Leading Internet search engine Google has received the lowest possible rating for privacy practices, according to a detailed report released Friday by Privacy International, a global organization working for the protection of privacy. The report, entitled “A Race to the Bottom: Privacy Ranking of Internet Service Companies – A Consultation Report,” comes after a six-month investigation by the 17 year old international, non-governmental organization. Google was the only company of 22 tested to receive the report’s only “black” color-coded rating, a category Privacy International gives to companies which do “comprehensive consumer surveillance and [have] entrenched hostility to privacy.”

The report was conducted with the aim of finding the best and the worst companies “across the full spectrum of search, email, e-commerce and social networking sites,” according to Privacy International, and details their investigation into the privacy practices of what it sees as the key Internet-based companies, including Yahoo!, AOL, Microsoft, Amazon, Apple, eBay, Myspace, Facebook, Wikipedia and the BBC, along with Google and ten others which are mentioned below. The report is designated as an initial “consultation” version, a precursor to the final report to be released in September, which has been done in order to allow the companies noted in the report to come forward with additional information on how they process customer information, according to Privacy International, which states that it will welcome comments on the findings of the consultation report from companies, consumer organizations and industry organizations. “[We] look forward to working with the relevant companies in the coming months to complete the study,” the report goes on to say. The group hopes to receive further relevant information over the coming months, however it also notes that “If useful information is not offered we will wherever possible use legal mechanisms to obtain it,” according to Friday’s report. Privacy International hopes to receive help from regulators, privacy commissioners worldwide, and the U.S. Federal Trade Commission, in order to “help illuminate some of the more arcane collection and processing practices,” the report states. The report also makes clear that some of the group’s findings may have substantial changes in the final report.

The study looked at nearly 20 aspects of each of the 22 companies, and gathered information from technical analysis, present and former employees, interviews with company representatives, and data from public sources which ranged from privacy policies and governmental inquiry submissions, to newspaper articles and blog entries. Customer privacy is, in the words of Neil Marshall, Director of Forum Operations at WebmasterWorld, a popular community of web professionals, “one of those issues that often bites most people when they least expect it.”

The London-based group, which also has offices in Washington, D.C. and members in 40 countries, began as a human rights research and campaign organization in 1990, and claims to be the first global non-governmental organization dealing with privacy. The group aims to “provide technology assessment, develop reviews of public policy and to act as a watchdog on surveillance by governments and corporations,” according to the study. The group works with other non-governmental organizations, educational institutions and inter-governmental organizations, according to the study, and receives funding primarily through philanthropic and charitable groups.

Privacy International’s has previously worked against some of Amazon.com’s corporate privacy practices, problems with advertising in Google Gmail (PDF) service relating to technology design, and is the group that founded an annual award called the “Big Brother Award,” which is held yearly in more than 15 countries and is aimed at identifying the “worst corporate invaders,” according to Friday’s report. The group has also been involved in ranking countries for their levels of privacy protection and surveillance, and now feels that it has positioned itself to tackle similar ratings for companies. According to the study, the group has frequently been asked to suggest privacy protection practices; however they make clear that they do not endorse any specific companies.

A Race to the Bottom in Customer Surveillance

The group has witnessed an increased “race to the bottom – in corporate surveillance of customers,” according to the study, and also notes that in some instances companies who do not resort to “abusive and invasive profiling of their customers,” may be put in a position where they are at a competitive disadvantage. “In this race to the bottom some have even begun looking for new and more innovative ways to become even more surveillance-intensive,” the report states. The group has released the report aiming to inform customers about the current surveillance practices of the 22 companies involved, so that they can make, “a better-informed decision about how, whether and with whom they should share
their personal information,” according to the report. Mr. Marshall of Webmaster World notes that, “Every time data is entered into a search engine, that information will not be simply discarded. No, it will be used in some form or another,” and warns that “It's time users woke up to the fact that data is being gathered every time they search.”

Privacy International wants Internet companies to know that their tracking and surveillance tactics are being watched, and according to Friday’s report, the group believes there needs to be more openness about how Internet companies process information, and why it is processed. The group has been tracking Internet companies since the web began in the early 1990s, and according to the newly-released study has argued for years that Internet companies “should embrace a wider range of privacy protections for users.”

Lowest Common Denominator Privacy in 2007

The report pays particular attention to the practice of requiring user registration in order to work with many new Internet products, and notes privacy concerns relating to terms of service agreements. However, the biggest and “most dangerous threat to privacy,” according to the report, may be the movement over the past three years of Internet companies into advertising space. As companies have merged and grown, ever-larger Internet communities have developed, and the report raises concerns that new forms of user targeting and profiling aimed at generating money through advertising to these communities risks developing a “lowest common denominator for privacy.” The report compares the 1990s, when a company could tout its strong privacy practices as a market differentiator, with 2007, when according to the study, “all major Internet players may move to establish a level of user surveillance that results in little or no choice for Internet users and relatively few meaningful privacy mechanisms.” The report warns that without intervention and scrutiny from groups such as Privacy International, a “race to the bottom” may develop, with a market dominated by a small number of exceedingly powerful companies.

The goal of the report is not to “name and shame,” according to the group, but to point out trends they believe will “shape the future of privacy on the Internet.” Pointing out confusion over the privacy policies of many Internet companies, the group warned “If we, as specialists in this field, cannot fully understand the full range of surveillance practices of some companies leaves us greatly concerned about the ability of consumers to make informed decisions in the marketplace.”

The Scope of the Study

The group studied on-line service companies only, and selected 22 based on, “market share, services offered, number of users, [and] site traffic,” according to the report, and excluded companies such as banks offering on-line banking, which operate under mandatory data collection rules.

Microsoft and Google each have two entries on the list of companies studied, Google with Orkut and Microsoft with Windows Live Space. “We ranked Orkut as a separate entity even though it is owned by Google,” the study explains, while noting that Window’s Live Space “is part of Microsoft, but because it offers services that are quite specific and because of the size of the user base, we took the decision to treat it as a distinct organization [sic].” The group goes on to explain grouping the rest of Google’s services together, noting that its “practices and ethics are very much part of its brand and image as a whole, and so we treated it as one single entity." The other companies involved in the report include Bebo, Friendster, Hi5, Last.fm, LinkedIn, LiveJournal, Reunion.com, Skype, Xanga and YouTube.

How the Study Was Conducted

The group factored information from a number of areas about each company into the study, including corporate administrative details, corporate leadership, data collection and processing, data retention, openness and transparency, responsiveness, an “ethical compass”, customer and user control, fair gateways and authentication, and privacy enhancing innovations along with privacy invasive innovations.

In measuring corporate administrative details the study looked at whether each company has a department or a person who is responsible for privacy compliance, and found that Google does, but notes that their privacy policy has not been updated since 2005, a notion that unofficial Google spokesperson Matt Cutts disputed today writing in his personal blog, which is examined at the end of this article.

With the corporate leadership category the study looked into whether each company has signed up for the U.S. and European Union Safe Harbor agreement, among other factors. Google is noted as having “rejected access to data by U.S. Justice Department for research purposes,” and as being a member of Safe Harbor.

When the study looked to data collection and processing practices, it attempted to determine what type of information each company collects, both with and without customer consent, and whether the companies consider each customers Internet Protocol (IP) address number to be “non-personal” or anonymous. The study notes that Google does describe the data it collects, but that customer IP addresses are not considered personal information. The study finds that Google does not believe that they collect sensitive information, that they “sometimes track links clicked upon,” and that Google “shares information with consent, or to companies. “

Looking into data retention policies the study notes of Internet companies, “the risk to their market position and customer base may be proportionate to the amount of personal data they store.” Of Google’s data retention policies, the study notes the results are unclear, but that they have stated “18-24 months as [an] eventual outcome.” The report also notes that Google keeps a customer log history even after this 18 to 24 month period.

Privacy International describes the openness and transparency category of their report by noting, “Privacy policies often say much but disclose relatively little about a company's true practices. […] We rate these companies on how open they are to the public about their actual practices. Are policies ‘merely a collection of disarming words’ [such as] 'At [company X] we take your privacy seriously.'" The study also pointed to Internet company privacy policies that seem to have as a goal “[saying] very little but in as complex a way as possible.” At the other end of the privacy policy spectrum, the study points out that “some policies that are exemplary in their eloquence and detail, describing every element of information and how it is processed by the company." The study finds that Google has a “vague, incomplete and possibly deceptive privacy policy,” and one which, “fails to explain detailed data processing elements or information flows.”

In the study’s responsiveness category the group has rated how each company handled customer’s privacy concerns, and whether those concerns were dismissed. One unnamed company in the study is noted as having told Privacy International that, “Life is too short (too worry about privacy).” Google’s responsiveness is summed up as a “generally poor track record of responding to customer complaints,” and as having an “ambivalent attitude to privacy challenges (for example, complaints to EU privacy regulators over Gmail).”

The study’s “ethical compass” category focuses on how each company in the study has co-operated with “problematic warrants and access contentious requests from law enforcement agencies and foreign governments,” and how each has handled customers’ concerns. According to the report, Google’s “Privacy mandate is not embedded throughout the company,” and that “Techniques and technologies [are] frequently rolled out without adequate public consultation.” The report cites Google Map’s recent “Street Level view” maps as an example.

In the customer and user control category the study states that several companies would not allow customers to delete their accounts, and questions whether some companies who claim to have “x million customers” in fact have only “x thousand” active customers. This category of the study also looked into whether customers were able to choose what types of information they wished to disclose. The study found that Google’s “customers have a right to amend personal details held by Google but does not allow search history to be removed,” and that “most services to not permit user access to specific or aggregated disclosure or tracking data.”

The report’s fair gateways and authentication category looked into a trend of on-line services which “increasingly require individuals to create accounts in order to gain access to services.” Google received the following rating in this study category: “Opt-out possible for some services. Some services may not work well without cookies. May access essential resources without account but when account is created it is sticky.”

In the broad “privacy enhancing innovations and privacy invasive innovation category”, Privacy International looked at whether the companies studied used progressive techniques to gather data, or more underhanded methods. The group hoped to “highlight when companies use blunt instruments to collect personal information without consent, and when they use pinpoint precision to delve deeper into personal profiles,” and also noted in the report that some companies are spending large amounts of money pursuing invasive privacy practices. The report notes that Google “will utilize Doubleclick’s “Dynamic Advertising, Reporting and Targeting (DART) advanced profiling system.” (PDF)

Color Coding System Ranks Google Black

The report states that the group decided to assess only those areas of each company in the study which they were able to actually identify, and claims to have erred on the side of caution, giving each company the benefit of the doubt. The report gave each category a color-coded rating, ranging from green, for the most privacy-friendly or “generally privacy aware” companies, to a rating of black for companies with the worst privacy policies, which the study defines as those who do “comprehensive consumer surveillance and [have] entrenched hostility to privacy.” Of the 22 companies analyzed during the six-month study, Google is the only one to receive the bottom-ranked black rating.

Not one of the 22 companies in the study received a green rating, while five received the second best teal status, including eBay, the BBC, Wikipedia, Last.fm, and LiveJournal. In the yellow band the study places six companies, including Friendster, Amazon, Bebo, Skype, MySpace, and LinkedIn. The orange category contains four entries, those of YouTube, Xanga, Orkut and Microsoft. The companies listed in the red and second lowest rated band of the study, include these seven entries: Hi5, Facebook, Apple, AOL, Yahoo!, Window’s Live Space, and Reunion.com. The Search Engine World chart to the right shows the number of companies in each of the study’s color bands.

The Controversial Google Black Rating

The Privacy International study notes that the “decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations,” and that “none [but Google] comes close to achieving status as an endemic threat to privacy.” The group went on to further detail the decision to place Google in the black category, and mentions the most widely-used search engine’s ability to share data between the companies various tools as playing a factor in the decision. Also playing a factor was Google’s “market dominance and the sheer size of its user base,” according to the study, which also found in Google an “aggressive use of invasive or potentially invasive technologies and techniques.” The report takes into consideration Google’s efforts to open up information through the companies various services, but concludes that this “does not exempt the company from demonstrating responsible leadership in privacy.” Additionally the report finds that Google has not demonstrated "well defined and mature user controls and an equally mature privacy outlook," and goes on to describe an attitude at Google towards privacy that is “at its most blatant is hostile, and at its most benign is ambivalent.” The group’s decision to give Google their worst rating was also influenced by information about a complaint from the Electronic Privacy Information Center (EPIC) received by the U.S. Federal Trade Commission relating to the pending merger between Google and DoubleClick, and an additional submission to the FTC from the New York State Consumer Protection Board, according to Friday’s report.

Seven Specific Google Privacy Failures Found

The report details seven specific privacy failures at Google, including findings showing that “Google account holders that regularly use even a few of Google's services must accept that the company retains a large quantity of information about that user, often for an unstated or indefinite length of time, without clear limitation on subsequent use or disclosure, and without an opportunity to delete or withdraw personal data even if the user wishes to terminate the service.” The report also claims that Google “maintains records of all search strings and the associated IP-addresses and time stamps for at least 18 to 24 months and does not provide users with an expungement option,” and goes on to say that “While it is true that many US based companies have not yet established a time frame for retention, there is a prevailing view amongst privacy experts that 18 to 24 months is unacceptable, and possibly unlawful in many parts of the world.” The third specific Google privacy failure noted in the report relates to the company keeping data from Orkut user profiles even after a customer has deleted their account. Additional privacy failures were found relating to the Google Toolbar, compliance with OECD privacy guidelines and European Union data protection laws, logging search queries, and not allowing customers to access log information from interaction with Google Maps, Google Talk, Google Reader, Google Video and Google’s Blogger service.

Microsoft Rated Two Color Bands Higher than Google

The study addresses why it awarded Microsoft an “orange” status, a full two levels higher than Google, explaining that “Microsoft is a better privacy performer than Google.” The report found the biggest difference between Microsoft and Google was in “the corporate ethos and leadership exhibited by each," and that “Microsoft has at least put in place the beginnings of a framework for responsible privacy practice and has created a corporate vision, cloudy though it may be.” Microsoft is also mentioned in the report as having “even pursued the concept of privacy as a market differentiator,” and concluded that, “We have no evidence that Google has achieved this level of awareness or development.”

In a Nutshell

The report pays particular importance to the fact that none of the 22 companies in the study achieved a “green” status, and that the group finds the privacy standards of the key Internet companies “appalling,” with certain companies “demonstrating either wilful [sic] or a mindless disregard for the privacy rights of their customers.” The report sees a future containing some of the most difficult privacy challenges seen in decades, largely as a result of the “current frenzy to ‘capture’ ad space revenue through the exploitation of new technologies and tools.”

The Aftermath Following the Report

Following the issuance of Privacy International’s report on Friday, came an open letter to Google CEO Eric Schmidt from the group, alleging a possible smear campaign by Google relating to the report. Google’s deputy general counsel Nicole Wong said in a statement issued Friday, “We are disappointed with Privacy International's report, which is based on numerous inaccuracies and misunderstandings about our services," and additionally stated that, “It's a shame that Privacy International decided to publish its report before we had an opportunity to discuss our privacy practices with them." Privacy International contends that it did contact Google earlier in the month, but did not received a response, according to group director Simon Davies. The group also contends in its open letter to Google that, “Two European journalists have independently told us that Google representatives have contacted them with the claim that ‘Privacy International has a conflict of interest regarding Microsoft’,” which the group states is the first such accusation in their 17 year history. The correspondence goes on to point out how the group has in the past been a strong critic of Google’s rival Microsoft, including presenting Microsoft with the “Worst Corporate Invader” award in 1999. The open letter also attempts to dispel any sign of impropriety in having a board member who is a current Microsoft employee, noting “I can confirm that he joined our Advisory Board well before he was headhunted by Microsoft. Upon his appointment with Microsoft [he] offered us his resignation. We refused to accept it. […] he continues to serve on the Board in a private capacity.” The letter also asks Google whether, “Your company's actions stem from sour grapes that you achieved the lowest ranking amongst the Internet giants?” The group also states in their open letter that they believe an apology from Google is in order.

Reaction from Google

Google’s Matt Cutts expressed his thoughts on the Privacy International report on his personal Internet blog today, stating “I have to be honest with you — it made me mad.” Mr. Cutts writes that, “Google as a company takes privacy very seriously,” and commenting further on the report states that, “the bottom-line takeaway message that I got from the report is that a company can work hard on privacy issues and still get dragged into the mud.” Cutts points out some of the ways in which Google’s competitors in the search engine field have not performed as well as his employer, observing “In this past year, AOL released millions of raw queries from hundreds of thousands of users,” nonetheless noting of the report, “But AOL got a better grade than Google.” Cutts also states that Privacy International should have included Internet Service Providers in their study, and writes, “If I ran a privacy group, I would find out which ISPs sell their user data,” and goes on to state “I think Privacy International missed the mark badly by giving those companies a better rating than Google, or by not including the right online companies in their study.”

Privacy International’s final report is schedule to be released in September, and is bound to be met with much anticipation and scrutiny.