A controversial report ranking Google’s consumer online-privacy practices at the bottom of a list of popular web companies highlights a profound shift in the company’s public image as it has evolved from upstart web darling to seemingly unstoppable commercial powerhouse.
Privacy International, a U.K.-based civil liberties organization best known for its Big Brother Awards, graded the privacy and data-retention practices of 28 major online companies, including YouTube, Microsoft, eBay, MySpace and Yahoo, and found most had some privacy lapses.
But the report, released over the weekend, was particularly tough on Google, which alone earned a black mark for “comprehensive consumer surveillance and entrenched hostility to privacy.”
Simon Davies, Privacy International’s director, said in an interview that the rating in part reflects Google’s power and reach, which require it to meet a higher standard than others.
“One of the points we are making is that Google is the new Microsoft,” Davies said. “Five years ago, Microsoft was rightly perceived as the evil empire. But Microsoft has turned the ship around somewhat, and it doesn’t require much tweaking to embed privacy infrastructure into planning processes.”
Davies added, however, that he believes the firestorm over Google getting the lowest mark of any company is overblown. “The most important conclusion is that privacy invasion is endemic,” he said. The group has called for a July 23 privacy summit in San Francisco, where it hopes the largest internet companies will meet to create standards for online privacy.
In a written statement, Google sharply protested its ranking, saying the findings weren’t shared with the company before publication.
“User trust is central to our business and that is why we aggressively protect our users’ privacy,” the statement said in part. “We stand by our record for protecting user privacy and offering products that are transparent about what information is collected and empower users to control their personal data.”
Google employee Matt Cutts, the public face of Google to web designers, defended the company’s refusal to turn over search-engine queries to the government when other companies complied and for Google’s recent announcement that it would remove some identifying information in its logs after 18 to 24 months.
The report adds heat to a long-simmering debate over Google’s thirst for user data and how that squares with the search and online ad giant’s commitment to its infamous motto, “Don’t Be Evil.”
Google’s dominance of online advertising and search gives the company such power over the internet that it needs to be more transparent, according to Jeffrey Chester, who heads the Center for Digital Democracy and helped author the Federal Trade Commission complaint against the Google-DoubleClick acquisition.
“They need to create an opt-in system with full disclosure,” Chester said. “They won’t lose market share and could make themselves the hero of the online world for decades.”
Currently, Google retains reams of data on users, tying internet queries to cookies for users without accounts for years, and aggregating data on registered users across Google’s services which now include email, word processing, website traffic analysis, as well as search. Google also opts new users into its “Web History” tracking system that lets you review all your past Google searches, and for those with the Google Toolbar, Google will capture the URLs of your entire web travels.
Critics say this information will be used to manipulate individuals or be subpoenaed by the government, while Google maintains the data helps its engineers tweak and personalize its services.
Google’s privacy practices and hunger for user data is already under scrutiny from federal regulators who are reviewing Google’s proposed $3 billion acquisition of DoubleClick, an online ad giant that serves multimedia ads on thousands of websites and tracks users across a large swath of the web. In response to a formal complaint to the FTC from several privacy groups, the commission is looking into the privacy implications of merging the companies’ massive databases of surfers’ online habits.
Google initially said that move was intended to comply with European data-retention rules, but experts say those rules apply only to communications, such as e-mail headers and phone-call records, not search queries. The European Union’s independent privacy commission is looking into Google’s data practices with an eye to whether the company is violating other data rules that strictly limit the storage, sale and reuse of personal data of Europeans.