At the end of the nineties, when Google was just a search engine, its privacy policy offered mere six hundred words of explanation on how the company collects and uses our personal information.

For contrast, two decades later and thirty versions after, Google’s privacy policy offers you four thousand words to describe its data collecting and handling practices. Reading Google’s privacy policy took only 2 minutes in 1999, while today you would have to dedicate at least half an hour to review a recently updated document.

There are a lot of reasons for that, most importantly the acquisition of YouTube in 2006, DoubleClick in 2008, Waze in 2013, and many other companies. 

The times have changed, the Internet became way more complex, smartphones changed the way we communicate, and Google has changed not only its privacy policy but its core business model too, finding undisputed benefits of mass data collection.

That is why we have to do much more to protect our digital lives, which are as valuable today as they were twenty years ago.

Tracking The Changes in The Privacy Policy

Google’s first privacy policies did not talk about users as individuals, only as aggregates. 

“Google may share information about users with advertisers, business partners, sponsors, and other third parties. However, we only talk about our users in aggregate, not as individuals.”

This meant that Google could share user information with its business partners, sponsors, and advertisers only in a general overview, talking on behalf of the average Google user, not an individual. Although Google’s business was built around advertising from the beginning, there was no mention of targeted advertisements until the mid-2000s.

July 2004 marked the addition of this sentence:

“If you have an account, we may share the information submitted under your account among all of our services in order to provide you with a seamless experience and to improve the quality of our services.”

Today we can understand that this leads to comprehensive profiling, but back in 2004, the perception was different. The whistleblower scandal involving Edward Snowden, unveiling the truth about modern surveillance techniques was still looming in the future. The PRISM surveillance program that started in 2007 under the Bush Administration would not become public knowledge for more than five years, and it will get more coverage in the next few paragraphs.

In 2012, under the pressure of a lawsuit about cookie tracking of Apple’s Safari users, Google completely revamped the language in the policy about the information they collect. Its terms and conditions document underwent significant changes. 

“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

This gives Google the power to do anything with user data and gives it the ability to command consent without asking for it directly, as our use of Google products is essentially an opt-in. 

Even your voice and face when using video chats on Google platforms can be considered to be pieces of content you have submitted to the service, and can be processed by the company as it deems necessary.

Lastly, the last notable change came post-GDPR, in May of 2018, and it was a full-fledged product update, not just the change of legal language. 

GDPR emergence also made privacy policies more pleasant to the eyes, as from now they have to be written in a “concise, transparent and intelligible form, using clear and plain language.” This requirement resulted in a lot of terms not making the “cut” of the latest document. The policy also repeatedly stated how users can export or delete their data.

Even though the readability of privacy policies have improved, they are still designed to protect the companies, and not to inform the users who have the right to protect their personal information even if they don’t understand how data collection works.

The entire archive of policies and changes, however complicated they may be, can be found on Google’s Privacy & Terms page.

Data Collection Now and 20 Years Ago

What did Google collect data-wise before 2000? 

An aggregated search activity, personal information you provided, the clickthrough info, and cookies. Seems to be enough, but this data pales in comparison to what Google collects today. 

Below you can see all the data gathered by the tech giant today.

User-provided information

• First and last name
• Date of birth
• Gender
• Phone number, if you have enabled 2FA
• Password
• Received and sent media content, documents, photos, etc. (facial recognition in Google Photos deserves a special mention)
• Payment information

User activity information

• Search inquiries (Google Activity feature lets you know what you have searched for years ago)
• Video views and interactions with multimedia content
• Chrome browsing history
• Third-party website activity
• Purchase activity
• Voice and audio data provided while using Google Assistant
• Data from Google’s marketing and security partners 

Call and message information from Google services

• Phone number and information
• Calling-party and receiving-party numbers
• Forwarding numbers
• Date and time of calls and messages
• Types and duration of calls
• Routing information

Information from Android applications, devices, and browsers

• Operating system
• IP address
• Location data from GPS, Wi-Fi, Bluetooth enabled devices (Google knows where you go, where you have been and for how long, where you live and work)
• Health information (Google Fit)
• System activity
• Home activity (Google Home and Google Nest)
• Device and browser types and settings
• Mobile network information
• Crash reports
• Other unique identifiers

The collection of personal data in such volumes allows Google to create personal user portraits that can reveal more than any other method of surveillance ever could. While Google claims to never sell your personal information, it facilitates real-time bidding.

It also should be noted that Google never stops expanding its portfolio, engaging in a buying spree of the most promising companies out there to increase their offering. The overwhelming list of the tech giant’s purchases is a sight to behold – in 2020 alone Google acquired eight companies: DevOps Research and Assessment, Elastifile, Socratic, Looker, Alooma, AppSheet, Pointy, and the popular Fitbit. 

This data intake becomes a huge risk not only for our privacy but also for personal security if we bring up Google’s history with intelligence agencies.

Google Practicing Prunes-and-Prisms With The Law

As much as Google is busy picking up promising projects and blossoming them to their full potential, the company is busy in court, fighting off various advertising, privacy, and intellectual property lawsuits.

As we started this post from comparing how much Google’s privacy policy grew over the years, let’s also note that the company's legal department expanded from one lawyer to nearly a hundred lawyers in the first five years of its existence, and around four hundred lawyers by 2014, according to the In-House Playbook report.

Even though one of the loudest cases involving the tech giant is called “United States v. Google Inc” history remembers the already mentioned secret PRISM surveillance program where Google worked with the USA, or rather its intelligence agencies, to collect information on foreigners outside the US as a measure to protect against national security threats.

Under this program, NSA obtained direct access to systems of Google and other tech giants. This allowed the officials to gather data like search history, email content, file transfers, and chats.

Although the leaked presentation mentions that this program is carried with the help of the companies, Google and others refused to admit this of being true.

"Google cares deeply about the security of our users' data. We disclose user data to the government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data." 

It is within companies’ legal obligation to comply with US law and comply with requests for user’s communications, but this presentation of the program clearly stated that the intelligence services have direct access to the servers of the aforementioned companies. Under this program, NSA can collect all the data listed in the latter paragraph, without having to request it specifically. 

The US National Security Agency's Prism and Upstream programs were renewed in 2018, and efforts to end them were evident in January of 2020.

It doesn’t take a wild guess to predict how lawmakers would fare in their pursuits this time. To summarize, Google and privacy are two words that are used in one sentence often, but not often in a fashion we would like it to be. 

To reiterate, Google is not the only big tech company to be guilty of playing around the word ‘privacy’ for their benefit, but their collection of our data makes them a standalone threat to our basic human rights.