That, perhaps, is the central truth that Google’s policy exposes: As much as corporations and websites can do to protect users’ privacy — and they can do a lot — the burden will increasingly fall on users. Google deserves some credit for trying, and mostly succeeding, to make it easier to understand what’s at stake.
EDITORIAL | BLOOMBERG NEWS
The only Web company that is also a verb has run into the language barrier. How do you say “Google privacy policy” in French? (It’s “regles de confidentialite Google.” Thanks, Google Translate.)
Google’s new privacy policy, which took effect Thursday, is in general a praiseworthy effort. But it has won only faint applause, especially in Europe. This may have less to do with Google specifically than with privacy generally, and with the differing European and American definitions of the term. At its base this is a philosophical dispute, which is oddly encouraging: All everyone has to do is figure out the least disruptive way to disagree and move on.
And disagree they do. The French National Commission for Computing and Civil Liberties, acting on behalf of a group of European Union officials, sent Google a letter Monday saying the new rules may violate European law. Thirty-six U.S. attorneys general also sent a letter to Google Chief Executive Officer Larry Page. Meanwhile, Google has found little support from privacy groups like the U.S.-based Electronic Privacy Information Center, which sued in federal court to get the Federal Trade Commission to stop the change.
You’d think Google had announced it would start collecting terabytes of data about you, your neighbor and your dog, if he’s ever online. You’d be wrong: Google already does that. Google is not collecting any new information; rather, it is sharing (with itself) more of the information it already has. As of Thursday, Google says, it is combining “information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products.” The change reduces more than 60 of the company’s privacy policies, spread over as many products, to just one. At about 2,500 words, it is admirably clear and concise.
So what’s not to like? Well, that French letter complains that officials weren’t given enough time to study Google’s new policy and that “trained privacy professionals” — undoubtedly in Brussels — find it confusing. They want more information. That’s easy enough for Google to provide, and it plans to do so.
But there are other concepts, such as the “right to be forgotten,” which are embedded in the European idea of privacy but may prove problematic to honor online. You may have the right to take down that photo of your drunken self from your Facebook wall, but should the law force Facebook to remove it from your friend’s wall? Can it force Google to stop including it in search results? Google has to comply with local laws in all jurisdictions in which it operates. This, however, is an issue that transcends borders.
The American objections to Google’s privacy policy tend to be more legalistic. EPIC, the privacy-rights group, says the new policy violates the consent decree Google signed with the Federal Trade Commission in October, which among other things requires Google to obtain “express affirmative consent” from users for many changes to its policy. The attorneys general carry a brief for the millions of Americans who “bought an Android-powered phone in reliance on Google’s existing privacy policy.” And here we thought all they cared about was the Twitter app.
All of which is not to say that these changes, by Google and to our notion of privacy, aren’t real. Google provides a vast array of products and services, from the aforementioned Android OS to YouTube to blogging platforms to email. When you’re messaging your spouse about dinner from your mobile phone and you see an ad for that takeout Chinese place you searched for a month before, you may find it convenient or creepy (or maybe a little of both). Either way, it is the future.
This is the predicate assumption of the Obama administration’s 62-page “Framework for Protecting Privacy,” issued last week, which includes a seven-point Consumer Privacy Bill of Rights and other good ideas, like a “Do Not Track” button that users could click on if they don’t want anyone following them online. Others have proposed things like privacy insurance that would compensate individuals for any harm caused by a breach.
These ideas are appealing precisely because none of the details have been quite worked out. Once Congress and the private sector start filling them in, there’ll be plenty of debate.
When companies like Google change their policies, it is imperative that they both notify users and allow them the option of not participating. On the first point it’s hard to fault Google, which has just spent a month littering the Internet with notifications. On the second, Google sounds a little like the apocryphal Henry Ford selling the Model T: You can use Google any way you want, so long as you use it the way we say.
One thing Google could be clearer about is how long it keeps your data even after you’ve asked it to stop tracking you. It does allow you to modify some privacy settings, and to create multiple accounts with different settings. But it’s not simple.
That, perhaps, is the central truth that Google’s policy exposes: As much as corporations and websites can do to protect users’ privacy — and they can do a lot — the burden will increasingly fall on users. Google deserves some credit for trying, and mostly succeeding, to make it easier to understand what’s at stake.