Google Answers G+ Privacy Questions, Declines Others
Dan Gillmore, writer, teacher, and Google+ member has been in communication with Google over the past few weeks, asking questions about security and safety of information as it pertains to Google+. As he says in his own words, "I find Google's responses (and non-responses) disappointing." As you'll see below, Google answered some key questions and uncovered a few rocks we're sure you'll be interested in seeing under. There's also a list of questions they did not reply to, and assuming Gillmore actually DID send these questions in and Google DID decline to answer, the implications are immense.
One of Gillmore's first questions is about chat and video chat, and how much Google – or anyone else not in the chat – is able to see. Google replied that the only piece of information or media collected from Hangouts (video chat) were the names of the participants, and then only so that participants could easily add these new friends to their Circles should they so wish. This, and "other usage stats" for debugging and improving the service. In the case of Chat, transcripts, says Google, are stored in your account so that YOU can search across them. By default your chat transcripts are stored, and if you do not want them stored at all, you can choose to chat "off the record."
Gillmore then submits a series of questions, each of them one after the other as follows:
Follow-up: To be clear, then: Google can record video, even though by default it does not. Correct? If a user is "off the record" can Google record it anyway?
Has Google been asked to make this service comply with CALEA (federal law requiring certain kinds of communications to be easily "wiretapped")?
Is G+ compliant with CALEA, by creating backdoor for law enforcement to see/hear/record communications?
Does Google plan to make G+ compliant with CALEA?
Is there a web page at Google that addresses all of this?
Google replies that of course there is a website, right over at [PRIVACY POLICY PAGE] for all to see. Google then goes on to say that like all law-abiding companies, they "comply with applicable laws and valid legal process, such as court orders and subpoenas." They go on to speak about data requests and how they notify affected users about requests for user data that may effect them. They go on to note the following about their 2006 court case against a Department of Justice Subpoena:
[The subpoena was for] millions of search queries on the grounds that it invaded our users' privacy. The judge ultimately ruled in Google's favor, establishing an important precedent for user privacy. And because we believe in transparency, in 2009 we launched our Transparency Report, which shows the number and types of requests we get for user data from different governments.
Gillmore follows up with a question on the matter which Google does not reply to:
Follow-up: To clarify: So Google can and will enable a government to tap/record conversations and review stored ones if a government (US or otherwise) requires this in a "valid legal process" — and the company cannot assure people that their communications are not being intercepted or otherwise reviewed. Correct?
Finally, Gillmore ends his conversation with Google with two questions on Google+ posts, asking if there's a retention policy/privacy plan, asking also if users will be able to define a purge/preserve policy for their own posts. Google replies that Google+ posts will be retained indefinitely unless a user decides to delete them. Google notes that when a user deletes data, they remove it from their systems, but that due to "various regulations and the complexity of [their] infrastructure," the total removal of said data may take some time. Google notes furthermore that in rare cases, they couple be "required by to retain data that a user has deleted."
We must assume that there's a missing word between "required by" and "to", more than likely it being "law." When pushed to answer what "various regulations" and "rare cases" were, Google again said the same thing in so many words, this final reply more than likely coming straight from their legal department:
We believe strongly that users' data belongs to users and not Google, so when you delete your data, we remove it from our systems. Note that due to various regulations and the complexity of our infrastructure, the complete removal of data may take some time, and in rare cases, we may be required by to retain data that a user has deleted. We also believe that people should be able to control the data they store in any of our products, so our Data Liberation Front has created a tool called Google Takeout, to easily download a copy of your data from Google+. Visit google.com/takeout to learn more.
Sound alright to you?
[via G+]