Original URL: http://www.theregister.co.uk/2012/01/31/google_privacy_missive/

Google dings missive to lawmakers: 'We're misunderstood'

Chocolate Factory promises it's not locking your privates in a vice

By Kelly Fiveash

Posted in Law, 31st January 2012 16:54 GMT

Google has responded to US politicos who demanded answers after the advertising giant announced it was "simplifying" its privacy policies across its huge online estate.

In a letter to eight members of Congress, Google's director of public policy, Pablo Chavez, explained he was hoping to "correct some of the misconceptions" about the tweaks to Mountain View's Terms of Service.

"Some have expressed concern about whether consumers can opt out of our updated privacy policy. We understand the question at the heart of this concern," he added in his preamble.

"We believe that the relevant issue is whether users have choices about how their data is collected and used. Google’s privacy policy – like that of other companies – is a document that applies to all consumers using our products and services. However, we have built meaningful privacy controls into our products, and we are committed to continue offering those choices in the future."

Chavez went on to cheerily highlight various "key points" that Google wanted to "clarify".

Apparently, telling people that changes to Google's privacy policy were imminent shows that the company leads "the industry in transparency", but then we suppose that depends on exactly how one might wish to define the word transparency.

He reiterated comments made by the search biz last week about Google users' continued right to have "choice and control".

Chavez, who before joining the ad giant worked on - among other things - internet censorship and privacy for Republican Senator John McCain, went on to list the variety of privacy tools made available to punters with Google accounts.

The Google counsel skirted over the fact that users have to proactively opt out of being tracked around the internet by Mountain View - an opportunity presented when they log into Google+ and other products the company has knitted together.

He did say that "the privacy policy changes don't affect our users' existing privacy settings. If a user has already used our privacy tools to opt out of personalised search or ads, for example, she will remain opted out".

No more data will be collected by Google than is currently the case, Chavez said. Nor will any "personally identifiable information" be sold on.

"Our updated privacy policy simply makes it clear that we use data to refine and improve our users’ experiences on Google – whichever services they use. This is something we have already done for a long time for many of our products."

He used examples of how a user could keep Google services separate from one another. A Gmail user doesn't have to use Google+, Chavez said, without pointing out that all new signups to the email service are automatically logged into its social network by default.

A user can have different accounts, too, said Google's policy wonk. A surprising comment given how keen the company is to be the online identity shepherd.

One of the changes to Google's privacy policy will see the company being able to pepper YouTube with relevant search results for individual users. We think this means Google has finally found a way to make money from the video-sharing website it bought in 2007 for $1.65bn.

On other plans for sharing data across its products, Google declined to comment, preferring to tell the members of Congress that it had nothing else to announce at this time. ®

Google's full response to US lawmakers' questions

1. Please describe all the information that Google collects from its consumers now. How will this information change after the new privacy policy has been implemented?

Google’s information collection practices are described in Google’s privacy policy.

User data collected by Google can be generally described as belonging to one of three broad categories:

* Log data: the record we keep of a computer’s interaction with our service. This data is unauthenticated, meaning that we don’t know who the user is. All we know is some basic machine identifiers that are sent to our servers from a user’s device. Examples of services where we collect unauthenticated log data are Search and Chrome. Logs enable us to do business-critical operations, such as identifying spam and abuse and improving the quality of our search results and other services.

* Account data: the information stored in connection with a Google Account that a user has created. We store this data to provide services to users. For example, a user’s Gmail emails are stored in their Google Account. It’s similar for services like Picasa and Blogger. If you are logged in and have search history enabled, that service will store a record of your searches in your account. You can access all of this data, you can delete this data, and you can delete your account.

* Service data: content that is not necessarily associated with any user. For example, in Google Maps and Google Earth we show you places of interest overlaid on the map; that data is useful, but it is not associated with any user.

The updated policy does not allow us to collect any new or additional types of information.

2. How is the user’s information collected (i.e. initial sign-up process, usage of mobile phone application, cookies, etc.)?

User information is collected as described in our main Privacy Policy and terms of service, and as permitted under applicable law.

Information is associated with a given user only if the user is signed in to her Google Account. This information is provided by the user – it may include such things as a name, phone number, calendar entries that she adds, emails she sends or receives, Google+ posts she creates, and YouTube videos she uploads. It may also include a record of the user’s previous search queries if the user has search history enabled.

If a user maintains two separate Google Accounts – for example a work account and a personal account – Google will not use information from one account to personalise the other.

The Google Dashboard privacy tool shows users which information is associated with their Google Accounts, and lets users edit that information.

3. Please clarify how Google will use the new information it collects.

The updated privacy policy does not allow us to collect any new or additional types of information about users.

(a.) Will you sell, trade, or rent user information? If so, who has access to users’ personal information?

Google does not sell, trade, or rent personally identifiable user information, and shares it with third parties only with users’ consent and in the limited circumstances described in our privacy policy, such as to satisfy valid legal requests.

(b.) For what purposes do the individuals who buy, trade, or rent user information from Google utilise user information? Does Google contractually establish limitations on the use of such data?

Google does not sell, trade, or rent personally identifiable user information, and shares it with third parties only with users’ consent and in the limited circumstances described in our privacy policy.

(c.) Last year, hackers targeted Gmail users, including some White House staff. What security steps are you taking to protect the new information you are collecting? Does Google store this information in a form that is encrypted or otherwise indecipherable to unauthorised persons?

As explained above, we are not adopting the new policy to allow for collection of any new or additional types of information.

It is important to remember that users of Gmail and other email providers were hacked in this phishing attack because the victims revealed their passwords to the hackers, not through any security weakness in Gmail.

In fact, we provide numerous security features for Google Account holders including two-step verification, SSL encryption of search results and data from services like Gmail, Calendar, and Docs, and notifications to users about suspicious log-ins. In the phishing incident at issue here, several near-victims had turned on our two-step verification tool, which prevented the hackers from accessing those accounts.

We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure, or destruction of data. These include internal reviews of our data collection, storage and processing practices, and security measures including appropriate encryption and physical security measures to guard against unauthorised access to systems where we store personal data.

We restrict access to personal information to Google employees, contractors and agents who need access to that information in order to process it on our behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet those obligations.

4. Please explain Google’s process for sharing data across products, features and services.

(a.) Currently, what data is Google sharing across products, features and services? When did this practice begin? After March 1, 2012, what data will be cross-shared?

For many years, as permitted by our privacy policies, we have combined data within individual accounts in ways that make the user experience better, for example by having a single address book shared between services like Gmail and Google Calendar. Our main Google Privacy Policy has made it clear since 2005 that data collected by Google is used to improve our services generally.

Users are accustomed to their products working together when they are signed in, and expect this consistent experience across their Google Account. The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo! and Apple.

Giving users easy access to their data across Google products allows them to do useful things such as immediately add an appointment to Calendar when a message in Gmail looks like it’s about a meeting; read a Google Docs memo right in Gmail; use Google+’s sharing feature, circles, to send driving directions to family and friends without leaving Google Maps; and use a Gmail address book to auto-complete a contact’s email addresses when you invite them to work on a Google Docs memo or send them a Calendar invitation to a meeting.

The updated privacy policy reflects our efforts to create one beautifully simple, intuitive user experience across Google. The main change is for users with Google Accounts. It makes clear that, if you are signed in, we may combine information you’ve provided from one service with information from other services. In short, we can treat you as a single user across all our products.

Most of our product-specific privacy policies allowed for sharing of information across products with a Google Account prior to this change. A few did not. Specifically, our policies meant that we couldn’t combine data from YouTube and search history with other Google products and services to make them better. So if a user who likes to cook searches for recipes on Google, we are not able to recommend cooking videos when that user visits YouTube, even though he is signed in to the same Google Account when using both. We want to change that so we can create a simpler, more intuitive Google experience – to share more of each user’s information with that user as they use various Google services.

It’s also important to remember that even after the changes, users will still be able to use many of our products – such as Google Search and YouTube – without having to log into their Google Account or having to create one in the first place.

We will continue to develop new product features in line with our privacy principles by, among other things, being transparent about our practices and providing users with clear choices about how their data is used across our services.

For example, users who log in can use the search history settings to edit or delete their search histories or turn off the product entirely. So a user who doesn’t want search history used for other products can simply delete it or turn it off, consistent with our longstanding commitment to user control.

The updated privacy policy does not change users’ existing privacy settings, nor does it result in any new or additional sharing of their personal information with third parties.

(b.) What products, features, and services were cross-sharing consumer data prior to March 1, 2012? Now that the change has been announced, what products, features and services will cross-share data?

Many of Google’s products have historically shared or had the ability to share data between and among themselves within one Google Account, provided such sharing was permitted under the applicable privacy policy.

We have nothing to announce at this time about new products or features that may share data within a Google Account under the updated privacy policy. As explained above, it will now be possible under the updated policy, for example, to use a signed-in YouTube user’s viewing history to show better search results in Google Search, or to use signed-in search history to show more relevant ads across Google.

We are not changing our commitment to being transparent about our practices, or to offering privacy controls that give users meaningful choices about how their data is used across our services.

(c.) Prior to March 1, 2012, please describe how Google notified its customers, including those who use its products without Google accounts, if and when cross-sharing was occurring. What options did the company give those customers for managing or opting out of this data sharing? After March 1, 2012, how can consumers manage or opt out of cross-sharing of personal data?

Like most similarly situated companies, Google has always reserved the right to use user information from one product or service to improve another product or service, unless a specific product privacy policy restricted such data use. Our main Google Privacy Policy has made it clear since 2005 that data collected by Google is used to improve our products and services generally.

We believe that this approach is in the best interests of our users, and that it is consistent with their expectations.

In addition, we give users choice and control over how they use our products. People can use many of our services, including Search, Maps, Google News, YouTube and more, without logging into their Google Account, or creating one in the first place.

When someone does sign in to use our services, we give her ways to control how the information in her Google Account is used. For example, the user can turn search history on or off, and she can use the Ads Preferences Manager to control how ads are tailored to her interests. Users can visit the Google Dashboard to see all of the information that is stored in their Google account and to edit that information.

The changes we are making in the updated privacy policy enable us to treat you as one signed-in user across all Google services—specifically, we will be able to include your use of signed-in search history and YouTube in your use of all Google services. However, we are not changing our approach to protecting user privacy, and will continue to offer our users meaningful privacy controls.

Furthermore, people can still set up multiple accounts to manage multiple identities, move data between those accounts with Data Liberation tools, and prevent information from one account from being used to personalise another account. If Jane wants to use Google Docs and keep that separate from her personal Google+ account, she may create a work_account_jane@gmail.com account that she uses for Docs, and a personal_account_jane@gmail.com account that she uses for sharing on Google+.

In terms of notifying users about these changes, this is the most extensive user notification effort in Google’s history. On January 24, 2012, we began notifying users including those who use our products without Google Accounts, about the changes. This will continue even after the new Privacy Policy takes effect March 1.

Our notification methods include emails to our users; a promotion on Google.com; in-product notices on properties such as Google Maps, Google News, YouTube and mobile search; a "New" icon beside the Privacy link on many Google pages; an interstitial when users sign into their Google Accounts both on computers and mobile devices; an updated website, www.google.com/policies, that explains the changes and the benefits to users; and a post on the Official Google Blog.

(d.) What process do you use in determining whether to enable a new feature, product or service to share data with another Google product, feature or service? Are you currently in the process of exploring new cross-sharing avenues, including those related to geo-location services? If so, how will you notify customers of any potential changes?

The determination of whether to enable a new feature, product or service to share data with another Google product or service is based, first and foremost, on what we believe will be in the best interests of our users. If we believe such a use of data will deliver a better user experience or more relevant content, for example, then it is likely that such a use will be explored.

We are not prepared to make any specific product or feature announcements yet that might involve the future integration of data across products or services. Future products or features will be developed according to our privacy principles, and under our comprehensive privacy program – a deep and systematic collaboration between our product and engineering teams and our cross-functional privacy team of engineers, researchers, lawyers and other experts to ensure compliance with privacy law and obligations.

As part of our comprehensive privacy program, Google implements reasonable privacy controls and procedures to address identified privacy risks on an ongoing basis. Google’s current privacy controls include the development of privacy design documents, product review by our privacy working group, product and privacy attorneys’ legal review of projects prior to launch, and multiple types and levels of training to ensure that privacy issues are promptly recognised and that appropriate escalation paths and response protocols are consistently followed.

Consistent with our obligations under the FTC Buzz Consent Order, our privacy program is subject to bi-annual independent assessments to confirm that we live up to our privacy commitments.

5. Please explain Google’s practices regarding the archiving of user information, and how this will change once its new privacy policy is in place.

The updated Privacy Policy does not materially change our archiving or deletion practices.

(a.) Does Google offer users the option to permanently delete their personal information from its archives? If not, why not?

We make good-faith efforts to provide our users with access to their personal information and to delete such data at their request, if it is not otherwise required to be retained by law or for legitimate business purposes. The current archiving system was originally built to be highly reliable for data retention in order to prevent data loss in case of failures, which must be balanced against deletion requests.

After receiving a deletion request from a user, archived copies will expire and the archival system has mechanisms to subsequently overwrite expired archived data. Data may be retained for a number of reasons, such as when required for legal compliance.

(b.) Please describe the technical challenges faced when responding to users’ requests for deletion of data. How long does it take for data to actually be removed?

As is described above, immediate deletion is not always practicable due to the way the archiving system operates. Also, other considerations such as legal requirements may impair our ability to immediately process a deletion request. However, Google has processes in place to remove user data from active serving systems within a reasonable period of time after a user asks us to close his or her Google Account. Various Google services adhere to different deletion guidelines.

(c.) Does Google store or permanently delete user information once a user closes or deletes his or her Gmail account or Google+ account?

When a Google account is closed, Gmail and Google+ have processes in place to remove account data from Google’s active serving systems within a reasonable period of time.

(d.) If Google retains information from deleted accounts, how long is it archived and for what purpose?

The data is archived on tapes to ensure data recovery in case of failures. Retention periods for archived data vary depending on data source, technology type, and business requirements. Retention can be for a set period (such as 60 days) or for the life of the storage medium.

6. According to an article in The Washington Post, “Consumers won’t be able to opt-out of the changes, which will take effect March 1.” Please explain if consumers will have the option to opt-out of any data collection, usage practices, and information sharing between Google’s many services, including Gmail, Google Search, and YouTube. If so, how can a consumer make this request successfully? If not, why not?

If people continue to use Google services after March 1, they’ll be doing so under the updated privacy policy. The use of a primary privacy policy that covers many products and enables the sharing of data between them is an industry standard approach adopted by companies such as Microsoft, Facebook, Yahoo!, and Apple.

It’s also important to remember that even after the changes, users will still be able to use many of our products – such as Google Search and YouTube – without logging into their Google Account or creating one in the first place.

We will continue to develop new product features in line with our privacy principles, including being transparent about our practices and providing users with clear choices about how their data is used across our services.

For example, users who log in can use the search history settings to edit or delete their search history or turn off the product entirely. These types of tools give users clear choice if they don’t want to combine information from their search history with other information in their Google account under the updated privacy policy, consistent with our longstanding commitment to user control.

Other privacy controls that offer users choices about how data is used include:

* Google Dashboard, which shows what information is stored in your Google Account and allows you to edit that information;

* Google’s Ads Preferences Manager, which allows you to view and edit the information we use to show you personalised ads, or to turn off ads personalisation entirely, on those partners’ sites, Gmail and search;

* "Off-the-record" chat in Gmail, if you don’t want your instant message conversations archived;

* Incognito browsing in the Chrome browser, which lets you surf the web in stealth mode; and

* Session-wide SSL encryption in Gmail and search results for signed-in users by default, which helps protect your email and search results from being snooped on by others using your Internet connection (like a WiFi hotspot).

In addition, users can set up multiple accounts to manage multiple identities, move data between those accounts with Data Liberation tools, and prevent information from one account being used to personalise another account. If Jane wants to use Google Docs and keep that separate from her personal Google+ account, she may create a work_jane@gmail.com account that she uses for Docs, and a personal_jane@gmail.com account that she uses for sharing on Google+.

7. Does Google plan to offer distinct privacy protections for children and teens?

We are deeply committed to protecting the privacy of all of our users in their online activities, and especially to ensuring that teenagers enjoy appropriate privacy protections online.

Our services are intended for general audiences and are not directed at children. We do not allow consumers to sign up for a Google account if they indicate that they are under the age of 13. We have invested significant resources in developing tools that enable teens to have a safe and positive experience while using Google services. More generally, we offer industry-leading tools that let parents protect their family’s privacy and safety.

For example, we have built a number of features into Google+ that protect teenagers’ privacy and enable them to have an age-appropriate experience while letting them build meaningful connections online.

We provide teens with in-product guidance about how to protect their privacy, set default privacy controls for teen accounts to more conservative settings, and offer educational resources specifically designed for teenage users. When teens try to share content outside of their private circles, we provide an in-product notification encouraging them to think before they post. Google+ gives users control over who can contact them online, and by default, only those in a teen’s circles can communicate with that teen.

Furthermore, a teenager can with a couple of clicks block someone from communicating with him or her. If a teenager is using the Hangouts feature in Google+ to do a live multi-person video chat and a stranger outside of a teen’s circles joins the Hangout, we temporarily remove the young adult and give him or her a chance to rejoin.

We also provide expanded abuse reporting functionality across Google+ to give teens powerful tools to maintain positive interactions. Finally, the Google+ Safety Center offers educational resources that describe these tools in more detail and explains how teens can protect their privacy and safety online, including resources such as a Google+ Teen Safety Guide, a Parent's Guide to Google+, and other tips and advice from child safety organisations.

More generally, Google offers users tools to control how the information they post is shared with other users. For example, a user can set a YouTube video to private so that it is only shared with specified people. Sharing controls across Google products puts users in control of what content they share online, including photos, personal blogs, and profile information, by allowing them to share this content with as many or as few people as they choose.

Other tools that Google offers to enable families to protect their privacy and safety online include: our SafeSearch feature for web search that parents can use to filter sexually explicit images and text in search results, YouTube Safety mode that allows users to exercise control to avoid exposure to potentially objectionable video content, and reporting tools to enforce community standards across our products.

In addition to developing tools to empower our users to protect their privacy online, we invest significant resources in providing educational initiatives to promote awareness about online privacy and safety, and in collaborating with industry and law enforcement partners on additional safety initiatives to protect children. We would be happy to provide you with additional information about these efforts at your request.

8. Please explain exactly how a user of an Android Phone will be affected by Google’s new policy. Is there any ability for users to opt-out, other than not purchasing and using an Android phone? How will Google’s new policy affect users who do not use an Android phone but automatically stay logged into their Gmail accounts on their phones?

Our updated privacy policy, like the prior versions, covers users signed into their Google Accounts on Android phones just as it does users signed into their Google Accounts from a desktop computer. So the change will not have any significant impact on users of Android phones, and we are not collecting any new or additional data about Android users in connection with this change.

Users can choose not to log into an Android phone with a Google Account and still use it to place phone calls, send text messages, browse the web and use certain Google applications that do not require account authentication such as Google Maps. Some Google applications such as Android Market and Gmail require authentication with a Google Account.

9. How does Google plan to be open and transparent with its users concerning its new privacy policy?

We are conducting the most extensive user notification effort in Google’s history. On January 24, 2012, we began notifying users, including those who use our products without Google Accounts, about the changes. This will continue even after the updated Privacy Policy takes effect March 1.

Our notification methods include emails to our users; a promotion on Google.com; in-product notices on properties such as Google Maps, Google News, YouTube and mobile search; a "New" icon beside the Privacy link on many Google pages; an interstitial when users sign into their Google Accounts both on computers and mobile devices; an updated website, www.google.com/policies, that explains the changes and the benefits to users; and a post on the Official Google Blog.

We also are displaying our current privacy policy as well as the updated privacy policy so users can read and compare both documents.

10. Which Google products, features, and services on Google or third party devices and websites are subject to the new main privacy policy? Which are not? For each, please explain why each of these products was included or excluded from the new main privacy policy. For each, describe any changes under the new policy in the ways that data is allowed to be collected or shared (regardless of whether Google does or does not plan on making any immediate operational changes to data collection and sharing on these products, features, devices, or services).

The updated main privacy policy applies to all relevant Google products, features and services with the following limited exceptions. We’re maintaining three product-specific privacy notices, linked to from the main Privacy Policy: Google Wallet, Google Books and Chrome.

Google Wallet is a financial service and therefore regulated by industry-specific privacy laws that require detailed descriptions of our practices. For Chrome and Books, we wanted to explain our privacy practices specific to those products in more detail without cluttering up the main Privacy Policy.

In addition, we are currently keeping the following standalone privacy policies or notices, some of which are carried over from recent acquisitions (which are identified with an asterisk after the name), and others which require their own separate privacy policies due to legal requirements or contractual commitments: AdMob*, BeatThatQuote, CleverSense*, Google Jobs, Google Health, InviteMedia*, Location Services in Firefox, reCAPTCHA, Teracent*, The Dealmap*, and Zagat*.

11. What are the names of all of the Google products and services? For each product, are you able to use that product without logging in?

Users don’t need to log in to use many of our products and services including Search, Maps and YouTube.

Google’s main consumer-facing products are listed at: www.google.com/intl/en/about/products/index.html.

Of those listed, the following products and services may be used without signing in:

Web Search, Google Chrome, iGoogle, Toolbar, Mobile, Maps for Mobile, Search for Mobile, YouTube, Books, Images, News, Videos, Picasa, Picnik, Google Offers, Maps, Earth, Panoramio, SketchUp, Sites, Translate, Google+, Blogger, Groups, Knol, Orkut, Blog Search, Custom Search, Patent Search, Product Search, Finance, Scholar, Trends, Code.

Also, though not included on that page, Chrome OS and Android may be used without signing into a Google account.

For many of our products and services, additional functionality is enabled when the user signs in to his or her Google account. Furthermore, when users do log in, we give them ways to control how the information in their account is used. For example, they can use the Google Dashboard to see and control what information we associate with their account. They can also turn off search personalisation, turn off or edit their search history, turn their Gmail chats to "off the record" and use the Ads Preferences Manager to control how ads are tailored to them.