Privacy advocates fear that interest-based advertising is just the first step toward more highly targeted advertising that draws upon everything Google knows about you. "This is a major issue, because Google has been collecting all of this information over time about people and they said they would not be using that data," says Nicole Ozer, technology and civil liberties policy director at ACLU of Northern California.
Google is not acting alone in moving toward behavioral advertising. It is simply joining many other companies that are pursuing this practice. Mike Zaneis, vice president of public policy at the Internet Advertising Bureau, acknowledges that highly targeted advertising can be creepy. But, he says, "creepiness is not in and of itself a consumer harm."
The practice is unlikely to change unless users respond by abandoning services that use the techniques, Zaneis says. But he argues that they won't, because highly targeted ads are of more interest to users than nontargeted "spam ads."
Concerns have also been raised about Google's ability to secure user content internally. Google has had a few small incidents, such as when it allowed some Google Docs users' documents to be shared with users who did not have permission to view them. But that incident, which affected less than 1% of users, pales in comparison to security fiascoes at Google's competitors, such as AOL's release of search log data from 650,000 users in 2006.
Ghosemajumder says the privacy of user data is tightly controlled. "We have all kinds of measures to ensure that third parties can't get access to users' private data, and we have internal controls to ensure that you can't get access to data in a given Google service if you're not part of the team," he says.
Bowing to pressure, Google has made other concessions as well.
Google doesn't delete server log data, but it has agreed to anonymize it after a period of time so that the logs can't be associated with a specific cookie ID or IP address. After initially agreeing in 2007 to anonymize users' IP addresses and other data in its server logs after 18 months, it announced last September that it was shortening that period to nine months for all data except for cookies, which will still be anonymized after 18 months. "All of our services are subject to those anonymization policies," says Ghosemajumder.
Critics complain that Google doesn't go far enough in how it anonymizes personally identifiable data. For example, Google zeroes out the last 8 bits of the 32-bit IPv4 address. That narrows the source down to a block of at most 256 addresses (a /24 network), typically in a specific geographic area. Companies with their own block of IP addresses may be especially concerned by this scheme, since activity can still be associated with the organization's identity, if not with an individual. And even anonymized data can become personally identifiable when combined with other data, privacy advocates say.
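To make the critics' point concrete, here is an added example (not Google's code, and not part of the original article) that applies the last-octet scheme described above to a constructed search log and then shows what the "anonymized" records still reveal. The organization-to-block table, the log records, and the organization names are all hypothetical; the address ranges are documentation ranges chosen so the example runs offline.

```python
"""Last-octet IPv4 anonymization and what it leaves behind.

Added illustration, not Google's implementation. The ownership table and
log records below are constructed; ExampleCorp and ExampleISP are
hypothetical owners of the documentation ranges 203.0.113.0/24 and
198.51.100.0/24.
"""
import ipaddress
from collections import defaultdict


def anonymize_ipv4(ip: str, keep_bits: int = 24) -> str:
    """Zero the low (32 - keep_bits) bits of an IPv4 address.

    keep_bits=24 reproduces the scheme the article describes: the last
    8 bits are dropped, so 256 addresses collapse onto one value.
    """
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - keep_bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(addr & mask))


def max_anonymity_set(keep_bits: int = 24) -> int:
    """Upper bound on how many addresses share one anonymized value."""
    return 2 ** (32 - keep_bits)


# Constructed stand-in for a WHOIS / routing lookup of who owns a block.
ORG_BLOCKS = {
    ipaddress.IPv4Network("203.0.113.0/24"): "ExampleCorp (hypothetical)",
    ipaddress.IPv4Network("198.51.100.0/24"): "ExampleISP residential pool (hypothetical)",
}


def owner_of(masked_ip: str):
    """Map an anonymized address back to the organization owning its block."""
    addr = ipaddress.IPv4Address(masked_ip)
    for net, org in ORG_BLOCKS.items():
        if addr in net:
            return org
    return None


# Constructed search-log records: (client IP, query). Not real data.
SAMPLE_LOG = [
    ("203.0.113.7",   "merger due diligence checklist"),
    ("203.0.113.7",   "layoff notice template"),
    ("203.0.113.42",  "competitor pricing 2009"),
    ("203.0.113.200", "lunch near office"),
    ("198.51.100.15", "weather"),
    ("198.51.100.99", "movie times"),
]


def anonymize_log(records):
    """Apply the last-octet scheme to every record."""
    return [(anonymize_ipv4(ip), query) for ip, query in records]


def queries_by_org(anon_records):
    """Group already-anonymized records by owning organization.

    This is the attribution the article warns about: the individual is
    gone, but the company's search activity is still clearly labelled.
    """
    grouped = defaultdict(list)
    for masked_ip, query in anon_records:
        grouped[owner_of(masked_ip) or "unknown"].append(query)
    return dict(grouped)


def effective_anonymity_sets(records):
    """Distinct original addresses actually seen behind each masked value.

    256 is only the theoretical hiding set; a small office block with a
    handful of active machines hides an individual among far fewer.
    """
    seen = defaultdict(set)
    for ip, _ in records:
        seen[anonymize_ipv4(ip)].add(ip)
    return {masked: len(ips) for masked, ips in seen.items()}


if __name__ == "__main__":
    anon = anonymize_log(SAMPLE_LOG)
    print("anonymized:", anon)
    print("by organization:", queries_by_org(anon))
    print("observed anonymity sets:", effective_anonymity_sets(SAMPLE_LOG),
          "(theoretical max", max_anonymity_set(), ")")
```

The example deliberately keeps the masking step separate from the attribution step: the first is all the scheme does, the second is what any holder of the logs plus a public block-ownership lookup can still do. Raising `keep_bits` to 16 (drop two octets) widens the hiding set to 65,536 addresses, which is the kind of trade-off the critics quoted above are asking about.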
Sensing an opportunity, and facing similar criticisms, competitors have tried to go Google one better. Rather than anonymizing IP addresses, Microsoft deletes them after 18 months and has proposed that the industry anonymize all search logs after six months. Yahoo anonymizes search queries and other log data after three months, and the Ixquick search engine doesn't store users' IP addresses at all.
Perhaps the biggest concern for privacy advocates is how the treasure trove of data Google has about you might end up in the wrong hands. It is, says Bankston, a wealth of detailed, sensitive information that provides "one-stop shopping for government investigators, litigators and others who want to know what you've been doing."