I have long been a fan of anonymous tracking versus personalized tracking. As long as my Internet activities are aggregated with those of others and kept anonymous, I don't really mind the information about where I go and what I look at being used to improve my experience by presenting more targeted offers. When I care, I use a non-trackable search (like Duck Duck Go) and I use the "don't track me" features of the browser I use when I am doing private things. At particular trusted web sites, I log in and divulge my identity in order to interact as a trusted customer and to have access to my past transactions and customer service records. But for decades, we U.S. consumers have had a semblance (not a guarantee) from the online advertising industry that the information that is scooped up about our wanderings and searches on the Internet is non-identifiable to us as individuals; rather, it is aggregated into various personas and cohorts and used for ad and content targeting.
Is this a naive view of Internet reality? Yes. It's the "put a bag over my head so I don't have to really think about who can see everything there is to know about my life and my interests" approach to Internet usage, which is probably the norm among non-paranoid Americans. Of course, deep down, we ALL know that law enforcement, government agencies, criminals, hackers, or just smart snoops can find out everything there is to know about us. We would prefer to believe that nobody cares enough about us to bother.
When Google acquired online advertising powerhouse, DoubleClick, in 2007, we were all concerned that Google would merge the information it already had about our search activity, our email content, and our identities, with the detailed tracking of everything we do on every website that DoubleClick uses for its ad placement services. We all knew that by using Google's tools, we were on a slippery slope. We were trading our right to privacy for free services and convenience.
I blogged about the state of online privacy and my concern about Google during the Google/DoubleClick merger. After describing the current state of online privacy and summarizing customers' concerns, I concluded:
"Make Opt Out the Default; Let Me Opt In; Don’t Identify and Track My Searches, Activities, and Transactions Without My Permission"
"Here’s my bottom line. I have opted into personalized search for Google, and I know I can control it. I expect the merchants with which I have dealings to maintain a history of our transactions together. And I demand that that transaction history is private to me (and/or my firm, if it’s a business transaction). I own that information. It’s mine. Nobody should be allowed to sell, mine, or otherwise use my personally identifiable trail of activities unless I explicitly opted in. Not 18 months from now, but now."
Then, in 2012, after the social media platforms had completely changed the game, I circled back to Google et al, in a blog post entitled: "How can you keep Facebook, Google, et al from Tracking You and Your Friends." Among the things I said in that post, that I still stand by are the following:
"I’m not complaining about the trade-off between using free services and receiving targeted ads in exchange."
"I AM complaining about the routine collection of very detailed information about each of us—logs that are not anonymous but connected to our identity, our computers/phones and our physical location, and the actual activities we’re doing online. These are logs that are not only able to be used by Google and Facebook for ad placement, but they can also be used by any entity that claims it has the legal right to spy on any of us."
"I am ALSO complaining about how difficult it is for customers to:
a) Know exactly what is being tracked
b) Understand how to turn off tracking
c) Keep the people in our social network from inadvertently violating our privacy
d) Keep applications and other websites that are “in” these companies’ networks from compounding the problem by adding their own tracking and aggregation on top of what is already being tracked about us."
For nearly a decade, Google did in fact keep DoubleClick’s massive database of web-browsing records separate by default from the names and other personally identifiable information Google has collected from Gmail and its other login accounts.
But last summer, Google erased the last semblance of anonymous tracking. And it went unnoticed, until late October when Julia Angwin sounded the alarm. The change was enabled by default for new Google accounts. Existing users were prompted to opt-in to the change this summer. But the prompt was innocuous and misleading.
On October 21st, Julia Angwin's article entitled Google has Quietly dropped Ban on Personally Identifiable Web Tracking appeared in the Investigations section of ProPublica. After pointing out that industry watchers had apparently missed this major shift in Google's privacy strategy, she wrote:
"This summer, Google quietly erased that last privacy line in the sand – literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use Gmail and other tools."
The practical result of the change is that the DoubleClick ads that follow people around on the web may now be customized to them based on your name and other information Google knows about you. It also means that Google could now, if it wished to, build a complete portrait of a user by name, based on everything they write in email, every website they visit and the searches they conduct."
"The move is a sea change for Google and a further blow to the online ad industry’s longstanding contention that web tracking is mostly anonymous. In recent years, Facebook, offline data brokers and others have increasingly sought to combine their troves of web tracking data with people’s real names. But until this summer, Google held the line."
“'The fact that DoubleClick data wasn’t being regularly connected to personally identifiable information was a really significant last stand,' said Paul Ohm, faculty director of the Center on Privacy and Technology at Georgetown Law.'"
“'It was a border wall between being watched everywhere and maintaining a tiny semblance of privacy,” he said. “That wall has just fallen.'”
For existing users, Google's change in its privacy policy went largely unnoticed. Google apparently sent out an email to all of us telling us about "some new features for your Google account." I don't know about you, but I don't recall receiving it and if I did, I never clicked on it. It seems to me that the least Google should have done was to say: "We have changed our privacy policy. Please opt in or out." That would have gotten my attention.
Comments