The privacy role of information intermediaries through self-regulation

: Through qualitative analysis of the policies of two major global information intermediaries — Google and Microsoft — and related case studies, this paper demonstrates a) that intermediaries’ participation in self-regulatory programmes and implementation of privacy principles does not necessarily translate into meaningful privacy safeguards for users in the face of growing private surveillance capacity; and b) that within the EU and US self-regulatory frameworks, information intermediaries have discretionary power to set their policies and practices prioritising strategic interests over privacy commitments. Discussions in this paper complement existing studies on the implementation of privacy principles stipulated in Fair Information Practices (FIPs) by enhancing understanding about the role of information intermediaries in defining privacy conditions of users within self-regulation.


INFORMATION INTERMEDIARIES' ROLE IN SETTING USERS' PRIVACY CONDITIONS
As millions of users in Europe and the US access online services such as Google maps, YouTube, Skype, Bing, and others, intermediaries' Terms of Service (TOS) and privacy policies grant these companies the right to collect vast amounts of data about users and their online activities.
Intermediaries collect and process personal information such as name, e-mail, address, phone number, financial and location details, as well as non-personal data generated from users' interaction with services such as communication content, browsing history, search queries, etc.
(e.g., Google, 2015b;Microsoft, 2015e).Private surveillance, while an essential source of advertising and revenue for intermediaries, reinforces government surveillance and exacerbates privacy conditions of users.Being a repository of user data, information intermediaries become a natural target by governments who turn to these private companies to gain access to user information for legitimate and illegitimate reasons (Deibert, 2013;DeNardis, 2012;Sargsyan, 2016).Intermediaries then carry a gatekeeping role by making decisions about collaborating on surveillance and disclosing user data to government agencies (e.g.Google, 2014b).In this context, information intermediaries' data collection, retention, and disclosure policies have significant public importance as they greatly reduce possibilities for anonymity and increase risks associated with inhibition of expression, physical, financial and reputational harms (Solove, 2006).Collection of personal information, for example, makes user identity known to information intermediaries and potentially their affiliates and governments, putting citizens at a higher physical risk, especially in countries where the rule of law is weak and inadequate.Cases of imprisonment and harassment of journalists and activists based on their communicative activities via intermediary services are not uncommon (Hosein, 2010;MacKinnon, 2012;Weber, 2013).
Further, even when intermediary services do not require disclosure of personal information, technical affordances and analytics of huge sets of data can reveal private information about users.Computer scientists have confirmed that data sets containing no personal information can be deanonymised and lead to identification of specific individuals (Angwin & Valentino-DeVries, 2010;Montjoye, Radaelli, Singh, & Pentland, 2015;Ohm, 2010).For example, each device connected to the internet is assigned an Internet Protocol (IP) address based on geographic location, and each phone or computer has a unique device identifier consisting of a sequence of letters and numbers (e.g., Google, 2015b;Microsoft, 2015e).IP addresses and unique hardware numbers can be combined with other data such as search logs and browsing details to reveal the identity of hardware owners and sensitive information about them (DPA, 2010;Tene, 2008).

LEGAL CONTEXT REINFORCING INTERMEDIARIES' LEADING PRIVACY ROLE
Information intermediaries' essential role in defining user privacy conditions took place organically and has been reinforced by their technical affordances and the legal context in which they operate.Many globally popular private intermediaries, including Google and Microsoft, originated in the US political system where the state favours unregulated markets as an efficient way to improve economy, distribute resources and boost innovation (Cohen, 2012;Mayer-Schönberger & Cukier, 2013;Pickard, 2013).The US government has refrained from passing a data protection law that covers private sector activities.Restrictions on private intermediaries' information activities exist only in the areas regulated by US privacy law, which are mostly limited to financial, health and children information.In response to the growing benefits of data in digital commerce and international trade, even the EU states, which have a more restrictive legal stance on information processing, have allowed intermediaries to collect, transfer and use consumer information across jurisdictions (Bennett & Raab, 2006;Zimmer, 2010).
Nonetheless, recognising that the private sector's data activities greatly impact public interest, government agencies have embraced alternative forms of regulation and expect information intermediaries to fulfill public policy goals through self-regulatory mechanisms.Self-regulation is an umbrella term that refers to a non-binding process of regulation conducted through voluntary agreements, delegated decision-making, standards setting, certification, etc. (Feeley, 1999;Senden, 2005).In the US, the FTC has been the major player in promoting self-regulation by putting forward loosely enforceable privacy standards and recommendations to guide information intermediaries' information processing and by exercising its authority to sanction unfair and deceptive practices of companies, in accordance with Section 5 of the FTC Act (Culnan & Bies, 2003;FTC, 2000).In Europe, under the 1995 EU Privacy Directive, personal information could only be transferred from the EU to countries with adequate data protection laws, as defined by the European Commission.Since the EU did not consider the US to have adequate privacy protection, policymakers in these jurisdictions authorised transfer of personal information via a self-regulatory scheme-the Safe Harbor agreement, which allowed voluntary participation by companies (Farrell, 2003).For example, to transfer and process EU citizens' data, many information intermediaries, including Google and Microsoft, received certification The privacy role of information intermediaries through self-regulation f) providing data security; g) granting users the right to learn about collected data that relates to them and to challenge and correct the data; and h) being accountable (OECD, 2013).
In this context, Google and Microsoft, as intermediaries subject to the FTC authority and certified participants of the Safe Harbor and now, the Privacy Shield agreement, are expected to implement these privacy principles to legitimise their information practices online.However, despite visibility and millions of users in the US and EU (e.g., Craddock, 2013;Lardinois, 2015;Steele, 2013), even Google and Microsoft have been inconsistent in their efforts to align their policies with principles stipulated in FIPs, the Safe Harbor, and FTC recommendations.For example, instead of minimising data collection, these companies continue to grow their surveillance capacity.In 2015, for instance, Microsoft launched the Windows 10 operating system, which is not a static software stored and run out of users' devices like previous Windows versions.It is a cloud-based personalised system that is linked with all of Microsoft web-based services such as Bing, Skype, and Outlook.com,granting the company access to an unprecedented range of data across services and raising its advertising capacity (Hoffman, 2015;Microsoft, 2015g).Similarly, despite the acknowledgement that network encryption is an essential component of data security, Google's and Microsoft's encryption efforts used to be sporadic and intensified only after the revelations about the National Security Agency (NSA) mass surveillance scandal in 2013 and these companies' secret provision of user data to the NSA (Greenwald, 2013(Greenwald, , 2014)).Facing potential loss of business opportunities globally due to lack of trust, and foreign countries' efforts to increase reliance on domestic internet infrastructure (Chander & Le, 2015;Miller, 2014;Sargsyan, 2016), Google and Microsoft started encrypting data across all of their online services to regain trust and remain competitive (Google, 2014c;Microsoft, 2015bMicrosoft, , 2015d)).Thus, information intermediaries choose to codify privacy principles into their policies and tools opportunistically, based on market considerations.Moreover, even when information intermediaries change their policies to comply with privacy principles, it does not always denote meaningful privacy protection for users.In the next section, I argue this point by focusing on Google's and Microsoft's implementation and observance with notice and choice privacy principles.

INTERMEDIARIES' PRIVACY POLICIES TOWARDS NOTICE AND CHOICE
Solutions to consumer privacy concerns due to ubiquitous data collection and processing are predominantly associated with giving users more control over their information through notice and choice (FTC, 2012;The White House, 2012;ITA, 2016).Notice refers to the expectation that intermediaries should inform their customers about what information they collect, how they collect and use the information, and weather they disclose that information to third parties.
Choice, used interchangeably with consent, is about giving users the ability to control how their data is used.The typical implementation of choice happens through provision of customisable privacy settings, as well as opt-in and opt-out tools, which allow companies to get implicit or explicit consent from users about primary and secondary uses of their information (FTC, 2000;Schwaig, Kane, & Storey, 2006).These two principles have become the most essential benchmark against which the FTC and EU data protection authorities evaluate intermediaries' policies and bring enforcement actions against them.The FTC and data protection authorities in Germany, France, and the UK among others have penalised information intermediaries for failing to provide notice to data subjects and obtain their consent in advance of collecting their personal information (Dutch DPA, 2010;FTC, 2011;O'brien, 2013;Streitfeld, 2012).
Google's and Microsoft's privacy policies have evolved to provide notice to users about their growing means of data collection.These intermediaries continuously update their policies to provide information about how they collect, combine and use data for analytics, advertising, and improvement of operation as their services evolve and include new features (e.g., Google, 2015b;Microsoft, 2015e).Both companies' policies are forthcoming and reveal that they virtually collect all information related to uses of online services including personal information voluntarily disclosed by registered users such as name, contact information, payment details, location information, etc.For example, with the introduction of its voice-enabled digital assistant Cortana, Microsoft informed users that Cortana collects information about their contacts, location, typing patterns, speech, browsing history, and more (Microsoft, 2015c).
In addition to providing notice to users by disclosing detailed information about their data practices, Google and Microsoft also implement the principle of choice by asking users to agree to privacy policies and TOS before processing personal information (e.g.Google, 2014aGoogle, , 2015b)).
Moreover, the idea of choice has also been applied more broadly, beyond personal information, to give users options to customise their tracking, data sharing and advertising preferences.For example, in 2010, Google started offering an extension that users could download and add to their web browsers such as Chrome and Internet Explorer not to be tracked by Google's DoubleClick cookie, which monitors users' web behaviour for commercial purposes.Google has also created a "My Account" dashboard, where users can see how their data is managed and control their privacy settings in one place, such as turning off location sharing in most of Google's services.The "Ads Settings" on the dashboard allows users to turn off interest-based advertising from Google's products such as Maps and Gmail, as well as websites beyond Google.com (Google, 2015a).In 2011, Google also announced that owners of Wi-Fi routers can add "nomap" to the router's name, which will notify Google that users are opting out of having the names and locations of their routers from being collected and stored in the company's databases (Google, 2011a).In 2012, Google also joined a select number of companies to enable a Do Not Track system on its browser, however, not by default.When users turn on Do Not Track on Chrome, the system sends out requests with users browsing traffic to notify websites about The privacy role of information intermediaries through self-regulation users' wish not to be tracked.Whether the websites will cease tracking depends on their willingness to respect users' requests.Companies have no legal obligation to do so (Google, 2015a).
Microsoft followed a similar path in implementing privacy choice controls in its services.In 2009, the company also added private browsing feature in Internet Explorer 8, and its versions that followed after.Microsoft has also had cookie control options enabled in its browser since the early 2000s (Microsoft, 2000(Microsoft, , 2008)).In 2011, Microsoft's browser Internet Explorer featured a tool called Tracking Protection, which enabled users to opt out of being tracked by cookies and other technologies by the websites they visited.When a user turns on the Tracking Protection, they can either download or create a personalised list of third-party websites that will be prevented from collecting user data (Microsoft, 2010(Microsoft, , 2011)).In addition, Microsoft has been a long-time supporter of the Do Not Track standard (Microsoft, 2015f).Like Google, Microsoft also created a dashboard where users can turn off personalised advertising from Microsoft's Windows and its applications, and from all other services that customers use with their Microsoft account (Microsoft, 2015a).This brief overview demonstrates that Google and Microsoft have codified notice and choice into their policies and added privacy control tools to enable users to customise their privacy preferences.Undoubtedly, these changes can be valuable in some contexts but they have had no substantial impact on users' ability to stay anonymous, control uses of information about themselves, and minimise many potential risks such as inhibition of expression, information inequality, profiling, discrimination, etc.First of all, not all users read policies to give their informed consent to intermediaries (e.g.Smith, 2014).Second, privacy policies do not capture privacy implications of intermediaries' ever growingly complex data practices such as the extent of data flows among devices, platforms, advertising networks, and third parties.Third, while users may give consent to the practices of intermediaries at the time of registration, intermediaries reserve the right to make changes to their policies without asking users' consent again, greatly undermining the purpose of consent.Moreover, the dichotomy between personal and non-personal information is misleading.Even anonymised data sets can be deanonymised to reveal information about specific individuals (Mayer-Schönberger & Cukier, 2013;Ohm, 2010).
The privacy role of information intermediaries through self-regulation Justifiably, users have a choice to decline to provide information to companies but need to be prepared to be denied the service.Google, for example, will not allow users to create a Gmail account without providing their phone number (Google, n.d.-b).Users of Google's and Microsoft's services can also opt out of receiving interest-based advertising but it does not mean companies stop collecting information about users.For example, Google warns users that opting out of personalised advertising does not stop the company from serving ads to users.Simply, instead of serving ads based on interests and browsing behaviour, the company delivers ads based on more general attributes such as browser type, location information, search terms, and more (Google, n.d.-a).Google and Microsoft also give their users the option to turn off location tracking on their mobile applications and from their centralised privacy dashboard.However, sometimes intermediaries make it challenging for users to easily opt out.Google phone users, for example, found out that Google Play-which is the app store in Android phones-was tracking their location in the background.If any app on a user's phone needed to access location, it had to do it through Google Play, the central provider of the location services.It means that if users disabled location tracking in Google Play, none of their apps could access their location.Similarly, if users chose to enable location tracking in a single app, they had to grant location tracking to Google as well (Ducklin, 2016).Moreover, even if users completely turn off location in all of Google's and Microsoft's services, these intermediaries can still locate users, albeit approximately, based on their IP address.Ultimately, if a user has a Google or Microsoft account, the intermediary collects his/her contact information, location (IP) and device identifiers, usage data and content of communication with no option to opt-out.
Thus, the evolution of information intermediaries' policies towards notice and choice do not necessarily provide users with means to define the condition of their privacy and the uses of their information.With users' reliance on endless applications on personal computers and mobile phones, and companies' constant data exchange with partners who engage in their own online and offline information collection, intermediaries are still able to collect data on users' behaviours and interests and use it in various contexts.Hence, safeguarding users' privacy does not depend on control but on these companies' practices and decision that take place beyond the content level of services.Information intermediaries have historically made decisions that advance their strategic interests, sometimes violating notice and choice principles.

INTERMEDIARIES' DISREGARD FOR NOTICE AND CHOICE
In 2012, Google announced that it would consolidate privacy policies from over 60 services to legitimise merging user data collected and generated from and by users on its numerous services.While the policy change would allow Google account holders to seamlessly navigate from Google Maps to YouTube to Search to Google Plus to Gmail and Google Drive with single account credentials, it also enabled personalisation of one service based on user data collected from across all of these services.Google presented the policy change as a simplification and addition of conveniences for users, but it raised privacy flags (Google, 2012a(Google, , 2012b)).Regulators in the EU and US and privacy groups strongly opposed the policy change questioning its legality and observance with the notice and consent privacy principles.In the US, Congress members sent a letter to Google raising concerns about Google's compliance with the FTC's settlement agreement following an earlier privacy violation (Bartz & Richwine, 2012).Similarly, attorneys general from 35 states sent a letter to Google criticising its intent to change its privacy policy without allowing users to opt-in or out of the modification and expressed worries about privacy risks associated with Google's expanding ability to create richer user profiles under the new privacy policy (Paulson, 2012).
The Transatlantic Consumer Dialogue (TACD), which is a forum of US and EU consumer groups, also followed suit with a letter to Google's CEO, asking the company to suspend the privacy policy consolidation plan.The letter stated that combining and repurposing data provided by users in different contexts and for different purposes without consent was an unwise choice (Mello, 2012;TACD, 2012).US privacy groups even filed a lawsuit against the FTC to compel the agency to enforce its earlier consent order by prohibiting Google's policy change (EPIC, 2012).Moreover, consumer groups argued that in a complaint filed with the FTC that Google misled its users by failing to accurately describe that the real motives behind its consolidation of policies was to gain increased access to more user data for advertising opportunities (Chester, 2012;Mills, 2012).In fact, according to the Wall Street Journal Google's sales representatives informed advertising agencies about their new advertising potential with the consolidation of the privacy policy (Efrati, 2012).For example, Google collects personal information, content of e-mails and contacts of its e-mail users to show them advertising.With the changed policy the company could use content of e-mails with the user's YouTube browsing and his/her location history to make analytic inductions about the user's behaviour to identify more nuanced interests and enable its clients to design marketing messages and products accordingly (Sullivan, 2012).
Privacy agencies in Europe also widely criticised Google's plans.France's data protection agency (CNiL) officials announced that their preliminary assessment of the policy indicated a violation of European privacy rules and urged Google to reconsider its policy decision (Pfanner, 2012).
The EU data protection authorities wanted to halt the changes until a formal investigation would determine whether the new policy was in compliance with the European data protection principles.However, Google ignored the extensive pressure from government officials and nonprofits and enforced its new privacy policy (Efrati, 2012;Google, 2012a).Two years later Microsoft followed suit and also consolidated its privacy policies into one document and reserved the right to collect and analyse user data from one service to improve service quality, security, and offer tailored content in another service (Gutiérrez, 2015).Like Google, Microsoft did not obtain user consent in advance of the update and simply stated that by using its services, consumers automatically agreed that their data may be used, modified, distributed and displayed upon necessity to improve Microsoft products and services (Bishop, 2012;Microsoft, 2012b;Toor, 2012).
This case demonstrates that when intermediaries' market interests are concerned, they are willing to defy authorities' requests and recommendations and disregard their privacy commitments under self-regulatory agreements.Ceasing data integration would have cost Google and Microsoft long-term loss in marketing and advertising opportunities, and hence they ignored the fierce pressure and implemented a fundamental policy change risking legal action and financial penalties in Europe (Arthur, 2013;CNiL, 2013;Schechner, 2013;Souppouris, 2013).
Disregard for privacy commitments during consolidation of privacy policies, however, was not an isolated case.During the implementation of its Street View project Google compiled publicly accessible routers' Medium Access Control (MAC) addresses, which is a unique hardware number, and SSIDs, such as network names, to improve its location services.Simultaneously, supposedly by mistake, the company also collected information sent over public Wi-Fi networks, including e-mails, passwords, and financial information without users' knowledge or consent.
The privacy role of information intermediaries through self-regulation Google's unauthorised collection of personal information went undetected for two years until the German Data Protection Authority (DPA) made it public in 2010 (Kiss, 2010).The incident was highly publicised in the media and criticised by regulators globally, leading to many formal investigations into the company's data collection incident in Europe and in the US.At least nine countries determined that Google violated their privacy law by capturing and storing personal data without authorisation including the Netherlands, France, Germany, and Spain (EPIC, 2010;Paul, 2010).
In the Netherlands alone, Google captured information on more than 3.6 million routers, equivalent of 63% of the households and companies with broadband connection.The radio antenna attached to Google cars recorded publicly broadcast Wi-Fi radio signals enabling the company to collect unique MAC addresses for each of these routers; the strength of the signal; and the name of the network (Dutch DPA, 2010;Google, 2010).In addition, Google obtained large scale of personal data from unencrypted networks, including names, phone numbers, hardware identifiers, and more than 16,000 e-mail addresses.As a result, the Dutch DPA concluded that Google violated the Personal Data Protection Act on many accounts by not having a justified reason for such data collection and by failing to provide notice to data subjects and obtain their consent in advance.Moreover, the Dutch DPA established that the router MAC addresses in combination with the location information constitute personal data as they can lead to the revelations of the identities of routers' owners (Dutch DPA, 2010;Kravets, 2012;O'brien, 2013).
In the aftermath of investigations and negative publicity, Google made a few amendments to its privacy practices.The company also announced that it would build effective privacy controls into its products and internal practices; train its employees on the responsible collection and use of data; and document privacy design initiatives.Further, Google introduced a method to allow users to opt out of having their wireless access point included in Google's data collection for location services (Google, 2011a(Google, , 2011b)).Nonetheless, such opt-out tools and promises do not guarantee against unethical and unauthorised use of information by intermediaries.In fact, in 2012 Google was caught tracking users without their knowledge and consent by circumventing the privacy settings of Microsoft Explorer and Safari, which blocks third-party tracking cookies by default.Framed as a mistake again, the incident undermined the effectiveness of the training programmes and other internal changes that Google promised to implement after the Wi-Fi data collection controversy (Mayer, 2012;Microsoft, 2012a;Valentino-Devries, 2012).Thus, these cases demonstrate information intermediaries' discretionary power to make decisions that prioritise their strategic interests over privacy commitments.

CONCLUDING REMARKS
The rationale of this paper was a) to demonstrate that participation in self-regulatory programmes and the implementation of privacy principles by information intermediaries does not necessarily translate into meaningful privacy safeguards for users in the face of growing technical affordances that enable greater surveillance capacity online; and b) to highlight the discretionary power of information intermediaries to set their policies and practices with opportunistic regard for their privacy commitments in order to prioritise their strategic interests.In exploring the implementation of notice and choice framework as a case study into information intermediaries' behaviour, this paper has highlighted that despite growth in privacy awareness and a number of policy changes, information intermediaries have not reduced the amount of data they collect and process about users.These private companies have mastered the The privacy role of information intermediaries through self-regulation strategy of implementing seemingly privacy-centric policies and tools without compromising their economic interests.Policy changes towards notice and choice and privacy controls are all positive developments but they have not affected intermediaries' surveillance and subsequent implications for anonymous expression and privacy risks.Instead, they may have enabled intermediaries to justify their ever-growing data processing activities based on the idea that users agree to their privacy terms.The discussions of the policies and cases in this paper have implications for policymakers and civil society actors by highlighting that participation in selfregulatory frameworks and update of policies does not mean control over information and protection from misuse of information and various risks.Moreover, there is precedent to believe that without strong enforcement mechanisms, information intermediaries may continue to set and enact policies in a manner consistent with their business interests, even if that means violating privacy commitments.In this light, it is worth acknowledging that the Privacy Shield that has replaced the Safe Harbor agreement might be slightly superior to the latter in having better oversight mechanisms.However, it is still fundamentally based on privacy principles that rely on notice and choice principles (among others), putting the burden on users to read, understand, and agree to information practices despite the questionable utility of such an approach.Instead, the privacy principles that government agencies endorse and enforce should shift responsibility on the companies.After all, in the current information environment there is an inherent power differential between users and information intermediaries, who are the ones designing the platforms and setting the rules of engagement.
The privacy role of information intermediaries through self-regulation Internet Policy Review | http://policyreview.info 3 December 2016 | Volume 5 | Issue 4

Table 1 :
Privacy choice by Google and Microsoft