Google's Sundar Pichai faced an awkward line of enquiry during today's House Antitrust Subcommittee hearing related to its 2007 acquisition of adtech platform DoubleClick, and how it went on to renege on an original promise to lawmakers and regulators that it would not (nor could not) merge DoubleClick data with Google account data -- automagically doing just that almost a decade later.
By linking internet users' browsing data, as harvested via the DoubleClick cookie, to Google accounts it was able to join the dots of user identities, (Gmail) email data, search history, location data and so on (Google already having collapsed the privacy policies of separate products, to join up all that activity) with its users' wider internet browsing activity -- vastly expanding its ability to profile and target people with behavioral ads.
Agency for Google users to prevent this massive privacy intrusion, there was none.
Rep. Val Demings contended that by combining DoubleClick cookie data and Google account data Google had essentially destroyed user privacy on the internet. And -- importantly, given the domestic antitrust scrutiny the company now faces -- that that had only been possible because of the market power Google had amassed.
"When Google proposed the merger alarm bells were raised about the access to data Google would have -- specifically the ability to connect a user's personal identity with their browsing activity," said Demings, before zooming in to hammer Pichai on another tech giant broken data privacy promise.
"Google... committed to Congress and to the antitrust enforcers that the deal would not reduce user privacy. Google chief's legal advisor testified before the Senate Antitrust Subcommittee that Google wouldn't be able to merge this data. Even if it wanted to, given contractual restrictions. But in June of 2016 Google went ahead and merged this data anyway -- effectively destroying anonymity on the internet," she explained.
Demings then pressed Pichai on whether he personally signed off on the privacy-hostile move, given he became CEO of Google in 2015.
Pichai hesitated before attempting a bland response -- only to be interrupted by Demings pressing him again: "Did you sign off on the decision or not?"
"I -- I reviewed at a high level all the important decisions we make," he said, after a micro pause.
He then segwayed in search of more comfortable territory, starting into Google's usual marketing spiel -- about how it "deeply cares about the privacy and security of our users".
Demings was having none of it. The U-turn had enabled Google to combine a user's search and browsing history, location data and information from emails stored in Gmail, she said, blasting it "absolutely staggering".
She then referenced an email from a DoubleClick exec who had told the committee it was "exactly the kind of user reduction in privacy that users' founders had previously worried would lead to a backlash".
"'They were unwavering on the policy due to philosophical reasons. Which is Larry [Page] and Sergey [Brin] fundamentally not wanting users associated with a cross-site cookie. They were also worried about a privacy storm, as well as damage to Google's brand'," she said, quoting directly from the email from the unnamed DoubleClick exec.
"So in 2007 Google's founders feared making this change because they knew it would upset their users -- but in 2016 Google didn't seem to care," Demings went on, before putting it to Pichai that what had changed between 2007 and 2016 is that Google gained "enormous market power".
"So while Google had to care about user privacy in 2007 it no longer had to in 2016 -- would you agree that what changed was Google gained enormous market power?" she asked.
The Alphabet and Google CEO responded by asking for a chance "to explain" -- and then rattling off a list of controls Google offers users so they can try and shrink how it tracks them, further claiming it makes it "very easy" for people to control what it does with their information. (Some EU data regulators have taken a very different view of Google's 'transparency', however.)
"We today make it very easy for users to be in control of their data," claimed Pichai. "We have simplified their settings, they can turn ads personalization on or off -- we have combined most of activity settings into three groupings. We remind users to go do a privacy check up. One billion users have done so."
Demings, sounding unimpressed, cut him off again -- saying: "I am concerned that Google's bait and switch with DoubleClick is part of a broader pattern where Google buys up companies for the purposes of surveilling Americans and because of Google's dominance users have no choice but to surrender."
She went on to contend that "more user data means more money" for Google.
Pichai had a go at denying that -- starting an answer with the claim that "in general that's not true" before Demings repeated the contention: "So you're saying that more user data does not mean the more money that Google can collect?"
That was easier for Pichai to sidestep. "Most of the data we collect is to help users and provide personalized experiences back", he shot back, neatly avoiding the key point that the access Google has given itself to people's data by cross linking their web browsing with Google IDs and product activity enables the tech giant to generate massive profits via targeting them with creepy ads, which in turn makes up the vast majority of Alphabet's profit.
But with that Demings' five minutes were up -- although the hearing continues. You can tune in here.
Shortly later in the session, facing further questions around ad data, Pichai noted that Google no longer uses data from Gmail for ad targeting -- although this change is relatively recent (June 2017).