It's fair to make an opening critique of the NYT's privacy policy, based on word count, because that is the main metric the NYT uses for the visualizations in the article. But the article's claims don't rest on that metric, so to assert that the NYT has "basically everything that they're criticizing Google for" requires more evidence and specifics. Especially when we consider that the info Google solicits and stores is by every standard far greater than anything the NYT collects, which means that the potential damage from abuse is also far greater. So it's worth asking why you think Google having fewer words for its privacy policy is, even on a facile level, an argument for its favor and not against it, considering Google has far more kinds of data and ways to share it.
But let's go with your claim, that NYT's policy is "basically everything" that they critique Google for. You mention NYT sharing name and postal address with advertisers and direct mailers – while that's something that has been an industry (in general, not just media) practice well before the computer age, let's agree for the sake of argument that it's still evil, and both the NYT and Google do it.
What other privacy policies/potential abuses do you see them sharing? We might assert that both companies say they collect and store location information, but on closer reading of the NYT's policies, I see some specific and substantial differences:
On ad-targeting:
> The ads in our apps are not targeted to you based on your current GPS location, but they are targeted to you based on your ZIP code or device's IP address.
On retention:
> If you elect to have a location-based search saved to your history, we will store that information on our servers. If you do not enable the location-based service, or if an app does not have that feature, the app will not transmit to us, and we will not collect or store, location information.
So I didn't scour the policy pages completely -- I tried to find info based on keywords, e.g. Ctrl-Fing for "location", "gps", "ip", so I apologize in advance if I overlooked something. But as far as I can tell, Google does not state a limit to the precision of location info they give to advertisers. And they do not say that users have the option to opt out of location-processing, nor do they state if it's possible for users to deny the transmitting of location info, period, in the way that the NYT says "we will not collect or store location information" if a user disables it. Again, I apologize if I've missed a similar specific statement in Google's policy.
That's a key difference in scope of data collection and retention, one that strongly rebuts your generalization. But more to the point, it's a difference in scope that has extremely obvious differences in actual impact. I think it's safe to assume if the NYT were subpoenaed for a user's IP address (such as someone making illegal threats in the comments section) they would comply with authorities.
But if the NYT were subpoenaed for the timestamped location info of a user accused of crime, and known to use the NYT website/app, the NYT, if it follows its stated policy, simply cannot comply, because it has made a decision to not track or store that info without user approval.
That doesn't seem to be the case with Google. And the consequences to the user are not theoretical – Google has already acknowledged that it complies with sweeping requests made by law enforcement, such as "the coordinates of any phones that were in the area between 7:30 pm and 10:30 pm" on the night of a suspected arson fire [0]. You can argue all you want that Google is just following the law, but the fact remains that they choose to collect and store this info. And that being the case, claiming that the NYT's privacy problems are "basically everything" of Google's, seems so facile as to trivialize the debate.
Disclosure: I just noticed that a former student of mine is listed as a co-author, and I'm assuming she was key in creating the data visualization and analysis.
This seems pretty disingenuous given the range of services offered by Google and New York Times - New York Times is a regional publication that doesn't really have any reason to know your location besides ads, while Google offers a free mobile operating system that millions of apps run on top of, many of which (including their own) use the location capabilities of the platform to provide useful services.
Just a nit - calling the NYT a "regional publication" is like calling Google a "california search engine." It's one of the largest global news organizations in the world with active newsrooms in NYC, London, Hong Kong and Paris. It has 6 news bureaus in the NY area, 14 news bureaus in the US outside of the NY area and 23 international news bureaus employing over 1300 news staff. (For reference the BBC has 50, CNN has 32 and the Times' has 46). Its California coverage is as robust as the LATimes and more robust than the SF Chronicle.
Of course, when you have multiple full newsrooms, you care about location capabilities. I get a customized California feed (California Today) when I go to it.
Again, this doesn't really compare to Google - if somebody started up a business within Google and only had about New York Times level of success, it may very well be in danger of being shut down. New York Times has about 3 million subscribers. Youtube Premium had 1.5M about a year after launch and it's on life support. Youtube Music has 16 million subscribers a year after launch and it's barely successful enough not to be cut. These are ancillary services run by small teams. Google has Android, Chrome, Search, GMail, Maps, Photos, Calendar, etc, etc, many of them actually manage lots of your data on your behalf and/or require real-time location capabilities. Of course providing these services requires a long privacy policy if they want to honestly cover what they do with user data.
"California Today" needing a location capability - I'm not sure if you're entirely serious. Why would it need to access your current location - people read local news for where they live, not where they happen to be. And whether you're in California or not is not something that changes frequently. Nor is California Today a travel guide - it has no relevance for people who happen to be in California. Do you actually know if it's based on your real time location? I doubt it. And even if it was, it doesn't have to be.
Also looking at this - https://www.nytimes.com/column/california-today - it consists of an article every other day or so? This is why they need the location data? And it doesn't look like it's a customized feed at all - seems like everyone gets the exact same feed. What data do they need to put this together? And it looks like they have a signup sheet - https://www.nytimes.com/newsletters/signup/CA - are you sure they don't automatically sign you up based on your permanent address? I mean, consider the level of location access (frequency and granularity) needed to show New York news vs California news and compare that against, say, turn-by-turn navigation.
Also I just downloaded the app and it has "Australia" as a top-level section by default (I'm in the US). Are you sure user location is used meaningfully for anything in the app?
OK, so you believe Google and the NYT are so different in scope that it's silly to compare them at all, as it would be to compare Little League to MLB, or 2 entirely sports even? I agree with that, which is why I argue that the purported hypocrisy of the NYT's policy is trivial – nevermind that the reporters do not have executive power over site and business operations, nor do we know that they aren't pushing for reform in their own house.
If the president of the World Curling Federation were to publish an op-ed on how the NFL's policies and protocols were inadequate in protecting players from permanent brain injuries, would "How big is curling's global audience and revenue compared to the NFLs?" or "How many pages does the WCF policy book devote to concussion protocols?" be relevant angles of rebuttal?
You're dodging the point here - the point is that the scope of the privacy policy should correspond to the scope of the business. And the NY Times privacy policy has basically the same scope as Google's privacy policy, despite them not providing useful services at the same scale. The evolution of Google's privacy policy in fact is about the increase in the scope of Google's business.
It's not so much hypocrisy as the fact Google's collection and use of data is skewed towards providing better services to consumers while New York Times's (and their partners' through the site/app) collection and use of data is skewed towards monetization.
As I said in another comment, you are seriously underestimating the size of the NYT. By many metrics, it's the largest global news organization based in the US and one of the largest in the world. Certainly larger than CBC, CNN, FNC, NBC News and about the same size of the BBC (and a bit smaller than Reuters and AP).
Their data collection helps them decide where to build new news bureaus and news rooms and also what content they should surface to their readers. I get a very California focused NYT vs my friends who live in NYC and London.
Also, I'm sure a chunk of their privacy policy is actually impacted by using Google as their ad service and a passthrough from Google's to them.
I'm not underestimating anything at all - how many news organizations have apps that run on Android? How many of them run Google ads? Google's privacy policy has to account for all of that. And all of that is a relatively small business compared to Google's cash cows. They are not at all comparable in terms of scale or diversity of services offered. Yet, in terms of privacy policy, they are quite comparable. Back when Google's business was at NYT's scale, its privacy policy was considerably shorter.
Some of the services and advertisements included in the NYT Services, including on NYTimes.com and within our mobile apps, are delivered or served by third-party companies, which may collect information about your use of the NYT Services.
These companies place or recognize cookies, pixel tags, web beacons or other technology to track certain information about our NYT Services website users. For example, in the course of serving certain advertisements, an advertiser may place or recognize a unique cookie on your browser in order to collect certain information about your use of the NYT Services. For another example, an advertiser or ad server may also be able to collect your device’s unique identifier in the course of serving an ad. In many cases, this information could be used to show you ads on other websites based on your interests.
We do not have access to, nor control over, these third parties' use of cookies or other tracking technologies or how they may be used.
For example, we use Google to serve advertisements on the NYT Services, which use the Google Doubleclick cookie, and in some cases, a unique device identifier, to show you ads based on your visit to NYTimes.com and other sites on the Internet. You may opt out of the use of the Google Doubleclick cookie by visiting the Google ad and content network privacy policy. If you would like more information about this practice, and to learn how to opt out of it in desktop and mobile browsers on the particular device on which you are accessing this Privacy Policy, please visit http://optout.aboutads.info/#/ and http://optout.networkadvertising.org/#. You may download the AppChoices app at http://www.aboutads.info/appchoices to opt out in mobile apps.
They are embedding third-party tracking technologies inside their app and letting each of them track however they want.
I'm sorry, but can you be more specific about your point? Is it that companies should always be held just as complicit as the third parties they use? And how absolutist are you on that? e.g. does the NYT have no moral right to report on climate change, because the NYT depends on energy suppliers, which produce the CO2 emissions the NYT complains about? Sure, that's a principle, but not one that leaves much room for actual discussion.
That's not the point - the point is that this is a loophole that effectively says, third-parties can do whatever they want with respect to your private information through our website and app and we're not at all responsible. This more or less renders the privacy policy entirely moot. It's like a vegan restaurant coming up with a "vegan guarantee" agreement that is supposed to guarantee that the dining experience is vegan, but excludes "third-party" ingredients from the guarantee. And it more or less says, you're subject to Google's privacy policy, when you visit the New York Times site, which means everything bad about Google's privacy policy is included in the New York Times privacy policy.
From a technical standpoint, what's happening is that New York Times is running arbitrary code that it doesn't know anything about on the browsers of people that visit their site. And they are claiming that they are not responsible for what it does, despite the fact it's delivered through New York Times.
Quite the opposite, they're basically saying "we use Google for ads and know what it does but if google changes what it does we don't have much control - watch our policy for changes"
Does any company in the world that serves ads from Google not do this or state this?
How would you technically host ads on your site without "running arbitrary code"? How would you add an analytics solution without doing that?
And also, focusing on this defeats the actual purpose of this article. I assume it means you agree with it's message and are just nitpicking? (Or don't and are deflecting.)
New York Times is saying much more than that - they are saying that they are using an unspecified number of third parties each of which is operating independently while having potentially full access to customer data. And throwing their hands up in the air and saying that they have no control over any of this. Google isn't their only vendor and at least Google is likely to be operating within some bounds - you don't know what their other vendors are nor what they are doing. This renders the entire privacy policy moot from the consumer's perspective.
And no this is not something they have to do. The idea that they cannot control what their vendors do is completely absurd - they have contracts with these vendors so they can state exactly what vendors are allowed to do under these contracts in the privacy policy. The only excuse here is that they are either too embarrassed to put what's in these contracts and/or they have no idea what's in those contracts. What NYT is doing is more or less equivalent to selling their users' data, which Google does not do.
And no this is NOT nit-picking and it directly counters the entire point of the article - Google's privacy policy is long because it actually covers what is being done with the data, as opposed to the New York Times policy, which states that they outsourced data collection/monetization third parties so anything goes and it's not their fault.
> let's agree for the sake of argument that it's still evil, and both the NYT and Google do it.
I don't think I'm willing to agree to that. What bit in the Google Privacy Policy makes you think they do it (it doesn't seem to fit in under any of the four categories of sharing)? And do you have an example of them actually doing it?
Re: location, I don't understand the distinction you're trying to make here. Under section 4 NYT says they collect "IP addresses, geolocation information, unique device identifiers". They "use and disclose this information for any purpose", which seems rather broad and "store it in log files". The retention is specified as "as long as needed or permitted in light of the purpose(s) for which it was obtained and consistent with applicable law".
(NYT then have a section on a specific app whose location information you can turn on/off, just like Google has a section on the Android location and Location History that can be turned on/off.)
Re: what does the article criticize Google for:
- Having a "sprawling 4000 word policy". NYT is the same.
- Treating the users as individuals rather than as aggregates. NYT is the same.
- Sharing data (which the article sneakily puts as the heading of a section that's not actually about sharing data). NYT is slightly worse.
- Personalized ads / ad targeting. Google basically just say they use data to personalize ads shown to you, and link to the controls for it. The NYT policy says they target ads by ZIP code or IP address, but on a re-read I agree that they don't say anything about personalization (I misread the last paragraph of 4.B, it seems to actually be about targeting ads for the NYT, not ads on NYT).
- License for uploaded content. The authors are pulling a fast one here, since that's the TOS rather than the privacy policy. The NYT TOS, of course, has almost exactly the same language.
> And that being the case, claiming that the NYT's privacy problems are "basically everything" of Google's, seems so facile as to trivialize the debate
But I didn't claim that. I said that everything the authors criticized Google's policy for was also in the NYT policy.
And fair enough, maybe it wasn't everything but more like 4.5/5.
I think there would have been a much better article here somewhere, where they'd e.g. first done a critique on the NYT policy using a similar tone as here. Shredding NYT like that would have certainly gotten the reader's attention. And once you've established a baseline and gotten the reader worked up, show how the Google/Facebook/etc policies are even worse.
First, thank you for correcting me that Google does not sell personal user info to third-parties, at least in the way that the NYT sells subscriber info to other mailers. And thank you for pointing out the clause in 4A, regarding "We collect information about the computer [such as] geolocation information", and how a reasonable interpretation of that means the NYT reserves the right to store and analyze location info.
On the topic of location information, my justification for seeing the difference is based on a couple of factors:
1. What ability does the NYT have to collect GPS info from users other than through mobile and explicit permission? I can't remember when I was last prompted by my browser to allow NYT access to the browser geolocation API (some interactive apps may use it), but it's still an explicit prompt. And it's still limited by me having to actively use their services.
2. I do know that Google allows for users to opt-out of and delete Location History. I'm happy to assume (and don't know any counterexamples) that when Google says it deletes the history upon user request, that it's an actual deletion, not just a database flag. But in all that I've read, I've never been clear on how opting out of Location History affects or relates to any other location data collected by Google's services. For example, from the Manage Your Location History page:
> When Location History is off: Some location data may continue to be saved in other settings, like Web & App Activity, as part of your use of other services, like Search and Maps, even after you turn off Location History.
So as an engineer, this seems reasonable to me (even if I think it's not obvious to laypeople). But is there a section where Google describes the nature of that other location data, including how it's managed and stored? In other words, if I turn off Location History, and later I'm part of a police request for geolocated devices, what potential info of mine is there for Google to share?
For the sake of argument, I'll concede a couple of points: that the NYT reserves the right to collect, store, and use GPS-level data. And that the NYT is no less compliant than Google when it comes to legal requests (and to be clear, I do not believe that Google is particularly subservient to law enforcement, and is not opposed to fighting on behalf of its users when it can). So the main difference is what each company collects as part of its normal operations, and how important/sensitive that information is for each user.
What is the worst-case scenario for the NYT user whose complete information the NYT, through malice and/or incompetence, divulges to a third-party? Billing info, of course. All my devices and everything that shows up in an IP log. Every article I've clicked on in the past 5+ years, and related page analytics. My comments/interactions on the comment sections. And I'll assume every search query I've ever made on its site. Those are all things I would never willingly put out for display, and of course I don't know the unknown unknowns (all the potential risks I can't even imagine), but the NYT-exclusive data seems mostly limited to content I've consumed and when/where I was when reading NYT-operated sites.
With Google, I don't have to imagine hypotheticals. Here's a pretty bad situation -- but by far not the worst-case scenario I can think of -- in which a man was wrongly arrested based on information provided to police by Google's SensorVault:
By all accounts, this kind of geofenced dragnet is very new, and at the time of this man's arrest, used only a handful of times. And yet despite the best intentions of Google's legal and engineering team, and what I'm assuming is good faith work by experienced homicide detectives, we already have a known and publicized incident that turned into a classic and rare nightmare law enforcement scenario (an innocent person being imprisoned for a murder).
I don't think the above situation is an extreme one, other than it happened to involve a murder, which is a situation in which law enforcement generally acts with the most discretion. But in any case, Google search results are routinely used as evidence in criminal cases, and while they often correlate with the prosecutor's case (e.g. the suspect John Doe searched for "how to hide a body" just days before the victim James Doe went missing), search data is just as prone to wild and broad misinterpretation, and anyone who googles random questions/topics regularly is at risk of cherry-picked evidence -- A well-known case is Casey Anthony's misinterpreted search for "chloroform":
Again, I reiterate, these issues don't arise from malice on Google's part. But that's irrelevant -- Google has no choice on how well others use the data they give. But knowing the actual consequences, they do have a choice in data retention policies, even if it means making it clear to the user, "Sorry, we couldn't run our systems unless we kept data in perpetuity, and that's just how it is". Until I can even imagine a situation in which NYT-exclusive data can (justifiably or not) wreck my life, I simply don't expect the same level of scrutiny for their privacy policies.
And just to be clear, this cuts both ways. The NYT, like many news organizations, have public (and internal) policies regarding conflicts-of-interest and employee public behavior: https://www.nytco.com/company/standards-ethics/
For example, I do think Google, given an indisputable document trail, would punish or fire the shit out of an engineer who was found to have manually tweaked/censored search results as a favor to their politically-connected lover. And that would/should happen at any news outlet. But AFAIK, Google (and most non-media industries) does not require or suggest that an employee tell their managers about possible conflicts of interest (romantic or not). Whereas the NYT does [0], which gives the NYT the right to fire an employee for failing to inform their editor, regardless of whether the relationship results in unethical actions.
And to me, this is fine, because it's not just about the ethics, but the potential for harm given the realities and the nature the work. It is patently obvious to me (and most journalists, I would hope) that a reporter has unilateral power to dictate what does (and does not) get covered on their beat, such that a reporter could intentionally hijack their work for a long while before suspicions arose. Is this the same at Google? Can the average employee have the unilateral ability to maliciously change the search index, without it being caught in a pre-production review, or it being explicitly recorded in an audit log? It doesn't seem so.
And because of the stark difference in the expected work and responsibilities, if the NYT were to not have its current ethics policy, and a Google exec were to call them out (e.g. "don't trust the NYT, they don't have a policy preventing their tech reporters from dating, and thus being influenced by Microsoft or Amazon employees"), I would disagree very strongly with an NYT apologist who says, "Well neither does Google!"
But let's go with your claim, that NYT's policy is "basically everything" that they critique Google for. You mention NYT sharing name and postal address with advertisers and direct mailers – while that's something that has been an industry (in general, not just media) practice well before the computer age, let's agree for the sake of argument that it's still evil, and both the NYT and Google do it.
What other privacy policies/potential abuses do you see them sharing? We might assert that both companies say they collect and store location information, but on closer reading of the NYT's policies, I see some specific and substantial differences:
On ad-targeting:
> The ads in our apps are not targeted to you based on your current GPS location, but they are targeted to you based on your ZIP code or device's IP address.
On retention:
> If you elect to have a location-based search saved to your history, we will store that information on our servers. If you do not enable the location-based service, or if an app does not have that feature, the app will not transmit to us, and we will not collect or store, location information.
So I didn't scour the policy pages completely -- I tried to find info based on keywords, e.g. Ctrl-Fing for "location", "gps", "ip", so I apologize in advance if I overlooked something. But as far as I can tell, Google does not state a limit to the precision of location info they give to advertisers. And they do not say that users have the option to opt out of location-processing, nor do they state if it's possible for users to deny the transmitting of location info, period, in the way that the NYT says "we will not collect or store location information" if a user disables it. Again, I apologize if I've missed a similar specific statement in Google's policy.
That's a key difference in scope of data collection and retention, one that strongly rebuts your generalization. But more to the point, it's a difference in scope that has extremely obvious differences in actual impact. I think it's safe to assume if the NYT were subpoenaed for a user's IP address (such as someone making illegal threats in the comments section) they would comply with authorities.
But if the NYT were subpoenaed for the timestamped location info of a user accused of crime, and known to use the NYT website/app, the NYT, if it follows its stated policy, simply cannot comply, because it has made a decision to not track or store that info without user approval.
That doesn't seem to be the case with Google. And the consequences to the user are not theoretical – Google has already acknowledged that it complies with sweeping requests made by law enforcement, such as "the coordinates of any phones that were in the area between 7:30 pm and 10:30 pm" on the night of a suspected arson fire [0]. You can argue all you want that Google is just following the law, but the fact remains that they choose to collect and store this info. And that being the case, claiming that the NYT's privacy problems are "basically everything" of Google's, seems so facile as to trivialize the debate.
Disclosure: I just noticed that a former student of mine is listed as a co-author, and I'm assuming she was key in creating the data visualization and analysis.
[0] https://slate.com/technology/2019/02/reverse-location-search...