FTC-Google Privacy Settlement Takeaways

The proposed FTC-Google privacy settlement of EPIC's privacy complaint has many important, surprising, and far-reaching implications.

• (FYI: FTC Release, FTC Complaint, proposed Consent Order, Rosch concurrence, Google statement.)

I applaud the FTC for taking Google's privacy misrepresentations and deceptions so seriously and look forward to the FTC rigorously enforcing this landmark consent order.

Summary of Takeaways:

1. Google is now officially the #1 online privacy offender in the U.S.
2. This order is more about enforcing fair representation than enforcing privacy.
3. Don't expect public transparency about privacy problems found in the privacy audits of Google.
4. There is a big disconnect between what the FTC thinks this order means and what Google thinks it means.
5. The FTC will have to ride herd on Google to get it to abide by this privacy order, because it goes against Google's privacy averse culture.
6. FTC Commissioner Rosch's instincts are right in his concurrence; Google is gaming the privacy settlement for a regulatory competitive advantage.
7. The FTC should focus privacy auditors on Google's representations that it does not track Android users movements without their permission -- when it does.

1.   Google Officially #1 Privacy Offender. Google has submitted to Court supervision of the strictest privacy consent order in U.S. history. Per the FTC release: "This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework..." [Bold added]

• This strictest-ever official FTC privacy order effectively affirms Privacy International's 2007 survey that ranked Google worst in the world on privacy, and my 2008 Congressional testimony analysis which concluded that Google is the "single biggest threat to Americans privacy."

Contrary to Google's official assertion that the FTC announcement will "put this incident behind us," this announcement is only the beginning of an effective twenty-year sentence, or supervised parole, for Google's Federal privacy violations.

• To understand the real world effect of this FTC order, think of Google as an admitted privacy offender that has entered into a plea bargain where Google agrees to FTC/Court privacy supervision going forward for twenty years in return for the essentially absolving Google of liability for its past privacy violations.
  • Think of the the FTC's enforcement bureau as Google's parole officer and privacy rehabilitation boss.
  • And think of the Federal Court that will oversee this proposed consent order as The Enforcer, that can hold Google in contempt of court if it does not obey the FTC's implementation of this order.

2.   More about fair representation than privacy. Make no mistake, while the headlines focus on privacy, this order is really about enforcing fair representation and preventing deceptive privacy practices by Google and others, than it is about privacy directly.

• This is an important distinction to appreciate, because this means that Google will have to honor its public privacy pledges, but not necessarily implement any privacy policies that they do not want to implement.

3.   Don't expect transparency from this order. One of the biggest concessions Google won is essentially a Gag order on the FTC.

• Under the agreement the FTC cannot inform the public anything that is learned from the independent privacy audits.
• If the audits find non-compliance with the order, Google will have to correct them after the fact, but the public has no right to know it happened under this agreement.
• The only time the public may learn about problems is if the FTC has to go to Court to ask for a contempt of court citation.

4.   Big FTC-Google disconnect over what settlement means. All is not well here, because there is an obvious disconnect between what Google at large thinks Google agreed to, and what the FTC thinks Google agreed to. While the FTC made a big splash about the importance of this enforcement action, there is a lot of evidence that Google at large is not taking this consent order seriously.

• Per the New York Times, Google's spokesperson said: "We don't see this as being a significant change in how we run our business because this is the standard we hold ourselves to already."
  • (Hmmm... if that were true, why was a settlement necessary at all?)
• Google's official statement was a blog post, not from Google's General Counsel who signs the FTC consent order or any Google senior executive, but a lower level Google privacy functionary.
  • Moreover, the blog post characterized the FTC action as "an agreement with the FTC" with no link to any of the official documents.
• It is supremely ironic that Google's public statement totally missed the FTC's misrepresentation point, by largely misrepresenting, and deceiving the public, about what really happened with the FTC.

5.   FTC will have to ride herd on Google. The FTC should be under no illusion that Google will comply with this order the way the FTC expects.

• Google has a well-known, deeply-ingrained cultural aversion to asking for permission from anyone outside of Google for most anything.
• Google views its innovation without permission ethos as a divine right to do what it views as best for others.
• Organizations don't change their core values that comprise a key part of their identity, unless they want to change or are forced to change.
• Google will only improve privacy compliance to the extent the FTC enforcement staff rides herd on Google, and the FTC should be under no illusion that they are riding herd on Google cattle who are naturally herdable animals.
• Google's employees are more like cats, who naturally do what they please. It is predictable that the FTC will find enforcing this consent order to be like cat-herding 101.

6.   Commissioner Rosch is right; Google is gaming this settlement. In his concurring statement, FTC Commissioner Rosch shrewdly discerns something is awry in the settlement, because Part II of the order "is contrary to Google's self-interest."

Commissioner Rosch figured out what Google is really up to when he asked rhetorically: did Google agree to the order "in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors?" Bingo! Sure Google did.

• Simply, Google agreed to private information restrictions that would cost Google nothing, but could cripple its rival Facebook, if they were to be applied to Facebook. (Google knows Facebook is next in line for FTC privacy enforcement action.)
• In the simplest terms, Part II if applied to Facebook, would permanently lock in Google's competitive advantage over Facebook, because Google's business model and plans never envision sharing private information with third parties but Facebook's business does.
  • That's because as a search advertising monopoly that has vertically integrated over 500 products and services, the Googlomerate is the ultimate Internet one-stop-shop that needs no third parties because Google can do everything in-house.
  • In stark contrast, Facebook's business and monetization model is nowhere near as mature as Google's, so Facebook still has dependence on third parties to monetize its traffic and user activity.
    • For example, a key revenue stream for Facebook is games, which is a business arrangement more susceptible to third party sharing of private information.
    • How does Google know this?
    • Google is one of the largest investors in Zynga, the leading game provider to Facebook.

Commissioner Rosch's instinct's are right.

• Google is cleverly gaming this privacy enforcement action to get the FTC to unwittingly help preserve Google's monopoly market position by regulating Facebook, its primary social media competitor and rival, in such a way that Facebook could not competitively challenge Google.

The FTC would be wise to revisit Part II of this agreement to ensure that, in its eagerness to try and establish a new privacy baseline for the industry, the FTC does not competitively reward and entrench Googleopoly, and thwart and punish Google's competitors.

• The right thrust of Part II would have been to get Google to forthrightly inform their users how much private information Google collects on them, and how the user can get that private information permanently deleted.
• This would be a consumer-driven and competitively/technologically neutral Part II, rather than a policy that implicitly has the FTC picking winners and losers.

7.  Audit Android's tracking of users' movements without permission. After prematurely dropping the Google WiSpy privacy investigation, this order's audit mechanism provides the FTC an opportunity to redeem itself.

• One of the deceptive Google privacy practices most in need of a privacy audit is comparing Google's representations to Android and Latitude users about how Google tracks them and how they can opt out of tracking -- with how Google actually tracks Android device movements without users' permission -- in order to map WiFi signal locations.

In sum, the FTC deserves praise for strongly enforcing fair representation law and for providing itself with Court-enforcement powers to force Google to improve its privacy protections.

• However, the FTC should be under no illusion that it will be easy to secure compliance from Google on privacy.
• Culturally, privacy has never been important or a priority at Google.
  • As I have recently documented in great detail, Google has a "No Privacy By Design Business Model."
• Expecting Google to respect privacy is like expecting an invertebrate to respect backbone.