Google News

Google accidentally revealed more than it intended to in its latest transparency report. The Guardian reported today that it discovered “new data hidden in source code on Google’s own transparency report that indicates the scale and flavour of the types of requests being dealt with by Google – information it has always refused to make public. The data covers more than three-quarters of all requests to date.”

Those “requests” the Guardian mentioned are link-takedown requests invoking the so-called “right to be forgotten,” a legal [privilege and/or burden, depending who you ask] covering people and organizations in the European Union, but not in the United States (though some U.S.-based consumer groups would like to see that change).

Origins of "right to be forgotten"

The European “right to be forgotten” dates back to May 2014, when the E.U. Court of Justice ruled that Google and other search engines are, in at least some circumstances, legally obligated to stop linking to old news stories about various people — true and accurate news stories about people — if the people in question request it.

The original case was brought by a Spanish national, Mario Costeja González, whose house was auctioned off for unpaid taxes back in 1998. A Spanish newspaper printed legal notices about the proceedings — standard operating procedure for a local paper, in Spain or in America — and then in 2009, Costeja asked the newspaper to remove the stories from their online archives and also asked Google to stop linking to the stories, on the grounds that those 11-year-old news pieces about his debts were no longer relevant, since the debts in question had been settled.

Google and the newspaper refused, so Costeja sued them both. The court sided with the newspaper – so it is not required to remove the stories from its website. But the court also sided against Google – the stories can stay online, but Google has to stop linking to them when people search for the name “Mario Costeja González.” Specifically, Google and other search engines must honor certain takedown requests which involve “irrelevant and outdated” search results.

Data leak

As soon as the European court announced its decision, Google was inundated with takedown requests. Within two days of the court ruling, the BBC mentioned three of them: a politician running for re-election asked Google to stop linking to old news stories about his behavior while in office, a pedophile wanted Google to stop linking to news articles about his previous criminal conviction for possession of child pornography, and a doctor wanted to take down links to negative reviews written by his patients.

But that was only during the first two days of Europe's “right to be forgotten.” That right is now 14 months old and, according to the Guardian, “Less than 5% of nearly 220,000 individual requests made to Google to selectively remove links to online information concern criminals, politicians and high-profile public figures … with more than 95% of requests coming from everyday members of the public.”

Not that you'll find this statistic in the transparency report itself. The Guardian figured it out by analyzing previously archived versions of older transparency reports. The data “details the numeric breakdown of each request and associated link by country and issue type. The underlying source code has since been updated to remove these details.”

Largely private and personal information

Information about specific takedown requests doesn't seem to be available, but the Guardian said that “Of 218,320 requests to remove links between 29 May 2014 and 23 March 2015, 101,461 (46%) have been successfully delisted on individual name searches. Of these, 99,569 involve 'private or personal information'.”

Although some consumer or privacy groups want Google to honor a similar “right to be forgotten” in America – and even asked the Federal Trade Commission to require it – it's not certain whether such a law would even be constitutional. Unlike Europeans, Americans have First Amendment guarantees to free speech and a free press, which sometimes means that laws allowable in the E.U. wouldn't pass constitutional muster in the United States (and, conversely, that certain U.S. laws and practices violate privacy laws in the E.U.).

For example: in Europe, you won't find many websites like ConsumerAffairs or Yelp, for the simple reason that businesses can bring libel charges against anyone who speaks ill of them and have a reasonable certainty of winning, even if the criticism is accurate. (And now, even if websites like ConsumerAffairs did operate in Europe, it might be illegal for Google to link to our stories anyway.)

That said, European supporters of the “right to be forgotten” will likely view the accidental Google data dump as evidence favoring their cause. The Guardian quoted Dr. Paul Bernal, a lecturer in technology and media law at the University of East Anglia, as saying that the data suggests the right to be forgotten is a legitimate law (in the United Kingdom): “If most of the requests are private and personal ones, then it’s a good law for the individuals concerned. It seems there is a need for this – and people go for it for genuine reasons.”

Fairly or not, people often judge you by the company you keep. And the nonprofit group Consumer Watchdog says this can cause huge problems for people with Google+ accounts, who might not be able to control who does or does not associate with their virtual online personae.

In December, Consumer Watchdog criticized Google for allowing Google+ to become “a virtual playground for online predators and explicit sexual content” (according to this .pdf letter CW sent to Google).

To back its claims, CW also sent Google a detailed, 27-page study (which is also available in .pdf form, but be warned: due to sexually explicit content it might not be suitable to download or read on your workplace computer).

On January 9, Consumer Watchdog thanked Google for clearing out some of the more predatory Google+ accounts but brought another problem to the company's attention: pretty much any Google+ user can add people to their “Circles” whether they want to be there or now.

In social media terminology, Facebook users have “friend lists,” whereas Google+ users have people in their “Circles.” In theory they're pretty much the same thing, only on different social media platforms, so that saying “Let's be Facebook friends” or “Let me add you to my Google+ circle” are more or less synonymous.

Except they're not. There's a big distinction between becoming somebody's Facebook friend and joining their Google+ Circle, as Consumer Watchdog said:

[On Facebook] a person receiving a request from an individual to be their “friend” must approve that request first. If the person chooses not to accept, he or she is in no way associated with the individual.

On Google+ any individual can add a user to his Circles. If the user does not appreciate the posts he sends to them, they can block the individual. However, if anyone visits the person’s profile and he has opted to display publicly who is in his Circles, the user’s name and picture will still appear there. The user cannot remove himself from the sender’s Circles, no matter what, once that person has placed them in their Circle's. A user is forced to be publicly associated with someone with whom they do not wish to be associated.... This is a fundamental privacy flaw and must be fixed. People must have the right to choose with whom they are associated.

Friends and Circles

In other words: on Facebook, I can't add you to my “friends” list (or vice-versa) unless we both agree to it. But on Google+, I can add you to my “circle” whether you want me to or not — so anyone looking through the list of people in my Circle will see your name there, and naturally assume that you chose to associate with me.

Google has already been under fire for accusations that it's going too far in its attempts to expand the size of its Google+ user base (or at least increase the number of people who have Google+ accounts, whether or not they actually use them).

Just this week, we learned the story of Thomas Gagnon, who was arrested after sending a Google+ invite to an ex-girlfriend who had taken out a restraining order against him — except Gagnon's attorney says Google sent the invite automatically, without his client's knowledge or approval. (Gagnon was arrested in late December; as this story is published, Google has not yet released any records related to the invitation or who exactly sent it.)

There's an acronym you'll often see used in online forums: IRL, which stands for “In Real Life” (as opposed to the “virtual” life on the Internet). It usually appears in such contexts as, “I only talk to him online; we've never met IRL.” But as Gagnon's story shows, and Consumer Watchdog's concerns further underscore, “Internet vs. real life” is probably a false distinction — nowadays, the Internet is part of real life, and what you do on the Internet can have real-life consequences … even if you had no idea you did it, because Google's auto-bots did it for you.

In light of the old joke “You're not paranoid if everyone really is out to get you,” we offer the following joke corollary: “Therefore it's not possible to be paranoid on the Internet, where everyone really is out to get you.”

More frightening is the following non-joke observation: “It's not paranoia to think using Google might be all it takes to get in trouble with the law.”

Last month we told you about the former federal contractor suing various federal officials on the grounds that they unfairly deemed him a national-security risk due to autocomplete results on a Google search:

“In October of 2009, Kantor used the search engine Google to try to find, 'How do I build a radio-controlled airplane …. He ran this search a couple weeks before the birthday of his son with the thought of building one together as a birthday present. After typing, 'how do I build a radio controlled', Google auto-completed his search to, 'how do I build a radio controlled bomb.'"

But if Google+ user Thomas Gagnon's complaints are accurate, what happened to him was even worse. On Dec. 21, the Salem News in Massachusetts reported that Gagnon was arrested for violating a restraining order his ex-girlfriend had taken out against him — specifically, by sending her an invitation to join one of his “circles” on Google+.

But Gagnon's attorney claims that Google+ sent the invitation automatically, without Gagnon's approval.

Numbers inflated?

The story came to national attention on Jan. 8 when tech writer Austin Carr wrote about it for Fast Company; Carr also discussed various ways Google is alleged to have been inflating the number of Google+ users – or at least inflating the number of people who have a Google+ account, regardless of whether they ever do anything with it.

Since last November, for example, anyone wishing to comment on YouTube can only do so through a Google+ account. Even worse (and potentially more relevant to Gagnon's case) are claims that Google connects Gmail accounts with Google+ circles, to the point where “by default, when someone joins Google+ and that person is in your Gmail contacts, Google will automatically send you a notification, along with an invitation suggesting that you "add him [or her] to your Circles to stay connected."

Of course, it's also possible that Gagnon actually did violate the terms of his restraining order, by deliberately sending a Google+ invite to his ex, and is now blaming Google in hope of wriggling off the hook. Thus far, Google has not released any records or responded to any media requests for comment, regarding exactly how that invitation came to be sent.

By Jon Hood
ConsumerAffairs.com

September 13, 2009
The proposed Google Books settlement, once hailed by Google cofounder Sergey Brin as giving consumers unprecedented access to the tremendous wealth of knowledge that lies within the books of the world, is getting decidedly negative reviews from a number of industry players and government agencies, with concerns about monopolies and consumer privacy at the top of the list.

Google was hit with a lawsuit in 2006, accused of copyright infringement for offering over 10 million protected works to the public free of charge. The search behemoth settled the lawsuit in October of last year, agreeing to pay $125 million in what it called an historic deal that would benefit consumers. Under the agreement, Google would give publishers about two-third of revenues made from selling access to out-of-print works, keeping 37% for itself.

The settlement was hailed as the first step toward allowing consumers to search for and buy out-of-print books, and provided that U.S. libraries would have free access to Google's master database. In testimony before Congress, Google's chief legal officer David Drummond added that bookstores and online booksellers like Amazon.com would be able to sell access to Google's database on any Internet-connected device they choose.

The settlement is now facing increasing scrutiny as it awaits final court approval. A key point of contention is a section permitting Google to scan and store orphan books -- those that are no longer in print but still protected by a valid copyright -- without first securing permission from the works' copyright holders.

Marybeth Peters, head of the U.S. Copyright Office, told Congress that the settlement would give Google a license to infringe first and ask questions later, and added that the agreement makes a mockery of Article One of the Constitution, that anticipates that authors shall be granted exclusive rights.

John M. Simpson of Consumer Watchdog, a California-based non-profit, said a key problem is the unfair competitive advantage Google receives under the settlement that comes from its attempt to pull an end-run around the appropriate legislative solution to the orphan books problem. This is not an issue for a court and certainly one that cannot be settled by solving the problem for one large corporation and no one else, he said in testimony before the House Judiciary Committee last week.

He said the problem is Googles monopolistic digital library and how it would be implemented. The proposed class-action settlement is monumentally overbroad and invites the court to overstep its legal jurisdiction, to the detriment of consumers and the public, he said. The proposed settlement agreement would strip rights from millions of absent class members, worldwide, in violation of national and international copyright law, for the sole benefit of Google.

Google's competitors -- Microsoft, for example -- are also crying foul, claiming that the provision allowing Google to store orphan books would amount to a veritable monopoly on that market. Amazon executive Paul Misener told SF Gate that, while his company also scans and stores orphan books, it first secured permission from copyright holders. We went to the rights holders, and one by one, negotiated deals, Misener said.

Misener likened Amazon's interest in blocking the settlement with its interest in network neutrality. He said the settlement would give Google an advantage rather than provide a level playing field. "Under the proposed settlement, Google would become a consumer's nightmare: the only store in town," he said.

In a move aimed at quelling such criticism, the settlement agreement provides that funds for orphan books would be held in escrow for five years, or until the copyright owner claims the book. Additionally, Google has agreed to spend $34.5 million to create a registry in an effort to locate those owners.

Privacy concerns

Google is also under fire from privacy advocates, who insist that the agreement will do nothing to protect consumers. The Electronic Privacy Information Center (EPIC) sought to intervene on behalf of consumers' privacy rights, apparently unswayed by Google's newly released privacy proposal.

That proposal, pitched to the Director of the Bureau of Consumer Protection, stresses that Google would not share users' information with third parties except under very limited and narrow circumstances, which would be explicitly set forth in the final privacy proposal. According to Google, those narrow circumstances are limited to situations where Google shares information with trusted entities that process information on our behalf or to prevent physical or financial harm. Google also promised to enact protections to limit the information ... available to credit card companies about book purchases. Privacy advocates point out that these measures are informal and not legally binding, and thus afford consumers little real protection.

The amount of data that Google could amass about a readers behavior is unprecedented, Consumer Watchdog's Simpson said. It could be commingled with data from other Google services posing a new threat to user privacy and flies in the face of the U.S. tradition of privacy regarding reading habits, he argued.

"Consumer Watchdog supports digitization and digital libraries in a robust competitive market open to all organizations, both for-profit and non-profit, that offer fundamental privacy guarantees to users, Simpson concluded. But a single entity cannot be allowed to build a digital library based on a monopolistic advantage when its answer to serious questions from responsible critics boils down to: Trust us. Our motto is Dont be evil.

Its its defense, Google notes that it has taken measures to protect privacy in the past. The company blurs certain locations on Google Maps including, until January, the Vice President's residence in Washington -- and its privacy policy says that personal information required for customers to log in is not shared with third parties, although it makes an exception for trusted parties.

Trying to pin down Google privacy policies is like discussing the weather: whatever you say about it today will probably be obsolete by next week.

Just a couple weeks ago, on April 15, we discussed how Google, in response to an attempted class-action suit alleging privacy violations in California, changed its Terms of Service for Gmail users to say outright that Google will scan the contents of your emails.

As of May 1, Google's online terms of service page is still dated April 14 and still says, in part, that:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

However, despite these terms, Google has announced intentions to stop scanning the contents of certain emails—specifically, those attached to students' Apps for Education accounts (which have been made available to schools for seven years), and also, those attached to various government or business accounts.

Privacy implications

For all the privacy implications involved in Google's scanning the contents of everyday Gmail accounts (which, according to its terms of service, it still does), the privacy violations inherent in scanning student or workplace accounts are arguably worse. Consider the opening paragraph of Google's April 30 announcement on the official Google Enterprise blog: “Protecting students with Google Apps for Education”:

Today more than 30 million students, teachers and administrators globally rely on Google Apps for Education. Earning and keeping their trust drives our business forward. We know that trust is earned through protecting their privacy and providing the best security measures.

Nitpick: actually, driving that particular business forward requires only the trust (or at least cooperation) of school administrators, and possibly the teachers. Students, by contrast, can be required to use Google at school whether they trust Google or not, which is one of the reasons why scanning their Gmail activities is more fraught with privacy violations than usual.

A similar problem involves workplace accounts, whether government agencies or the private sector: while no adult is legally mandated to hold down a particular job (in the same sense that minors are legally mandated to attend school or otherwise acquire an education), it's still disquieting to think that, for example, letting Google analyze your workplace communications should be a prerequisite for government employees. However, Google has said it will stop scanning their emails, too.

InBloom withers

Google is not the only company to recently step back from data-mining captive-audience public school students. Last week, data-harvesting company inBloom announced its intention to close up shop altogether, after its CEO Iwan Streichenberger posted a head-smackingly self-serving letter blaming his business failure on overprotective parents who don't want third-party data harvesters vacuuming up all available data about their children and themselves:

Over the last year, the incredibly talented team at inBloom has developed and launched a technical solution that addresses the complex challenges that teachers, educators and parents face when trying to best utilize the student data available to them. That solution can provide a high impact and cost-effective service to every school district across the country, enabling teachers to more easily tailor education to students' individual learning needs. It is a shame that the progress of this important innovation has been stalled because of generalized public concerns about data misuse, even though inBloom has world-class security and privacy protections that have raised the bar for school districts and the industry as a whole.

What were these world-class high-impact utilize-the-data corporate buzzspeak services inBloom offered?

Sopho's Naked Security blog, writing about inBloom's shutdown on April 24, noted:

Since inBloom's rollout in 2013, privacy and security experts and parents have been aghast at schools sucking up everything from students' tax ID numbers to intimate family details (including options to identify family members as "foster parent" or "father’s significant other") with inBloom.

So, between Google's recently announced intention to stop data-mining Apps for Education accounts, and inBloom's intended closing, American students this week theoretically enjoy more privacy protections at school than a month or so before. (Even so: you should probably tape over the webcam on any school-issued laptops your kids have, so school administrators can't spy on them at home.)

Google and a California non-profit, Consumer Watchdog, are hurling accusations and insults today over whether consumers should really expect their emails to be private.

The dispute grows out of a class action lawsuit that charged Google was violating federal and state wiretap laws by analyzing its 425 million users' emails. In a court filing, Google said that people can’t expect privacy when sending a message to a Gmail address.

In a motion to dismiss the lawsuit, Google said there is no reasonable expectation of total privacy when sending an email through the public Internet:

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’"

 

Consumer Watchdog jumped on the motion and called on Google to "stop reading and analyzing the content of emails sent to its system."

In response, Google seemed to backtrack from the message in its court filing, saying: 

“We take our users’ privacy and security very seriously; recent reports claiming otherwise are simply untrue. We have built industry-leading security and privacy features into Gmail — and no matter who sends an email to a Gmail user, those protections apply.”

Which is it?

Google can't have it both ways, Consumer Watchdog said, alleging that "Google is either lying to the court or lying to the public."

“If they take privacy seriously, then they must amend their brief and stop reading and analyzing the content of email we send to their system,” said Consumer Watchdog's John M. Simpson. “If Google stands by the claim of no expectation of privacy it asserted in the court filing, they cannot claim to respect users’ privacy. These two claims are obviously incompatible.”

Google has always insisted that the "processing" to which emails are subjected is automated and intended only to match advertising to the general context of the email or to sort emails into appropriate folders or categories.

In its motion, Google said the plaintiffs in the lawsuit were trying to "criminalise ordinary business practices" that have been part of Gmail's service since it was introduced.

 The class action lawsuit, filed in San Jose U.S. District Court in May, charges that Google "unlawfully opens up, reads, and acquires the content of people's private email messages." It quotes Eric Schmidt, Google's executive chairman as saying: "Google policy is to get right up to the creepy line and not cross it."

The suit claims that "on a daily basis and for years, Google has systematically and intentionally crossed the 'creepy line' to read private email messages containing information you don't want anyone to know, and to acquire, collect, or mine valuable information from that mail."

The full text of the lawsuit was filed under seal because it details many of Google's confidential and proprietary business practices. A hearing in the case is set for Sept. 5 before Judge Lucy H. Koh.

When Google changed its privacy policy in 2012 to expand its data-mining, there was an outcry from consumers and privacy groups who were certain that an outrage was being committed. A blizzard of class action lawsuits followed.

But judges have shown little sympathy for the claims. In the latest act of judicial rejection, U.S. District Court Judge Lucy Koh held that a class action is not the right way to resolve the matter, even though she had previously refused Google's motion to dismiss the case.

"The court finds that individual issues regarding consent are likely to overwhelmingly predominate over common issues," Koh said in her 41-page ruling, Courthouse News Service reported.

At issue is Google's claim that it is within its rights to electronically scan emails to and from Gmail users for the purpose of displaying ads based on the emails' content.

Google contends that such activities are within the normal range of business activities. Privacy advocates say they're not.

Where it starts to get complicated is the point at which millions of individuals, each with slightly different situations and grievances, are lumped into one gigantic class action lawsuit.

Koh's ruling doesn't mean individuals could not, at least in theory, pursue a successful case against Google. It doesn't even mean that aggrieved consumers are wrong to claim their rights have been trampled. It just means that there are too many differing claims wrapped up in one enormous class action.

The other issue facing privacy advocates is the matter of damages, around which all lawsuits revolve. It's difficult for an individual to show that he has been damaged by Google displaying an ad for snow blowers when the individual has penned an email complaining about the weather.

There's a dangerous new phishing scam, first discovered by security experts at Symantec, that seeks to steal the passwords and other confidential information of any Google account holder.

It's quite sophisticated compared to most phishing attempts, but even so: you should be able to protect yourself provided you pay extra-close attention to details, and also remember the phishing-protection rule “Don't call us; we'll call you.”

Here's how the newest scam works: you, the would-be victim, get an email with the subject heading “Documents”; the body of the email includes a link to an “important” Google Docs document.

Hopefully, if you'd received such an email you'd already know to ignore it, since it's neither personally addressed to you nor from any sender you actually know and recognize. But suppose you decided to click on this unknown link from an unknown sender anyway — what would you have found?

Looks convincing

Here's where the sophistication of this new scam comes in. In most phishing attempts, if you clicked on such a link (and did not immediately infect your computer with all sorts of malware as a result), you'd usually be taken to a page whose address, visible in your browser bar, is obviously not that of the company the scamsters are pretending to be – as in, you get a fake email allegedly from Google, but the link leads to a page with an unfamiliar (and distinctly not Google) web address.

However, as the official Symantec security blogger warned on March 13, if you click on this new Google-based phishing link:

“[T]he link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown. The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.”

In other words, you think you're logging in to your actual Google account, so you type your email address and password as usual, not realizing that your password is not being read by the real Google to verify your identity, but by phishing scammers to steal your identity.

Still not too late

However, even if you were caught off-guard enough to click on the unsolicited Google Docs link that some unknown sender e-mailed you, it's still not too late to detect certain details indicating a scam. Remember two sentences ago, when we said “you type your email address and password as usual”? That's the detail which sharp-eyed Google account holders should recognize as scammy: usually, when logging into legitimate Google accounts from your own computer, you don't have to type your email address at all, only your password.

As Gizmodo writer Adam Clark Estes pointed out: “if you show up at the log-in screen, you should notice that it doesn't recognize you as a Google user (if you are a Google user).”

Note to non-Google users who don't understand what Estes is talking about here: if you have a Google account, or more than one, anytime you visit a genuine Google page it will recognize you, and you'll see your name, avatar and other personal features as applicable — although you still won't be allowed access to your Gmail or any other personalized, password-protected Google things until you actually type in your password and only your password — your actual you@gmail.com email address is already there.

But with this fake Google phishing scam, you only get a generic login page requiring you to type not just your password, but your email address itself; the genuine Google login pages only require this if you're accessing your account from a public computer, or a brand-new one you've never used to sign in to Google before.