User privacy is of major concern to just about everyone, because just about everyone needs some level of privacy. Google, with its massive user following and array of product offerings, has a huge responsibility to keep their users’ data confidential and safe. The Google Buzz bungle is an example of how Google’s handling of private user information doesn’t always live up to expectations.

Privacy/Data/Information commissioners from 10 countries sent a joint letter to Google CEO Eric Schmidt on April 20, expressing their concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

The letter made various statements like Google Buzz “betrayed a disappointing disregard for fundamental privacy norms and laws” and that “launching a product in “beta” form is not a substitute for ensuring that new services comply with fair information principles before they are introduced.” Also included were suggested principles to be used by Google to ensure user privacy, such as “collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service” and “ensuring that all personal data is adequately protected.”

While the letter seems well intentioned, its message is a bit late to the stage. U.S. congressmen John Barrow penned his own joint letter to the Federal Trade Commission at the end of March over the same Buzz/privacy issues. Congressman Barrow’s letter cites the Electronic Privacy Information Center’s (EPIC) previously filed complaint “alleging that Google Buzz violates federal privacy law.”  In a manner of public response, Google issued a letter to the Federal Trade Commission regarding their policies on information privacy. In this ten page letter, Google shared their efforts to “develop products that reflect strong privacy standards and practices.” They also stated their support for “strong industry commitments to ensure transparency, user control, and security in Internet services for consumers” as well as “strengthened protections from government intrusion.”

To demonstrate a small history of various government “intrusion”, Google created the government requests page (http://www.google.com/governmentrequests/). The page maps out content removal requests and user data requests made by government agencies for the second half of 2009.  The leaders in user data requests are Brazil (3663), the U.S. (3580), the U.K. (1166) and India (1061).

 

Also displayed through this map is the inclusion of  every country who signed the privacy letter to Google. Government agencies from France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain, Canada and the United Kingdom all scolded Google for inadvertently disclosing  personal user information, but prodded them for the same information months earlier.

Though data protection departments may not be the ones who made the requests, government is often looked at as a collective entity, causing some to consider these actions as hypocrisy. In the FAQ for the government requests page, Google says “the statistics primarily cover requests in criminal matters.”  Does this justify cooperation from Google? When is it okay to abandon privacy for the sake of law enforcement? I don’t know. It is a difficult balance for Google and world governments in protecting both privacy and national laws.

The Electronic Communications Privacy Act (ECPA) is a key part of finding this balance. Find out more:
www.digitaldueprocess.org

If you want to see what Google has on you, start with:
www.google.com/dashboard

Matt Sully
Director
Threat Research & Analysis