Home Affairs CommitteeSupplementary written evidence submitted by Google [EC 17a]

Thank you for your letter of 25 March following my evidence session to the Committee in February. The issues raised in the session itself were addressed in my letter of March 19th. To address your additional questions in turn:

Q: The default setting on Google+ accounts appears to be public. Would there be any merit in changing this so that information is initially only shared with contacts and altered if the user wishes to make their profile public?

A: On the desktop, the initial default for G+ is to share with no-one. The user has to choose which circles, individuals, or broader choices—public and extended circles—they want to share with. Then their selection is sticky, so that next time they go to share something, those same people, circles, and original choices will appear. So if you wanted to always post to friends, you could just select “friends” the first time you post and then that will remain your default until you change it. For mobile, the firsttime sharing default is with “your circles”, so you do need to change this if you want to share otherwise.

Q: Google’s data use and privacy policies state that it collects data about the web pages that service users visit. How long does Google store this information for and how does it make sure it is secure? Does Google share it with third parties? If so how does it vet the security of their systems and personnel?

A: Like most websites, our servers automatically record the page requests made when users visit our sites. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We store this data for a number of reasons, the most important of which are to improve our services and to maintain the security of our systems. We anonymize this log data by removing part of the IP address (after nine months) and cookie information (after 18 months). None of this data is shared with third parties.

Q: Does Google support Do Not Track technology? Do you think it’s important that users should be able to choose privacy above a personally tailored service?

A: Our top priority is to protect our users’ privacy and security, and to give them easy ways to control their information when they use our services. We are constantly innovating to find new ways to assist that effort. We added a Do Not Track option into Chrome, and we’ll continue working with industry on a common approach to responding to the Do Not Track feature. Over the past year we have introduced a number of other features that seek to ensure users have more control:

Introduction of a Cookies Consent Mechanism to users in Europe.

We published information about how Google uses cookies, the types of cookies used by Google, how we use cookies in advertising and how to manage cookies in your browser.

We added a feature in Chrome that lets you easily manage cookies—just click on the page/lock icon in the left corner of the omnibox to view and control any website’s permissions.

We implemented the AdChoices icon in the interestbased ads we show in Europe.

Q: How many successful hacks have been made against Google in the last year and what types of data were stolen?

A: None that we know of, and we look really hard. Our security teams and systems are highly effective at fending off attacks—we have actually detected real attempts that failed. Our security team runs frequent tests to estimate how well we’re doing at this detection. We also care about and seek to prevent attacks against our users, through phishing or other means, even when the attack is not directed at Google.

Sarah Hunter
Head of UK Public Policy

April 2013

Prepared 29th July 2013