Canada’s privacy commissioner joined nine other government privacy authorities on Tuesday to condemn Google Inc. for its irresponsible privacy values.
The privacy watchdogs expressed their concerns in both an open letter to Google CEO Eric Schmidt and at a press conference in Washington, D.C. In addition to Canadian Privacy Commissioner Jennifer Stoddart’s participation, the open letter was also co-signed by data protection authorities from France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom
The 10 country group charged Google with failing to take privacy considerations into account when launching new applications and services. At the top of the list was Google’s Buzz service, a tool launched in February that added micro-blogging and social networking functionality to the company’s Gmail client.
Upon its launch, Google faced widespread criticism among media pundits and privacy activists who protested that the company transformed a private e-mail service into a public social networking site.
Some users also complained that Google publicly disclosed their personal information without properly notifying them. In wake of the outrage, Google modified the Buzz service to better protect customer privacy.
Now several months later, the action appears not to be strong enough for some global privacy agencies. In Tuesday’s press conference, the group said the Google Buzz situation was the “last straw” and added that many of the privacy authorities would not hesitate to use its powers if this latest warning is ignored.
Stoddart said that privacy has become a global issue and that Google cannot continue to ignore fundamental privacy norms and laws when rolling out future services. “This can’t go on the way it (has been),” she said in a press conference. “New products are being launched in untested form and (Google) is doing tests on the live marketplace with real people.”
Although when asked by ComputerWorld Canada what the Office of the Privacy Commissioner of Canada would do if Google either ignored the warning or continued to release products that violated privacy standards, Stoddart could not say what course of action would be taken. She only reiterated her ability to conduct an investigation and potentially take a case to federal court.
Stoddart also said her office did not conduct an investigation into Google Buzz last February and could not comment on whether they actually violated Canadian privacy legislation. She only said that there were “pretty obvious transgressions of Canadian privacy standards.”
In its letter, the group of government regulators is asking Google and other online service providers to ensure personal data is adequately protected, simplify the process of deleting accounts, collect the minimum amount of customer data needed, use simple language in drafting the user terms of agreement, roll out privacy protective default settings, and ensure privacy controls are easier to understand.
In response to an interview request, a Google spokesperson replied with an e-mail response, which reiterated the company’s efforts to be upfront about the data it collects. “Google Dashboard, the Ads Preferences Manager and our data liberation initiative are all good examples of such initiatives,” said the spokesperson. “Of course we do not get everything 100 per cent right — that is why we acted so quickly on Buzz following the user feedback we received.”
Google said that it has discussed these issues many times before and that the company does not plan to respond to the open letter. Instead, the search engine giant intends to focus on launching its new transparency tool.
The open letter from the privacy authorities to Schmidt requests a response from the CEO.
While both the open letter and press conference referenced the need for all online app and service providers to do a better job protecting data and conforming to privacy laws, Google was the only company mentioned by name.
Jonathan Penn, a vice-president who advises tech industry vendor strategy professionals at Forrester Research Inc., said Google is being singled out simply because they have millions of users.
He said that while Google is great at developing apps and services, the company has developed a poor sense of what the market wants from a privacy and security perspective. “In Google’s defense, users — especially consumers — are not good at articulating their concerns,” Penn said. “Also, these concerns are changing from a focus on personally identifiable information which is regulated in many jurisdictions, to a focus on behavioural data that is surreptitiously aggregated and largely unregulated.”
Personal data is comprised of information such as name, address, and credit card numbers, while behavioural data includes online search and browsing history and e-mail contacts, he said.
“All that said, however, Google should have realized all this,” Penn added. “It invests a ton of money and manpower on R&D related to user interface design and usability; if it invested even a tiny fraction of a percent of that into some market research on consumers’ privacy and security concerns it would avoid serving as the poster-child for privacy-eroding evil empires.”