February 24, 2012
February 23, 2012
Mr. Colin McKay
Manager, Global Public Policy
340 Albert Street
Dear Mr. McKay:
We do, however, have a number of questions and concerns, as outlined below, that we would appreciate receiving a response from you on.
Data retention information
As with all efforts to condense and streamline privacy information, there is always a risk that important information will be dropped. One area we noticed where important information seems to be missing in the new consolidated policy, when compared to previous service-specific policies, relates to data retention and disposal. Those service-specific policies that were reviewed provided specific deadlines for the deletion of personal information following a request for deletion from the user (e.g., Google Health – 24 hours for deletion; Picasa – 60 days for deletion). The new general policy does not include any such timelines. We strongly encourage Google to more clearly explain its data retention and disposal policies and practices, particularly those dealing with data deletion in response to a user request, and would request that you let us know how you intend to address this issue.
Linking of services and personal information
The other goals of consolidating the privacy policies are very significant and may raise privacy issues, particularly the objectives of creating a simpler user experience, improving search results and making ads more relevant to users. It is important to note that, as we understand it, the proposed changes only affect users who have, and are signed into, a Google account. For those who do not have a Google account but simply use such services as Search or YouTube, the changes reflected in the new policy have no impact. The following comments therefore concern account holders only.
Under the current policy, data sharing already takes place across certain products. For example, Google makes it easy for a signed-in user to immediately add an appointment to Google Calendar if an incoming e-mail looks like it is about a meeting. For other products, such as Search and YouTube, the data that Google collects about how individuals use a particular product have been kept separate. Specifically, a user's general search history would not be used to improve search results on YouTube. Considering that an individual's search history can be quite unique and sensitive (indicating vital facts about the person’s location, interests, age, sexual orientation, religion, health concerns, and much more), this was an important privacy protection.
We understand that, under the new policy, Google is removing this separation between its various products. In other words, Google will be linking all of a user’s data together when the user logs into his/her account and uses various services. According to Google, "information is associated with a given user only if the user is signed into their Google Account. If a user maintains two separate Google Accounts – for example a work account and a personal account – Google will not use information about one account to personalize the other". As we understand it, the policy changes do not mean that Google is collecting more information about its users than it currently does. They do, however, mean that you are going to be using the information in new ways – ways that may make some users uncomfortable. We would strongly encourage you to make it clearer to users that if they are uncomfortable with these new uses of information, they can create separate accounts. This is not clearly stated in your new policy; rather, the information about the separate accounts was clarified in one of the letters from a Google senior executive in response to queries by the Article 29 Working Party.
A further concern regarding the personalization of services comes from language in the new policy, where Google states that it "may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services". It is not entirely clear how this process would work and just how far it would extend. For example, will Google attempt to link existing accounts to each other or new accounts with previous accounts, either of which would contradict statements by the company that users can create and maintain separate accounts? We would appreciate your clarification of this issue.
Lastly, with respect to Android users, it is our understanding that Google currently collects the following information:
- device information: Google may collect device-specific information (such as hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate the device identifiers or phone number with the user's Google Account;
- log information: telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls; and
- location information: when an individual uses a location-enabled Google service, Google may collect and process information about the individual's actual location, like GPS signals sent by a mobile device. They may also use various technologies to determine location, such as sensor data from the device that may, for example, provide information on nearby Wi-Fi access points and cell towers.
Although Google has stated that some of its services can be used without signing into an account, this is not very practical if a user is accessing those services via an Android phone. While signed-out users will be able to make calls and send texts, for instance, they will not be able to download new applications, update those already installed or synchronize the phone with Gmail or Calendar. In effect, it appears that there is very little choice for Android users should they not wish Google to have the ability to link all of the services they use. This is of particular concern given the potential ease with which accounts could be linked together on the basis of the device identifier information that Google collects. We would appreciate receiving comments from Google with respect to such linking of vast quantities of personal information as a condition of service to use the Android phone.
In the meantime, we would appreciate receiving your views on our three areas of concern at the earliest opportunity. Thank you again for meeting with our Office.
Original signed by Patricia Kosseim for
Privacy Commissioner of Canada
c.c. The Information and Privacy Commissioners of Alberta, British Columbia and Quebec