Privacy Groups Ping FTC Over Google/DoubleClick
The Electronic Privacy Information Center (EPIC), the Center for Digital Democracy (CDD), and US Public Interest Research Group (US PIRG) are about as happy about the Google DoubleClick deal as Microsoft was, but for different reasons.
Microsoft’s beef (as everybody sat back, pointed, and tried to decide between pot and kettle) was about antitrust concerns. These three groups are more concerned about privacy.
Google will have access to a lot more information through DoubleClick than it had already.
The CDD’s Jeff Chester, in the first of a series of multitudinous words, begins the complaint to the FTC this way:
In the rapidly expanding world of online advertising, a few mega-giants are dramatically expanding their power, including the ability to track consumers’ online movements, to collect and analyze personal data resulting from those travels, and to craft ever-more-sophisticated digital marketing campaigns based on that analysis.
The recent spate of mergers and acquisitions in the online advertising industry—led by Google’s $3.1 billion takeover of DoubleClick in April and Microsoft’s $6 billion buyout of aQuantive in May—threatens to undermine privacy, competition, and diversity on the Internet. Permitting the further growth of these data-dependent unrestrained giants is a threat to personal privacy online.
Increasing digital media consolidation will also have a negative impact on the diversity of public interest content essential for a civil society (e.g., news, public affairs, and cultural programming).
Yes, that’s only three sentences. And yes, somewhat melodramatic, but it will be up to the Federal Trade Commission to decide its merit. The triad of privacy advocates added to their original complaint to the FTC, with EPIC leading the wordy objections.
The 12 Commandments, as taken from the 21-page amendment PDF:
1. Order Google to provide meaningful notification when personal data from two distinct Google services are combined to produce a result that is linked to an identifiable user.
2. Order Google to give a user the right to obtain knowledge, in a reasonable and timely manner, of whether or not the data relating to the user is processed and if it is processed, information to the purpose of the processing.
3. Order Google to provide, in a reasonable and timely manner, the logic involved in any automatic processing of data concerning that user.
4. Order Google not to retain user data in a form that permits the identification of data subjects for longer than necessary for the purposes for which the data were collected.
5. Order Google to institute an “opt-in” approach to collecting user information. If Google allows a user to “opt-in” before collecting personal data in order to personalize the search experience, Google should implement the same system with regards to a user’s privacy options.
6. Order Google to allow individuals reasonable access to their personal information, along with the ability to edit and delete that information.
7. Order Google to stipulate to never engage in behavioral tracking.
8. Further order Google not to sell personally identifiable information.
9. Order Google to implement a functional and secure system of anonymizing stored user data. Anonymized data remains traceable to the individual user, as demonstrated when America Online inadvertently leaked the search records of 658,000 Americans. Google must implement a technique that truly anonymizes this data, either by erasing more the last octet of the IP address, erasing the IP address completely, assigning randomized numbers to the data, or developing an alternative technique that will render tracing the data back to the individual source impossible.
10. Order Google to cease storage of IP addresses. The search engine functionality would not be impaired if a search engine did not store any user information at all.
11. Condition the merger on Google and DoubleClick maintaining separate databases of user information. Order Google to craft, disclose, and implement a security plan that will maintain, protect, or enhance the privacy, confidentiality, or security of all personally identifiable information.
12. Order Google to implement remedies and a system of accountability in the event of a breach, and to disclose to the public the extent to which it cannot or will not protect the privacy, confidentiality, and security of all personally identifiable information.