Chris Soghoian, a well-known privacy advocate and former Federal Trade Commission technologist, has filed a complaint with the FTC asking that the commission force Google to amend its privacy policy to reflect what he says are shortcomings in the company’s protection of data related to consumers’ searches.
The complaint, which Soghoian filed with the FTC in early September, concerns the way that Google handles referrer header data that it passes on to other sites. The data is sent to sites that users visit after they click on a link on a search result page and can contain detailed information about exactly what search terms the user entered. In some cases, that data could include sensitive information such as a credit card number or Social Security number if a consumer was searching to see if his data had been exposed online.
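As an added illustration (not code from the article, from Soghoian or from Google), the sketch below takes the position of a site that receives such referrer headers: it shows which search terms a stored Referer value exposes and rewrites access-log lines so that only the referring site's origin is kept. The parameter names in `SEARCH_PARAMS`, the combined log format and the sample line are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

SEARCH_PARAMS = ("q", "query", "p")   # assumed names of search-term parameters
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Combined log format: ... "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<head>.*?" \d{3} \S+ ")(?P<ref>[^"]*)(?P<tail>" ".*")$')

def luhn_ok(digits):
    """Luhn checksum, to tell card-like numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def search_terms(referer):
    """Return the search terms a Referer value exposes, or None."""
    params = parse_qs(urlsplit(referer).query)
    for name in SEARCH_PARAMS:
        if name in params:
            return params[name][0]
    return None

def classify(terms):
    """Label search terms that look like an SSN or a payment card number."""
    if SSN_RE.search(terms):
        return "ssn-like"
    for m in CARD_RE.finditer(terms):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "card-like"
    return "other"

def scrub_referer(referer):
    """Keep only scheme and host, dropping path, query and fragment."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/" if parts.netloc else referer

def scrub_log_line(line):
    """Rewrite one access-log line so the stored referrer has no query."""
    m = LOG_RE.match(line)
    if not m:
        return line  # unrecognised format: leave the line untouched
    return m["head"] + scrub_referer(m["ref"]) + m["tail"]

# Constructed sample line; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = ('203.0.113.7 - - [01/Sep/2010:10:00:00 +0000] "GET /paste/991 HTTP/1.1" 200 512 '
          '"http://www.google.com/search?q=4111+1111+1111+1111" "Mozilla/5.0"')
```

Running `scrub_log_line` over logs before they are stored or shared keeps the referring site visible for analytics while discarding the visitor's query.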
Soghoian said in a blog post explaining his complaint that while there is nothing illegal about Google leaking the referrer data to third parties, the company makes no mention of the practice to consumers. Further, he says that Google has statements in its privacy policy that seem to preclude its sharing of user data in this way. He points to three “limited circumstances” in which Google says it may share users’ personal data: when the company has a user’s consent; in order to allow trusted third parties to process the data on Google’s behalf; or in response to requests from law enforcement or other similar cases.
“The widespread leakage of search queries doesn’t appear to fall into these three ‘limited circumstances.’ Perhaps Google doesn’t consider search query data to be ‘personal information’?” Soghoian wrote.
In an interview, Soghoian said that Google has gone out of its way to continue providing referrer data to other sites and it should be required to explain that to consumers, who, in general, have little idea how much of their data is shared and with which sites.
“It’s not like I just discovered referrer headers. I understand how this works. It’s been in the standard since 1996. The real issue is that there have been three times when Google accidentally stopped providing referrer data in headers, and each time the SEO community freaked out and Google said, sorry, we’ll give you even more data,” he said. “Now, they include data about where on the page the link was clicked on, whether it’s the third or fourth result. That’s a strong signal. Google is spending engineering time on this. This is a willful practice.
“Google positions itself as the company that does better on privacy. They give the impression to consumers that they do better than this,” Soghoian said. “The leakage of referring data is sketchy. Privacy invasive practices that rely on user ignorance are in and of themselves inherently evil.”
Google is not the only search engine that shares referrer data with third parties, but Soghoian’s complaint centers on the seeming disconnect between the sharing of that data and the way that Google addresses user data in its privacy policy.
“If Google wants to share its users’ search query data with third parties, there is nothing I can do to stop it. That practice, alone, isn’t currently illegal. However, the company should not be permitted to lie about its practices. If it wants to share its customers’ search queries with third parties, it should disclose that it is doing so. Even more so, it shouldn’t be able to loudly, and falsely proclaim that it is protecting its users’ search data,” Soghoian wrote.
“However, since the company has for years bragged about the extent to which it protects its customers’ data, I think that it should be forced to stand by its marketing claims. Thus, I have petitioned the FTC to compel the company to begin scrubbing this data, and to take appropriate steps to inform its existing customers about the fact that it has intentionally shared their historical search data with third parties. This, I think, is the right thing to do.”
In the interview, Soghoian said he expects Google to change its practices, one way or another.
“I filed the complaint with the FTC because I worked there and I understand the process. But the FTC isn’t the only game in town,” he said. “There’s the Canadian authorities, there are state AGs, the European regulators. The purpose was to get the information and the facts out there. Either Google will quickly come to its senses or they’re facing a long, drawn-out battle.”