Feeds

Google’s privacy policy: Incoherent and confusing

Separating 'personal info' from 'personal data' and 'sensitive personal info'...

Top 5 reasons to deploy VMware with Tegile

Comment: Google’s new combined Privacy Policy (March 2012) has been widely criticised by privacy professionals and Data Protection Authorities (in particular the CNIL – the French Data Protection Authority). However, so far the reasons for this criticism have been made in general terms. Here is a more detailed explanation.

Google’s Privacy Policy is incoherent because it uses overlapping terms. This makes it difficult to follow, and makes it difficult to discern what type of information the policy is claiming to protect. It cannot be fair to users if they cannot easily understand what the privacy policy means for them. The policy is also unfair in conventional terms as it does not, in many instances, fully describe the purposes of the processing.

Secondly, as the CNIL claims, it may be that Google's privacy policy is in breach of the Data Protection Directive – and even of USA’s Safe Harbor Principles2 (see analysis below). Google's privacy policy states that “Google complies with the US-EU Safe Harbour Framework”: but I can show that this claim cannot be substantiated if Google’s new privacy policy is implemented.

Contradictory and confusing: overlapping terms

The privacy policy uses a wide range of similar terms in different circumstances which I think are contradictory. For example, it uses the following terms: “information”, “personal information”, “personal data”, “data”, “non-personally identifiable information", “personally identifiable information”, “sensitive personal information", and "other information that identifies you". Are these terms talking about the same thing? Put simply, the reader doesn’t know for certain.

So when one part of the policy offers protection for “personal information”, another offers protection for “personal data”, another for “personally identifiable information” and yet another for "other information that identifies you" is the policy referring to the same type of information or not? Answers on a postcard to Google.

This is not the only problem. At times the policy uses a qualifier (eg, “log information” or “location information”). "Log information" by the way are the "details of how you used our service, such as your search queries" while "location information" is "information about your actual location" (my emphasis).

Can we have a quick quiz? Can you tell me whether “information” about your use or your location is “non-personally identifiable information” or “personal information”? My own view is that, because the policy uses the word “information” to describe logs and locations, that Google thinks it to be the former, but I suspect you think it could well be the latter.

Confused? You can now safely join the ranks of those who do not know what Google’s Privacy Policy means in practice.

Why is it in breach of the Directive and Safe Harbor?

The CNIL has claimed that, at first reading, Google’s Privacy Policy is in breach of the Directive, a claim so far not accepted by Google. As the Directive is the legislation mentioned expressly in the Safe Harbor Framework, I have checked whether Google’s Privacy Policy is consistent with the terms of that Framework.

There are demonstrable areas where Google’s Privacy Policy is inconsistent with the Safe Harbor Principles2. It follows that it is inconsistent with the Directive. These areas include the following:

1. Safe Harbor requires acceptance of the EU Directive definition of “personal data” – Google’s Privacy Policy uses a definition which is close to that used by the old UK’s Data Protection Act 1984 (and ignores the Directive definition of personal data completely).

2. Safe Harbor requires acceptance of the EU Directive definition of sensitive personal data – Google’s Privacy Policy does not include all items of sensitive personal data identified in the Directive.

3. Safe Harbor requires acceptance of the right of access to personal data – Google’s Privacy Policy includes some administrative exemptions from the right of access to personal data that are not authorised by Safe Harbor.

4. The confusion in the Privacy Policy does not meet the Safe Harbor requirement for clarity; there are several places where the purposes of the processing are not fully described by the Policy.

5. Google’s co-operation with data protection authorities specified in the Privacy Policy relates only to the transfer of personal data; Safe Harbor requires co-operation across the whole Framework.

Concluding comment

Everybody uses Google because its services are free and very useful. However, because they are “free”, it does not mean that Google can take the privacy of its users for granted in order to maximise profit. Its privacy policy1, I am afraid to say, is incoherent, unclear, and likely lead to breaches of data protection legislation. In my view, the Policy needs a major overhaul.

Secondly, I don’t think Google (and other USA corporations, I have to say) have quite “got it” in the context of the messages coming out of the Leveson Inquiry. Google has not understood that a large multinational communications company, headed by the Murdochs, is in trouble not because it invaded the privacy of celebrities, but because it invaded the privacy of ordinary individuals. Google’s meat and drink is the processing of personal data and data relating to millions of ordinary citizens.

The Murdochs thought they were so large and powerful that they were invincible and it appears that Google does the same. By ignoring basic data protection laws and rules in the way described in its own policy, even those agreements established in the USA, Google is taking some unnecessary risks.

References

1Google's Privacy Policy and related FAQs

2The US Safe Harbor Harbor Privacy Principles – issued by the US Department of Commerce on 12 July, 2000.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.