Google's new privacy policy raises new worries for feds

Following Google’s announcement of sweeping changes to its privacy policies on Jan. 24, concerns are being raised about possible user profiling and access to user information that could affect federal agencies and employees.

For example, a privacy watchdog is cautioning that there may be implications for Google’s role as a vendor of cloud email, Android mobile solutions and identity management services to federal agencies.

“Congress should investigate Google's role as a federal contractor in light of its new data collection and profiling practices,” Jeff Chester, executive director of the Center for Digital Democracy, wrote in an email to FCW on Jan. 25. “The government should require a better privacy standard from Google when it serves as a federal contractor.”

Related story:

However, the General Services Administration said its Google Apps for Government are not at risk and are not affected by Google’s new privacy policy.

"The recent changes announced by Google pertain only to their free, publicly available services,” the GSA statement said. “These changes do not apply to Google Apps for Government, which is the version used by GSA. Our usage of the Google Apps solution is governed by contractual agreement with Google and our prime contractor, Unisys. The solution is compliant with all federal regulations and requirements, including those regarding privacy and data protection."

Even so, while the GSA’s Google Apps application is exempted, it was not immediately known whether those same conditions applied to other federal agencies utilizing Google services through agreements with YouTube, Gmail and Android application providers, or to agencies using Google’s services as a certified identity provider to the federal government. Google users often have to log in with a username, which, in many workplaces, might be linked to the agency or company as much as the individual user.

Google's new policies are raising questions in the blogosphere about how Google will use the tracking information it collects on individuals, whether it would assemble detailed dossiers on individuals, how long it would be stored, who might have access to it, and whether it would ever be disclosed publicly or to third parties. The answers might have impact on federal workers, especially those in sensitive positions or those involved in contracting.

For example, there might be reason for concern if Google assembles a tracking profile based on online activity by a federal contracting officer who is involved in a vendor selection in which Google is competing. There may be ethical and privacy concerns about which Google company members are allowed to view the profile, or how that profile might be used or distributed.

In another hypothetical scenario, there may be privacy concerns related to Google’s collection of phone numbers and location data for a federal employee in a sensitive national security or law enforcement position who uses an Android mobile device. It was not clear from the announcements how that information would be stored, and who might have access to it.

In theory, those concerns might apply whether the federal contracting officer used Google at work or at home. Broadly speaking, Google’s policy changes also are triggering privacy concerns for the public, including federal executives and employees, who use Google’s search, Gmail, YouTube in their private lives.

Google announced it would begin consolidating and tracking personal user data collected through search, Gmail, YouTube, Google+ and other products into a single user data profile for the purpose of better serving users. That allows Google to better target advertising to individual tastes across platforms; for example, users who view a Lady Gaga video on YouTube may see ads for upcoming concert tickets when they open their Gmail email account.

Google executives described the changes as a streamlining and simplification of its services. “Regulators globally have been calling for shorter, simpler privacy policies—and having one policy covering many different products is now fairly standard across the Web,” Alma Whitten, Google’s director of privacy, product and engineering, wrote in a blog post about the new policy.

The changes go into effect March 1. Users cannot opt out of the new policies.

Reaction to the policy changes on the Web was leaning negative. Although a few bloggers and observers were mildly supportive, many others questioned Google’s motives and foresaw the possibility of broad profiling and significant privacy risks.

“Google’s Broken Promise—The End of ‘Don’t Be Evil,’” was the headline at Gizmodo. “This is an entirely new level of sharing. And given all of the negative feedback that it had with Google+ privacy issues, it's especially troubling that it would take actions that further erode users' privacy," Gizmodo said.

Those risks may be heightened for federal employees in general, many of whom work in sensitive positions, such as federal law enforcement or national security.

Federal contracting workers also may be facing greater privacy risks, as a result of the strict ethics rules and conflict-of-interest prohibitions related to federal contracting. In every agency, there are dozens if not thousands of employees who are covered by the contracting ethics rules.

In Google’s role as a federal contractor, its new privacy policies may create new difficulties, Chester said.

“Google's contracts with the federal government should be reviewed to ensure that it cannot gather and analyze additional data. These contracts may require revision to limit the kinds of data practices Google just announced, which will enable it to collect and harvest complete profiles of its users,” Chester said.

Google's privacy changes are coming at a time when competition appears to be intensifying for social media advertising dollars. Facebook recently changed its format to Timeline, with more than 60 new applications being introduced in its Timeline Open Graph. Google also announced recently it was adding social results to its search engine, which also was greeted with mixed reactions.

Google is on the defensive on its new privacy policy because of its track record on the subject, according to Juliana Gruenwald in an article in the National Journal.

"The company has come under increased attention after a privacy settlement last year with the Federal Trade Commission on privacy concerns over the rollout of Google's now-defunct social-networking service Buzz,” Gruenwald wrote. “The commission said that Google engaged in deceptive practices when it automatically signed Gmail users up for Buzz without users’ consent.”