Original URL: http://www.theregister.co.uk/2013/04/29/hawktalk_google_eu_authorities/

How Google lost the trust of Europe’s data protection authorities

The days of teensy fines may be over for Mountain View

By Amberhawk Training

Posted in Policy, 29th April 2013 09:36 GMT

Opinion Over the last two years, various European data protection commissioners have taken action against Google. Hardly a month goes by without something being reported: a €145,000 (£121,000, $189,000) StreetView fine here or a court case about jurisdiction there.

So it is important to understand: “Why is Google on the receiving end all this enforcement action?” Why now, and not five years ago? What has changed?

From Europe’s data protection commissioners' perspective, there is a collective recognition that Google has given them the equivalent of the two fingers. Despite a lack of powers and resources, (and even though, for example, a maximum fine of £500,000 is a pinprick to an organisation whose profits are running at more than £8bn per year), the commissioners have collectively concluded that not to take action is not an option.

From Google’s perspective, I don’t know whether it is “carelessness” or “arrogance” or a combination of the two. “Carelessness” because data protection regulators generally try to reach some kind of compromise; so why can’t Google compromise? “Arrogance” because Google might have taken the view that it is such a rich, powerful and profitable multinational that it can process personal data despite the concerns of national data protection regulators (and if there is a dispute, tie them down in court processes that wipe out their legal budget).

'Faustian pact' and increasing surveillance

Five years ago, there was an acceptance by most internet users that the free access to services offered by Google involved an undeclared "Faustian pact". The user received the services for free and in return Google captured some data that assists something called “behavioural advertising”.

At that time, the user did not care much because - what the heck - the internet experience was really valuable and of course, the internet got better by the day. The pact was sustained in the knowledge that free access to the internet was (and still is) the main delivery vehicle for uncensored information into authoritarian regimes.

Of course, at that time also, there were a collection of “privacy nutters” bleating on the side-lines, identifying a host of hypothetical or far-fetched problems. For instance, the StreetView images of anonymous individuals (but identifiable to those who know that individual) entering a sex shop or, more recently, receiving a hand-job in the back streets of Manchester. I guess that such images caused more general amusement than concerns over individual privacy – after all the user was not looking at himself or herself.

However, over time, there has been dawning realisation that Google’s surveillance does indeed focus on each and every user; Google follows surfers around the net, wherever they go, whether they are logged into a Google service or not.

As Google’s “free” services expanded and the internet developed, this pact resulted in an unrestrained collection of more data about its users. This in turn resulted in a virtuous (or vicious) spiral; a booming business that needs more and more user data to guarantee higher and higher revenues from advertising.

That is why Google’s mission statement is all about data collection: it states that “Google’s mission is to organise the world’s information and make it universally accessible and useful”. Want a “scary version” of this statement? Just place the word “personal” before the word “information” and ask “accessible by whom?” or “useful for what?”.

It is no surprise that Google’s vast personal data collections are acting as a magnet for other forms of surveillance activity. That is why Governments want access to how the public uses the Internet so that law enforcement can obtain IP addresses and details of browsing habits. The collection and subsequent retention of such personal data concerns all users irrespective of whether or not there are grounds for suspicion for its retention.

The privacy issue here can be simply expressed: the grounds for suspicion about an individual user do not arise before the time of collection of IP addresses etc. Such grounds are found afterwards when the authorities, in some back office and at some time in the future, try to find a “wrong-un”. If a profiling algorithm is used, then any suspicion is likely to be based on a pre-programmed set of assumptions. In this way, the data that Google (and others) collect turns every user into a potential suspect.

Application of the Reagan doctrine

Even with its own privacy pronouncements, Google has been accused of being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the Wi-Fi data collection by its StreetView Camera cars was accidental.

By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such Wi-Fi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.

However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.

So when Google says something about privacy, how do we know that it is kosher? That is why European data protection commissioners are pushing their equivalent of the “Reagan doctrine” at every turn: “Trust but verify”.

So when Google last year changed its Privacy Policy, many data protection commissioners wanted answers to certain questions and the CNIL (the French Data Protection Authority) was given the lead co-ordinating role. All European Commissioners signed a letter containing a number of queries on 26 October 2012 expressing their concerns asking Google to comply with their recommendations within four months. Google’s response was of the two-fingered variety.

The CNIL’s concerns (still unaddressed) were that Google:

So what’s wrong with Google’s privacy policy?

At the heart of Google’s problems, is its privacy policy, and it is quite easy to see why there are issues. For example, just compare one basic definition:

Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google".

UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified: (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”

Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (ie, there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).

Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.

It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?

In practice, I think the Google definition is very close to that found in the Data Protection Act 1984 repealed by the 1998 Act (this required the processing of personal data had to be “by reference to the data subject”). In my view, the definition that Google uses in its Privacy Policy is nearly three decades out of date.

Finally there are questions of the scope of Google’s Privacy Policy. Its website says that it applies to “Information that you give us (for example"; “many of our services require you to sign up for a Google Account”); or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”). There is no reference to personal information obtained by Google from other sources or from the public domain; so the status of such personal information is unclear.

You can see now that Google’s Privacy Policy does indeed raise several legitimate questions as to what it means in the context of data protection legislation which uses different definitions. I think most responsible companies would answer these questions; failure to answer them merely serves to raise suspicion.

The “Starbucks effect” (and the Boston Tea Party)

The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays corporation tax of £6m or so. This latter figure implies its UK profits are of the order £30m per year.

This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The prime minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.

It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.

Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.

Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was: "No taxation without representation".

Google’s version of this is: “Full representation without taxation".


CNIL’s Google links

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.