it may well have been.
Even as it seeks to influence privacy protection for a possible updated version of the ECPA surveillance law in the U.S., Google seeks to maintain some control over what it might have to do to respond to requests by law enforcement in countries abroad.
One position Google has taken is that if China or any other country requests access to any data associated with any person, "we'll follow the U.S. rules for access to the data." This has led to situations where Brazil, for instance, has asked for jurisdiction in the U.S. But Cerf says one approach that Google has taken is if the company doesn't have servers in that country, it doesn't have to respond. "We don't have servers in China. That's why we're able to say we won't respond to those queries."