Keeping tabs on Google
Consumers and regulators are becoming increasingly concerned about the types of personal data held by companies like Google, as the search giant prepares to launch advertisements based on 'user interests'.
Although many internet users seem to remain blissfully unaware of all that, every now and again something brings a jangling reminder of the ever greater trove of personal information being gathered. One of those moments came last month with the UK launch of Google’s Street View, which allows a user to look around 25 cities and see each road from various angles – frozen in time, complete both with building frontages and pedestrian passers-by.
Complaints came about husbands photographed with strange women, workers caught having cigarettes by "no smoking” signs and people emerging from sex shops. The concerns prompted Privacy International, a UK-based pressure group, to file a complaint about Street View with the country’s information commissioner. One village banned Google’s camera cars from taking pictures there.
These stories captured the public imagination despite the company’s attempts to blur faces and licence plates – and even though everything recorded was in the open air. Though an even bigger privacy issue comes up this month as Google begins to sell "interest-based” advertising – with material tailored to individuals based on their evident preferences and behaviour online.
When an internet user visits any website containing a Google ad, the visit will be recorded and used to compile a profile that will then be deployed to direct future advertising to the user. Anyone who, for example, surfs a number of sites related to do-it-yourself projects will be noted as a home improvement fan and will begin to see advertising for paint and power tools turn up on all manner of sites.
On Tuesday, the European Union’s executive arm called for an overhaul of UK data privacy laws, out of concern that Britain was failing to protect internet users from having their behaviour monitored on behalf of advertisers. The European Commission has initiated a formal complaint against the UK government with a focus on secret trials carried out by BT, the country’s dominant telecommunications group, and Phorm of the US where internet users’ habits were monitored without permission. The Commission is also thought to be looking at other member states’ data privacy regimes.
So what is in prospect both for advertisers, which are eyeing the benefits of a targeted approach all the more keenly as recession bites – and for consumers, whose often benign view of what is being collected may change with further advances in technology?
Certainly, Google is not the first to offer targeted advertising. Yahoo, Microsoft and AOL all collect behavioural data and use that sum of knowledge about someone to target ads. Many other websites collect information about their visitors, as a result of which many internet users have dozens of cookies embedded on their computers – small text files that hold data specific to that site
BT and Phorm are expected to launch a program that will observe the surfing habits of BT’s internet subscribers and use this for advertising. Google is merely the latest to join the party. But the arrival of the internet’s biggest advertising company makes this practice truly mainstream.
"The theory behind it is great, it’s what we’re all after – effective optimisation of your inventory,” says Matt Simpson, chairman of the Institute of Practitioners in Advertising’s digital media group and UK head of digital at OMD, a media agency. "In a perfect world, you can deliver a more relevant message and spend less money.”
"Advertising is part of what keeps the internet alive. Period,” says Kent Ertugrul, Phorm’s chief executive. "There is a trade-off. You read a web page in exchange for advertisers getting the opportunity to present you with information. There has been a growing recognition of this in the past year.”
Privacy advocates worry, however, that not enough controls exist on how personal data are collected and used. "We are not against advertising. The internet is a good way to reach target audiences,” says Marc Rotenberg, executive director of the Electronic Privacy Information Center, a US pressure group. "But the question is: are there any limitations? The frustration is that advertisers say they don’t want any limitations.”
Meglena Kuneva, the EU’s consumer affairs commissioner, said this month that while personal data made the internet as an advertising-supported service "go round”, privacy policies were either non-existent or at best opaque. In the UK, parliamentarians have formed an all-party group to look at privacy issues. More than 40 MPs and peers have joined. "Symbolically this is a huge step,” says Simon Davies, director of Privacy International. "For the first time, it shows that parliament is aware of these issues.”
Behavioural profiles for advertising are just the tip of the online data iceberg. Records of every internet search are stored for three to nine months. The companies that host email hold copies of their users’ correspondence and contacts indefinitely. Companies as well as individuals are also beginning to use internet-hosted word processing and scheduling programs such as Google Docs and Google Calendar – meaning that business information and details of people’s planned movements are being held on Google’s servers.
Sites such as Facebook and Flickr store billions of photos of people. Facebook says more than 1 billion are uploaded every month. Face.com, an Israeli company, is launching facial recognition software that can sift through these better. Internet-connected mobile handsets such as the iPhone are capable of tracing someone’s location at any time.
Collecting information is itself hardly new but in the past it has been labour-intensive and limited. It has never before been possible to collect so much information about so many people and use it so easily. "There has been a transfer of control over our personal information,” says Mr Rotenberg of Epic.
"Individuals are not easily able to control the information or opt out, which means these issues need to be raised as broader public policy issues or in the courts.” Epic recently filed a complaint to the US Federal Trade Commission over Google’s "cloud” computing service, which provides storage and programming capacity on the company’s servers.
It is not just advertisers that are keen to use the growing digital databanks. Governments too want to mine internet profiles to catch suspected terrorists. The UK already requires internet service providers to keep records of website visits and email for a year, and has mooted plans to extend this to instant messaging, VOIP services and social networking sites in the interests of national security. Criminals, too, are breaking into databases to steal credit cards and identity details. No one is entirely safe. Google has some of the most cutting-edge technology but last month a security flaw meant some of the documents stored on the Google Docs service became visible to other users.
But laws on the use of online information are unclear. Regulators, companies and privacy campaigners have yet to agree on who can collect the information, how they can collect it, how long they can keep it and what they can use it for. The EU’s 1995 Data Protection Directive was written at a time before the internet was widely understood. It has taken several years of argument to establish basic things such as the fact that an IP address (the string of numbers that identifies a computer connected to the internet) counts as personal data.
Technology companies are trying to provide tools that allow people more control over their data. Google has created a page where users can see the profile of interests that has been built up around them, at www.google.com/ads/preferences. Users can change or delete information and can opt out of monitoring if they wish. The latest version of Microsoft’s Internet Explorer browser has an "InPrivate" mode, which prevents the tracking of web pages that are being visited. "People are becoming concerned about having control over their privacy. We are helping them do that,” says Laurent Delaporte, a marketing vice-president for Microsoft in Europe.
Phorm, the advertising technology company that is working with BT and Korea Telecom, has devised a system of targeting ads without retaining any personal data. Because it is not creating a database, Phorm has received approval from groups including Privacy International, although others such as Epic still question its right to intercept data in the first place.
Facebook is asking users for advice on privacy, after facing protests. In February the company tried to introduce terms of service that would have allowed it to use uploaded content on its site however it wanted – including for marketing – even after users deleted it. Following an uproar it retracted the terms and asked users to give feedback on how it should set these.
Regulators would prefer companies to ask consumers explicitly to opt into having their behaviour tracked rather than just giving them the option to opt out. But officials have been slow, however, to take action.
The Article 29 Working Party, a group of European data privacy officials that advises the Commission on policy, has tried to hammer out an agreement on how long search data can be kept by companies. The resulting guidance is loose – up to six months. This is a compromise: countries including Germany do not want data to be retained even for a day while others, like the UK, are happy with longer periods.
There is also a problem in enforcing any rules. National data protection agencies are small and have limited powers. Despite the Article 29 group’s finding, Google still retains its search information for nine months and European regulators have done nothing.
National regulators privately admit they feel powerless to impose sanctions on large multinational companies. The Dutch data protection authority, for example, has a comprehensive set of rules on publishing data on the internet. But the maximum fine they can impose in case of breaches is €4,500 ($5,975, £4,010).
"The regulators have become toothless and inept as watchdogs. The public no longer really expects its data protection commissioners to do anything. But that, I think, is going to change,” says Mr Davies. "There is some real anger out there. It took two weeks of Privacy International’s time to deal with all the complaints about Google’s Street View. We were flat out. People are learning.”
Epic’s Mr Rotenberg, too, is positive that it is not too late for people to take control of their personal data.
"Ultimately it is our decision what the future will look like,” he says. "It won’t be decided by Google.”