Human Rights First

Google’s Privacy Policy: Always Changing, Not Yet Transparent

2-23-2012

By Meg Roggensack
Senior Advisor, Business and Human Rights

Today the White House will host a privacy summit to launch a series of initiatives aimed at protecting consumers using the internet. According to Politico, the White House will ask Congress to adopt a consumer privacy online bill of rights, and will ask companies to do more to address consumer privacy concerns.

The White House has it almost right. Consumers are at risk, and companies have not done nearly enough to explain that danger, let alone mitigate the risk. The FTC is working to address the most salient abuses, but that still leaves a considerable gap which companies need to fill. The first step is making sure users fully understand – before providing personal information – what the real risks are.

Consider the case of Google. Last October, the FTC announced a settlement with Google to address concerns about sharing personal information through the Buzz social network without users’ consent. The order required Google to accurately state how and why it collects and uses personal information, and how users can control the ways in which their information is gathered and disseminated. The order also required Google to obtain “express affirmative consent” from users when a new service or privacy policy changes the way it shares private information. Google is also required to undertake regular assessments on its privacy program from independent outside experts.

Google recently submitted its initial privacy compliance report to the FTC, and there are some bright spots in it. There are noteworthy policies and internal compliance safeguards designed to rigorously review third-party service providers, and to train board officers in privacy standards. But despite these advances, user privacy is still not sufficiently protected.

The Electronic Privacy Information Center (EPIC) recently filed suit on the grounds that Google’s new privacy policy violates the FTC settlement order. EPIC alleges that Google’s newly announced privacy policy to aggregate user data across services is intended “to benefit advertisers through improved targeting of users.”  The complaint adds that Google’s notices fail to disclose this. EPIC also alleges that Google’s new policy doesn’t disclose how users can limit data aggregation.

A group of state Attorneys General also expressed concerns about Google’s new privacy policy. In a letter to Google, they state that Google’s so-called “alternative” for users who wish to opt out of data aggregation by avoiding any use of Google’s services rings hollow “in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis.”

The Wall Street Journal recently reported that Google has been tracking Safari users, apparently without their knowledge or consent, which raises troubling new questions about what Google is prepared to do to obtain personal data.

Where does this leave Google’s users? Why hasn’t the company provided users with specifics about what user data is collected, and what Google does with it?

Without advanced degrees, most of us have no real understanding of what information is being collected and how it is used, leaving users at the mercy of company insiders and their preferred practices. For users in Bahrain, Syria, Russia, China and the world’s other undemocratic regimes, the lack of transparency about data collection can mean life or death, a lengthy prison sentence, a brutal interrogation, and the elimination of entire networks of activists fighting for change.

Members of the Congressional Bi-Partisan Privacy Caucus have called on the FTC to investigate the Safari breach, but it’s unclear what steps the FTC is prepared to take. One prominent blogger has called for new legislation giving users a private right of action to sue when software designs put privacy at risk.

In the absence of clear regulatory and legal standards, it is incumbent on companies like Google to educate their users BEFORE personal information is collected in the first place. Even if Google’s privacy policy notices were clear and complete, there would still be a considerable gap between users’ privacy expectations and the realities of data collection and use.

What steps should Google take to clearly and prominently disclose both the purpose and process of sharing of user information?

We recommend that Google spell out, with examples written for the average user to understand, how its new policy will operate, what it means in practice, and how it differs from prior policies and practices.  

Google publishes a set of Frequently Asked Questions (FAQs) regarding its privacy policies that fails to provide that needed clarity.  Google’s privacy FAQs should address the following questions:  How is it obtaining “express affirmative consent” from users? Does an opt-out policy satisfy this standard? What does such a policy mean in practice?  Does it leave a user off the internet?

Until it answers these basic questions for its users, Google should hold off implementing its new privacy policy slated to take effect on March 1.

As Google indicates, it is working to create a beautifully simple, intuitive user experience. But at what price? At a loss of fundamental privacy? Google needs to do more to make the cost to users clear up front, before any information is collected or any new policy is implemented.  Then, and only then, will users be able to make informed choices about the personal data that is collected about them.


  • Ian Roberts

    Privacy Policy changes should be very transparent. Why?

    I know many people that simply can’t be bothered, or know how, to sort through the ‘options’ or ‘settings’ of programs they use.
    Unless a window pop-up explicitly details a user’s action, many users simply won’t know what they have agreed to, by clicking on a link. Can you blame them? Not at all, a program’s user interface changes all the time. It gets very frustrating to find a particular setting/option, when they’re always changing the location of that option.