I’m travelling this week, but word reached me this afternoon that Google has issued a new privacy policy, according to AP.

I haven’t had a chance to review the document in detail, but the commentators are already suggesting that it’s just as vague as it was before on many key issues.

Most of Google’s privacy issues boil down to questions about precisely what information they are collecting about you, how they’re going to use it, and what ability do you have to exercise any control over what they’re doing.

If the new privacy policy doesn’t give concrete answers to these questions, then it’s probably not an improvement.

The good folks at Good Morning Silicon Valley noticed something interesting today: Google is talking to C|Net News.com after about two months of the silent treatment. Like most toddlers who decide to refuse to talk, it breaks down the moment they have something exciting to share.

Congratulations to Google on passing this milestone. After all the ruckus, it was probably more like passing a kidney stone… but let’s just embrace the fact that they came ’round at all. :-D

Google is so annoyed with one of CNet’s reporters for raising uncomfortable questions about Google’s privacy policies that they are refusing to talk to any CNet reporters for one year.

The startling news of the blackballing is mentioned in a parenthetical note at the bottom of a benign article about Google’s search for a new Chef to cook in the company’s cafeteria, replacing former Grateful Dead chef Charlie Ayers:

Google could not be immediately reached for comment. (Google representatives have instituted a policy of not talking with CNET News.com reporters until July 2006 in response to privacy issues raised by a previous story.)

That story by CNet reporter Elinor Mills summarized the myriad privacy problems that Google seems hell-bent on pretending aren’t there. At the time, I praised her article in this blog entry, and added my voice to the chorus of concerned privacy analysts, asking my favorite question: Why does Google still not have a Privacy Officer?

Elinor’s story focused on the privacy issues that arise from the huge amount of data about individuals which Google has amassed and makes available through careful searching. But she also pointed out that the data which is publicly available is only a fraction of that actually gathered internally by Google about your private searches, what ads you click on, what topics you might be discussing in email, and other fascinating tidbits from your life.

As she suggested, such a treasure trove of data could be an irresistible prize for hackers, “zealous government investigators, or even a Google insider who falls short of the company’s ethics[.]” For what it’s worth, I too have previously analyzed some of the gaping holes in Google’s privacy policies, and how one of Google’s executives unwittingly pointed out just how significant a risk their growing database presents.

To demonstrate how much personal information is publicly available via Google, Elinor dug up a few bits of slightly personal information about Google’s CEO Eric Schmidt — including his salary, his neighborhood, a few of his hobbies and some of his political donations — all obtained by searches using Google:

Google CEO Eric Schmidt doesn’t reveal much about himself on his home page. But spending 30 minutes on the Google search engine lets one discover that Schmidt, 50, was worth an estimated $1.5 billion last year. Earlier this year, he pulled in almost $90 million from sales of Google stock and made at least another $50 million selling shares in the past two months as the stock leaped to more than $300 a share. He and his wife Wendy live in the affluent town of Atherton, Calif., where, at a $10,000-a-plate political fund-raiser five years ago, presidential candidate Al Gore and his wife Tipper danced as Elton John belted out “Bennie and the Jets.” Schmidt has also roamed the desert at the Burning Man art festival in Nevada, and is an avid amateur pilot.

A fairly benign list of details, but apparently enough to send the infants running Google’s PR shop into a full-fledged kindergarten tantrum. But instead of scapegoating the messenger, shouldn’t Google be punishing itself? As one commenter on Dave Farber’s IP List noted:

If digging into someone’s relatively public activities is worth starting a fight, why is the Google CEO running a company that makes it so easy for so many to spy on so many? Shouldn’t he resign if he feels that searching through Google’s index is so evil?

Indeed, it was Google’s CEO who defends privacy claims with the lame-ass excuse, “The company’s founding motto is ‘Don’t Be Evil’.” When Schmidt dropped that stinker at an analyst meeting last May, I blogged an explanation of the difference between “don’t be evil” and “be good.”

I know Elinor and many of the other great reporters at CNet, and I know that they’ll get their stories whether Google’s PR department deigns to return a call. And I have no doubt that Google’s hissy-fit will serve only to embarrass which ever of the company’s young and inexperienced public relations staffers issued the silly decree.

But this situation certainly doesn’t reflect well on the way Google, still very much the apple of Wall Street’s eye, can be expected to handle adversity. Meanwhile, Google’s “La-la-la-la-la-I-can’t-hear-you!” strategy on privacy issues isn’t going to solve them any problems either.

I’m sorry to say, but I remain convinced that Google is a privacy train-wreck waiting to happen. And when it does, it won’t be pretty — a fact to which this latest stunt attests.

Update: Good Morning Silicon Valley covered the issue and there are some really interesting trackbacks that give some different perspectives on this story. One dissenting view is from Jason Shellen, a member of the Blogger team at Google. Jason takes offense at the information about Eric Schmidt that was reported in the CNet article. His concerns were echoed by Jeremy Zawodny’s similarly themed blog entry. (I too joined the comment chorus on Jeremy’s blog). But I agree with Dan Gillmor’s take on the question whether printing such vague information about Schmidt was a problem. The New York Times has discovered the story now too.

In an interesting survey of Google’s difficulty balancing privacy and search ubiquity, CNet reporter Elinor Mills has done an excellent job in chronicling the tensions. I commend the article to your reading.

I do have one criticism, however: she didn’t mention Google’s lack of a Privacy Officer as an issue contributing to Google’s litany of privacy miscues. Frequent readers of this blog know that it’s one of my pet issues, and a critical component of why I believe Google still doesn’t “get it,” and why they will continue to have trouble.

I sent Elinor some feedback, which you can read below. Perhaps the next time Google stumbles on privacy — just a matter of when, not if — people will begin to focus on the underlying reasons for why Google stays on the cutting edge of privacy scandal.

Here’s the feedback I sent:

To: elinor.mills@cnet.com
Subject: FEEDBACK:Google balances privacy, reach

I enjoyed your piece today about the mounting privacy concerns at Google. It’s something I’ve been concerned about for quite a while, and have written about extensively in my blog, http://www.privacyclue.com.

My only criticism of your piece was that I didn’t see you mention their lack of dedicated privacy personnel, such as a Privacy Officer. Most major companies have such a position, but Google doesn’t. hey considered hiring a Privacy Officer back in 2001, but concluded that they didn’t need one — they thought the “do no evil” ethos would insulate them from privacy issues. As a result they have no one looking at privacy as a strategic issue, and the consequences show every time they’re surprised by user concerns over some new practice.

As the world’s first corporate Chief Privacy Officer, and one who has helped many of the nation’s major corporations hire and train their privacy personnel, I’m still appalled by Google’s myopia on this score. Contrary to the headline of your piece (which I know you probably didn’t write), privacy and reach shouldn’t need to be balanced if both are guiding principles and working objectives. It’s only a zero-sum game if you’re not applying creativity to the search for solutions. Unfortunately, when there’s no CPO, nobody is being assigned the task of finding those solutions every single day.

You might find a couple of my recent blog entries interesting if you care to explore these issues further:

Google’s CEO: ‘We Still Don’t Get It’
(In which I discuss the difference between “do no evil” and Doing Good.)

Google Launches New Privacy Controversy
(In which I analyze gaping holes in Google’s Privacy Policy.)

Privacy Wanes when Bloggers are Muzzled
(In which I analyze Google’s blogging policy.)

Best regards,
Ray

Update: 7/15 I stand corrected, thanks to these lovely new shoes Elinor Mills sent me… Seriously though, Elinor pointed out that I missed a couple of sentences where she discusses the privacy officer issue, and even asked Google about it. So bravo for raising the question!

Elinor quoted Google’s rep, saying that the company has several attorneys on staff who deal with privacy issues among other issues. For this reason I do still stand by my criticism of Google.

These problems are precisely why most companies have separated out the privacy issues into a separate position, the Privacy Officer, and sometimes into a separate department. When I created the world’s first corporate Chief Privacy Officer position, we specifically separated the duties from those of the in-house legal team, so that the position could be truly focused on privacy matters.

In-house counsel is a very important part of the equation, but counsel is searching for the minimum necessary for legal compliance, and as a result isn’t always looking for other red flags, such as those that will create PR issues. A specialized Privacy Officer often has the kind of hybrid skill set — including marketing, technology, public relations, and public policy — that prepares them for tackling issues that are more complex than mere regulatory compliance. There’s lots of stuff that a company can do that’s legal, but still dumb. Speaking as a lawyer, I know first-hand that most good lawyers can help you avoid legal problems, but fewer lawyers can help you avoid looking bad while you do it.

A fascinating new survey conducted by the fine folks at the Pew Internet and American Life Project, and released late last week, found that 91 percent of Internet users have changed their online habits to avoid spyware.

This is quite a triumph for malware makers… You can’t get 91 percent of average people to come in out of the rain, so pissing off 91 percent of the public so much that they seek to avoid you is a real accomplishment!

There were a lot of other noteworthy findings. For example, 81 percent of users avoid opening e-mail attachments without knowing for sure that they are safe; 48 percent stopped visiting Web sites they considered to be potential sources of spyware; 25 percent don’t use music-swapping networks anymore; and 18 percent have switched Internet browsers.

The Pew report also showed that about 68% of users (approximately 93 million) have had computer trouble in the past year consistent with problems caused by spyware and viruses, although 60% of those who had problems were not sure where the problem originated. Some 25% of Internet users have seen new programs on their computers that they did not install or new icons on their desktop that seemed to come out of nowhere. One in five Internet users (18%) reported that their homepage had been inexplicably changed.

While covering on the Pew survey, the St. Petersburg Times interviewed Claria’s Chief Privacy Officer Reed Freeman, asking him about the all-too-frequently obscure privacy disclosures that are the stock-in-trade of malware companies. To his great credit, my old friend Reed recognized that it’s up to the malware companies to be more transparent in their practices:

“Consumers shouldn’t have to go hunt for disclosure of that nature,” said Reed Freeman, chief privacy officer of Claria. “Adware companies that are interested in broad consumer acceptance ought to be putting their disclosures in the download process as they are getting the product so they can make an informed decision about what they’re getting.”

I couldn’t help but chuckle at this quote, given that the subject of Claria’s crappy disclosures was a substantial bone of contention during my deposition in the dozen consolidated lawsuits against Claria. I’m so gratified to see that they’ve taken my criticisms to heart! :-D