House Republican targets Google on privacy grounds

Updated at 11:58 a.m. PST Wednesday: added response from Google and links to two more letters.

A top Republican in the House of Representatives is demanding that Google answer a barrage of questions about privacy, some of which are related to the company's proposed purchase of the DoubleClick advertising firm.

Rep. Joe Barton, who has positioned himself as a privacy advocate and previously criticized the merger last month, complained in a letter to Google CEO Eric Schmidt that the company had initially agreed to let his aides visit the so-called Googleplex in Mountain View, Calif. but then didn't confirm a date. Barton is the senior Republican on the House Energy and Commerce Committee, which has Internet regulation as one of its responsibilities.

The two men met in person on November 7 and the idea of a visit came up. But then, Barton said in his letter on Wednesday, "all efforts to reach a mutually agreeable time have been rebuffed, and it begins to seem that no date for a visit is sufficiently convenient to Google. Your warm initial invitation followed by Google's chilly response to a proposed visit by Committee counsels is disconcerting."

Most of the rest of Barton's 24 questions deal with what Google does with search queries, how long information is kept, what data will be merged with DoubleClick's, and how the company performs its partial anonymization of search results. Barton asks for a response by December 18. (Unlike Ask.com, AOL, and Microsoft, Google does not delete search-related queries after 12 to 18 months. See the chart on this page for details from a survey we performed in August.)

The Federal Trade Commission is reviewing the Google-DoubleClick merger, which Microsoft and a band of pro-regulatory groups are hoping to derail. The FTC could allow the deal to proceed, attempt to block it, or attempt to impose conditions. In Europe, antitrust bureaucrats said last month that they were conducting their own investigation and would make a decision by April 2, 2008.

Google spokesman Adam Kovacevich said Wednesday that Barton's aides are more than welcome to visit the 'plex. He said the dispute was essentially over dates: Barton suggested on November 20 that his aides visit on November 27 and November 28, precisely when their Google counterparts happened to be in Florida for the Republican YouTube debate. Barton didn't suggest any alternate dates, and, Kovacevich added, the House aides said they were unable to come during early December because Congress would be in session.

Here's the November 20 letter (PDF) from Barton--much more polite than this week's--and the November 30 reply (PDF) from Schmidt.

Although Barton has talked about privacy before in terms of restricting the sale of Social Security numbers, he has not sought to assail other advertising-related mergers, some of which were larger than Google's proposed purchase. He never sent a barrage of questions to Yahoo (which bought ad firm Right Media), AOL (Adtech AG and Tacoda), or Microsoft (Aquantive and AdECN Inc.). By contrast, Barton, who counts telecommunications companies as major donors, has enthusiastically supported huge telecommunications mergers including Sprint and Nextel, AT&T and SBC, AT&T and BellSouth, and Verizon and MCI.

Even though Barton says in his letter this week that he's concerned about the "privacy implications of the merger," he has a long history of voting for legislation that has been criticized by privacy groups such as the Electronic Privacy Information Center. Those bills include the Real ID Act, the Patriot Act, another bill to expand Internet surveillance performed without a court order, and a requirement to disclose federal agencies' data-mining programs to the U.S. Congress. (Barton opposed that last requirement.)

Barton's letter to Google
Here's the text of the letter, which Barton provided to CNET News.com. I'm including it below because it doesn't seem to be up on Barton's Web site:

December 12, 2007

Eric Schmidt, Ph.D.
Chairman of the Board and CEO
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043

Dear Dr. Schmidt:

On Tuesday, November 6, you visited my office and we discussed a number of topics relating to the online world and Google, in particular. One of these topics was the pending merger of Google and DoubleClick. As you will recall, I voiced concern regarding the potential consumer protection and privacy implications of the merger. You seemed to recognize those and similar concerns as legitimate, and graciously offered assistance to my staff to learn about your company's and the broader industry's current search and targeted advertising practices, as well as the potential ramifications of combining these two functions. This information will be vital as we begin to craft sound policy to appropriately protect consumer information and online behavior.

Your assistance would be a valuable asset in crafting this policy and I attempted to accept your offer. On November 20, I wrote Google corporate officials to request that two counsels from the House Energy and Commerce Committee staff be permitted to visit your California headquarters offices, at Committee expense. The purpose of this trip was to learn first-hand about existing search and targeted advertising technology, what information may be garnered through the use of this technology, how that information is used, and, most importantly, how that information could be used. Google officials with whom we spoke deemed the dates inconvenient, and the request was denied. Since then, all efforts to reach a mutually agreeable time have been rebuffed, and it begins to seem that no date for a visit is sufficiently convenient to Google. Your warm initial invitation followed by Google's chilly response to a proposed visit by Committee counsels is disconcerting.

To help us better understand the privacy and consumer protection implications of this transaction, please respond to the following questions:

1. Please describe Google's retention policy with respect to the following data. Include in your response a description of the type of data retained (for example, URL, Internet Protocol [IP] address, date, time of connectivity); the length of time the data is retained; where the data is retained; who has access to the retained data; and how the data is removed, deleted, or anonymized once the retention period lapses.

a. Search queries on Google search;
b. Search queries on Google maps;
c. Search queries on Google news;
d. Search queries on Google images;
e. Email sent, received, or drafted on Gmail;
f. Information or data collected or retained through a website's use of Google Analytics;
g. Information or data collected or retained from an individual's use of Google Desktop Search, including the Google Desktop Search feature, Search Across Computers;
h. Google Maps for Mobile;
i. Google Web History Program for registered Google users/Google users with sign-in accounts;
j. Information or data collected or retained from an individual's use of Picasa;
k. Information or data collected or retained from an individual's use of Calendar;
l. Cookies.

2. Please explain how Google uses the information or data described in Question 1(a) - (l), including, but not limited to, the following uses: perfecting Google's search algorithm; operating Google's advertising programs such as AdWords and AdSense; and research or analysis of user activity on www.google.com.

3. Please explain the need to retain collected information for the length of time described in your response to Question 1.

4. Please explain how Google uses the information or data described in Question 1(a) - (1), or any additional data, to drive or target advertisements to individual users' computers.

5. In particular, please explain whether Google Maps directs advertisements to IP addresses based on that user's Google Maps search query history.

6. Please explain how and why information is combined or shared across platforms when consumers opt-in for personalized services and whether Google first requires consent prior to such information-sharing. (For instance, whether search query data is shared with or linked to a user's Gmail account.)

7. Please identify the sections of Google's privacy policy that address the retention and use of the data described in Question 1(a) - (l).

8. Please explain the technology called "rich media" or "interactive multimedia," how this technology works, and what information may be collected by its use.

9. Please explain whether Google utilizes such technology.

10. Please explain whether Google posts a link to its privacy policy on the home page or search results page of www.google.com and, if not, explain why not.

11. In Google's privacy policy, "personal information" is defined as "information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data which can be reasonably linked to such information by Google."

a. Please describe how Google interprets "reasonably linked."
b. Please explain in what circumstances Google links information
such that an individual can be identified.
c. Please explain whether Google considers an IP address to be "personal information."
d. Please explain whether technology exists to personally identify or determine the personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user's IP address.
e. Please explain whether Google is capable of identifying or determining personal characteristics, including, but not limited to, name, email address, physical address or location, age, gender, or ethnicity of an Internet user based on that user's IP address.

12. Please define the term "anonymization" as related to the data collected as described in, but not limited to, Question 1(a) - (l).

13. Are Google's practices described in response to Question 12 consistent with industry-wide practices? If not, please describe any variance.

14. Please describe how Google anonymizes IP addresses.

15. Please describe how Google anonymizes cookie data.

16. Please explain whether Google has the capability or has attempted or plans to attempt to combine or merge the data described in Question 1(a) - (l).

17. Please define tracking cookies, which may track users across multiple websites, and how they function.

18. Please explain whether Google uses the tracking cookies described in response to Question 17. If the answer is no, please describe how Google's cookies are distinct from those described in Question 17.

19. Please explain whether Google's cookies reset and, if so, how and when the cookies reset.

20. If the merger of Google and DoubleClick is approved, please describe what use Google plans to make of the data retained and collected by DoubleClick (for example, data from DoubleClick's tracking cookies or DoubleClick click-stream data), and whether Google plans to combine or merge DoubleClick's data with data Google retains from individual search queries and other user activity on www.google.com.

a. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please describe the efficiencies of the Google-DoubleClick merger. b. If Google does not intend to merge or combine the data Google retains with the information or data retained or collected by DoubleClick, please explain how the information will be segregated.

21. Please describe how Google defines "behavioral targeting."

22. Please describe your understanding of the broader industry's definition of "behavioral targeting."

23. Please describe Google's understanding of the Asia-Pacific Economic Cooperation (APEC) guidelines and how the guidelines would apply to Google's practices, including, but not limited to, those functions described in Question 1(a) - (l).

24. The House passed the Securely Protect Yourself Against Cyber Trespass (SPY ACT) in the current and prior two Congresses. The SPY ACT, H.R. 964, sponsored by Representatives Mary Bono and Adolphus Towns, mandates an opt-in privacy regime by prohibiting the collection of personal information from a computer without a user's notice and consent prior to the execution of any information collection program. H.R. 964 also demands that a user be able to easily remove or disable the information collection program. Please explain whether Google's applications are subject to H.R. 964's consent requirements. If the answer is no, please explain why these programs, which collect personal information, are not subject to the consent regime established by H.R. 964.

As I mentioned above, I believe Google's participation in our research into and consideration of the consumer protection implications of a merger of any online search engine and any behavioral or targeted advertising firm is vital to crafting sound national policy. In furtherance of this goal, I hope that we may achieve your response to the above questions no later than Tuesday, December 18, 2007.

Sincerely,
Joe Barton
Ranking Member

cc: The Honorable John Dingell, Chairman
The Honorable Bobby Rush, Chairman, Subcommittee on Commerce, Trade, and Consumer Protection
The Honorable Cliff Stearns, Ranking Member, Subcommittee on Commerce, Trade, and Consumer Protection
The Honorable Ed Markey, Chairman, Subcommittee on Telecommunications and the Internet
The Honorable Ed Whitfield, Member
The Honorable Deborah Platt Majoras, Chairman, Federal Trade Commission

(Disclosure: Declan McCullagh is married to a Google employee.)