Why Google Isn’t the Privacy Villain (This Time)Derrick Harris
Just look at the hysteria that transpired after Google announced its new policy in late January. The changes whittled down about 70 different policies into one and brought YouTube and Web history data under the same rules as most of the services Google offers. First a few dozen state attorneys general expressed concerns over the new policy, alleging Google is leveraging the ubiquity of its services by taking further advantage of users’ personal data. More recently, on March 20, a trio of class-action lawsuits were filed jointly in California, New York, and New Jersey, claiming Google’s new policy violates users’ privacy rights (and, somehow, the Federal Wiretap Act).
For a deeper look at the silliness, let’s go to the class-action lawsuit. Here’s why the complaint in the March 20 suit claims the plaintiffs are entitled to damages:
Google is now aggregating consumers’ personal information without consumers’ consent; has failed to provide a simple, effective opt-out mechanism; and Google’s primary, undisclosed reason for doing so is its own commercial advantage, private commercial gain, and financial benefit.
But Google isn’t doing anything now. According to the company, its privacy policies have always allowed it to combine information among services, and the new policy only folded YouTube and Web history into the mix. In that regard, there’s actually little that’s new except for the condensed format. Furthermore, a Google spokesman told me last week it hasn’t even rolled out any new features or services utilizing the new permissions it does grant itself.
Google isn’t yet even doing what it’s being accused of doing.
When it does use the few new permissions it has under the new policy, it will be in part because Google is trying to evolve its products so they don’t become obsolete and, yes, to make money. Using consumer data to serve advertisers is how Google makes its money and can afford to offer its myriad services for free. That’s really no secret, and it’s not something Google should have to constantly remind users about.
Like Facebook’s Sponsored Stories, which are the subject of another questionable lawsuit, or Chevron’s touting its use of Techron in its gasoline, Google’s new data practices serve multiple purposes. They all claim to help users, and maybe they do, but they also aim to put more money in the company’s pockets. That’s business. As one attorney familiar with the ongoing spate of privacy lawsuits told me, however, “It seems as if the alternative [to expanding use of user data] is to freeze these companies in time.” Anything new is scary, and the companies must be punished.
And then there’s the issue of consent. Both the recent class-action lawsuit and consumer watchdog group EPIC have called out Google for not giving users a chance to consent expressly to the changes. After entering into a settlement with the Federal Trade Commission over the way it shared user information with Google Buzz, Google now has to obtain users’ express consent before changing the way it presents data to third parties.
Google’s official take on how that settlement relates to the firestorm it’s currently facing, according to a company spokesman, is: “We’re not changing how any personal information is shared outside of Google. No users’ settings regarding the sharing or visibility of their personal information are being changed.”
But even should Google decide to share more data with third parties, the FTC agreement might end up being what one attorney calls “an empty framework.” Making users consent expressly to having Google share their data in new ways isn’t much of a choice at all: If users want to use the service, they will click “I agree.” If not, they won’t use the service. Clickwrap contracts, as they’re called, are no different from shrink-wrap contracts for physically purchased software in that regard, because there’s no room for negotiation.
Interestingly, though, some form of negotiation or à la carte menu of privacy terms is exactly what the class-action lawyers and attorneys general appear to want. One has to wonder how they came to expect this, given the current state of the Web. When it comes to direct agreements between service providers and users of their free services, it’s a take-it-or-leave-it world. The FTC even acknowledges as much in its latest report on Web privacy.
If anything, Google has been remarkably forthcoming—in part because its FTC settlement mandates such clarity—in telling consumers of its free services what has changed and pointing to tools in its account-management settings for controlling how the company uses their data. Just last week, Google rolled out a new service to show users what it knows about them. The efforts probably won’t qualify Google for sainthood, but they’re commendable.
But real debate over business models and how to truly empower users to consent is complex stuff; it’s much easier to jump on the bandwagon, call out Google for impinging on users’ privacy, and call it a day. Stoking the fires of privacy hysteria probably won’t change anything, but it might score some attorneys their legal fees or win some politicians a few more votes.
Also from GigaOM:
The Capex Connection: Why We Pay for Privacy on the Web (subscription required)