This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Google's Privacy Policy and the Law

European authorities claim Google is breaching EU law, while their combined data stash might prove all too tempting to US and other law enforcement agencies.

Google's privacy policy consolidation may be in breach of EU law, while the merged data stash might prove all too tempting to US and other law enforcement agencies.

The scrutiny they are under reflects the lack of agility with which Google has handled the questions of privacy swirling about the company, and can be traced back to the way they have built their business. Facebook collects a similar quantity of user data across a vast ecosystem of programs and partnerships. They got there by "boiling the frog" -- by gradualy taking more and more data under the aegis of the unified Facebook brand. In contrast, Google expanded their product space by small "20 percent" projects and acquisitions, until by 2011 when Larry Page took the reins the product catalog was a smorgasbord. As Google now attempts to share all its data across its diverse products, the move has the appearance of a "big bang" of privacy violation, rather than a gradual raising of the heat.

On March 1, Google put into effect its plan to share user data across many of its online properties, and simplified into a single policy over 60 privacy policies scattered across the Google galaxy. Pretty much everything except Google Books and Google Wallet is now under a unified privacy policy. Now, your Gmail activity might affect the results you see in a Google search; and what you search for could help determine which ads you see on YouTube.

Here's a sample of the data Google collects from users' computers and phones: phone number, carrier, computer model and OS, serial number, IP address, call records, location information (even if GPS is turned off), cookie data, Google search history, YouTube search history, Gmail history, the headers and bodies of all Gmail emails, the documents stored on Google Docs, and social media activity on Google+.

What does Google want with all that data? I'm not sure they know the full answer to that question themselves yet. Certainly it will help them to target advertising, both display ads and search ads; with the combined data they will be in a better position than almost anyone, Facebook possibly excluded, to zero in on users' interests. Google's public statements allude to improving search results using the collected data.

Aghast in the EU
The company's move upset a lot of people. A privacy group filed suit to force the FTC to move against the privacy change (the suit was thrown out). The attorneys general of 36 states sent a letter to Google CEO Larry Page, expressing their concern that users would not be able to opt out of being tracked -- especially users of Android phones.

The European Union went farther: The EU's justice commissioner declared that the changes Google had made are in breach of European law. This followed a letter to Google from France's privacy watchdog agency, CNIL, urging a pause in the rollout of the policy change. "The CNIL and EU data authorities are deeply concerned about the combination of personal data across services: they have strong doubts about the lawfulness and fairness of such processing and its compliance with European data protection legislation," the French regulator wrote to Google.

The other end of the law
The changes Google made could have a different kind of problem with the law. All that data represents a big, juicy honeypot to law enforcement and other government agencies. The Patriot Act gives the US government the ability to demand any such data held by an ISP, without a warrant or court order, and then to gag the ISP from telling anyone that the data has been requested or divulged. Google's Government Requests page shows that in the first half of 2011, the company received over 15,700 data requests from governments worldwide; 38 percent of these were from the US. Google has a department devoted to answering governments' requests.

Now that the FBI has been forbidden to place GPS receivers on suspects' cars, with what covetous eyes might they view Google's trove of location data regarding someone's Android phone?

Google's timing in rolling out this feature is unfortunate, following as it does so many privacy uproars across the technology landscape. It demonstrates that, for all their apparent attention to privacy issues, Google has something of a tin ear when it comes to judging the reception its moves will encounter.