Marissa's Internet Law Blog

Why does Google think it’s so important to collect data on its users? Google argues that knowing more about people increases Google’s profits as well as improving the average user’s experience. 

Clearly it is economically valuable for companies to find out more about their customers. By tracking our Internet activities, Google learns about our interests and serves us advertisements that we are more likely to click on. Therefore, Google’s advertisers pay Google more money. Additionally, behavioral targeting produces ads that users are less likely to find annoying. Perhaps a user could actually be served with an ad for something they wanted to buy and weren’t able to find anywhere else. 

Additionally, Google claims that behavioral tracking improves people’s search experiences. In their official blog, Google gives the example that if someone has recently been looking at sites on the Louvre and then searches for “Paris,” they’re more likely to get results about the capital of France than about Paris Hilton. (1) Google argues that it helps consumers to personalize their search results automatically, since consumers don’t have to go through the trouble of changing their search preferences to exclude certain terms or types of results. 

Furthermore, data-gathering enables Google to improve its site, which benefits Google and its users. For example, knowing how many people search for each term enables Google to provide its Spell Checker service. If someone types in a less common spelling of a search term, Google prompts them “Did you mean (the more common spelling)?” Then Google can improve the Spell Checker by tracking which suggestions are clicked on and which are not. Google can also track whether people click on the first search result or move on to another page, enabling them to further improve their search engine. According to Google’s blog, “the ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.” (2) 

Tracking also allows Google to protect their site from security threats. Analyzing server logs enables Google to detect possible hacking attempts, phishing, spam, and attempts to monopolize their servers. The official blog goes so far as to say that “immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk.” (2) 

These benefits to Google and its customers would be diminished if users could easily opt out of being tracked. Perhaps people who often search for controversial or embarrassing topics would opt-out at a disproportionate rate, so Google’s collection of data would not accurately represent how people search. Google might argue that if data was collected on an opt-in basis, some people would be unaware of the possibilities for personalization that Google offers and would be unable to take full advantage of its services. 

Sources:

http://googleblog.blogspot.com/2007/09/search-privacy-and-personalized-search.html

http://googleblog.blogspot.com/2007/05/why-does-google-remember-information.html

I did an earlier post on U.S. privacy laws, but here I’ll recap the various laws that exist in the U.S. and around the world that limit search engines’ data-gathering powers.

The European approach to privacy tends to view privacy as a human right upon which private companies cannot infringe. The European Union has adopted a framework called the European Privacy Directive, which provides guidelines for individual nations to develop and enforce their own laws. In France, for example, employers cannot fire workers based on things they find when reading the workers’ personal emails. (1) Databases of consumer information in Europe must be registered with the government, and telemarketers and spammers can only target people who have explicitly given their permission. (1)

The Asia-Pacific Economic Cooperation (APEC) framework, on the other hand, is very weak when it comes to protecting consumers’ rights. Consumers must prove actual financial damage from the tracking and/or disclosure of their data in order for a company to be in violation of the law, something that is usually practical only in cases of identity theft. (2) This policy ignores the non-financial reasons why people value privacy, such as avoiding embarrassment or merely disliking the idea that all of one’s activities are recorded.

In the U.S., the word “privacy” is not mentioned in the Constitution, and as a result laws to protect privacy have arisen haphazardly. “There are so many industries with well-paid lobbyists ready to pounce, the minute you propose anything of any breadth you are inundated with whiny companies,” says George Washington University professor Daniel Solove. “It’s easier to do something pretty narrow and go after the ‘now’ problem and limit the amount of companies that are angry at you.” (1) For example, the Video Privacy Protection Act was passed in 1988 after a newspaper published a Supreme-Court nominee’s video rental records (1), and the Telemarketing Do-Not-Call Registry was created by the FTC in 2003 because of consumers’ frustration at excessive telemarketing calls during dinner. (3) In general, laws in the U.S. place more emphasis on protecting people from privacy intrusions by the government, while ignoring similar intrusions by private companies.

Sources: 

1. Sullivan, Bob. “Privacy Lost: EU, U.S. laws differ greatly.” MSNBC. 19 Oct. 2006. 4 Jan. 2008 <http://www.msnbc.msn.com/id/15221111/>.

2. Holtzman, David. “Google’s Paltry Privacy Proposal.” BusinessWeek.com. 12 Oct. 2007. 2 Jan. 2008 <http://www.businessweek.com/technology/content/oct2007/tc20071011_180811.htm?chan=top+news_top+news+index_technology>.

3. Hoofnagle, Chris. “Privacy Self-Regulation: A Decade of Disappointment.” EPIC. 4 Mar. 2005. 4 Jan. 2008 <http://epic.org/reports/decadedisappoint.html>.

Are Google and other search engines doing anything illegal? For the most part, the answer is no. Virtually no laws exist in the U.S. to limit websites’ abilities to gather information on their users. Some laws, such as the California Online Privacy Protection Act, require websites to disclose their privacy policies, but such laws do not make any recommendations as to what the privacy policies should be.

However, some search engines, including Google, may be in violation of the California law’s guidelines of what a site must do to “conspicuously post” its policy. The law states that a site that collects data about its users must display a link to the privacy policy on its home page or “in the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.”  

It’s hard to determine exactly what constitutes a “reasonably accessible means.” Google has a link on the home page to an “About Google” page, and only when a user follows this link does a link to the privacy policy appear at the bottom of the page. Would a reasonable user necessarily think to go to “About Google” to learn about the privacy policy? And maybe, not seeing privacy as one of the topics listed in the main body of the “About” page, the user wouldn’t think to look for it at the bottom. I think it would make a lot more sense for Google to simply include a link to the privacy policy at the bottom of every page. There doesn’t seem to be a good reason for leaving this link off the home page. But because of the vague wording of the law, it is almost impossible to determine whether or not Google is meeting its legal obligations.

Source: California Online Privacy Protection Act of 2003 <http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579>