Google Privacy Policy. Google, Inc.16 March 2003 <http://www.google.com/privacy.html>

During recent weeks, Google has began to be vilified as the "Big Brother" of the web. While many things have converged in order to make Google the new big evil, the largest reason is its efficacy in search rankings and the power that lends to the company. Most major search engines today use the Google engine and algorithm for their results, and as a result most commerce sites via for ranking strength (a result that has followed every major search engine/we directory since the web started...Altavista, Yahoo, etc.). As Google has become a verb, more and more attention has been paid to not only its ranking methods, but its privacy and security policy for the data it collects from users. I have chosen to examine the Privacy Policy outlined by Google, and see whether or not is seems a good or bad policy based on my criteria.

Summary

Google's privacy policy covers four central issues: how they use cookies, what information they actually gather from you, how this policy effects links within Google, and who has access to all of this information.

They admit immediately that they use cookies to track your searching habits by identifying a cookie with each unique user. They also indicate that browsers have the ability to stop cookies from being set, or to alert you when one is attempting to be set (at the cost of lack of functionality). Google makes clear that the results they provide are not affiliated with Google, and they have no control over the links to other sites. They further admit that they track the click-through's to other sites, and give an example of one type of information they collect (the frequency of initial results that are clicked as contrasted with later results used).

The policy is again unspecific about who information is divulged to, only noting types and not specifics (advertisers, business partners, sponsors). According to the policy they will only release aggregate information to these, but note that they will release individual information about patrons with a court order or subpoena.

They provide an email address for questions about their policy: help@google.com

Criteria

Applicable Parties
Anyone who uses Google or any of the sites that use Google as a source for results fall under the domain of this policy. At this point, that means just about every single person who uses the web.

Clarity of Language
Very clear and easy to understand, but low on the legal details. For instance, the statement "Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute, or court order." is light on specifics...what kind of process do they have for verifying legality? Is there a process for the affected party to respond to legal threat, or will Google contact the party in question? Is there anyway for someone to discover that they are the target of legal action through Google?

Adequacy
I would judge that this policy is adequate for comforting most users and asuaging fears, but lacking in actual legal language. I worry that it is insufficient to stand up to serious challenges.

Legal Issues Covered
As mentioned several times throughout this review, the simple language of the policy is both its strength and weakness. Google basically admits throughout the policy that it will comply with an legal summons for information, and while that is certainly the correct corporate stance to take to avoid trouble with the legal system themselves, it isn't as strong as some internet companies. Some build their databases in such a way that IP and other individual identifiers simply can't be linked with any specific search, but instead simply view the numbers in aggregate. Others analyze the information, and delete the databases on a specific schedule (say, weekly or monthly) so that the details of any specific search from the past are simply nonexistant.

Other weaknesses
Instead of using cookies to identify unique users, they could gain much the same data efficacy from geolocating the users IP and referencing that for browsing patterns and search terms rather than the individual. Doing so would lower the amount of possibly sensitive information that they collected. They are also less than clear about the actual information that they gather, using phrases like "notes and saves information such as" which is open ended and unspecific. Google catagorizes the information they gather, rather than specifiying it.

Suggestions for changes

I would like to see a much sharper distinction between what information is gathered, rather than the vague types that are given. I would also like to see Google have a firm statement about purging individual records from their databases. According to the policy, they only provide aggregate information to third parties, so to protect their users from legal action by simply eliminating the information all together seems a benefiicial step.