Who Has More of Your Personal Data than Facebook? Try Google

04/22/18 08:14 AM EDT
By Christopher Mims 

Recent controversy over Facebook Inc.'s hunger for personal data has surfaced the notion that the online advertising industry could be hazardous to our privacy and well-being.

As justifiable as the focus on Facebook has been, though, it isn't the full picture. If the concern is that companies may be collecting some personal data without our knowledge or explicit consent, Alphabet Inc.'s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps.

New regulations, particularly in Europe, are driving Google and others to disclose more and seek more permissions from users. And given the choice, many people might even be fine with the trade-off of personal data for services. Still, to date few of us realize the extent to which our data is being collected and used.

"There is a systemic problem and it's not limited to Facebook," says Arvind Narayanan, a computer scientist and assistant professor at Princeton University. The larger problem, he argues, is that the very business model of these companies is geared to privacy violation. We need to understand Google's role in this.

How Google harvests data

Lawmakers and others have asked Facebook about "shadow profiles" -- data the company gathers on people without Facebook accounts. The company doesn't use the term but does track non-users.

It's likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, CEO of TrackOff, which develops software to fight identity theft.

Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting, though, like Facebook, it continues to gather your data.

Google Analytics is far and away the web's most dominant analytics platform. Used on the sites of about half of the biggest companies in the U.S., it has a total reach of 30 million to 50 million sites. Google Analytics tracks you whether or not you are logged in.

Meanwhile, the billion-plus people who have Google accounts are tracked in even more ways. In 2016, Google changed its terms of service, allowing it to merge its massive trove of tracking and advertising data with the personally identifiable information from our Google accounts.

Google uses, among other things, our browsing and search history, apps we've installed, demographics like age and gender and, from its own analytics and other sources, where we've shopped in the real world. Google says it doesn't use information from "sensitive categories" such as race, religion, sexual orientation or health. Because it relies on cross-device tracking, it can spot logged-in users no matter which device they're on.

This is why Google and Facebook are dominant in online advertising. By pouring huge amounts of our personal data into the latest artificial-intelligence tech, they can determine who -- and where -- we really are, whether or not we reveal ourselves voluntarily.

Google fuels even more data harvesting through its dominant ad marketplaces. There are up to 4,000 data brokers in the U.S., and collectively they know everything about us we might otherwise prefer they didn't -- whether we're pregnant, divorced or trying to lose weight. Google works with some of these brokers directly but the company says it vets them to prevent targeting based on sensitive information.

While data brokers can sell this information to insurers, employers and anyone else who might be interested, many of their customers are marketers who need another component: Google's AI, which delivers "look-alike" audiences -- people similar to the ones found in the brokers' data.

How Android funnels data

Google also is the biggest enabler of data harvesting, through the world's two billion active Android mobile devices.

Since Google's Android OS helps companies gather data on us, Google is also partly to blame when huge troves of that data are later used improperly, says Woodrow Hartzog, a professor of law and computer science at Northeastern University.

A good example of this is the way Facebook has continuously harvested Android users' call and text history. Facebook never got this level of access from Apple's iPhone, whose operating system is designed to permit less under-the-hood data collection. Android OS often allows apps to request rich data from users without accompanying warnings about how the data might be used.

To be listed in Google's Android app store, developers must agree to request only the information they need. But that doesn't stop them from using "needed" data for additional purposes.

Designers call the ways marketers and developers cajole and mislead us into giving up our data "dark patterns," tactics that exploit flaws and limits in our cognition.

Google bans what it calls deceptive requests for user data, such as obscuring opt-out buttons. At issue is whether Google goes far enough. But Google itself uses what are arguably dark patterns to get people to switch to its own apps for things like email and web browsing.

Android users of the Gmail app will be asked to enable access to the device's camera and microphone again and again until they say yes. Similarly, on Android, Google Maps asks users to turn on location services -- justifiable, sure, but this enables geo-targeted ads.

All of this is ostensibly done with your permission. But it's hard to understand how even an expert could give meaningful informed consent to the average request for data, says Dr. Narayanan.

New EU privacy rules are forcing companies to make comprehensible to mere mortals what data they gather and how they use it. But in many cases, Google is pushing responsibility for obtaining data-gathering permissions to advertisers.

Will Google take responsibility?

It's not as if Google is unaware of the issues inherent in its business model. The company opposes the California Consumer Privacy Act, a November ballot measure, on the grounds that it is vague and unworkable. It would grant consumers three basic protections: "the right to tell a business not to share or sell your personal information, the right to know where and to whom your data is being sold or shared, and the right to know that your service providers are protecting your information." Even Facebook dropped its opposition to this act.

The solution may be simple: build better tools to give us a clear understanding of what we're opting into. If given clear choices, many people might be fine with their data being collected. But it's just as likely they would refuse, in ways that could affect Google's bottom line.

Write to Christopher Mims at christopher.mims@wsj.com


(END) Dow Jones Newswires

April 22, 2018 08:14 ET (12:14 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.