Sigh. Google as a company takes privacy very seriously. I personally feel strongly about protecting our users’ privacy. So I’m frustrated by a recent study that Privacy International did, and I want to know if I’m off-base in my reaction. I got back home from SMX and I’m surfing the web when I see this AP article entitled “Watchdog group slams Google on privacy”:

In a report released Saturday, London-based Privacy International assigned Google its lowest possible grade. The category is reserved for companies with “comprehensive consumer surveillance and entrenched hostility to privacy.” None of the 22 other surveyed companies — a group that included Yahoo Inc., Microsoft Corp. and AOL — sunk to that level, according to Privacy International.

So I surf over to Privacy International (PI) to read the actual report, and I have to be honest with you — it made me mad. But I try not to blog when I’m angry, so I decided to sleep on it. After sleeping on it, I’m still pretty frustrated with Privacy International’s conclusions. Here’s my take.

Google didn’t leak user queries

In this past year, AOL released millions of raw queries from hundreds of thousands of users. Within days, a journalist had determined the identity of an AOL user from the queries that AOL released. But AOL got a better grade than Google.

Google didn’t give millions of user queries to the Dept. of Justice

In 2005/2006, the Department of Justice sent subpoenas to 34 different companies requesting users’ queries and other data. In fact, the original subpoena requested all queries done by users for two full months. AOL, Microsoft, and Yahoo all gave some amount of users’ queries to the Department of Justice. Google fought that subpoena (full disclosure: I filed a declaration in that case). The judge sided with Google; no queries from Google users were given to the DOJ. But Yahoo, Microsoft, and AOL got better grades in this report than Google.

Google will anonymize query logs

In March, Google announced that it would begin anonymizing its logs after 18-24 months. Google has continued to communicate on the issue, including a post on the Google blog in May discussing the reasoning behind that decision. In fact, we talk a lot about privacy, from blog posts to Op-Ed pieces in the Financial Times. To the best of my knowledge, no other major search engine has followed suit in a plan to anonymize user logs.

Misc bits

Other parts of the study just baffle me. The report claims (I am not making this up) that “Every [Google] corporate announcement involves some new practice involving surveillance.” I know that my years of working at Google may bias me, but does that sound impartial? Let’s test that claim. Here’s a Google corporate announcement we made on our blog in March. Google expanded our support for open-source in our third annual “Summer of Code”:

Last year we paid 630 students from 450 schools in 90 countries $4,500 each to work on open source software projects. These projects, selected by some 100 open source mentoring organizations from over 6,000 applications, provided students with invaluable real-world programming experience.

That’s over three million dollars in open-source development last year, with even more money set aside for this year. The program introduces students to open-source programming. In return the open-source community and regular users benefit from students’ projects. Does Google’s Summer of Code program have anything to do with surveillance? Nope, not even close.

Conclusions

Sigh. Okay, take deep breaths, Matt. My spleen is vented. 🙂 Personally, I think Privacy International should feel remorse about walking right past several other companies to single out Google for their lowest rating. But I think that there’s a larger danger here too. I believe this report could corrode earnest efforts to improve privacy at companies around the internet. Why? Because the bottom-line takeaway message that I got from the report is that a company can work hard on privacy issues and still get dragged into the mud. Consider: in the last year or so, other companies gave users’ queries to the government, leaked millions of raw user queries, or even sold user queries and still came off better than Google did.

Wait — someone sold my data?

If I ran a privacy group, I would *find out which ISPs sell their user data*. While Privacy International was conducting its six-month-long study, credit bureau Experian committed to buy Hitwise for $240 million dollars. From the press release:

Hitwise collects and aggregates information from Internet Service Providers (ISPs) on how over 25 million consumers use and search the Internet in the US, UK, Australia and other countries in Asia Pacific.

If you check Hitwise’s most recent blog post about UK site Gumtree, they discuss collecting user queries: “Hitwise captured 4,201 unique terms sending visits to the website.” Did those queries come from opted-in users, or from ISPs? If I ran a privacy organization, I’d want to know which ISPs sell user data. I’ve pointed out before that ISPs have a superset of data on a user compared to almost any other online company. Some have suggested that ISPs sell user data for as little as 40 cents per month per user. It looks like Privacy International didn’t include any ISPs in its study of online companies. Luckily, some other folks are looking into it. A Wired blog enlisted readers and started to get some answers on the topic.

If Privacy International really wants to focus on Google rather than digging into companies that are, you know, actually buying and selling user data, that’s their choice. 🙂 Note that I have nothing against Hitwise, Compete, or ISPs at all; I just think it’s unwarranted to call out Google when user data is being bought, sold, given to the government in the millions, or being leaked — by other companies. And I think Privacy International missed the mark badly by giving those companies a better rating than Google, or by not including the right online companies in their study.

Now it’s your turn. Am I off-base on this issue? Or did this study miss the mark? (I’m going to bed now, so I’ll approve comments in the morning.)