Case Study of Google Serial Over-collection of Private Data for FTC Hearings

A Case Study of Alphabet-Google’s 2004-2018 Privacy Track Record of Evident Unfair and Deceptive Over-collection of Consumers’ Personal Data Exposes an Evident Gap in the FTC’s Remedial Authority to Protect Consumers

Submitted as a public comment for the FTC’s fall 2018 “Competition and Consumer Protection in the 21st Century Hearings.” Topic #5: “The Commission’s remedial authority to deter unfair and deceptive conduct in privacy and data security matters” FTC Project Number: P181201; (PDF FTC submission here)

July 30, 2018; By Scott Cleland; President, Precursor® LLC  info@precursor.com & Chairman, NetCompetition®

Conclusion

This case study of Alphabet-Google’s track record of unfair and deceptive privacy and data security practices provides a compelling body of evidence of 17 major business practice examples over a fifteen-year period that indicate the FTC evidently does not have enough remedial enforcement authority to deter Google, or other Internet platforms, from engaging in unfair and deceptive conduct in privacy and data security matters.

It is also evident from Google’s words and actions chronicled below that it legally does not believe its users have a “legitimate expectation of privacy” concerning the information they provide to Google.

Given that the FTC understands deterrence is inherently a causal concept, and given the evidence provided in this e-white-paper, it is reasonable for the FTC to conclude that its admitted lack of FTC remedial enforcement authority for privacy and data security is in part causing the evident effect of Google’s rampant recidivism on privacy and data security matters.

The cumulative evidence chronicled in this Google case study exposes that the FTC has not deterred Google from serial unfair and deceptive practices via multiple services, involving multiple technologies, in multiple ways, repeatedly, over a fifteen-year period.

The evident common causal thread is Google’s business modus operandi of unfair and deceptive over-collection of private information by default.

Google has serially harmed consumer welfare in unfairly and deceptively undermining consumers’ expectation of, and actual, privacy and data security, as well as undermining consumers’ ability to protect their own privacy and data security and that of minors.

A big question for the FTC’s congressional overseers and the FTC to ask in the Simons hearings this fall, is why Google has been able to serially, unfairly, and deceptively violate consumers’ reasonable expectation of privacy repeatedly, in many dimensions, for 15 years with evident impunity?

Is this systemic risk and failure just a result of insufficient FTC “remedial authority to deter unfair and deceptive conduct in privacy and data security matters?

Or is it also partially a result of: 1) the FTC’s legal case-specific lens, processes, and procedures that may be failing to see the big picture and systemic patterns of bad practices over time or across services; 2) Google and other platforms’ Section 230’s exemption from Federal regulation and immunity from civil liability; and/or 3) regulatory capture?

Bottom-line: The FTC badly needs additional privacy and data security authority from Congress to deter the rampant recidivist unfair and deceptive privacy and data security practices of Google, and other Internet platforms.

 

Summary of the FTC-Google Privacy Case Study

 

This case study of Alphabet-Google’s track record of unfair and deceptive privacy and data security practices is empirical research that spotlights the causal relationship between the FTC’s evident lack of remedial privacy and data security authority and Google’s evident privacy and data security recidivism.

 

It also provides research in support for FTC Chairman Simons’ recent testimony before Congress where he stated the FTC needs more privacy and data security authority from Congress. 

 

Chairman Simons testified: “The Commission continues to reiterate its longstanding bipartisan call for comprehensive data security legislation.” “Section 5 does not provide for civil penalties, reducing the Commission’s deterrent capability. The Commission also lacks authority over non-profits and over common carrier activity, even though these acts or practices often have serious implications for consumer privacy and data security. Finally, the FTC lacks broad APA rulemaking authority for privacy and data security generally.”

 

If the FTC had enough privacy and data security deterrent authority, it is reasonable to expect that after the 2011 FTC-Google-Buzz 20-year privacy decree, that Google would stop, or at least curtail, its unfair and deceptive practices going forward, not the exact opposite, serially repeating them at least nine times subsequently with apparent impunity.

 

Apparently, Google has little reason to fear the FTC on these matters.    

 

First, from 2004 to 2018 Google has established an evident, serial recidivist track record of unfairly, deceptively, and systemically intercepting and misusing personal communications that consumers reasonably expect are private. 

 

Seven of the most evident examples chronicled below are:

 

2004 -- Google scanning personal Gmail exchanges to serve ads without others’ knowledge or consent;

 

2010 – Google-Street View’s undisclosed secret mass-eavesdropping of home WiFi communications;

 

2013 – Google Glass enabling recording of conversations without others’ knowledge or consent;

 

2015 – Google Chrome eavesdropping tool installed on computers without knowledge or consent;

 

2015 – Google-Nest-Aware eavesdropping on home conversations without others consent.

 

2017 – Google Home Mini designed to secretly record conversations without knowledge or consent; and

 

2017 – Google-Android secretly records all device locations even if user disables all location services.

 

This is not accidental, one-off, or anecdotal. This is evidence of a lasting, purposeful, modus operandi of designing new products and services that by default unfairly, deceptively, and systemically intercept, over-collect, and misuse personal communications that consumers have a reasonable expectation are private. 

 

Second, from 2011 to 2018 Google has established an evident unfair and deceptive consumer privacy modus operandi and track record of bait-and-switch, promising and representing to the public one thing and apparently knowingly and repeatedly doing the opposite. 

 

Ten of the most evident examples chronicled below are:

 

2011 – Google Buzz social network did not give users the privacy control they represented;

 

2012 – Google completely changed its privacy policy for Google+ without users’ affirmative consent;

 

2012 – Google hacked Safari browser to track Apple’s users and serve them ads without consent;

 

2013 – Google Play shared personal info with app developers without user knowledge/consent;

 

2013 – Google Wallet shared users’ personal info with app developers without user knowledge/consent;

 

2014 – Google+ forced users to publicly associate with people they do not know without their consent;

 

2015 – Google Education made the Student Privacy Pledge, but does not abide by its representations;

 

2016 – Google-DoubleClick combined personal info and ad tracking data after promising it would not;

 

2017 – Google secretly tracked users in-store purchase activity without user knowledge/consent; and

 

2018 – Google-YouTube uses minors’ personal info without required parental knowledge/consent.

 

***

 

Disclosures: These public comments are my own. No one requested these public comments be submitted or has reviewed them prior to publication. I am Scott Cleland and served as Deputy U.S. Coordinator for International Communications & Information Policy in the George H. W. Bush Administration. I am President of Precursor LLC, an internetization consultancy specializing in how the Internet affects competition, markets, the economy, and policy, for Fortune 500 companies, some of which are Internet platform competitors. I am also Chairman of NetCompetition, a pro-competition e-forum supported by broadband interests. I have testified seven times before the Senate and House Antitrust Subcommittees on antitrust matters, twice before House Subcommittees on Privacy, and overall, eight different congressional subcommittees have sought my expert testimony a total of sixteen times. When I served as an investment analyst, Institutional Investor twice ranked me the #1 independent analyst in communications.