Yesterday I wrote that Google was ranked dead last in a national survey of Internet search engine companies when it comes to consumer privacy rights. I also notes how Congress was taking a closer look at Google's privacy practices, particularly in light of its proposed merger with Doubleclick.
Now it seems that the heat is really on.
Earlier this week, a key member of the U.S. House of Representatives has called Google on to the carpet to explain its consumer privacy procedures - - and he's not happy with Google's reponse.
Republican Rep. Joe Barton, a key member of the House Energy and Commerce Commiitte, which oversees Internet commerce rules and regulations, slammed Google CEO Eric Schmidt in a letter (included below) that the company is dragging its feet in allowing closer scrutiny of Google's privacy practices. In particular, Barton wants to know
what Google does with search queries, how long information is kept, what data will be merged with DoubleClick's, and how the company performs its partial anonymization of search results. Unlike competitors like Ask.com and AOL, Google does not discard consumer search queries after 18 months -- a practice that Barton calls "disconcerting".
According to the web site, CNETnews.com, The Federal Trade Commission is reviewing the Google-DoubleClick merger, "which Microsoft and a band of pro-regulatory groups are hoping to derail. The FTC could allow the deal to proceed, attempt to block it, or attempt to impose conditions." European regulators are also expected to weigh in on the merger and could have a decision soon.
To date, Google has not commented or responded to Barton's letter, which asks for a reponse by December 18.
Privacy -- or lack of it for its consumers -- could prove to be a powderkeg for Google. With regulatory eyes already trained on Googlepex headquarters, the Doubleclick decision could go against the company because of its lack of consumer privacy protection practices.
(Here is the letter sent by Rep. Barton)
December 12, 2007
Eric Schmidt, Ph.D. Chairman of the Board and CEO Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043
Dear Dr. Schmidt:
On Tuesday, November 6, you visited my office and we discussed a number of topics relating to the online world and Google, in particular. One of these topics was the pending merger of Google and DoubleClick. As you will recall, I voiced concern regarding the potential consumer protection and privacy implications of the merger. You seemed to recognize those and similar concerns as legitimate, and graciously offered assistance to my staff to learn about your company's and the broader industry's current search and targeted advertising practices, as well as the potential ramifications of combining these two functions. This information will be vital as we begin to craft sound policy to appropriately protect consumer information and online behavior.
Your assistance would be a valuable asset in crafting this policy and I attempted to accept your offer. On November 20, I wrote Google corporate officials to request that two counsels from the House Energy and Commerce Committee staff be permitted to visit your California headquarters offices, at Committee expense. The purpose of this trip was to learn first-hand about existing search and targeted advertising technology, what information may be garnered through the use of this technology, how that information is used, and, most importantly, how that information could be used. Google officials with whom we spoke deemed the dates inconvenient, and the request was denied. Since then, all efforts to reach a mutually agreeable time have been rebuffed, and it begins to seem that no date for a visit is sufficiently convenient to Google. Your warm initial invitation followed by Google's chilly response to a proposed visit by Committee counsels is disconcerting.
To help us better understand the privacy and consumer protection implications of this transaction, please respond to the following questions:
1. Please describe Google's retention policy with respect to the following data. Include in your response a description of the type of data retained (for example, URL, Internet Protocol [IP] address, date, time of connectivity); the length of time the data is retained; where the data is retained; who has access to the retained data; and how the data is removed, deleted, or anonymized once the retention period lapses.
a. Search queries on Google search; b. Search queries on Google maps; c. Search queries on Google news; d. Search queries on Google images; e. Email sent, received, or drafted on Gmail; f. Information or data collected or retained through a website's use of Google Analytics; g. Information or data collected or retained from an individual's use of Google Desktop Search, including the Google Desktop Search feature, Search Across Computers; h. Google Maps for Mobile; i. Google Web History Program for registered Google users/Google users with sign-in accounts; j. Information or data collected or retained from an individual's use of Picasa; k. Information or data collected or retained from an individual's use of Calendar; l. Cookies.
2. Please explain how Google uses the information or data described in Question 1(a) - (l), including, but not limited to, the following uses: perfecting Google's search algorithm; operating Google's advertising programs such as AdWords and AdSense; and research or analysis of user activity on www.google.com.
3. Please explain the need to retain collected information for the length of time described in your response to Question 1.
4. Please explain how Google uses the information or data described in Question 1(a) - (1), or any additional data, to drive or target advertisements to individual users' computers.
5. In particular, please explain whether Google Maps directs advertisements to IP addresses based on that user's Google Maps search query history.
6. Please explain how and why information is combined or shared across platforms when consumers opt-in for personalized services and whether Google first requires consent prior to such information-sharing. (For instance, whether search query data is shared with or linked to a user's Gmail account.)
7. Please identify the sections of Google's privacy policy that address the retention and use of the data described in Question 1(a) - (l).
8. Please explain the technology called "rich media" or "interactive multimedia," how this technology works, and what information may be collected by its use.
9. Please explain whether Google utilizes such technology.
10. Please explain whether Google posts a link to its privacy policy on the home page or search results page of www.google.com and, if not, explain why not.
11. In Google's privacy policy, "personal information" is defined as "information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data which can be reasonably linked to such information by Google."
a. Please describe how Google interprets "reasonably linked." b. Please explain in what circumstances Google links information such that an individual can be identified. c. Please explain whether Google considers an IP address to be "personal information." d. Please explain whether technology exists to personally identify or determine the personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user's IP address. e. Please explain whether Google is capable of identifying or determining personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user's IP address.
12. Please define the term "anonymization" as related to the data collected as described in, but not limited to, Question 1(a) - (l).
13. Are Google's practices described in response to Question 12 consistent with industry-wide practices? If not, please describe any variance.
14. Please describe how Google anonymizes IP addresses.
15. Please describe how Google anonymizes cookie data.
16. Please explain whether Google has the capability or has attempted or plans to attempt to combine or merge the data described in Question 1(a) - (l).
17. Please define tracking cookies, which may track users across multiple websites, and how they function.
18. Please explain whether Google uses the tracking cookies described in response to Question 17. If the answer is no, please describe how Google's cookies are distinct from those described in Question 17.
19. Please explain whether Google's cookies reset and, if so, how and when the cookies reset.
20. If the merger of Google and DoubleClick is approved, please describe what use Google plans to make of the data retained and collected by DoubleClick (for example, data from DoubleClick's tracking cookies or DoubleClick click-stream data), and whether Google plans to combine or merge DoubleClick's data with data Google retains from individual search queries and other user activity on www.google.com.
a. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please describe the efficiencies of the Google-DoubleClick merger. b. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please explain how the information will be segregated.
21. Please describe how Google defines "behavioral targeting."
22. Please describe your understanding of the broader industry's definition of "behavioral targeting."
23. Please describe Google's understanding of the Asia-Pacific Economic Cooperation (APEC) guidelines and how the guidelines would apply to Google's practices, including, but not limited to, those functions described in Question 1(a) - (l).
24. The House passed the Securely Protect Yourself Against Cyber Trespass (SPY ACT) in the current and prior two Congresses. The SPY ACT, H.R. 964, sponsored by Representatives Mary Bono and Adolphus Towns, mandates an opt-in privacy regime by prohibiting the collection of personal information from a computer without a user's notice and consent prior to the execution of any information collection program. H.R. 964 also demands that a user be able to easily remove or disable the information collection program. Please explain whether Google's applications are subject to H.R. 964's consent requirements. If the answer is no, please explain why these programs, which collect personal information, are not subject to the consent regime established by H.R. 964.
As I mentioned above, I believe Google's participation in our research into and consideration of the consumer protection implications of a merger of any online search engine and any behavioral or targeted advertising firm is vital to crafting sound national policy. In furtherance of this goal, I hope that we may achieve your response to the above questions no later than Tuesday, December 18, 2007.
Sincerely, Joe Barton Ranking Member
cc: The Honorable John Dingell, Chairman The Honorable Bobby Rush, Chairman, Subcommittee on Commerce, Trade, and Consumer Protection The Honorable Cliff Stearns, Ranking Member, Subcommittee on Commerce, Trade, and Consumer Protection The Honorable Ed Markey, Chairman, Subcommittee on Telecommunications and the Internet The Honorable Ed Whitfield, Member The Honorable Deborah Platt Majoras, Chairman, Federal Trade Commission