May 10, 2011
The FTC's Proposed Settlement With Google Over Buzz Privacy Breaches
[Post by Venkat Balasubramani with additional comments from Eric]
[Eric's note: This topic festered in my blogging queue for far too long, so we are finally posting this after the FTC's comment window closed. Nevertheless, this is such an interesting and important settlement that it's worth reviewing at this late date.]
The FTC proposed a tentative settlement with Google over Google's ill-fated rollout of Google Buzz. The settlement includes the following terms:
No misrepresentations: The proposed agreement prohibits Google from making any misrepresentation regarding its information collection and use, and "the extent to which consumes may exercise control over the collection, use, or disclosure of covered information."
Develop a privacy program: Google is mandated to develop a "comprehensive privacy program", and appoint a privacy czar who must, among other things conduct ongoing risk assessments, implement reasonable controls and procedures, and evaluate and adjust its privacy program in light of the results of any monitoring or any material changes.
Ongoing assessments: Google must obtain biennial assessments from third party experts regarding Google's "privacy controls," and how the controls are appropriate, and are implemented to meet the requirements of the settlement.
Record keeping requirements: Google has to comply with ongoing record keeping requirements, including of its own privacy pronouncements, consumer complaints, any documents that question its compliance with the settlement, and underlying data used to prepare any assessments.
This looks similar to the settlement Twitter and the FTC entered into over Twitter's privacy (and security) practices. ("The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?") Both agreements impose a variety of fairly onerous obligations on the companies for a fairly long period of time. The FTC's proposed agreement with Google imposes significantly more obligations on Google than its settlement did with Twitter and it applies across the board to all of Google's various initiatives. (This includes YouTube, Google street view, Android etc.) I did not pick up on this at first, but Commissioner Rosch concurred but issued a separate statement speculating about Google's own anti-competitive motivations in agreeing to restrictions that would make it harder for potential entrants into the field. ("Concurring Statement of Commissioner J. Thomas Rosch" [pdf].) Professor Goldman comments on this below, but maybe Google wanted this consent decree to be extraordinarily broad in its application?
I don't have a sense of the inner workings of an agency and what sorts of considerations go into bringing an enforcement action, but this seems over the top. Google acknowledged that its rollout of Buzz was fumbled - I don't think anyone thinks this was some nefarious plot to get everyone to share their email addresses and contacts and then exploit this information sharing. Apart from the outcry from privacy advocates, the service received a tepid response and was pretty much a flop. Google took reasonably prompt action in response to user outcry. I doubt this type of a botched rollout will happen to Google again. If there was ever a situation where a slap on the wrist would have been appropriate, this is it. Instead, Google is subjected to potentially onerous ongoing compliance obligations, and the failure to follow any one of these will result in a potential call from the FTC.
It's also odd that Twitter and Google who are viewed to be on the more privacy-friendly end of the spectrum are both under FTC jurisdiction for twenty or so years when the FTC hasn't taken action against Facebook. If anyone should be jumping through hoops and filing periodic reports with the FTC about privacy, it should be Facebook! [I'm sure Apple is viewing this with interest, in light of the ongoing commotion over its location tracking. (See "Apple Blames Bug For Extensive Location Tracking.")] As Professor Goldman points out, maybe this is part of an FTC strategy to bypass Congress when dealing with online privacy in general. When and if this settlement is approved, the FTC will have two of the biggest companies in the space under its thumb. It only has a few more to go before all of the major players are accounted for.
Two specific observations about the language of the agreement.
The definition of "covered information" includes:
(a) first and last name; (b) home or other physical address, including street name and city or town; (c) email address or other online contact information, such as a user identifier or screen name; (d) persistent identifier, such as IP address; (e) telephone number, including home telephone number and mobile telephone number; (f) list of contacts; (g) physical location; or any other information from or about an individual consumer that is combined with (a) through (g) above. [emphasis added]
This language is slightly different from the language in the privacy bill recently proposed by Senators McCain and Kerry. The proposed bill does not treat an IP address as personally identifying information but instead uses the term "unique identifier information that alone can be used to identify a specific individual." This may indicate a slight but potentially significant difference in the way that Congress and the FTC view an IP address as being "personally identifiable information".
The language also references "information [Google] collects from or about an individual." Initially, I assumed that the parties intended to refer to information Google collected while an end user is using one of its products or sites or information that is provided to Google by an end user, and not include the information Google "collects" about an individual. This latter category includes a whole lot more than information individuals provide to Google while using any of its products or services (e.g., information Google collects when it crawls the web). An FTC chat on Twitter regarding the proposed settlement makes clear that the FTC intends that any information Google collects about an individual is covered. (See FTC's "March 30 Twitter Chat regarding the proposed settlement with Google" [pdf], A5.)
There's also the issue of the class action over Buzz which Google settled which is awaiting final approval from the trial court. ("Google Settles Buzz User Privacy Litigation.") The lawyers are entitled to up to $2.5 million from the settlement, but the settlement did not extract from Google 1/10th of the provisions as the ones in the FTC's proposed settlement. If there was ever a situation that highlights the need for scrutiny of lawyers' fees in privacy class action, this is it. (As a sidenote, EPIC whose complaint prompted the FTC inquiry is objecting to the proposed settlement in the class action.)
To me, one fact about the FTC-Google settlement stands out above all others: Google isn't paying a dime to the FTC. Given that Google already paid $8.5M to settle the civil lawsuits and the fact that very few (if any) consumers were actually harmed by the botched Buzz launch, a no-cash settlement with the FTC is logical. But it still leaves me pondering: if it wasn't looking for cash, why did the FTC initiate an enforcement action in the first place?
One possible answer is that the FTC is using this settlement to establish de facto legislation without having to deal with Congress, and it found a pliable target who thinks de facto legislation could help increase barriers to entry for its competition. After all, Google is already doing some of the things required by the settlement; but maybe Google's competitors aren't, in which case agreeing to the settlement has the backdoor benefit for Google of raising its competitors' costs. Commissioner Rosch hints at this possibility in his concurring statement.
Like Venkat, I see the similarities between this settlement and the Twitter settlement. Both involved Silicon Valley companies, both were no-cash deals and both involved lengthy behavioral restrictions. Another hypothesis to explain the enforcement action is that the FTC has had it with the Silicon Valley "cowboys," so it is going to lock down the leading Silicon Valley companies, one-by-one if it has to, into settlement agreements that give the FTC greater control over their activities. If this hypothesis is correct, then this settlement apparently has plenty of implications for Facebook and Apple and other leading Silicon Valley Internet companies--the FTC *will* be calling at some point based on some "technical" breach of the FTC Act, looking to put you under their thumb too.
I would also link this settlement with the DOJ's conditions on the Google-ITA merger, which also imposed substantial reporting requirements on Google. Maybe the DC powers-that-be are craving deeper looks into key Silicon Valley companies, and the reporting requirements give these regulators lots of extra information to improve the future ability to bust Google whenever they want.
The "fencing-in" part of the settlement is also particularly interesting. The actual commitment by Google--get express opt-ins for secondary data uses--isn't earth-shattering; it's always been my position that such permission was legally required anyway. However, the requirement in the settlement agreement has two implications.
First, the restriction applies across Google's entire organization for the next 20 years. If any part of Google violates the restriction, even accidentally, then the FTC comes a-callin' for a violation of the settlement agreement rather than an enforcement of the FTC Act from scratch. Procedurally, this puts the FTC in a more advantageous position to turn the screws on Google if there's a slip-up; or stated differently, Google has less room for minor errors than its competitors.
Second, Internet technologists widely believe that it's OK to launch half-baked web services on a beta basis and quickly iterate to fix any issues identified by the beta test. This approach doesn't work from a legal standpoint. If a beta version of an Internet service has a privacy problems, the privacy plaintiffs' bar will swarm all over the company like flies to honey; the "but it was only a beta test" defense is legally irrelevant. This settlement, and the de facto legislation binding Google, is an indication that the FTC won't give anyone a free pass for botched beta launches either. Ultimately, this standard may be a good thing; companies should resolve issues before they put their users at risk. On the other hand, making new services error-proof before they go live is hard, and doing that level of fit-and-finish makes the innovation cycles harder. Unquestionably, the innovation process at Google will get gummier due to this settlement.
Admittedly, it's hard to feel sorry for Google in this situation. After all, I could comfortably live the rest of my days on only 0.1% of their 2010 profits, and their Buzz offering was misarchitected and too addled by Facebook envy. But given Google's large cash settlement of the civil lawsuit and the seemingly complete failure of Buzz in the marketplace, I don't see how the FTC's appearance at this party was either necessary or desirable. Thus, I still have this queasy feeling that the FTC settlement isn't designed to advance the public interest.
Posted by Venkat at May 10, 2011 09:03 AM | Privacy/Security