European privacy regulators have reported on their investigation into Google's privacy policy, which was launched on March 1st. Their investigation found:
incomplete information and uncontrolled combination of data across services.
The privacy policy is a mix of particularly wide statements and of examples that mitigate these statements and mislead users on the exact extent of Google's actual practices.
Google's answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data. We challenge you to commit publicly to these principles.
The investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed. As a result, a Google user is unable to determine which categories of data are processed in the service he uses, and for which purpose these data are processed.
The company's new privacy policy, which came into force on March 1 2012, was criticised by many at the time, including Big Brother Watch. We highlighted how most consumers had not read the policy, and warned that even if they did, the opaque language made it difficult to understand exactly what data was being captured and what would happen to it.
The test now will be whether data protection regulators have the ability to hold the company to account, or if, as before, their powers are limited to a paltry fine that will barely trouble one of the world's largest corporations.
Germany advises against the use of Google's Chrome internet browser
No doubt Germany is actively pursuing data retention and internet surveillance of its own people. And then they whinge at other governments who do the same.
I would rather be spied on by foreign powers than by my own government. It is highly unlikely that the US cares much about my misdemeanour. But my own Government delights in putting us in prison for all sorts of trivial offences.
In telling the world it will anonymize user IPs after only nine months, Google has appeased EU regulators. At least in part. But it looks like Mountain View's new policy is just another example of Google Privacy Theatre.
After nine months, the company has confirmed with The Reg, Google will change some of the bits in the user IPs stored in its server logs. But as the plan stands now, it will leave cookie data alone.
This means the missing bits are easily retrieved.
More than a year ago, the company said it would "anonymize" its server logs after eighteen months. And sometime between March and July, it actually put this plan into action. In this case, "anonymize" meant change some of the bits in the IP address in the logs as well as change the cookie information. Google now says it erases exactly eight bits from a user's IP, but it has yet to explain what it actually does to the cookie data.
"After nine months, we will change some of the bits in the IP address in the logs," the company says. "After 18 months we remove the last eight bits in the IP address and change the cookie information... It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified."
But as CNet points out, if your cookie data remains intact, restoring the full IP address is trivial. Google may erase some IP bits on your nine-month-old search queries, but those bits will remain intact on your newer queries - and both sets of queries will carry the same cookie info.
i.e. Google search data is not really anonymised until 9 months after users clear their cookies. And few users are likely to clear their cookies, ever.
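The re-linking described above, written as a retention-policy audit; this is an added example, not code from the original article or from Google. It assumes the nine-month step zeroes the last eight bits of an IPv4 address and approximates nine months as 270 days; the log records, field names and cookie IDs are constructed.

```python
import ipaddress
from datetime import date, timedelta

RETENTION = timedelta(days=270)  # "nine months", approximated (assumption)
TODAY = date(2009, 1, 1)         # constructed audit date

# Constructed records: documentation-range IPs, made-up cookie IDs and field names.
LOGS = [
    {"day": date(2008, 2, 1), "ip": "192.0.2.57", "cookie": "id-A", "query": "q1"},
    {"day": date(2008, 12, 20), "ip": "192.0.2.57", "cookie": "id-A", "query": "q2"},
    {"day": date(2008, 1, 15), "ip": "198.51.100.9", "cookie": "id-B", "query": "q3"},
    {"day": date(2008, 12, 28), "ip": "198.51.100.9", "cookie": "id-B", "query": "q4"},
    # This user cleared cookies, so the old and new records carry different IDs.
    {"day": date(2008, 3, 1), "ip": "203.0.113.80", "cookie": "id-C1", "query": "q5"},
    {"day": date(2008, 12, 30), "ip": "203.0.113.80", "cookie": "id-C2", "query": "q6"},
]

def is_old(rec):
    return TODAY - rec["day"] > RETENTION

def mask_ip(ip):
    """Zero the last eight bits of an IPv4 address (assumed form of the IP change)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

def age_out(logs, scrub_cookie=False):
    """Apply the retention policy; scrub_cookie also drops the cookie ID on old records."""
    out = []
    for rec in logs:
        rec = dict(rec)
        if is_old(rec):
            rec["ip"] = mask_ip(rec["ip"])
            if scrub_cookie:
                rec["cookie"] = None
        out.append(rec)
    return out

def relinkable(logs):
    """Audit: old queries whose masked IP is restored by a recent record with the
    same cookie (candidates must fall in the same /24 as the masked address)."""
    recent = {}
    for rec in logs:
        if not is_old(rec) and rec["cookie"]:
            recent.setdefault(rec["cookie"], set()).add(rec["ip"])
    found = {}
    for rec in logs:
        if is_old(rec):
            ips = sorted(ip for ip in recent.get(rec["cookie"], ()) if mask_ip(ip) == rec["ip"])
            if ips:
                found[rec["query"]] = ips
    return found
```

`relinkable(age_out(LOGS))` returns the full addresses for q1 and q3, while q5 stays masked because that user's cookie changed; with `scrub_cookie=True` nothing is recovered.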