Google’s proposed acquisition of DoubleClick will give one company access to more information about the internet activities of consumers than any other company in the world, a complaint filed with the Federal Trade Commission reads.
Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security, and accuracy of the personal data that it collects, it adds.
The complaint, led by the Electronic Privacy Information Center, claims Google’s privacy practices amount to deceptive trade practices. This claim appears to be based on the fact that the company collects data, and that its privacy policy is four clicks deep into its web site.
It also alleges that Google carries out unfair trade practices by logging users search query data without giving them a chance to opt out of being logged. The complaint is backed by the Center for Digital Democracy and the US Public Interest Research Group.
Two weeks ago Google said it would buy DoubleClick for $3.1bn, but that it expected the deal would come under review from antitrust regulators. It expects to pass these reviews, and for the deal to close late in the year.
The company said yesterday that the EPIC complaint is unsupported by the facts and the law, and that it aggressively protects user privacy and recognizes that user trust is essential to the success of our products and central to the company’s values.
EPIC utterly fails to identify any practice that does not comply with accepted privacy standards, deputy general counsel Nicole Wong said in a statement.
Google has always and continues to store vast amounts of search data. Essentially every query made to its search engine is believed to be logged, along with the IP address and Google cookie of the searcher. Its cookies last for decades.
Even if one trusts Google not to do anything evil with this data, privacy advocates are concerned that if the data falls into the wrong hands — be it hackers or misguided law enforcement officials — it could prove a privacy risk.
Unique identifiers like IP addresses can be connected to user identities through subpoena or educated inference, as some unlucky AOL users discovered last year when the ISP released millions of anonymized search records, some of which could nevertheless be traced back to individuals.
In response to concerns from users and European privacy regulators, Google said in March that it would start anonymizing its logs older than 18 to 24 months, by deleting an undisclosed portion the stored IP addresses and obfuscating the logged cookie. This change is not expected to come into effect until next year.
DoubleClick has had its own share of privacy problems over the years. It was one of the first advertising companies to be targeted for its banner ads’ habit of dropping trackable cookies on surfers’ PCs.
In 2000, it proposed combining data about individuals’ web surfing habits with data about their offline shopping habits. This caused an uproar, and forced the company to back away from its plans.
The company agreed at that time to allow users to opt out of being tracked, by requesting a special cookie from the DoubleClick web site. Google currently has no similar opt-out cookie.
The EPIC complaint says that DoubleClick ads are viewed by upwards of 85% of web users, and that this kind of insight into site usage, when combined with search data, could be dangerous.
EPIC wants the FTC to investigate Google, to force DoubleClick to delete identifying data before the acquisition closes, to force Google to delete search logs after each session ends, and to force Google to comply with OECD guidelines on data privacy.
Our View
While the privacy groups’ goals are noble, the arguments in their complaint as they relate to the acquisition itself are rather weak, and we can’t help but think that DoubleClick deal is just being seized as an opportunity to pressure Google into adopting better privacy practices.
Google is already big enough, and its privacy practices sufficiently slanted away from the end user, that it could use privacy reform whether it gets to buy DoubleClick or not.
A commitment to anonymize search data after two years storage is as good as no commitment at all. The company will still know which IP address and cookie has searched for what terms for the last two years.
What is needed from Google is a method by which users can opt out of having their queries logged, period. DoubleClick has had an opt-out feature for years. Google could simply lay an opt-out cookie on users’ machines, and refuse to log any queries associated with that cookie.
This would very likely make the privacy criticisms go away.