Why Google is the Biggest Threat to Americans’ Privacy:

-By Scott Cleland

The Detailed Case from my House Testimony

In my testimony Thursday on Internet privacy before Chairman Markey’s House Internet Subcommittee, I documented for Congress the detailed case of how Google, which is subject to no Federal privacy laws, is the single biggest threat to Americans’ privacy today.

The evidence assembled here shows how Google’s mission and culture are hostile to privacy, how Google’s unprecedented scale and scope enable a breath-taking collection of intimate “blackmail-able” information, and how Google’s track record is not worthy of trust.

From my testimony:

Case Study: How Google Systematically Threatens Americans’ Privacy

To begin, I am not alone in believing Google’s privacy practices are a particularly serious consumer protection problem.

  • Privacy watchdog, Privacy International, ranked Google worst in its world survey on privacy in 2007 and described Google as “hostile to privacy.”
  • EPIC, CDD, and USPIRG filed suit with the FTC last year challenging Google’s privacy practices as deceptive trade practices.


  • Recently, a broad coalition of privacy advocates pressured Google to finally comply with California privacy law and put a link to their privacy policy on their home page.

First, Google’s mission is antithetical to privacy

Google’s megalomaniacal “mission is to organize the world’s information and make it accessible and useful.” Google’s mission is so uniquely antithetical to privacy–it actually warrants the creation of a new term: “publicacy.” Google’s unique and radical “publicacy” mission believes “the world’s information,” is (and should be) public not private. (Note the mission statement puts no qualifier on “information” other than “the world’s”.)

The fact that most of the world’s most valuable information is copyrighted or owned by others hasn’t stopped Google from making other’s property universally available–without permission or compensation. As a result, several different content industries are suing Google for theft. Google supports radical copyright reform to remake the Internet into a less-propertied, “information commons” where almost all content is free to the user and supported by Internet advertising–the business that Google dominates.

The fact that much of the world’s information is also private–or enables privacy because it is not easily accessible publicly by anyone–hasn’t stopped Google from trying to make this private information publicly accessible. The business reason for this is that Google knows that the most valuable information is private, scarce information that was not available before. Google also knows that its competitive advantage is its world-leading “database of user intentions,” i.e. search histories on several hundred million Google users worldwide. Google also understands that it can earn a premium because it knows more private information on users’ intentions, preferences and secrets than any other company in the world–by far. Simply, Google’s business edge is that it collects, stores and uses more private information than any other entity in existence, which enables it to “target relevant advertising” better than anyone else.

The fact that Google’s web “crawlers” are the world’s most pervasive and invasive, Google indiscriminately searches Web sites for whatever it can find, and automatically assumes if their crawlers can find it, it must be “public” information. This indiscriminate web crawling has resulted in Google exposing private information like social security numbers, as Google did in making hundreds of California university students’ social security numbers public (Sacramento Bee, 7 March 2007).

Second, privacy is not a priority in Google’s culture

Google celebrates an “innovation without permission” culture. Google’s obsession with innovation comes at a cost, because it comes with a cultural disdain for internal controls, management supervision, and internal vetting of issues for privacy concerns. Let me illustrate this cultural disdain for privacy with three high-profile examples of Google proceeding full-speed-ahead with “beta” releases–without regard to privacy implications of their actions.

Google introduced Gmail, which enables Google to automatically read the content of users’ private e-mail messages in order to send them “relevant” advertising–without meaningful internal privacy review. This caused a widely reported public uproar over users’ privacy being abused.

Google introduced Google Earth, which exposed the roof tops of the White House, public buildings and military installations, without meaningful internal review of the privacy, safety, or national security implications. The uproar that ensued over this suggests Google learned little from the Gmail incident about the importance of internal review to address external concerns like privacy.

Google then introduced Street View, which is video of people’s homes, apartments and neighborhoods, without meaningful internal review of the privacy or safety concerns involved. The uproar over this invasion of privacy is so significant that Google is very secretive about where and when Google’s “spycars” will be videoing a particular neighborhood in order to protect the safety of the Google drivers from irate residents.

The inescapable conclusion from this pattern of behavior is that Google’s culture exhibits a fundamental and sustained disdain for privacy.

Third, Google gives privacy “lip service”

Only this month did Google begrudgingly comply with longstanding California Privacy law to post a link to their privacy policy on their Web page. Google’s founders did not want to “clutter” the signature simplicity of their homepage with the addition of another word. Google’s leaders spoke loudly on their assessment of the value of privacy policies with their stubborn recalcitrance on this most basic of privacy compliance. The implicit message is that privacy is not a priority to the founders. We also know that members of organizations listen and follow the cues from their leaders about which values to follow in conducting business.

  • Google has not bothered to update its privacy policy since October 14, 2005, despite a number of major external developments that objective observers would think would merit an update or a change in their privacy policy.
  • Since the last update, Google has entered several new businesses which operate under very different privacy laws:
  • YouTube–viewing habits;
  • FeedBurner–reading habits;
  • GrandCentral–voiceprints and wiretapping;
  • DoubleClick–ad viewing;

A few years ago, the FTC sanctioned DoubleClick for its privacy practices. Google Health (which arbitrages HIPPA); and Friend Connect (after state Attorneys General acted on privacy/safety related issues of minors.)

  • In the fall of 2007, Privacy International ranked Google worst in its world survey, and called the company “hostile to privacy.”
  • In 2007, privacy watchdog EPIC sued Google via the FTC review of the Google-DoubleClick merger, for deceptive trade practices.
  • In late 2007, the FTC staff proposed new behavioral advertising privacy principles that run counter to Google’s current privacy practices.

If Google really cared about privacy and it was an important priority, wouldn’t Google have updated its privacy policy to adapt to any of the above mentioned developments? Not only does Google not a lead by example on privacy matters, it doesn’t even follow others’ leads.

Fourth, Google threatens the privacy of more people than most any other entity

Google-DoubleClick track the search histories and ad-viewing habits of an estimated 90% of global Internet users, approaching one billion people worldwide. Google has the largest network of advertisers: ~1,000,000, compared to Yahoo’s ~300,000 and Microsoft’s ~75,000. And Google has relationships with over 1 million websites, orders of magnitude more relationships than its competitors.

What this means is that Google has both the means and the business model to learn more private information about more people than any other company in the world.

Fifth, Google collects/stores the most potential “blackmail-able” information

Consider the depth and breadth of intimate information Google collects:

What you search for;

A Ponemon Institute survey of 1,000 Google users found that 89% thought that their searches were private and 77% thought Google searches could not reveal their personal identities–wrong on both accounts.

Everywhere you go on the web;

Google has pervasive unauthorized-web-surveillance capability (web tracking/stalking) through a combination of Google’s search, Google’s cookies, DoubleClick’s ad-view recording capability, Google’s extensive content affiliate network of hundreds of thousands of sites, and the wide variety of Google apps.

What you watch–through YouTube;

Remember Supreme Court nominee Robert Bork was politically attacked for the videos he rented.

What you read–through Google News, FeedBurner and Blogger;

What you say–in your emails through gmail’s automated reader;

What you produce–in Google Docs;

In return for the free Google apps like Docs, users grant Google some search rights in perpetuity to any content a user produces using Google’s apps.

What your family and friends look like–through Picasa images;

Your medical conditions, medications, and medical history–through Google Health;

Your purchase habits–through Google Checkout;

Your call habits and voiceprint–through Google Talk;

Your travel habits and interests–via Google Maps;

Your interest in other people/places–via Google Earth and Street View;

Your personal information–through Orkut (social networking) Gmail, Google Checkout, etc.;

Where you go/hang out–through Google wireless ventures and Android;

Where you’ll be or where you were–through Google Calendar.

The scale and scope ofGoogle’s unauthorized-web-surveillance is truly Orwellian “Big Brother.” While Google is not the government, all this private information that Google collects and stores is certainly available to the government via subpoena.

It is also important that this capability of Google is very different from Microsoft’s because as a software provider, Microsoft’s access to private information mostly resides on its users’ PCs, where they control it. In stark contrast, all of the private information listed above that Google collects resides on Google’s servers.

Sixth, Google’s track record does not inspire trust

Google does not fairly represent its business to users.

Google’s rhetoric and public relations intimate that Google works for users–they don’t. Google is not paid by users. Google is paid by advertisers and Web sites.

Like investment banks hurt investors during the bubble for not disclosing that their research had a financial conflict of interest, Google puts users at serious risk by not disclosing to them that Google has a financial conflict of interest in looking out for advertiser/website/Google interest before users’ interest.

This conflict could hurt consumers today. For example, when Web sites are infected with dangerous malware, like that which phishes for the purposes of ID theft, Google has not been flagging certain search results as dangerous, even when doing so would protect users from sites Google knows are not safe. Google is being silent and not protecting users from potential harm because that would discourage traffic, clicks and revenue from Google’s real clients–advertisers and Web sites.

If the Ponemon survey of Google’s users is even remotely accurate, most consumers do not understand that they have forfeited their privacy to Google in return for Google’s free applications. In other words, few people understand that Google thinks they have users’ full permission/assent to sell their privacy to the highest bidder.

Another trust-undermining aspect of Google’s business is the rampancy of fraud in Google’s model.

Most people are not aware that click-search is one of the most fraud-prone industries in America. Click Forensics, the leading industry tracker of Web fraud, estimates that 28% of all Internet clicks are fraudulent. The dirty little secret here is that the gross-revenue business model for search, which was pioneered by Google, makes money off of fraudulent clicks. In other words, Google’s gross revenue model does not have a financial incentive to be honest. It is hard to imagine another legal industry in America that would tolerate a 28% gross fraud rate!

Google also does not inspire trust because Google’s words don’t match its deeds. It is the master of the slippery, self-serving, double-standard. Google’s mission is to organize the world’s information to make it accessible, when Google is among the most secretive, non-transparent, ‘black box’ public entities anywhere.

Google pushes “open” everything for everyone else–open access, open source, open social, open handset, open spectrum–but the auction process that is at the core of Google’s business model is not open but an opaque ‘black box’ that users cannot see into.

Google supports net neutrality regulation for its broadband competitors, but maintains that Google, the world’s most dominant access point for the Internet, should not be subject to net neutrality regulation.

Google aggressively protects its intellectual property of copyrights and patents, while strongly supporting “information commons” reforms that would decimate the intellectual property rights of their competitors.

Google runs its not-for-profit Google.org as a for-profit division of Google, when every other corporation in America abides by the clear separation of for-profit and not-for-profit entities to avoid even the appearance of tax evasion or impropriety.


As others have said, information is power. Power corrupts. Absolute power corrupts absolutely. Google’s market power over private information is corrupting Google, just like former FBI Director J. Edgar Hoover was corrupted by his power and mastery of personally-sensitive information.

Google’s unprecedented arbitrage of privacy law combined with its exceptional lack of accountability is fast-creating this era’s privacy-invading, unaccountable equivalent: “J. Edgar Google.”

Remember the timeless insight, those who don’t learn from history–are doomed to repeat it.

Scott Cleland is one of nation’s foremost techcom analysts and experts at the nexus of: capital markets, public policy and techcom industry change. He is widely-respected in industry, government, media and capital markets as a forward thinker, free market proponent, and leading authority on the future of communications. Precursor LLC is an industry research and consulting firm, specializing in the techcom sector, whose mission is to help companies anticipate change for competitive advantage. Cleland is also Chairman of NetCompetition.org, a wholly-owned subsidiary of Precursor LLC and an e-forum on Net Neutrality funded by a wide range of broadband telecom, cable and wireless companies. He previously founded The Precursor Group Inc., which Institutional Investor magazine ranked as the #1 “Best Independent” research firm in communications for two years in a row. His latest op eds can be seen at www.precursorblog.com.

Copyright Publius Forum 2001