17 Oct 2012

EU tells Google to make its new privacy policy clearer and to give users easier opt-out

European regulators on Tuesday sent Google a letter with 12 recommendations for shaping up its new privacy policy - a policy that most EU data regulators found too vague and too tough for users to opt out of.
The letter, which stopped short of calling Google's data collection methods illegal, follows a nine-month investigation into the company's data-collection policies led by France's Commission Nationale de l'Informatique et des Libertés (CNIL).
According to Reuters, the letter was signed by 24 of the EU's 27 data regulators, plus those from Croatia and Liechtenstein.
Google on March 1st rolled out its new privacy policy, consolidating 60+ separate policies into one and pooling data collected on individual users across its services, including YouTube, Gmail and Google+.
The letter said that the massive amounts of data sucked up by Google's far-ranging reach raise concerns about user privacy:
"Combining personal data on such a large scale creates high risks to the privacy of users."
"Therefore, Google should modify its practices when combining data across services for these purposes."
According to Sarah DiLorenzo, writing for the AP, the EU has three main beefs with Google's new privacy policy:
  • It’s not clear enough in explaining to users what data is collected and how it will be used;
  • It’s too difficult for users to opt out of data collection and combination; and
  • Google doesn’t always say how long it will hold onto data.
Beyond those concerns, the commission noted that Google treats all collected data the same, regardless of whether it's a simple search term or a credit card number, and regards any and all data types as fair game for any purpose stated in its new policy.
Regulators would prefer to see Google customize its treatment of data as appropriate to the type of data collected, to get more concrete about now-hazy parts of the policy, and to enable users to more easily detach themselves from the search giant's wide and sticky data web.
For example, as it now stands, the regulators pointed out, users have to take six actions to get out of targeted advertising.
Given Google's ever-expanding data universe and the overwhelming number of nooks and crannies a user's data can get wedged into, getting a handle on one's privacy can indeed be daunting.
Some examples:
  • Advertising: Google shares non-personally identifiable information (PII) between Google services and ad networks by default so as to personalize ads.
  • Street View: Images including those of men leaving strip clubs, protesters at an abortion clinic and sunbathers in bikinis have caused concern for privacy advocates. Street View has been banned in India and in Germany, while Australia has ordered Google to destroy personal data harvested by its image-collecting cars.
  • Web History: Google keeps track of search terms and items clicked on when using Google services.
  • Google Chat: Google by default keeps records of conversations.
  • Google Analytics: Many websites use Google Analytics to track usage information, page views, and anonymous browser statistics.
  • Search Personalization: Google customizes search results based on what users click on and search for, regardless of whether they've signed in to a Google account.
In preparation for the privacy policy consolidation, Sophos's Chester Wisniewski compiled a list of tips on how to navigate Google's privacy options for all of these services.
It's a bit of work to track them all down and opt out, as you can see when you check out Chester's guide.
Indeed, one problem the EU regulators raised in the letter is that the onus is on the user to figure out how to opt out of Google's myriad data-collection techniques.
They'd rather see Google instead ask users for explicit consent when bundling data from its services, the letter said.
The regulators have listed 12 "practical recommendations" for Google to amend its privacy policy, the first five of which address how Google tells people about how their personal information and browsing records will be used, with a particular emphasis on location data and credit card data.
The BBC reported that one of its sources at Google said that the company would look closely at the recommendations but that the findings weren't as serious as some industry watchers had predicted.
Google’s global privacy counsel, Peter Fleischer, told the AP that the company is reviewing the commission’s report but believes its policy respects European law.
Isabelle Falque-Pierrotin, president of the French National Commission on Computing and Freedom, told the AP that Google has three to four months to respond, but there's no hard deadline.
But if Google fails to comply with the regulators' recommendations, it could push the situation into what she called a "contentious phase", she said, without giving details.
Does making its data-collection techniques more understandable work in Google's favor? Hardly. User ignorance is bliss for Google's bottom line.
As one industry watcher told the BBC, if people realised just how much data Google is amassing, they'd opt out en masse, threatening the company's bountiful ad revenues.
Auke Haagsma, a director for the Initiative for a Competitive Online Marketplace (Icomp), told the BBC that offering all of Google's tasty free services and reaping profits off the ads those services dish out just isn't compatible with data collection clarity:
"In Google's business model there is an inherent conflict of interest."
"On the one hand Google wants to offer good services to users, but on the other it's being paid for by advertising."
"Google is collecting so much data. If people realise that, they are afraid people will say no."

http://nakedsecurity.sophos.com/2012/10/16/eu-tells-google-to-make-its-new-privacy-policy-clearer-and-to-give-users-easier-opt-out/