Google could tell you about its privacy practices except, well… they’re private. That’s the conclusion privacy advocates are drawing after the Federal Trade Commission took a black marker to an independent audit of the company’s privacy practices before releasing it to the group EPIC in response to a Freedom of Information Act (FOIA) request.
The FTC released a copy of a Price Waterhouse Coopers audit (PDF) of Google that was mandated as part of a settlement with the FTC over complaints that followed a 2010 complaint from EPIC about privacy violations in Google Buzz, a now-defunct social networking experiment. However, the agency acceded to Google’s requests to redact descriptions of the search giant’s internal procedures and the design of its privacy program.
“Part of that (Google Buzz) settlement requires that Google implement a ‘comprehensive privacy program,’” EPIC Consumer Protection Fellow David Jacobs wrote to Security Ledger. “Part of that settlement also requires that Google obtain ‘initial and biennial assessments and reports…from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.’”
The redacted report, dated June 22, 2012, was submitted to the FTC, but not released to the public. EPIC filed a Freedom of Information Act (FOIA) request to obtain the report, which was given to the group on September 25. The 29-page report presents the findings of a PWC audit of Google’s privacy practices covering October 29, 2011 to April 25, 2012.
The audit shows that PWC concluded that Google was acting in accordance with the terms of its settlement with the FTC. The auditing firm wrote that privacy controls were “operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information” during the covered period.
However, readers who might be curious to know more about what those privacy practices are will be frustrated, as FTC redactions blot out much of the substance of the PWC audit. As an example, in a section of the audit in which PWC responds to the government request for information about “the nature and scope” of Google’s information gathering on users, PWC describes Google’s management of log data on “a computer’s interaction with Google’s service,” but the FTC redacted all information on how Google manages log data. In a section describing Google’s handling of user account data, the PWC audit describes how the search giant manages “the information stored in connection with a Google Account that a user has created.” However, the FTC redacted all but one sentence, which reads “The user can access this data, can delete this data and can delete the account.”
FTC rules allow those submitting materials to the Commission to designate some of it confidential and request it be withheld from the public record if it would result in competitive harm. In a July 3, 2012 letter to the FTC’s Associate Director of Enforcement from the law firm of Perkins Coie, which is representing Google, partner Albert Gidari Jr. argued that the non-public information on its privacy practices, if disclosed, could be “easily used and exploited in an unfair manner by various competitors in the Internet service provider business” who were “seeking to harm Google commercially.” To help the agency along, Google submitted a redacted copy to the FTC, which it requested the Commission release in lieu of the unexpurgated PWC report.
In fact, the exact contents of Gidari’s letter are themselves a mystery, as fully a third of it is redacted from the documents released to EPIC under the Freedom of Information Act. EPIC immediately cried foul.
In a statement on its Web page, the group noted that the FTC “has withheld from public disclosure information about the audit process, procedures to assess privacy controls, techniques to identify privacy risks, and the types of personal data Google collects from users.”
“We think the redactions have gone too far here: there isn’t enough information to allow the public to evaluate the privacy assessments,” said Jacobs.
The information in an unredacted report would help privacy advocates and consumers evaluate the comprehensiveness of the privacy program and the means by which the FTC is protecting consumers against future violations. “Unfortunately, nearly all of that information has been redacted,” he wrote.