Against a backdrop of growing privacy concerns, with every week bringing revelations of data breaches at government or corporate websites, online search behemoth Google quietly updated its terms of service Monday, spelling out just how much personal data it mines as part of its normal business model.
The new language states: “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”
While corporate fine-tuning to an online policy that few users read closely – indeed, most don’t read at all – would not normally be news, Google is singular, say security and legal experts. Not only is the company in the midst of contentious lawsuits over both the spirit and letter of these privacy issues, but, more important, it dominates the online search space to such an extent that what happens at Google impacts the entire cyber-landscape.
“Whatever Google does matters since it is the 800-pound gorilla online,” says attorney Jeremy Mishkin, co-chair of the litigation department at Montgomery McCracken Walker & Rhoads in Philadelphia.
“The new policy means that if a user shares information with one arm of Google, they’re sharing it with the whole shebang,” he adds via e-mail. The revisions underline this point by stating: “This analysis occurs as the content is sent, received, and when it is stored.”
Indeed, the revisions to the terms of service spotlight the degree to which Google considers anything you upload to any of its various services (YouTube, Google plus, etc.) to be fair game:
“When you upload, submit, store, send or receive content to or through our services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our services), communicate, publish, publicly perform, publicly display and distribute such content,” Google says.
Asked why the revisions were released now and how they would address privacy concerns, Google responded with a statement: “We want our policies to be simple and easy for users to understand. These changes will give people even greater clarity and are based on feedback we've received over the last few months.”
Indeed, some of that feedback has come in the form of legal action, including lawsuits in California from plaintiffs who allege the company violated wiretapping laws by scanning their e-mail.
A judge turned down Google’s request to dismiss the lawsuits, although she also stopped them from moving forward as a class action, stating there were too many variables in the individual cases to constitute a unified class.
These issues are important and new law is being written as technology raises new questions about how far companies can go in collecting and utilizing data, says Mark Thibodeaux, a commercial litigator and a member of Sutherland Asbill & Brennan’s global privacy and data Security practice.
“There is a difference between a human being sitting in a back room reading your personal e-mail and a computer bot scanning for key words and aggregating anonymous information,” he says. But, on the other hand, the question of how far companies can go in collecting and using your personal data is still an open legal question, he says, adding that it is in the process of being addressed as lawsuits such as these go forward.
“However these cases are decided will certainly change the landscape for free e-mail services,” he adds.
A key issue in California involves non-Gmail users who send e-mail to Gmail users. This raises the question of whether or not Google has the right to scan the e-mail of those who are not in the Google ecosystem by means of having signed the terms and conditions policy.
This is where the ethical and legal lines “are being blurred,” says Charles Tendell, founder of Azorian Cyber Security. He points out that state wiretapping law requires dual consent, meaning that both parties must consent to being recorded. Either the laws will be defined with respect to digital use, he says, “or we will see some very interesting case law coming out of these lawsuits.”
As it is, Google may have missed an important opportunity to assuage people’s legitimate privacy concerns, says reputation expert Anthony Johndrow, managing partner of the Reputation Institute in New York.
Wouldn’t it be nice for Google to address possible scenarios while launching this policy change, he says via e-mail, “so that they could point out WHY people should continue to trust Google with their information?”
“Do no evil” is a pithy but vague corporate reputation platform, he notes, “and we have analytics that prove people want to know much more about companies (60 percent of consumer behavior towards large companies is explained by corporate perceptions).”
People would be justified in asking if Google is doing something to prevent the possibility of hacking that is better than anyone else is, says Mr. Johndrow. “If they’re not, what makes them think they can expose all their users to that level of risk?” he adds.