Google is updating its Privacy Policy and Terms of Service. This is certain to be a major media event, and the press has already started publishing pieces about it, most of which are critical. I had a look at the new Privacy Policy myself, and these are the points that jumped out at me:

If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.

We have a situation here where information you might have thought was private will now become public. It doesn’t really matter that your Google Profile is already publicly visible (remember how angry everyone got when Facebook launched the News Feed in September 2006, even though it only presented “publicly visible” information?). What matters is that your email address will be much more readily linkable with you. This seems to be quite a big shift.

When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include […] telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.

I find this clause very unclear. When reading it, it seems as though Google is telling me it can make a record of the phone calls I make using my phone if I also use my phone to check my Gmail account. In fact, one could go further and say that this clause lets Google save your phone number and record the time and date of calls you make if you just use Google to search the web on your smartphone. Or am I reading this wrong?

Location information

When you use a location-enabled Google service, we may collect and process information about your actual location, like GPS signals sent by a mobile device.

Again, there is a serious ambiguity here, and it resides in the word “When”. Does “when” here mean “while you are using…”? Or does it mean “if you ever use…”? If I allow Google Maps to access my location one time, am I thereby giving Google permission to “collect and process information” about my actual location all the time?

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

Well this is the catch-all clause, and you don’t have to think Google will act in bad faith in order for it to raise eyebrows. While it says that Google will share personal information following enforceable governmental requests, it also says that it will share information with others “to protect against harm […] to the public”, which is an extremely amorphous concept.

And finally, is the reference to terminating employees an intentional joke? Or am I being too grammatically pedantic?

We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.