Google draws privacy complaint to FTC

Three public-interest groups are expected to ask for a government investigation into issues posed by Google's DoubleClick acquisition.
Written by Stefanie Olsen, Contributor
Three public-interest groups are expected to file a joint complaint on Friday with the Federal Trade Commission calling for an investigation into the potential threat to consumer privacy posed by Google's planned acquisition of DoubleClick.

The Washington-based Electronic Privacy Information Center (EPIC), along with the Center for Digital Democracy (CDD) and the U.S. Public Interest Research Groups (U.S. PIRG), are asking the FTC to stop the $3.1 billion merger until the trade commission investigates Google's data collection and storage practices, orders DoubleClick to sweep out its data storehouse and requires the search giant to offer a public plan for safeguarding consumer privacy.

"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," the complaint reads. "Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects."

At stake, the complaint says, are the privacy interests of 233 million Internet users in North America, 314 million Internet users in Europe and more than 1.1 billion Internet users around the world.

Nicole Wong, Google's deputy general counsel, said in an e-mail statement that the company has not yet seen a copy of the filing but that she believes that there would be no basis for such a complaint.

"User, advertiser and publisher trust is paramount to the success of our business and to the success of the acquisition. We can't imagine taking any actions that would undermine these relationships or the trust people have in using our products and services," Wong wrote.

Since Google announced plans to buy DoubleClick for $3.1 billion last week, privacy advocates have expressed growing concern over the mountain of data Google's would hold following the deal. The largest search engine in the United States, Google fielded as many as 3.5 billion search queries last month, and it regularly stores that data. (It recently said it would begin to get rid of those records after 18 to 24 months.)

The company also collects and stores data on a range of other services, including user's schedules on Google Calendar, address information from Google Maps and e-mail documents from Gmail. By acquiring DoubleClick--the country's largest ad-technology provider, with a reach of about 80 percent to 85 percent of the Web population--Google would have access to a database of user's surfing habits across hundreds of sites, including DoubleClick customers such as Time Warner's AOL and Viacom's MTV Networks.

The public-interest groups contend that by holding all of that data, Google is vulnerable to security breaches and surveillance by law enforcements in the United States and abroad. They say people's right to privacy could be severely diminished.

Among other requests, the groups ask that the FTC order Google to create a "meaningful data destruction policy" and give users reasonable access to information stored about them.

Privacy concerns in the United States are being matched in Europe, where Google is the dominant player. (It reaches 75 percent of the European search market, according to a November research report from DoubleClick.)

Earlier this week, a European Union data privacy group reportedly said it plans to send a letter to Google warning that the search giant is running afoul of data collection policies in its member countries.

Privacy advocates are particularly worried that Google will merge the data from users' search queries with DoubleClick's records of people's general Web-surfing habits in order to build a centralized database of consumer profiles.

Google executives have said that for now, the company does not plan to merge collections of personally identifiable information such as names and e-mail addresses, with records of search histories and Web-surfing habits.

Rather, it hopes to combine both companies' non-personally identifiable data, such as search histories and Web-surfing habits linked to a computer's IP address, so that it could better target advertisements. For example, it aims to ensure that no individual computer receives repeated banner ads. (The deal is slated to close sometime this year.)

But one of EPIC's arguments is that an IP address--the string of numbers that identifies each individual computer connected to the Internet--can, with a little work, be linked to an individual, even if a name or address isn't associated with the IP number.

The complaint cites a data spill from last year, when AOL published the search records of 658,000 of its American users. Although the search histories were linked only to numbers, The New York Times was able to match some search records to individuals.

"Identity can be inferred," Marc Rotenberg, executive director for EPIC and author of the complaint, said in an interview with CNET News.com. "We believe that this complaint provides an opportunity for (the) FTC to look closely at whether the online-advertising industry provides adequate privacy protection for Internet users and (to) consider the privacy impact of non-personally identifiable information collected through search histories."

In some ways, the complaint is an example of history repeating itself. EPIC raised major questions about DoubleClick's online profiling in February 2000, when it filed a similar complaint to the FTC.

At the time, EPIC asked the FTC to investigate the company's plans to merge data from consumers' offline behavior--following the purchase of direct marketer Abacus--with anonymous information it held on users' surfing habits. DoubleClick retreated from its plans to merge systems, and the company eventually got out of the online consumer-profiling business.

The current complaint argues that Google be held to privacy standards from the Organisation for Economic Co-operation and Development (OECD), an international body of 33 countries whose guidelines limit the collection of personal data and give individuals the right "to access, amend, complete or erase information, as appropriate." OECD's guidelines also call for an openness about what information is collected and used.

EPIC's complaint also contends that Google's public privacy policy isn't forthcoming enough, given that it takes four clicks on Google's site for people to read that the record of what they've searched for will be associated to their computer's IP address. Google users also do not have a way to access information held about them or delete that information, the complaint said.

"It's a new obstacle for any potential takeover," said Jeff Chester, founder and executive director of the CDD.

Editorial standards