
Formal GDPR complaint against Google’s internal data free-for-all - hadrien01
https://brave.com/google-internal-data-free-for-all/
======
robertpelloni
I _want_ Google to use my data in a "free for all." They have done incredible
and useful things with it and in my opinion have been extremely responsible
about it. If Google had a waiver I could sign allowing my data to be used for
future developments I would sign it.

I hope they continue doing more cool stuff and measures like these don't end
up limiting any future developments.

If anything I just wish I could more easily see what internal data all the
advertising companies have on me. I'm sure they know more about me than I know
about myself.

~~~
pmoriarty
_" They have done incredible and useful things with it and in my opinion have
been extremely responsible about it"_

It's impossible to know everything that they've actually done with your data,
so I don't see how you can maintain that they've been responsible with it.

~~~
creato
It's pretty easy to see data "leakage" from other services when it happens.
Maybe google is just better at hiding this, but I doubt it.

------
Hokusai
> hundreds of ill-defined processing purposes, and unknown legal bases

I have worked in regulated markets for quite a long time. I can understand
that many companies do not understand what it means to be compliant. For many
years the tech industry has avoided many requirements that affect other
engineering companies. Software is at the core of our society and cannot have
a free pass any more. Now it's more important to be reliable than to move as
fast as possible. I hope this is the end of the era of move fast and break
things, software is now too critical for that.

~~~
whatshisface
What are you hoping to get as a result of increased regulation? Not as in
"more careful software," I mean, what software are you hoping will be made
more carefully?

~~~
Hokusai
GDPR is a good example on how treating information carefully is important.

Facebook, YouTube, etc spreading of missinformation is something that needs to
be fixed for democracy to survive.

Apps like Uber that do not recognize its own employees and follow the strategy
of running faster than laws are also a good example of something that is
damaging our society.

Addictive loot boxes that prey on teenagers is another ugly one.

I will need more time to think to make a better list, but these are some of
the ones I think need stronger regulation.

~~~
som33
Uhh the last 200 years of IP law is proof regulation doesn't work, the
corporations won every battle.

[https://en.wikipedia.org/wiki/Copyright_Term_Extension_Act#/...](https://en.wikipedia.org/wiki/Copyright_Term_Extension_Act#/media/File:Tom_Bell's_graph_showing_extension_of_U.S._copyright_term_over_time.svg)

It was a blow out, the average person like yourself is too politically
uninformed to know what to do. The only way out would to get rid of DRM
entirely and reform IP law so that we owned our machines and software, you
can't have privacy if every piece of software is client-server oriented like
PC games have become over the last 20 years.

The videogame industry has been stealing PC game software since the late 90's
starting with them rebadging PC RPG's they had in development as mmo's to
confuse a lay public, after the early successes of Ultima online, everquest
and guild wars 1, that lead us to Valve dropping steam in 2004, a piece of
corporate malware wrapped around games. From 2004 to 2009, was the game
industry cleaning house as PC games they had in development were either
rebadged mmo, or were given steamworks integration, this lead to EA and
ubisoft to make Uplay and Origin, more malware, client-server oriented bs.

IF you don't own the software you have no rights to your machine and your
software can now be disabled remotely.

Going from dedicated servers, complete software ownership in teh 90's to this
locked down dystopian hellscape of steam, Epic game store, Ubisoft Uplay,
Bethesda launcher, EA's origin, and Battle.net launcher for activision games.

I have to wonder what you are smoking to think regulation will work this time,
when everytime IP law came up for reform it was expanded everytime to remove
basic rights of the citizens.

------
izacus
It's worth noting that this is a COMPLAINT, not a RULING (e.g. as opposed to
the fine that Google just got in Sweden, which is a ruling). The allegiations
that Googles browser competitor Brave is making will have to be actually
proven first.

Until then, it's just one competitor accusing another competitor of wrongdoing
on their own web page.

------
tqi
This reads like bad content marketing. Why am I being asked to tweet every
quick fact? Why do I need to download a PDF to read what is ‘Inside the Black
Box’? Is this a privacy/data use complaint or an antitrust complaint?

~~~
jariel
"Why do I need to download a PDF to read what is ‘Inside the Black Box’?

This is a little disingenuous to the point of almost gaslighting.

You need to 'click on a PDF' because it's 60 full pages of dense data in a
spreadsheet.

It's 100% reasonable to provide a link to that data, it's exactly the right
thing to do.

It's also fully reasonable to provide links to tweeting about specific issues,
that's how information is shared in 2020.

Though on a level it's 'marketing' \- the claims are that Google is in
existential violation the law, this is not Walmart proclaiming they have
'lower prices and better service than Target'.

~~~
tqi
"Gaslighting"? I opened the PDF. If by "dense data in a spreadsheet" you mean
rows like the very first one:

Category: Accounting

Purported processing purpose: “purposes such as accounting...”

Other discoverable processing purposes: “…such as…” is vague language that may
conflate or omit many distinct processing purposes.

Data collected: BLANK

Data shared externally: BLANK

Explanation and examples: For example, when you purchase apps from the Play
Store or products from the Google Store. Purported legal basis: Unknown

Give me a break, the legal reason in the first column. To me obvious reason
this is a 60 page PDF is because they hope people don't open it and discover
that they are full of shit.

~~~
lmkg
> the legal reason in the first column

In GDPR terms, the "Legal Basis" is one of the following six values[1]:

    
    
      Vital Interest
      Public Benefit
      Legal Obligation
      Performance of Contract
      Legitimate Interest
      Consent
    

"Accounting" is not a Legal Basis.

Several might apply, including Legal Obligation, Performance of Contract,
Consent, or Legitimate Interest. Stating the Legal Basis for processing is one
of the requirements under the Right to Transparency[2]. Among other things,
the Legal Basis affects other rights the Data Subject has. E.g. the Right to
Erasure is much stronger for data collected under Consent than Legal
Obligation.

On the face of it, it looks to me that Brave has a point: Google is not
complying with some (frankly, rather simple) transparency requirements.

[1] GDPR Article 6 Section 1: [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-
info.eu/art-6-gdpr/). [2] GDGPR Article 13 Section 1(c): [https://gdpr-
info.eu/art-13-gdpr/](https://gdpr-info.eu/art-13-gdpr/)

~~~
tqi
I couldn't find the exact line from the citation in the pdf[1], but I assume
"Accounting" means financial accounting ("For example, when you purchase apps
from the Play Store or products from the Google Store."), which is a legal
obligation?

[1]
[https://policies.google.com/technologies/retention#purpose-f...](https://policies.google.com/technologies/retention#purpose-
financial))

~~~
lmkg
The fact that you have to guess is exactly the problem ;)

Accounting for SEC filings or whatnot are legal obligations. But processing an
individual payment is also probably part of Performance of Contract, and
Google explicitly mentions fraud detection on that same page, which is usually
Legitimate Interest. To say nothing of whether that financial data is compiled
into a user profile or used to train a model in some way.

------
londons_explore
It's a bold move to attack the main contributor of the opensource project upon
which your business is based...

~~~
JadeNB
> It's a bold move to attack the main contributor of the opensource project
> upon which your business is based...

Is it? Part of the point of open source is that you're not beholden to any
individual contributor. They can't be cut out from existing code; I don't know
if they try to roll in future code developments, but, if they do, then Google
can't keep them out of those, either, without a license change.

~~~
yjftsjthsd-h
> Part of the point of open source is that you're not beholden to any
> individual contributor.

I am skeptical of this being the case with Google's idea of "open source";
does anyone other than Google actually have any material say in any of its
projects? Or is it like Apple's open source: code dumps with no path to
upstream?

~~~
londons_explore
Chromium has a pretty open leadership process. Each subsystem has a small
number of people who make technical decisions about the roadmap, and for some
subsystems of the browser, none of those people are Google employees.
Qualcomm, Microsoft, and Nvidia all have direct leadership control over some
Chromium subsystems.

------
ptasci67
Not saying that Google is or isn't breaking the intention of GDPR here but
thinking as a critical reader:

\- this complaint is lodged by an upstart privacy-based browser which directly
competes with a Google product (Chrome) so they are not objective players here

\- reading through the PDF linked in the blog post, it seems there is no
"canary in the coal mine". It is a spreadsheet with a lot of empty cells and
red backgrounds. The post and the facade of the spreadsheet scream "look at
this, something's wrong" but the content doesn't match that at all. The
impression is that they have found Google to be doing something wrong but the
reality is that they want regulators to check and see _if_ Google is doing
something wrong. Is there presumed innocence in this circumstance (really
asking here because I don't know)?

As with most things, the truth often lies in the middle. It seems to me at
least that this is both a click-baity blog post and complaint meant to drum up
media and press for Brave as much as it is a spotlight on Google's data
practices. Both are bad.

~~~
JadeNB
> As with most things, the truth often lies in the middle. It seems to me at
> least that this is both a click-baity blog post and complaint meant to drum
> up media and press for Brave as much as it is a spotlight on Google's data
> practices. Both are bad.

I agree on this, but if there's a company trying to make a name for itself by
attacking privacy violators, and if the benefits of that accrue even to people
who aren't customers of the company, then I don't overly begrudge the company
a little (or, let's be honest, a lot of) breathless self-generated PR in the
process.

~~~
shadowgovt
The penalties will also accrue even to people who aren't customers of the
company. It may be harder to see when that occurs.

Google's speech model, for example, was bootstrapped on the audio collected
from GOOG-411. Is the GDPR intended to prevent things like that? Then it's
"intended" to hinder development of practical speech models the likes of which
hadn't been seen from decades of research that lacked access to hundreds of
hours of input from users asking real questions in real environments.

~~~
jariel
"Then it's "intended" to hinder development of practical speech models the
likes of which hadn't been seen from decades of research that lacked access to
hundreds of hours of input from users asking real questions in real
environments."

This is simply not true.

Google can absolutely obtain data from users in a manner that's transparent
and clear for specific purposes.

They have 40K highly paid Engineers and $100B sitting in the bank. They have
ample resources with which they can draw meaningful data necessary - but
they'd rather not, if they can just use your data for whatever they want.

~~~
shadowgovt
Not when they don't even know what future purposes look like.

------
SpicyLemonZest
It should be noted that Brave is not an advocacy group; they're a medium size
for-profit company, with a business model that stands to gain if Google is cut
down to size. So even if their complaint seems valid, calling on regulators to
shut down your business rivals is shady, and you should take any
representations they make with a pile of salt.

I also maintain my general skepticism that Google's business model is illegal
under the GDPR. If the regulators had intended to make Google illegal, I'd
think they would have said that.

~~~
rob74
First, they're not calling on regulators to shut down Google, but to make sure
they respect the GDPR (and thus their users' privacy). Second, the regulators
didn't intend to make Google illegal, they intended to establish respect and
moderation in the processing of users' data. Of course, it's obvious for
everyone that the companies doing the massive data gathering are mostly
American (Google, Facebook etc.) and that European competitors to these giants
_could_ potentially profit from this, but that's just a (very welcome) side-
effect...

~~~
SpicyLemonZest
It seems very clear to me from the content and tone of their article that
their goal is to get regulators to hurt Google. There's a lot of discussion
about how dastardly Google's being, and of how different their business will
have to be after the enforcement action, but very little about which specific
wrong things Google is doing.

~~~
gnud
Let's assume they're just trying to get Google to follow the GDPR. How would
the report look different, compared to 'wanting to hurt google'?

~~~
SpicyLemonZest
They would say something along the lines of "I gave Google my data for purpose
X, but they're using it for Y and/or claiming the right to use it for Z,
what's up with that?".

They would not have a "Purported Legal Basis: Unknown" column with a scary red
background in their spreadsheet.

------
open-source-ux
I am glad to see someone, even if it is a competitor to Google, raising
important questions about the data Google captures.

The amount of data Google collects about users is quite simply of unimaginable
scale. Who sees this information at Google? Are they able to identify an
individual and browse or analyse their online activity (which for millions of
people will include some of their most personal and private details)?

Who has access to this data should be stated clearly in Google's Privacy
Policy [1]. Instead we have this vague and generic paragraph:

 _" We restrict access to personal information to Google employees,
contractors, and agents who need that information in order to process it.
Anyone with this access is subject to strict contractual confidentiality
obligations and may be disciplined or terminated if they fail to meet these
obligations."_

I'll repeat that this is a company that holds the private and personal online
behaviour of millions of people, and yet the only detail they reveal about who
sees that data internally and which user details are exposed is the
purposefully vague and unspecific paragraph above.

The fact that the "tech community" has never chosen to challenge Google on
their internal usage of people data shows how little developers care about
privacy (as this thread amply demonstrates).

[1] [https://policies.google.com/privacy?hl=en-
US](https://policies.google.com/privacy?hl=en-US)

~~~
joshuamorton
What would you prefer that paragraph say?

------
wharfjumper
As discussed in "The Age of Surveillance Capitalism"[0] it's inconsistent with
their business model for Google to comply with GDPR and other similar privacy
laws/regulations.

The benefits of the surveillance capitalism business model are seeing business
values being recalculated as business owners recognise the value of exploiting
vast amounts of data collected in the pursuit of a purpose other than for
which it was collected. Microsoft for example has been heading in this
direction over the last few years through their acquisition of Lynda/LinkedIn,
Github and Glint. I expect other SaaS businesses to increasingly exploit this
opportunity.

Personally I support the efforts of Brave in this case and there are other
potential targets that I think are vulnerable to a similar complaint. It will
be interesting to follow the Irish Data Protection Commission's progress on
this.

0\.
[https://en.wikipedia.org/wiki/Surveillance_capitalism](https://en.wikipedia.org/wiki/Surveillance_capitalism)

------
random3
GDPR weaponizing privacy-oriented companies and the ability of the EU to walk
the GDPR talk (as opposed to simply producing legislation) is going to be an
interesting development to watch.

------
andrewljohnson
Typo in article: “for hundreds ill-defined processing purposes.”

~~~
gentaro
Good to know.

------
shadowgovt
This complaint is going to be an interesting test, because if it ends up with
legs it could go two ways:

1) it fails, and the GDPR has some precedent to constrain its application in
the future

2) it succeeds, and Google actually pulls out of the European markets
completely. Internal responsible data-sharing and data-aggregation is
extremely core to Google's entire business model (it is the "special sauce"
that drives the entire application suite, from search to speech), and if the
GDPR is incompatible with that business model, Google is incompatible with
Europe.

~~~
KarlKemp
The idea of Google pulling out of Europe is a fantasy, the libertarian
equivalent of hoping for famine in the Sowjet Republic ca 1975.

As long as Google doesn't have to pay their lawyers more than what they are
earning in the EU, Google will happily continue doing business in the EU. And
if I had to guess, lawyers make up 0% of their costs in Europe and anywhere
else, when rounding to the next integer.

I see suggestions of various companies leaving the EU far more often these
days than suggestions to leave China. It seems people on HN consider GDPR a
more serious danger to justice than, say, "reeducation" camps for unliked
minorities. Go figure..

~~~
shadowgovt
Good point. As long as the costs to do business in Europe can be quantified
and managed, even if those costs were legal penalties, I agree. I was
imagining the scenario where Europe went as far as "cease and desist mixing
and aggregating all user data or we'll start throwing people in prison."

------
nostrademons
My understanding (based only on investor filings, I left Google long before
GDPR was drafted) is that Google's plan is basically just to set aside several
billion dollars every quarter for GDPR fines and pay them as a cost of doing
business. Many of Google's critical product features wouldn't work without the
"internal data free-for-all". If EU regulators really make a stink about it
(rather than just setting fines that can be covered by profit) they'd likely
just pull out of the EU.

~~~
saagarjha
_Can_ Google afford your pull out of the EU? How about California, which seems
to be following suit?

~~~
nostrademons
EU, sure. They make about ~$50B of a total $161B in annual revenue from
Europe. It'd hurt their stock price - at least temporarily - but there's
nothing fundamental about the service they're offering worldwide that'd
disappear if they no longer did business in Europe. They'd treat it as a
simple economic decision: when the cost of operating in Europe exceeds the
revenue generated from it, it's time to pull out of Europe.

I also suspect that Project Dragonfly (Google's re-entry into China) might've
been partially to blunt the effect of a European exit - Europe hasn't really
liked Google since about 2010, and the regulatory climate keeps getting worse
for them, so at some point it'll become not worth it for them to continue.
They already pulled Google News out of several European countries when
regulations made it too much trouble to continue offering the service, and
then reinstated it when the regulations were rescinded because local
publishers realized how much traffic they'd lose if Google News no longer
featured their articles.

California is trickier because many key employees work at their Mountain View,
San Francisco, and Santa Monica offices. I suspect that that's changing -
they've been expanding rapidly in offices in other locations, perhaps as
insurance against this (and the rising cost of living in California), and
there's probably less of a concept of a "key employee" now that the main
services are written, not really innovating, and mostly in maintenance mode.

------
alkonaut
I use google and don’t even want them to use my last search query when
answering my next one. I have no idea if they do or where I’d change it, but
I’d like that to be the default. If they use e.g content of a gmail email or
something I did on another site as a clue for what and to show in my search
result then I don’t just want a better option and default, I’d like to see
them fined.

~~~
drusepth
Why wouldn't you want your search engine to use what contextual information it
knows about you when attempting to provide you quality, relevant answers to
the questions you're asking it?

~~~
alkonaut
I’m ok with seeing a shoe ad if I google shoes. It’s fine to do a geo lookup
of my up to show a local offer too. That’s context from the request. That
should be enough. I’m not ok with seeing anything that requires them storing
information I don’t want them to store (eg search history, behavior on other
sites such as past purchases). I’d rather have worse results. Google works
great in a private browser using a vpn, I don’t need whatever extra they can
bring with my info.

------
chupa-chups
The really funny thing about this thread is that:

* google appears to make all of our data available to most of its developers

* we complain that brave wants to boost its reputation

wtf, seriously, wtf?

I mean, granted, brave sucks and wants to have an easy buy-in to some folks,
but still: what's hiding behind this is huge.

If I were google I'd buy brave for this kind of burying.

~~~
dantheman
Because seriously this a relative non-issue.

~~~
chupa-chups
Yeah, sure. I know I'll be downvoted for this into oblivion, but hell, the
collective stupidity of mankind really surpasses the probability of the
universe being infinite.

Einstein was right :)

Just one small thing to consider: if even _one_ person of google was a federal
agent (of an offending country). Fill the missing parts of the sentence.

And yes, as much as I despise the EU in its current form, that's the intention
of GDPR: to prevent spilling personal data into a pool of people with
potentially malignant actors, and, if this happens, to be responsible to full
disclosure.

@dantheman: I guess you still won't be considered to be hired by google for
this post.

