Consumer Watchdog has filed a second complaint asking that the Federal Trade Commission act immediately against Google’s most recent privacy violation – sharing users’ personal information with apps developers -- after new information became available in a letter from Google to Rep. Hank Johnson, (D-GA).
We've also expressed our concerns again to California Attorney General Kamala Harris.
When we filed our first complaint, we estimated that Google -- which has effectively become a serial privacy violator -- in ignoring the terms of its so-called "Buzz Consent Order" with the FTC should face penalties that reach into the billions of dollars.
Here is what Google has been doing: They have been sending to app developers personal information about each user who purchased an app from Google, without obtaining the user’s permission. The personal information sent by Google includes the users’ names, certain physical address information and email addresses. Neither Apple nor Microsoft engage in similar conduct when they sell apps through their stores.
Google's activities caught the eye of Rep. Johnson who wrote the Internet giant a letter asking that Google to explain what was going on. Susan Molinari, chief of Google's Washington DC lobbying shop, responded.
Rather than justifying its conduct, Google’s argument demonstrated that the company lacks any satisfactory explanation for its practices. Here is part of what I wrote in our second letter to Charles Harwood, Acting Director of the FTC's Bureau of Consumer Protection:
In its response to Congressman Johnson, Google did not challenge the accuracy of widespread reports that the company routinely discloses confidential information to applicant developers regarding all users who purchase applications from Google. For purposes of evaluating Google’s conduct under the Buzz Consent Order, then, it can be taken as fact that Google engages in this behavior.
Certainly, Google implied in its response that users know or should have assumed that the company would share confidential user identification information with application developers. But that suggestion directly contradicts the privacy representations made by Google to users that users should feel secure because Google will not willy nilly share their information but will only disclose confidential information when “necessary” to process the user’s transaction. More specifically, Google responded to Congressman Johnson as follows:
"Information such as name and email address is necessary for developers to issue refunds, reversals, payment adjustments -- all of which developers are responsible for under the Seller Terms of Service -- and investigate chargebacks."
So, let's assume everything Google says in its letter to Rep. Johnson is true. That means developers only need the users’ confidential information when a request for a refund, reversal or payment adjustment is made. The disclosure exception Google points to in its policy (“necessary to process your transaction”) might justify Google giving confidential information to developers for specific users who request refunds (and the like), but not for every single user who bought an app. It's clear Google violated its pledge to protect the confidentiality of millions of users who bought applications in good faith reliance on Google’s public statements and who never sought a refund, reversal or payment adjustment.
For what it's worth the FTC's Harwood has told me that he referred both of Consumer Watchdog's formal complaints to the Bureau of Consumer Protection's Enforcement Division. Meanwhile, Adam Miller, Supervising Deputy Attorney General in the Privacy Enforcement and Protection Unit of the California Attorney General's office also responded to my earlier letter. He wrote:
"Although our office cannot share any details of any investigation we may pursue, I can assure you that we will look into the concerns raised in your letter to us, as well as your letter to the Federal Trade Commission on the same matter. Should you have any further concerns please contact me at the above telephone number or address."
Google’s most recent violation of the Buzz Consent Order is a matter of intense concern to Consumer Watchdog, to other privacy advocacy groups, to apps users across the country, and to the press. Although given the opportunity by Congressman Johnson, Google has yet to come up with a credible justification for its inappropriate conduct. In fact the letter to the Congressman simply makes Google’s violations clear. Both the FTC and the California Attorney General need to take strong action against Google.