April 20, 2007 4:00 AM PDT

Google draws privacy complaint to FTC

Three public-interest groups are expected to file a joint complaint on Friday with the Federal Trade Commission calling for an investigation into the potential threat to consumer privacy posed by Google's planned acquisition of DoubleClick.

The Washington-based Electronic Privacy Information Center (EPIC), along with the Center for Digital Democracy (CDD) and the U.S. Public Interest Research Groups (U.S. PIRG), are asking the FTC to stop the $3.1 billion merger until the trade commission investigates Google's data collection and storage practices, orders DoubleClick to sweep out its data storehouse and requires the search giant to offer a public plan for safeguarding consumer privacy.

"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," the complaint reads. "Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects."

At stake, the complaint says, are the privacy interests of 233 million Internet users in North America, 314 million Internet users in Europe and more than 1.1 billion Internet users around the world.

Nicole Wong, Google's deputy general counsel, said in an e-mail statement that the company has not yet seen a copy of the filing but that she believes that there would be no basis for such a complaint.

"User, advertiser and publisher trust is paramount to the success of our business and to the success of the acquisition. We can't imagine taking any actions that would undermine these relationships or the trust people have in using our products and services," Wong wrote.

Since Google announced plans to buy DoubleClick for $3.1 billion last week, privacy advocates have expressed growing concern over the mountain of data Google's would hold following the deal. The largest search engine in the United States, Google fielded as many as 3.5 billion search queries last month, and it regularly stores that data. (It recently said it would begin to get rid of those records after 18 to 24 months.)

The company also collects and stores data on a range of other services, including user's schedules on Google Calendar, address information from Google Maps and e-mail documents from Gmail. By acquiring DoubleClick--the country's largest ad-technology provider, with a reach of about 80 percent to 85 percent of the Web population--Google would have access to a database of user's surfing habits across hundreds of sites, including DoubleClick customers such as Time Warner's AOL and Viacom's MTV Networks.

The public-interest groups contend that by holding all of that data, Google is vulnerable to security breaches and surveillance by law enforcements in the United States and abroad. They say people's right to privacy could be severely diminished.

Among other requests, the groups ask that the FTC order Google to create a "meaningful data destruction policy" and give users reasonable access to information stored about them.

Privacy concerns in the United States are being matched in Europe, where Google is the dominant player. (It reaches 75 percent of the European search market, according to a November research report from DoubleClick.)

Earlier this week, a European Union data privacy group reportedly said it plans to send a letter to Google warning that the search giant is running afoul of data collection policies in its member countries.

Privacy advocates are particularly worried that Google will merge the data from users' search queries with DoubleClick's records of people's general Web-surfing habits in order to build a centralized database of consumer profiles.

Google executives have said that for now, the company does not plan to merge collections of personally identifiable information such as names and e-mail addresses, with records of search histories and Web-surfing habits.

Rather, it hopes to combine both companies' non-personally identifiable data, such as search histories and Web-surfing habits linked to a computer's IP address, so that it could better target advertisements. For example, it aims to ensure that no individual computer receives repeated banner ads. (The deal is slated to close sometime this year.)

But one of EPIC's arguments is that an IP address--the string of numbers that identifies each individual computer connected to the Internet--can, with a little work, be linked to an individual, even if a name or address isn't associated with the IP number.

The complaint cites a data spill from last year, when AOL published the search records of 658,000 of its American users. Although the search histories were linked only to numbers, The New York Times was able to match some search records to individuals.

"Identity can be inferred," Marc Rotenberg, executive director for EPIC and author of the complaint, said in an interview with CNET News.com. "We believe that this complaint provides an opportunity for (the) FTC to look closely at whether the online-advertising industry provides adequate privacy protection for Internet users and (to) consider the privacy impact of non-personally identifiable information collected through search histories."

In some ways, the complaint is an example of history repeating itself. EPIC raised major questions about DoubleClick's online profiling in February 2000, when it filed a similar complaint to the FTC.

At the time, EPIC asked the FTC to investigate the company's plans to merge data from consumers' offline behavior--following the purchase of direct marketer Abacus--with anonymous information it held on users' surfing habits. DoubleClick retreated from its plans to merge systems, and the company eventually got out of the online consumer-profiling business.

The current complaint argues that Google be held to privacy standards from the Organisation for Economic Co-operation and Development (OECD), an international body of 33 countries whose guidelines limit the collection of personal data and give individuals the right "to access, amend, complete or erase information, as appropriate." OECD's guidelines also call for an openness about what information is collected and used.

EPIC's complaint also contends that Google's public privacy policy isn't forthcoming enough, given that it takes four clicks on Google's site for people to read that the record of what they've searched for will be associated to their computer's IP address. Google users also do not have a way to access information held about them or delete that information, the complaint said.

"It's a new obstacle for any potential takeover," said Jeff Chester, founder and executive director of the CDD.

See more CNET content tagged:
DoubleClick Inc., Google Inc., acquisition, complaint, Europe

8 comments

Join the conversation!
Add your comment
Privacy and the Internet
People crying "privacy rights" many times have something to hide.

But there is on the other hand a constitutional ammendment in place that guarantees the right to privacy at least for US Citizens.

I think that a reasonable expectation exists within the mind of most internet users that they will in fact be able to maintain their privacy.

The reality may be much different. Most people who are savvy enough to "cover their tracks online" and who require for some legitimate reason "privacy" as to their online user activities; already know how to maintain that privacy through the use of proxy surfing, cookie and adware deletion, even script inhibition.

Quite frankly, if you legitimately need privacy as to what you do online, it is incumbent upon each individual user to initiate and maintain protocols for keeping sensitive information secure.

Likewise, if Google and Doubleclick merge and somehow that massive database that everyone knows they will build is breached; then they will be sued. And will have to settle.

Trying to block the merger is much like trying to keep the National Do Not Call list and telemarketing legislation that was passed a few years back from actually passing.

I watched as these knuckleheads from a very well respected and succesful telemarketing management company spend literally hundreds of hours trying to get the telemarketing legislation not to pass. Guess what? They failed miserably. And it passed.

Why? because lawyers in general profit from representing clients. And where there is a cause, there will always be a client and lawyer who wants to benefit in some way from either opposing it or lobbying for it.

Why is our society the most litigious in history? Because we made it that way.

The only real concern with this merger is who's stock to buy. google's or doubleclicks? or both? the merger will go through so, savvy investors will profit. And before it goes through a few lawyers will garner massive fees feeding on the controversy.
Posted by Dwight Stickler (8 comments )
Reply Link Flag
Don't want google to have your data? use yahoo or MSN!!
If you have a computer.. microsoft has access to your data... whether you use google or not.

If you don't want Google to have your search queries, use another search engine.

Google doesn't sell our data, they use it to make search better, discover trends, etc..

These people need to get a life.
Posted by djpaisley (80 comments )
Link Flag
Just say No! to Google...
Just say No! to Google Search, and Gmail, and other Google applications, and DoubleClick cookies.
Posted by john55440 (1020 comments )
Reply Link Flag
Oh do be quiet
Google is by far the best search engine on the net, and so far it has a very good track record when it comes to safeguarding private information!

If worried about privacy on the Internet, don't use the net!
Posted by jatos (55 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.