Google dings missive to lawmakers: 'We're misunderstood'

Google's full response to US lawmakers' questions

1. Please describe all the information that Google collects from its consumers now. How will this information change after the new privacy policy has been implemented?

Google’s information collection practices are described in Google’s privacy policy.

User data collected by Google can be generally described as belonging to one of three broad categories:

* Log data: the record we keep of a computer’s interaction with our service. This data is unauthenticated, meaning that we don’t know who the user is. All we know is some basic machine identifiers that are sent to our servers from a user’s device. Examples of services where we collect unauthenticated log data are Search and Chrome. Logs enable us to do business-critical operations, such as identify spam and abuse and improve the quality of our search results and other services.

* Account data: the information stored in connection with a Google Account that a user has created. We store this data to provide services to users. For example, a user’s Gmail emails are stored in their Google Account. It’s similar for services like Picasa and Blogger. If you are logged-in and have search history enabled, that service will store a record of your searches in your account. You can access all of this data, you can delete this data, and you can delete your account.

* Service data: content that is not necessarily associated with any user. For example, in Google Maps and Google Earth we show you places of interest overlaid on the map; that data is useful, but it is not associated with any user.

The updated policy does not allow us to collect any new or additional types of information.

2. How is the user’s information collected (i.e. initial sign-up process, usage of mobile phone application, cookies, etc.)?

User information is collected as described in our main Privacy Policy and terms of service, and as permitted under applicable law.

Information is associated with a given user only if the user is signed in to her Google Account. This information is provided by the user – it may include such things as a name, phone number, calendar entries that she adds, emails she sends or receives, Google+ posts she creates, and YouTube videos she uploads. It may also include a record of the user’s previous search queries if the user has search history enabled.

If a user maintains two separate Google Accounts – for example a work account and a personal account – Google will not use information from one account to personalise the other.

The Google Dashboard privacy tool shows users which information is associated with their Google Accounts, and lets users edit that information.

3. Please clarify how Google will use the new information it collects.

The updated privacy policy does not allow us to collect any new or additional types of information about users.

(a.) Will you sell, trade, or rent user information? If so, who has access to users’ personal information?

Google does not sell, trade, or rent personally identifiable user information, and shares it with third parties only with users’ consent and in the limited circumstances described in our privacy policy, such as to satisfy valid legal requests.

(b.) For what purposes do the individuals who buy, trade, or rent user information from Google utilise user information? Does Google contractually establish limitations on the use of such data?

Google does not sell, trade, or rent personally identifiable user information, and shares it with third parties only with users’ consent and in the limited circumstances described in our privacy policy.

(c.) Last year, hackers targeted Gmail users, including some White House staff. What security steps are you taking to protect the new information you are collecting? Does Google store this information in a form that is encrypted or otherwise indecipherable to unauthorised persons?

As explained above, we are not adopting the new policy to allow for collection of any new or additional types of information.

It is important to remember that users of Gmail and other email providers were hacked in this phishing attack because the victims revealed their passwords to the hackers, not through any security weakness in Gmail.

In fact, we provide numerous security features for Google Account holders including two-step verification, SSL encryption of search results and data from services like Gmail, Calendar, and Docs, and notifications to users about suspicious log-ins. In the phishing incident at issue here, several near-victims had turned on our two-step verification tool, which prevented the hackers from accessing those accounts.

We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure, or destruction of data. These include internal reviews of our data collection, storage and processing practices, and security measures including appropriate encryption and physical security measures to guard against unauthorised access to systems where we store personal data.

We restrict access to personal information to Google employees, contractors and agents who need access to that information in order to process it on our behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet those obligations.

4. Please explain Google’s process for sharing data across products, features and services.

(a.) Currently, what data is Google sharing across products, features and services? When did this practice begin? After March 1, 2012, what data will be cross-shared?

For many years, as permitted by our privacy policies, we have combined data within individual accounts in ways that make the user experience better, for example by having a single address book shared between services like Gmail and Google Calendar. Our main Google Privacy Policy has made it clear since 2005 that data collected by Google is used to improve our services generally.

Users are accustomed to their products working together when they are signed in, and expect this consistent experience across their Google Account. The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple.

Giving users easy access to their data across Google products allows them to do useful things such as immediately add an appointment to Calendar when a message in Gmail looks like it’s about a meeting; read a Google Docs memo right in Gmail; use Google+’s sharing feature, circles, to send driving directions to family and friends without leaving Google Maps; and use a Gmail address book to auto-complete a contact’s email addresses when you invite them to work on a Google Docs memo or send them a Calendar invitation to a meeting.

The updated privacy policy reflects our efforts to create one beautifully simple, intuitive user experience across Google. The main change is for users with Google Accounts. It makes clear that, if you are signed in, we may combine information you’ve provided from one service with information from other services. In short, we can treat you as a single user across all our products.

Most of our product-specific privacy policies allowed for sharing of information across products with a Google Account prior to this change. A few did not. Specifically, our policies meant that we couldn’t combine data from YouTube and search history with other Google products and services to make them better. So if a user who likes to cook searches for recipes on Google, we are not able to recommend cooking videos when that user visits YouTube, even though he is signed in to the same Google Account when using both. We want to change that so we can create a simpler, more intuitive Google experience – to share more of each user’s information with that user as they use various Google services.

It’s also important to remember that even after the changes, users will still be able to use many of our products – such as Google Search and YouTube – without having to log into their Google Account or having to create one in the first place.

We will continue to develop new product features in line with our privacy principles by, among other things, being transparent about our practices and providing users with clear choices about how their data is used across our services.

For example, users who log in can use the search history settings to edit or delete their search histories or turn off the product entirely. So a user who doesn’t want search history used for other products can simply delete it or turn it off, consistent with our longstanding commitment to user control.

The updated privacy policy does not change users’ existing privacy settings, nor does it result in any new or additional sharing of their personal information with third parties.

(b.) What products, features, and services were cross-sharing consumer data prior to March 1, 2012? Now that the change has been announced, what products, features and services will cross-share data?

Many of Google’s products have historically shared or had the ability to share data between and among themselves within one Google Account, provided such sharing was permitted under the applicable privacy policy.

We have nothing to announce at this time about new products or features that may share data within a Google Account under the updated privacy policy. As explained above, it will now be possible under the updated policy, for example, to use a signed-in YouTube user’s viewing history to show better search results in Google Search, or to use signed-in search history to show more relevant ads across Google.

We are not changing our commitment to being transparent about our practices, or to offering privacy controls that give users meaningful choices about how their data is used across our services.

(c.) Prior to March 1, 2012, please describe how Google notified its customers, including those who use its products without Google accounts, if and when cross-sharing was occurring. What options did the company give those customers for managing or opting out of this data sharing? After March 1, 2012, how can consumers manage opt-out of cross-sharing of personal data?

Like most similarly situated companies, Google has always reserved the right to use user information from one product or service to improve another product or service, unless a specific product privacy policy restricted such data use. Our main Google Privacy Policy has made it clear since 2005 that data collected by Google is used to improve our products and services generally.

We believe that this approach is in the best interests of our users, and that it is consistent with their expectations.

In addition, we give users choice and control over how they use our products. People can use many of our services, including Search, Maps, Google News, YouTube and more, without logging into their Google Account, or creating one in the first place.

When someone does sign in to use our services, we give her ways to control how the information in her Google Account is used. For example, the user can turn search history on or off, and she can use the Ads Preferences Manager to control how ads are tailored to her interests. Users can visit the Google Dashboard to see all of the information that is stored in their Google account and to edit that information.

The changes we are making in the updated privacy policy enable us to treat you as one signed-in user across all Google services—specifically, we will be able to include your use of signed-in search history and YouTube in your use of all Google services. However, we are not changing our approach to protecting user privacy, and will continue to offer our users meaningful privacy controls.

Furthermore, people can still set up multiple accounts to manage multiple identities, move data between those accounts with Data Liberation tools, and prevent information from one account from being used to personalise another account. If Jane wants to use Google Docs and keep that separate from her personal Google+ account, she may create a work_account_jane@gmail.com account that she uses for Docs, and a personal_account_jane@gmail.com account that she uses for sharing on Google+.

In terms of notifying users about these changes, this is the most extensive user notification effort in Google’s history. On January 24, 2012, we began notifying users including those who use our products without Google Accounts, about the changes. This will continue even after the new Privacy Policy takes effect March 1.

Our notification methods include emails to our users; a promotion on Google.com; in-product notices on properties such as Google Maps, Google News, YouTube and mobile search; a "New" icon beside the Privacy link on many Google pages; an interstitial when users sign into their Google Accounts both on computers and mobile devices; an updated website, www.google.com/policies, that explains the changes and the benefits to users; and a post on the Official Google Blog.

(d.) What process do you use in determining whether to enable a new feature, product or service to share data with another Google product, feature or service? Are you currently in the process of exploring new cross-sharing avenues, including those related to geo-location services? If so, how will you notify customers of any potential changes?

The determination of whether to enable a new feature, product or service to share data with another Google product or service is based, first and foremost, on what we believe will be in the best interests of our users. If we believe such a use of data will deliver a better user experience or more relevant content, for example, then it is likely that such a use will be explored.

We are not prepared to make any specific product or feature announcements yet that might involve the future integration of data across products or services. Future products or features will be developed according to our privacy principles, and under our comprehensive privacy program – a deep and systematic collaboration between our product and engineering teams and our cross-functional privacy team of engineers, researchers, lawyers and other experts to ensure compliance with privacy law and obligations.

As part of our comprehensive privacy program, Google implements reasonable privacy controls and procedures to address identified privacy risks on an ongoing basis. Google’s current privacy controls include the development of privacy design documents, product review by our privacy working group, product and privacy attorneys’ legal review of projects prior to launch, and multiple types and levels of training to ensure that privacy issues are promptly recognised and that appropriate escalation paths and response protocols are consistently followed.

Consistent with our obligations under the FTC Buzz Consent Order, our privacy program is subject to bi-annual independent assessments to confirm that we live up to our privacy commitments.