Despite Google’s best efforts to create a “privacy-first web” (i.e., the end of third-party cookies, its new search removal policy, etc.), it is still infringing on employee privacy—but probably not in the way you think.
Although Google gets a bad rep for its data tracking and collection policies, the good news is that to quote the tech giant itself, Google does not “sell your personal information to anyone.” The bad news is that Google jeopardizes people’s privacy in other ways, putting employees and the organizations they work for at an increased risk of harassment and cyber attacks.
Here are three ways Google negatively affects employee privacy and how organizations can give better privacy protection to their staff.
When you think of Google, the first thing that comes to mind is probably its eponymous web-based search platform. Google is so synonymous with its Search product that in 2006 the Oxford English Dictionary included the word “Google” as a verb, meaning to “search for information about (someone or something) on the internet using the search engine Google.”
Today, Google Search has billions of users worldwide and a market share of more than 90%. That means that Google is the dominant search engine and the place most people go to when they want to find out something, whether that’s a cafe nearby that does brunch or the email address of someone they got into an altercation with online.
Google makes finding the latter, plus other incredibly personal information, surprisingly easy. Search for the name of someone within your organization and what often comes up is not only their social media accounts and professional information but also information collected by data brokers and people search sites like Intelius, Acxiom, and PeekYou.
Like Google, these firms collect as much information about people as possible. But they don’t give anything back in return. In fact, they sell our data to anyone with a credit card, exposing information like our home addresses, phone numbers, and even hobbies to marketers, insurance companies, and other third parties, including cybercriminals and disgruntled individuals with an agenda.
Data brokers and people search websites are not hidden on the second or third page of results, either. Less than 10% of people click on the second page of Google search results. Even though Google claims that the results it features are curated by autonomous algorithms, there is some evidence to suggest that it, in fact, manipulates the results it shows, favoring big businesses over smaller ones.
Considering that the data broking industry is worth $200 billion per year and includes big players like Experian, Epsilon, and Equifax, it’s little wonder that Google ranks data brokers so high up in its search results.
For businesses, this means that executive and employee data is easily accessible on the open web and can be used for cybercrime, identity theft, intimidation, harassment, and stalking purposes.
Communicate to employees the risk that data brokers pose to their personal and professional lives and share information on how to opt out of major data broker sites. But remember: data brokers re-upload people’s information even after the initial opt-out, so removal must be continuous to maintain employee privacy.
Anytime an employee uses Google’s products (i.e., Android phones, Fitbits, Chromebooks, etc.) or services (Google Docs, Google Maps, YouTube, Chrome, etc.), Google records their interactions with said products and services.
For example, Google knows all the sites a person visited on Chrome and all the places they went to or looked up on Google Maps.
As one of the largest technological media ecosystems operating today, Google collects information like your:
Some of this information is used to improve Google’s current services and create new ones, as well as to tweak algorithms.
However, the main reason Google collects such vast quantities of data is to power its ad business. More than 80% of Alphabet’s (Google’s parent company) revenue comes from ads. And while Google insists it doesn’t sell sensitive user data, it does share it with interested parties using its real-time bidding (RTB) ad placement process (described in detail by the Electronic Frontier Foundation (ECC)).
According to the ECC, “Real-time bidding is a convoluted, opaque system of data collection and sharing that enables profiling and surveillance by advertisers, data brokers, hedge funds, and ICE.”
So, even though Google doesn’t directly sell information it collects to data brokers, it’s quite likely that data brokers can nonetheless use Google to get their hands on some of this data, further expanding their already detailed dossiers on millions of Americans. A recent federal lawsuit claims that “many participants [in the RTB] do not place bids and only participate to conduct surveillance and collect ever more detailed data points about millions of Google’s consumers.”
Encourage employees to see the type of data Google holds on them via “Google Takeout” and delete their Google activity in order to maintain their privacy.
Besides RTB, Google also has a “Customer Match” program that lets third parties show users ads based on data like their names, IP addresses, phone numbers, etc.
Third parties can buy lists of people (for example, the IP addresses of executives) from data brokers, upload these lists to Customer Match, and wait for Google to display ads on these individuals’ computers, phones, and TVs. Anyone who clicks on the ad is redirected to the advertiser’s landing page, where they end up giving away additional information, such as IP addresses and, in some cases, even geolocation data.
The ECC calls this a way for advertisers to “turn lists of identifiers into direct pipelines to real humans.”
Unfortunately, it’s not just advertisers who may use this method to show specific ads to particular individuals. Cybercriminals are already using paid ads to target niche groups of people, for example, customers of cloud providers and crypto investors.
Most of these ads are triggered by keywords, but it is easy to see how threat actors could target executives at large companies based on their IP addresses or other identifying information. Research shows that 4 in 10 data brokers have access to executives’ home networks’ IP addresses.
Let employees know they can turn off ad personalization by visiting the “Ad Settings” page. This way, any ads they see will depend on the page they’re visiting as opposed to what Google knows about them.
Wherever you go online, you can be sure that somewhere, someone is watching you—and it’s not just Google. Thousands of other companies are keeping tabs on you as you browse the web to collect and monetize your data, some of which may end up in the hands of data brokers and compromise employee privacy.
The best way to protect employee privacy (and, consequently, your organization) from bad actors is to foster a culture of privacy. The less information about staff exists online, the less likely they are to be targeted.
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.