The proposed FTC-Google privacy settlement of EPIC‘s privacy complaint has many important, surprising, and far-reaching implications.

I applaud the FTC for taking Google’s privacy misrepresentations and deceptions so seriously and look forward to the FTC rigorously enforcing this landmark consent order.

Summary of Takeaways:

  1. Google is now officially the #1 online privacy offender in the U.S.
  2. This order is more about enforcing fair representation than enforcing privacy.
  3. Don’t expect public transparency about privacy problems found in the privacy audits of Google.
  4. There is a big disconnect between what the FTC thinks this order means and what Google thinks it means.
  5. The FTC will have to ride herd on Google to get it to abide by this privacy order, because it goes against Google’s privacy averse culture.
  6. FTC Commissioner Rosch’s instincts are right in his concurrence; Google is gaming the privacy settlement for a regulatory competitive advantage.
  7. The FTC should focus privacy auditors on Google’s representations that it does not track Android users movements without their permission — when it does.

1.   Google Officially #1 Privacy Offender. Google has submitted to Court supervision of the strictest privacy consent order in U.S. history. Per the FTC release: “This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework…” [Bold added]

  • This strictest-ever official FTC privacy order effectively affirms Privacy International’s 2007 survey that ranked Google worst in the world on privacy, and my 2008 Congressional testimony analysis which concluded that Google is the “single biggest threat to Americans privacy.”

Contrary to Google’s official assertion that the FTC announcement will “put this incident behind us,” this announcement is only the beginning of an effective twenty-year sentence, or supervised parole, for Google’s Federal privacy violations.

  • To understand the real world effect of this FTC order, think of Google as an admitted privacy offender that has entered into a plea bargain where Google agrees to FTC/Court privacy supervision going forward for twenty years in return for the essentially absolving Google of liability for its past privacy violations.
    • Think of the the FTC’s enforcement bureau as Google’s parole officer and privacy rehabilitation boss.
    • And think of the Federal Court that will oversee this proposed consent order as The Enforcer, that can hold Google in contempt of court if it does not obey the FTC’s implementation of this order.

2.   More about fair representation than privacy. Make no mistake, while the headlines focus on privacy, this order is really about enforcing fair representation and preventing deceptive privacy practices by Google and others, than it is about privacy directly.

  • This is an important distinction to appreciate, because this means that Google will have to honor its public privacy pledges, but not necessarily implement any privacy policies that they do not want to implement.

3.   Don’t expect transparency from this order. One of the biggest concessions Google won is essentially a Gag order on the FTC.

  • Under the agreement the FTC cannot inform the public anything that is learned from the independent privacy audits.
  • If the audits find non-compliance with the order, Google will have to correct them after the fact, but the public has no right to know it happened under this agreement.
  • The only time the public may learn about problems is if the FTC has to go to Court to ask for a contempt of court citation.

4.   Big FTC-Google disconnect over what settlement means. All is not well here, because there is an obvious disconnect between what Google at large thinks Google agreed to, and what the FTC thinks Google agreed to. While the FTC made a big splash about the importance of this enforcement action, there is a lot of evidence that Google at large is not taking this consent order seriously.

  • Per the New York Times, Google’s spokesperson said: “We don’t see this as being a significant change in how we run our business because this is the standard we hold ourselves to already.”
    • (Hmmm… if that were true, why was a settlement necessary at all?)
  • Google’s official statement was a blog post, not from Google’s General Counsel who signs the FTC consent order or any Google senior executive, but a lower level Google privacy functionary.
    • Moreover, the blog post characterized the FTC action as “an agreement with the FTC” with no link to any of the official documents.
  • It is supremely ironic that Google’s public statement totally missed the FTC’s misrepresentation point, by largely misrepresenting, and deceiving the public, about what really happened with the FTC.

5.   FTC will have to ride herd on Google. The FTC should be under no illusion that Google will comply with this order the way the FTC expects.

  • Google has a well-known, deeply-ingrained cultural aversion to asking for permission from anyone outside of Google for most anything.
  • Google views its innovation without permission ethos as a divine right to do what it views as best for others.
  • Organizations don’t change their core values that comprise a key part of their identity, unless they want to change or are forced to change.
  • Google will only improve privacy compliance to the extent the FTC enforcement staff rides herd on Google, and the FTC should be under no illusion that they are riding herd on Google cattle who are naturally herdable animals.
  • Google’s employees are more like cats, who naturally do what they please. It is predictable that the FTC will find enforcing this consent order to be like cat-herding 101.

6.   Commissioner Rosch is right; Google is gaming this settlement. In his concurring statement, FTC Commissioner Rosch shrewdly discerns something is awry in the settlement, because Part II of the order “is contrary to Google’s self-interest.”

Commissioner Rosch figured out what Google is really up to when he asked rhetorically: did Google agree to the order “in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors?” Bingo! Sure Google did.

  • Simply, Google agreed to private information restrictions that would cost Google nothing, but could cripple its rival Facebook, if they were to be applied to Facebook. (Google knows Facebook is next in line for FTC privacy enforcement action.)
  • In the simplest terms, Part II if applied to Facebook, would permanently lock in Google’s competitive advantage over Facebook, because Google’s business model and plans never envision sharing private information with third parties but Facebook’s business does.
    • That’s because as a search advertising monopoly that has vertically integrated over 500 products and services, the Googlomerate is the ultimate Internet one-stop-shop that needs no third parties because Google can do everything in-house.
    • In stark contrast, Facebook’s business and monetization model is nowhere near as mature as Google’s, so Facebook still has dependence on third parties to monetize its traffic and user activity.
      • For example, a key revenue stream for Facebook is games, which is a business arrangement more susceptible to third party sharing of private information.
      • How does Google know this?
      • Google is one of the largest investors in Zynga, the leading game provider to Facebook.

Commissioner Rosch’s instincts are right.

  • Google is cleverly gaming this privacy enforcement action to get the FTC to unwittingly help preserve Google’s monopoly market position by regulating Facebook, its primary social media competitor and rival, in such a way that Facebook could not competitively challenge Google.

The FTC would be wise to revisit Part II of this agreement to ensure that, in its eagerness to try and establish a new privacy baseline for the industry, the FTC does not competitively reward and entrench Googleopoly, and thwart and punish Google’s competitors.

  • The right thrust of Part II would have been to get Google to forthrightly inform their users how much private information Google collects on them, and how the user can get that private information permanently deleted.
  • This would be a consumer-driven and competitively/technologically neutral Part II, rather than a policy that implicitly has the FTC picking winners and losers.

7.  Audit Android’s tracking of users’ movements without permission. After prematurely dropping the Google WiSpy privacy investigation, this order’s audit mechanism provides the FTC an opportunity to redeem itself.

  • One of the deceptive Google privacy practices most in need of a privacy audit is comparing Google’s representations to Android and Latitude users about how Google tracks them and how they can opt out of tracking — with how Google actually tracks Android device movements without users’ permission — in order to map WiFi signal locations.

In sum, the FTC deserves praise for strongly enforcing fair representation law and for providing itself with Court-enforcement powers to force Google to improve its privacy protections.

  • However, the FTC should be under no illusion that it will be easy to secure compliance from Google on privacy.
  • Culturally, privacy has never been important or a priority at Google.

Expecting Google to respect privacy is like expecting an invertebrate to respect backbone.

 

Why is there a selective political fixation on AT&T-T-Mobile’s ~43% combined market share when so many related markets are dramatically more concentrated, less competitive, or even monopolized?

  • This blatant competition double standard originates from the political agenda of the FreePress/Silicon Valley net neutrality regulatory complex that seeks a broadband industrial policy — to create an information commons and generate tens of billions of dollars in implicit bandwidth subsidies for Silicon Valley special interests.

When the FCC does the “data-driven analysis” that it claims to value, it will discover a blatant competition double standard where broadband critics gerrymander and torture broadband market share statistics to raise the specter of a broadband “opoly” — to justify broadband regulation.

  • It is telling that opponents have to bring Verizon, which has nothing to do with the AT&T-T-Mobile transaction, into the equation in order to manufacture market shares of concern.
  • The outrageous and unsubstantiated implication of opponents’ “Ma Bell duopoly” narrative here is that broadband competitors will anti-competitively collude, when all the evidence is that Verizon, AT&T, Sprint, Metro PCS, Leap Wireless and others compete fiercely and relentlessly in multiple dimensions: price, value, device choice, quality, technology, plans, and innovation.

The opposition to this transaction is obviously political and a trojan horse to advance more net neutrality regulation to replace the broadband competitive marketplace with a regulated “information commons” that bestows billions of dollars in bandwidth subsidies on powerful Silicon Valley special interests and political allies.

It is easy to test if concern about AT&T-T-Mobile market share is based on merit and the facts or whether it really is political and a stalking horse for more net neutrality regulation — like was imposed on Comcast-NBCU as the price for that transaction’s approval.

Simply ask opponents of this transaction if they are concerned or doing anything about:

The brief illustrative data-driven analysis above proves that there is a blatant competition double standard.

  • There obviously is a political campaign that focuses only on the unlikely potentiality of competition problems in broadband, while those same people totally ignore the very real and documented problems of lack of competition among Silicon Valley special interests who provide the funding for the net neutrality regulatory complex.

If people want to be credible in raising concerns about competition in certain markets they need to be consistent in raising concerns in any related market that has competition, dominance, or monopoly problems.

In sum, this blatant competition double standard has one obvious cause: the net neutrality regulatory complex, which is propelled by the twin engines of FreePress’ information commons political agenda and Silicon Valley special interests’ economic agenda for massively subsidized bandwidth.

Despite Sprint and Clearwire opposing the proposed AT&T-T-Mobile acquisition, expect the DOJ and FCC to approve it, because the DOJ appreciates the facts of vibrant wireless competition and because the FCC will come to appreciate how the transaction actually helps solve many of the FCC’s highest priority problems.

As a veteran analyst, who has closely covered most all of the roughly two dozen major communications mergers since the 1996 Telecom Act, it is easy to cut through the critics’ standard, hyperbole and histrionics — that they use to attack every major communications merger — to get to the rub of this matter.

  • The rub here is twofold:
    • First, the market competition facts of this transaction and the DOJ’s many analogous precedents from previous similar mergers, provide no basis for the DOJ to try and block this merger; and
    • Second, the communication policy facts of this transaction will help solve many of the FCC’s highest priority problems: promoting universal broadband, mitigating spectrum exhaust, accelerating broadband adoption, and promoting economic growth and competitiveness.

Like I blogged that the Comcast-NBCU merger would get approval when the hyperbole and histrionics were similarly over the top and not credible, this acquisition ultimately will gain government approval.

  • It is only a matter of how long it will take and what concessions special interests will be able to extort as the transaction runs through the FCC’s outrageously long approval gauntlet.

I. Competitive Facts

In all of the previous analogous communications transactions to this one, the DOJ has analyzed them by local geographic market, not by national market as opponents suggest in their criticism. As AT&T has indicated, and the CTIA confirms in its research, there are 5+ wireless competitors in 18 of the top 20 markets and there are four in most other relevant markets.

  • There may be a small percentage of markets that the DOJ believes could be problematic, but the remedies for that narrow problem have been implemented many times before — so its no deal-breaker.

Opponents’ “Ma Bell duopoly” political/PR frame of this transaction shows that opponents have already conceded defeat on the facts at the DOJ. It also shows they are already focusing most all their efforts on persuading the FCC to extort concessions under the FCC’s amorphous “public interest” test, which is basically whatever three votes at the FCC say it is at any point in time.

  • However, it does not pass the antitrust laugh test when the #3 competitor in the U.S. wireless market, Sprint, the 58th largest corporation in the U.S. with ~$40b in revenues, ~50 million customers, ~40,000 employees, and the most spectrum in both absolute and per customer terms, argues politically that they are competitively irrelevant to the market or consumers.
  • What is really going on is that opponents of this merger know they have to scream “opoly” in order to generate concern and get attention in Washington.
    • However, opponents also know that they would have zero credibility if they tried to claim this transaction would result in a wireless monopoly, and that they would be giggled at if they tried to claim this transaction would cause a triopoly, quadopoly or a quintopoly.

The competitive facts overwhelmingly support approval of the acquisition.

  • Wireless consumers enjoy fierce relentless competition for their business and benefit from dynamic multi-dimensional competition on price/value, pricing plans/models, network quality, technologies, business models, handset/device choice, and innovation.

II. A Solution to Many Problems

Universal Broadband: After the President pledged in January: “within the next five years, we’ll make it possible for businesses to deploy the next generation of high-speed wireless coverage to 98% of all Americans.” and after the FCC made universal broadband deployment the signature goal of the FCC in its National Broadband Plan to Congress in 2010, it is hard to imagine the FCC blocking a clearly legal transaction that actually fulfills with great fanfare what the President and FCC have said they most want to do in this sector.

Spectrum Exhaust: After the FCC has repeatedly stated publicly that mobility is the communications future, and that the problem of spectrum exhaust is real and imminent, it is hard to imagine the FCC blocking a legal transaction that helps mitigate the most immediate problem for consumers at risk from the consequences of spectrum exhaust, i.e. higher prices for high bandwidth usage to reduce demand and stave off spectrum exhaust.

  • Simply it is more efficient, effective and timely for AT&T to buy the spectrum it needs now in the marketplace than to wait potentially years for the FCC to get and auction additional spectrum from the U.S. Government.

Accelerating Broadband Adoption: Given the FCC’s National Broadband Plan goals of accelerating broadband adoption, it is hard to imagine the FCC blocking a legal AT&T-T-Mobile transaction that would result in much faster broadband adoption with combined resources and synergies than would occur with AT&T and T-Mobile remaining separate. Moreover, the transaction would bring the iPhone to T-Mobile customers who otherwise would not gain access to it.

  • Simply, blocking this transaction would not achieve accelerated broadband adoption like approving this transaction would.

Promoting Economic Growth & Competitiveness: After the President instituted a new Executive Order to promote economic growth and competitiveness via a regulatory system of “least burdensome regulation,” it is hard to imagine the FCC employing maximally burdensome regulation by blocking a legal transaction that transfers $21b in revenues and scarce spectrum resources from foreign control to U.S. control.

  • Simply, it would be extremely difficult for the FCC to make the case that Deutsche Telecom, which has been trying to sell T-Mobile because it does not want to invest the resources necessary to grow T-Mobile’s broadband business, would somehow invest more in T-Mobile’s network than AT&T would.
  • It is obvious that the U.S. would be more competitive and grow faster if AT&T were to invest several billion dollars more into T-Mobile’s business and network than Deutsche Telecom would.

In sum, the DOJ is not going to block this transaction because the facts don’t merit it and the DOJ has tried and true targeted remedies that can mitigate any anti-competitive effects around the edges that they may find in their review.

The FCC is also not going to block this transaction when it helps the FCC solve many of its highest priority problems.

  • And as the FCC tries to determine what concessions it wants to try and politically bestow on special interests, it will find that, in part, it is negotiating against itself, as onerous conditions on AT&T could undermine expeditious solutions to the FCC’s highest priority problems of: promoting universal broadband, avoiding spectrum exhaust, accelerating broadband adoption, and promoting economic growth and competitiveness.  

 


It will be surprising if the Republican FCC Commissioners and a bipartisan majority of Congress do not oppose the FCC’s unwarranted war on wireless competition policy.

  • The FCC appears to be itching to start another political battle over competition policy with its upcoming fifteenth wireless competition report to Congress, by making another political decision devoid of supporting evidence or merit, that the wireless market does not have “effective competition.”
    • Such a fantastical political finding, helps the FCC to ignore Congress and the law yet again, and also to unilaterally impose new sweeping economic regulations on wireless, including net neutrality.

The linchpin of the FCC’s de-competition policy to restore the FCC to its pre-1996 monopoly regulation glory days, and to put the FCC in more control of the communications sector going forward, is to politically define away the existence of “effective competition,” in order to justify FCC regulation of the mobile Internet.

  • In order to justify imposing net neutrality in its December Open Internet order, the FCC stretched credulity by assuming that wireless broadband is not a competitor to wireline broadband, despite their obvious functional equivalence and the way consumers routinely substitute the services. Moreover, one quarter of households have cut the cord and substituted wireless for voice.
  • In order to justify imposing new economic regulations on wireless, it looks like the FCC may be laying the groundwork to ignore the facts that:
    • The U.S. has a more competitive wireless market than most any nation in the world with four large national wireless broadband providers: AT&T, Verizon, Sprint, T-Mobile — and a fifth, Clearwire, building out nationally;
    • The U.S. wireless market continues to grow subscribers and the U.S. wireless market has penetration of ~93%;
    • The average U.S. monthly wireless bill is falling;
    • There are more inexpensive entry point offerings for new wireless consumers than ever before;
    • Consumers have the choice of over 600 handsets; and
    • Much of the world’s wireless innovation springs from American soil.

If the FCC would only take a moment of their time and look online, read a newspaper, listen to the radio, or watch TV, they would find overwhelming and undeniable, empirical, marketing and advertising evidence of how robustly U.S. wireless providers compete for consumer’s business on price, choice, and innovation.

  • Only communications hermits could not be aware of the fierce and effective competition for consumers wireless and wireline broadband business in the U.S.
  • In addition, why would U.S. wireless companies spend more in absolute dollars than most any industry in the world to advertise to keep existing customers and to win new ones, if they were not effectively competing?

So why does the FCC apparently view competition policy as its enemy?

  • Under longstanding bipartisan competition policy;
    • Consumers, not the FCC, are in the driver’s seat picking market winners and losers and the technologies that best work for them;
    • The FCC can’t unilaterally redistribute economic growth, opportunity, market share and spectrum to Silicon Valley special interests; and
    • The FCC can’t tilt the regulatory playing field to favor free ad-based business models that undermine property rights over fee or subscription-based business models that protect property rights.

What does the FCC want to do when it defeats competition policy by politically defining competition as ineffective?

The FCC is on path to impose:

  • Full Open Internet net neutrality on wireless;
  • New data roaming price regulation where the FCC effectively sets the price of key broadband inputs; and
  • The redistribution of wireless spectrum, away from the providers that have most need for it, that can put it to highest utilization, and that are most willing and able to pay top dollar for it to lower the deficit, in order to give it for free to Silicon Valley special interests seeking government subsidies.

In sum, the FCC’s attempt to assert that the U.S. wireless market is not effectively competitive is preposterous on its face, and it is obviously not a fact-driven decision, but a politically driven decision.

Make no mistake, the real endgame behind the FCC declaring that wireless is not effectively competitive is this FCC’s apparent desire to effectively reinstitute spectrum caps to redistribute the new spectrum coming available in the future, away from those who are willing to pay for it in full at a public auction, to Silicon Valley interests who don’t want to pay for it and want FCC rules and actions that will effectively yield them multi-billion dollar subsidies of free or greatly reduced-cost spectrum.

  • Taxpayers beware. Silicon Valley interests are using the FCC to pick your pocket.

Google’s deep aversion to securing the permission of others before doing something that affects them is central to Google’s famed “innovation without permissionethos. Sadly, it is also the wellspring of Google’s infamous privacy and security problems.

Where does Google’s deep aversion to permission come from? From Google’s founders, Larry Page and Sergey Brin, according to their mentor Terry Winograd, in Ken Auletta’s book “Googled.”

  • Winograd describes his former students as impatient: ‘Larry and Sergey believe if you try and get everybody on board, it will prevent things from happening. If you just do it, others will come around to realize they were attached to the old ways that were not as good.’ The attitude, he said ‘is a form of arrogance.'”

This week we witnessed the latest high profile example of Google’s deep aversion to getting the permission of others.

A few days ago, Google announced that it remotely disabled malware-infected Android applications without the permission of 260,000 Android users who bought or downloaded infected applications from Google’s app store.

  • This is significant because Google is the only major company that remotely modifies its software on users devices without the affirmative permission of the user or owner of the device.
    • Other companies responsibly employ a permission-based protocol on a device as a necessary and responsible user security line of defense against malware and bad actors.

This lack of permission in remotely taking back what a user bought at ones store would be like if representatives of Best Buy walked into your house unannounced and without permission, rummaged around to find what they were looking for, and then took back some of the products you had bought from Best Buy.

  • It appears Google’s definition of “openness” means Google need not respect any closed doors, or normal boundaries of others’ privacy, property or sovereignty.
  • This Google assumption of no permission for entry is troublesome because what is to stop Google from remotely peeping on a person’s device like the Google engineer did who stalked and taunted teenagers?
  • Google’s first use of its remote snooping and retrieval open window into all Android devices begs the question, what information exactly does Google take and record from Android devices?
  • Simply, how “open” are Android devices to Google’s remote intervention without a user’s authorization?

Ironically, Google’s aversion to permission was also a big cause of Google’s security problem this week. Amazingly, Google’s app store still does not review or approve applications before they are offered in the store to the public — like Apple and others responsibly do.

  • Google’s aversion to having developers ask Google for permission to offer apps to users that can be infected with dangerous and harmful malware, would be like an airport that did not believe that people should have to ask for permission to get on an airplane because requiring a passport/ID or a physical examination of their bags for bombs or weapons — would not be “open.”
    • Clearly openness comes before security for Google; and that may be good for Google but not good for Google users.

Interestingly, we learned something else this week from All things Digital that Google does without asking anyone’s permission and that puts users in greater danger to identity theft or phishing fraud.

Google is now actively engaging in identity aggregation and creating “AuthorRanks” (Google’s euphemism for a user profile/social graph) without permission – in order to better compete with Facebook.

  • Remember in September when Google CEO Schmidt creepily warned that if Facebook did not give Google’s search engines crawling access to the private Facebook data they wanted, they had other unmentioned means to get that social graph information on users?
  • Well now Google has told us how they are able to target users based on their social graph like Facebook does.
  • Please see Liz Gannes excellent piece in All Things Digital on this, where Google’s rep said:
    • We actually do try to map to one true person… the more we can do to associate content to one person, the better… …we measure everything at Google.”
  • The security implications of this are obvious. Google has long been the biggest target for hackers, phishers and fraudsters, and now Google has the best user profiles in the world to steal to use for fraud and other bad acts. (And per a front page New York Times story, we know that Google’s entire password system of security was hacked and stolen in late 2009.)
    • Google now has probably the most complete and valuable user profiles on people in the world — and all done without the users’ permission.

There are other high-profile examples of how Google’s aversion to permission has played out and has put users’ at greater risk to harm.

  • Google’s conscious decision to make all Wikileaks stolen documents available to the world via Google search without asking any of the owners of that private or secret information for permission put untold lives at risk around the world.
  • Google’s Streetview videographing of peoples homes without permission has created privacy and security consternation in most all countries Google has videographed.
  • Google’s WiSpy recording of everyones WiFi private communications without permission of the people affected, may be the most high profile example of what happens when Google puts others at risk for its gain without their permission.

In sum, there are obvious privacy and security reasons why societies expect that if one is going to negatively affect or endanger another by ones actions, one needs to get their permission first so that the person affected can decide if they are willing or able to accept the risk involved.

Google’s business assumption and standard practice that they largely do not need the permission of others is reckless and irresponsible, and may make Google the  Internet’s worst security menace.

***

Previous parts of the “Security is Google’s Achilles Heel” Series:

  • Part I: “Why security is Google’s Achilles heel”
  • Part II: “Google values security much less than others do”
  • Part III: “Google: “Security is part of our DNA” (Do Not Ask)
  • Part IV: “Why Security is Google’s Achilles Heel”
  • Part V: “Google Apps Security Chief is a magician/mentalist”
  • Part VI: “Google-China: Implications for Cybersecurity”
  • Part VII: “Did Google Over-React to China Cybersecurity Breach?”
  • Part IX: “Google’s Titanic Security Flaws”
  • Part X: : “A Google Android Botnet Problem”

For even more information, see the Security section of PrecursorBlog’s sister site: www.GoogleMonitor.com.

 

Follow

Get every new post delivered to your Inbox.