On privacy, Google CEO’s congressional hearing comes up short
Google CEO Sundar Pichai’s first congressional hearing—a milestone he probably wished he could have postponed for a few more years—did not lack drama. As he defended company practices before the House Judiciary Committee Tuesday, listeners were treated to quotable moments such as:
• Rep. Ted Poe (R.-Texas) complaining that the U.S. was “playing second fiddle” to Europe at protecting privacy. Yes, a conservative Republican from conservative Texas said that.
• Rep. Ted Lieu (D.-Calif.) slamming Republicans for complaining about unflattering search results, scolding them with, “If you want positive search results, do positive things.”
• Rep. David Cicilline (D.-R.I.) pushing Pichai for details on Google’s reported experiment in developing a censored Chinese-market search app: “Are there any current discussions with any member of the Chinese government on launching this app?”
• Rep. Louie Gohmert (R.-Texas) demanding that Google be held responsible for promoting the work of Wikipedia’s “liberal editors around the world.”
• Rep. Steve King (R.-Iowa) griping that his granddaughter’s iPhone showed a notification featuring an unflattering description of him (presumably for his history of racist remarks), to which Pichai replied, “Congressman, iPhone is made by a different company.”
But all this back-and-forth banter failed to illuminate some important privacy and security issues. As in past Washington-meets-Silicon-Valley encounters, under-informed questions and vague responses led to important topics getting neglected or ignored outright.
The European regulation that Poe complimented, the European Union’s General Data Protection Regulation, requires that companies minimize the data they collect and keep from customers. Privacy experts say that, among other things, data minimization can greatly reduce the potential damage of a data breach.
But Pichai’s interlocutors didn’t touch on this topic until almost two hours in, when Rep. Doug Collins (R.-Ga.) specifically invoked the “data minimization” phrase and asked if Google really needed to collect so much information about its users.
Pichai punted on that, saying that on one hand, Google users expect the company to store their Gmail messages forever, while on the other hand, the company’s primary business of search ads needs little user data.
Those answers didn’t address why Google keeps so much precise location data from Android phones, down to the phone’s recordings of barometric pressure. They also ignored Google’s recent moves in Android to rein in the ability of outside apps to scoop up user data in the background.
Another good way to ensure that data stored online stays secure, even if that server gets compromised, is to encrypt it. But encryption never came up, ensuring that we didn’t get to see House members ask Google how many (or how few) users may have set a sync passphrase to keep their Chrome data in sync but invisible to Google.
It also ensured that Google’s apparently shelved project to add the option of end-to-end encryption to Gmail—in which messages are encrypted not just in transit but at rest—never came up in the hearing. Nor did Google’s decision to make end-to-end encryption only an option, rather than a default setting, in the Allo messaging app it introduced in 2016 and plans to soon retire.
Departures from defaults
Many committee members, Democrats and Republicans included, pressed Google to switch to the GDPR’s opt-in model for consent. Pichai kept returning to the notion of “control”—if you want to stop Google from tracking your usage of one Google service or another, you can do that. Web privacy features such as Google’s Privacy Checkup are fairly easy to find and do get some attention—20 million people a day change privacy settings, Pichai noted.
While committee members such as Rep. Zoe Lofgren (D.-Calif.) tried to pin down the various appetites for data of Android and third-party Android apps, however, they did not call out the absence of a comparable privacy-checkup feature in Google’s mobile operating system.
They also didn’t ask how many people change these privacy settings from the default.
While committee members gave Google’s ad business plenty of attention, they did not note recent moves by competing browser developers Apple and Mozilla to thwart Google’s tracking of users at other sites. Pichai’s comment to Collins that most of its search ads involve little customization—“most of it comes from just the keywords you type”—invited two follow-ups that never came.
One would have been a question for Pichai about how much of a problem the tracking prevention in Apple’s Safari and Mozilla Firefox poses for Google’s ad business. If it’s not proving to be a huge hindrance, maybe all this tracking isn’t so necessary? (See also: data minimization.)
Another would have been a reminder that Google’s browser chief, Parisa Tabriz, has voiced her support for competing with Apple and Mozilla in protecting online privacy—she tweeted, “Challenge accepted!” to privacy researcher Arvind Narayanan when he asked about Google’s intentions in June. Chrome still lacks anything close to Safari and Firefox’s tracking limits.
The single most disappointing part of the hearing may have been its treatment of Google as not just dominant in the search market—86.6 percent of the U.S. market in November, per NetMarketShare’s stats—but essentially as the only player worth noting.
Not a single representative testified to using a different search engine, much less changing the default search on any browser or on any device to use something besides Google—an adjustment that isn’t even difficult to make these days. They didn’t even name Google alternatives such as Microsoft’s Bing or the privacy-optimized DuckDuckGo.
In that way, this hearing only served to cement Google’s dominance: A viewer who watched all three and a half hours and left curious about the non-Google part of the search market would have had to turn to Google itself to learn about these competitors.