Google's Top 35 Privacy Scandals
Submitted by Scott Cleland on Wed, 2012-02-22 13:22
Since Privacy International ranked Google worst in the world for Privacy in its 2007 privacy survey for its unique “comprehensive consumer surveillance & entrenched hostility to privacy,” Google has had at least 24 more public scandals/controversies over privacy/security.
- The large number (35) of Google's serious privacy/security failings -- of the same type, over several years (9), that are catalogued below -- indicates a near complete privacy protection breakdown at virtually every level: Google's front-line employees; Google's supervision; Google's privacy team; Google's claimed privacy-by-design; Google's management systems and internal controls; Google's executive management/leadership; Google's Board of Directors' fiduciary oversight; Federal Trade Commission enforcement; State Attorneys General enforcement; and Congressional oversight.
- This Top 35 list, with supporting links (78) to the public evidence, indicates that Google’s privacy problems have gotten worse and more frequent, and that they represent a longstanding and systematic pattern of Google behavior. The list is organized by year in reverse chronological order.
Google’s Top 35 Privacy Scandals/Controversies:
- 2012 Google iPhone Hacking Scandal: A Stanford researcher discovered Google hacked Apple’s Safari browser to circumvent both users' and Apple’s privacy protections to enable tracking for Google + advertising -- per a WSJ lead story which prompted widespread outcry and official privacy complaints. Google quickly stopped the offending hacking, implying wrongdoing, did not apologize, and was misleading in its public defense.
- Google Wallet PIN not private/secure: A blogger discovered Google Wallet had a large security hole where the privacy/security of the users' PIN to access the Wallet was not adequately protected, enabling relatively easy access to the Google Wallet owner’s money. Google had to shut down service for about a week to patch the privacy/security hole that most likely would have been discovered by a company with a proactive approach to privacy/security, rather than Google's reactive crowdsourced approach.
- Google Search Plus Your World integrates private posts with search results: EPIC asked the FTC to investigate if Search Plus Your World violates the FTC-Google Buzz privacy settlement given that it integrates private Google+ posts (that most people view as not searchable) with public data, thus increasing the risk of private information inadvertently being made public.
- 2011 Google fails to fulfill LAPD contract to keep Gmail private/secure. Over a year after contractually promising that Google could ensure the privacy and confidentiality of LAPD communications with other law enforcement and confidential sources, Google admitted it could not provide the contractually required level of privacy/security. City of Los Angeles threatened to sue to recoup its costs.
- Chinese hackers accessed U.S. officials’ private Gmail accounts: Per the Washington Post, Chinese hackers compromised the private Gmail accounts of a U.S. Cabinet official and Defense Department officials.
- Android’s default set to collect & implement network passwords without user’s permission: Security blogger Donovan Colbert discovered that the Android operating system by default, i.e. without permission, automatically collected and implemented encryption key pass codes in order to automatically gain access to private networks without the permission of the user. In Mr. Colbert's own words: "Honestly if there is any data that shouldn't be harvested, stored and synched automatically between devices, it is encryption keys, passcodes and passwords."
- Google abused users’ privacy by knowingly geo-targeting them with ads for illegal/counterfeit drugs: Google settled with DOJ and paid a near-record $500m criminal penalty for knowingly aiding and abetting the illegal importation of prescription drugs into the United States with geo-targeted advertising facilitated by the misuse of users’ private information.
- “Locationgate” Android tracks users’ movements thousands of times a day without user knowledge: This Wall Street Journal investigative scoop prompted Senate hearings and calls for new privacy legislation, a Do Not Track list like the FTC’s Do Not Call List, and the scandal moniker "locationgate."
- Android’s lax security gives hackers access to users’ private information: A North Carolina State University study showed how lax Android security permitted hackers to snatch private records of users’ phone calls, texts, emails and call lists, all without a user’s permission or control.
- Google TV prevented users from installing security/privacy software for protection: Google TV’s Android operating system did not allow users the option to protect themselves from harmful content or malware, per PC World.
- Only Google made all WikiLeaks stolen secret/private cables publicly searchable: When WikiLeaks leaked several hundred thousand highly-sensitive private and secret government cables, only Google decided to publicly index them and make them publicly accessible via Google search. That this decision was made by Google’s leadership shows that when confronted with a choice of keeping massive amounts of sensitive private information private or making private secret information public, Google’s leadership deliberately valued transparency over privacy/security. This incident, maybe more than any other, spotlights Google’s philosophical and political ambivalence towards privacy.
- Android’s “no-curation-policy” means no privacy/security by design for users: Google ignores its corporate responsibility to protect others in Google’s care. Google’s no curation policy means Google does not screen, review, or police apps in the Android Market before they can be used by the public, like Apple and others do, in order to protect consumers and ensure their platforms are not abused by unsafe or illegal apps. Google’s irresponsible policy on security/privacy means that “Android is the worst platform for malware.”
- Google enabled 35 million personal profiles to be publicly downloaded – a boon for identity thieves: No other entity has made more personal profiles (35 million Google Profiles) publicly accessible for easy downloading and indexing by hackers to effectively aid and abet criminal spear phishers than Google -- per a recent study by University of Amsterdam PhD student Matthijs R. Koot.
- DOJ catches Google misrepresenting it had Federal security/privacy certifications when it didn’t. In a filing with a Federal Court, the DOJ said: "On December 16, 2010, counsel for the Government learned that, notwithstanding Google's representations to the public at large, its counsel, the GAO and this court... Google does not have FISMA certification for Google Apps for Government."
- “Doodle4Google” art contest required children to provide part of their Social Security # to participate: After an incredulous outcry from privacy groups, Google backed off this requirement to collect private information on children as young as kindergarten age.
- 2010 Google Street View’s unauthorized recording of private WiFi communications: For three years in over thirty countries Google secretly drove streets collecting all available transmissions emanating from household WiFi routers, until a German privacy authority caught them. Google blamed it on one engineer’s action in 2006, and apologized for the “mistake.” At least seventeen countries investigated the legality and propriety of the Google WiSpy effort: U.S., Canada, EU, Czech, France, Germany, Hungary, Italy, Spain, Sweden, Switzerland, UK, Hong Kong, South Korea, Japan, Australia, and New Zealand.
- Hackers stole Google’s entire password security/privacy system: No other entity (that the public knows of) has had their entire password security code stolen wholesale by Chinese hackers like Google has -- per John Markoff's front page expose in the New York Times. The potential size and scope of this privacy/security breach is unfathomable.
- Google engineer stalked teens and spied on chats: Per reports, “A Google engineer spied on four underage teens for months before the company was notified of the abuses.” The engineer named “seemed to get a kick out of flaunting his position at Google, which was the case when, with a friend's consent, he pulled up the person's email account, contact list, chat transcripts, Google Voice call logs—even a list of other Gmail addresses that the friend had registered but didn't think were linked to their main account—within seconds."
- 2009 Google depends on others to find Google’s security/privacy vulnerabilities: No other Fortune 500 company so officially relies on the crowd sourcing of their non-expert users and others to be their primary line of security/privacy defense, rather than taking corporate responsibility for maximizing the security/privacy of the information and people entrusted to safekeeping and protection at Google.
- Google’s uber-centralization creates massive “single point of failure” for security/privacy: No other entity universalizes its password access to more products and services (hundreds) than Google, a high risk practice author and Google Security expert Greg Conti describes as a "single point of failure" problem, in his book: “Googling Security: How Much Does Google Know about You?"
- 2007 Privacy International ranked Google worst in the world for privacy: In its 2007 survey Privacy International spotlighted Google’s uniquely bad privacy record by placing only Google in the bottom worst category of “comprehensive consumer surveillance & entrenched hostility to privacy."
- Google Street View raised privacy concerns with public photos of interiors of private homes: A front page New York Times story spotlighted the public unease of Google publicly exposing the interior of people’s homes, which could make them more vulnerable to burglars and stalkers. Prior to the 2010 Google Street View WiSpy scandal, many countries had objected to Google’s Street View service without authorization: U.S., Canada, UK, Denmark, Germany, Greece, Japan, and Switzerland.
- Google exposed 2,000 college students’ social security #s/personal information in search results: The Sacramento Bee reported that Google bots indexed a community college’s student files meant to be private -- exposing the dangers of private information making it into Google search results.
- Google Docs terms of service claims perpetual rights to use users’ private material: A ZDNet post entitled “The content in Google Apps belongs to Google” showed Google’s obliviousness to the extensive privacy implications of private document creation.
- Privacy watchdogs opposed Google-DoubleClick merger on privacy grounds: In a filing with the FTC, privacy groups pointed out that Google and DoubleClick each had accumulated the most private data on individuals in the world, and that both companies had bad privacy track records, making the combination of these companies obviously an even greater threat to people’s privacy.
- Google publicly displayed a live feed of everyone’s private search terms in its lobby: Per a video posted on the popular blog Scobleizer we learned that people’s expected private searches could become publicly displayed in Google’s lobby.
- 2005 Google Earth publicly exposed aerial views of White House roof endangering its security: When Google updated satellite views of cities in Google Earth, Google failed to erase the sensitive security defenses atop the White House, giving potential terrorists for the first time a clear view of the White House’s extremely national-security-sensitive military and security defenses.
- 2004 Google chooses an “all eggs in one basket” database design called Big Table: No other entity stores all of its information in one unified "BigTable" database eschewing the normal security/privacy protocols of compartmentalizing confidential or private information to prevent catastrophic universal data breaches.
- Thirty-one privacy groups oppose Gmail scanning emails to target advertising: The World Privacy Forum and thirty other privacy and civil liberties groups called on Google to suspend Gmail until privacy concerns were addressed sufficiently. The groups were concerned about: the privacy-invading precedent it would set; the long times Google would retain the information; and Google's launch of the Gmail service without a delete button. (It took two years for Google to offer users a delete button for Gmail.) Legislation against Gmail was tabled in California and Massachusetts.
- Google Desktop function exposed as a big spyware risk for users: WebProNews was one of many that spotlighted the big privacy risk inherent in Google Desktop: “If you use public computers at work or at libraries, internet cafes, Kinko’s or the local Mailboxes Etc. store, now you’ve got to worry that previous users of that public machine, or worse, the business owner or employees, have installed Google Desktop Search on that machine to purposely spy on you!”
In conclusion, it is very telling that Google Watch presciently predicted in 2002, a decade ago, that “Google is a privacy time bomb,” and “a privacy disaster waiting to happen.”
A new Google Privacy Scandal/controversy 3-2-12:
36. "By design Android apps do not need permission to get a user's photos," according to the New York Times report on Android's privacy/security flaws. A security expert said: "We can confirm that there is no special permission required for an [Android] app to read pictures." A CDT privacy expert said: "It does create so many vectors for bad actors to get information about you."
Another Google privacy scandal/controversy 3-4-12:
37. "Android Apps share personal data with advertisers," per Channel 4 News; MWR InfoSecurity explained to Channel 4 News: "We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser. If users knew about this, I think they would be concerned about it. But at the moment I don't think they are aware of the situation and how widely their information can be used."