Internet Policy Review recently published an excellent journal article on Google’s and other information intermediaries’ privacy issues surrounding data collection and terms of service. One highlight:
During the implementation of its Street View project Google compiled publicly accessible routers’ Medium Access Control (MAC) addresses, which is a unique hardware number, and SSIDs, such as network names, to improve its location services. Simultaneously, supposedly by mistake, the company also collected information sent over public Wi-Fi networks, including e-mails, passwords, and financial information without users’ knowledge or consent. Google’s unauthorised collection of personal information went undetected for two years until the German Data Protection Authority (DPA) made it public in 2010.
Regarding information intermediaries’ recent attempts to tighten up its privacy practices, the article concludes:
These private companies have mastered the strategy of implementing seemingly privacy-centric policies and tools without compromising their economic interests. Policy changes towards notice and choice and privacy controls are all positive developments but they have not affected intermediaries’ surveillance and subsequent implications for anonymous expression and privacy risks. Instead, they may have enabled intermediaries to justify their ever-growing data processing activities based on the idea that users agree to their privacy terms [emphasis added].
In other words, they legitimize their data privacy breaches by forcing users to sign cumbersome and cryptic terms-of-service agreements that none of us have time to actually read or fully understand.