Offener Brief an Google: Unterschied zwischen den Versionen
Kde (Diskussion | Beiträge) (→Brief) |
(→Brief) |
||
| Zeile 24: | Zeile 24: | ||
in your June 10 letter [1] to the Chairman of Article 29 Working Party, Mr Peter Schaar, you claim | in your June 10 letter [1] to the Chairman of Article 29 Working Party, Mr Peter Schaar, you claim | ||
that data protection is one of Google's main interests. We appreciate | that data protection is one of Google's main interests. We appreciate | ||
| − | your | + | your willingness to improve protection of your customers privacy. Even so we |
| − | + | are strongly concerned about Google's ongoing violation of European law. | |
| − | are strongly concerned about Google | ||
| − | European | ||
You argue that it would not be possible to preserve your interests in | You argue that it would not be possible to preserve your interests in | ||
security, innovation and fraud-resistance without storing personal data | security, innovation and fraud-resistance without storing personal data | ||
| − | like IP addresses, search logs and user | + | like IP addresses, search logs and user behaviour for at least 18 |
| − | months. | + | months. However in a democratic society it is up to Parliament to balance the users and the providers needs, rather than to commercial enterprises. |
| − | |||
| − | |||
| − | |||
| − | |||
| − | For example German law specifically prohibits data | + | For example German law specifically prohibits the retention of personal data that is not needed for billing purposes. Therefore storing |
| − | |||
personal data is illegal for most services offered by Google as they are | personal data is illegal for most services offered by Google as they are | ||
| − | + | free of charge. Local laws are applicable to Google, and the | |
level of data protection should follow the laws of the country with the | level of data protection should follow the laws of the country with the | ||
strictest privacy protection. | strictest privacy protection. | ||
| − | We fully accord with your | + | We fully accord with your questioning the EU Data Retention |
| − | Directive. | + | Directive. However, the directice is limited to E-Mail and VOIP services on the Internet and does not apply to your search engine, for example. There is no reason why Google should bow to |
| − | + | obligations that do not exist. Also Ireland and Slovakia have filed a | |
| − | + | lawsuit in 2006 against the Data Retention Directive with the European Court of | |
| − | obligations that do not exist. | + | Justice. Legal experts are confident that in accordance with the Court's jurisprudence on PNR data, the directive on data retention will be anulled for the same reasons. |
| − | lawsuit against the Data Retention Directive | ||
| − | Justice. | ||
| − | |||
| − | + | You give some concrete examples of why data retention is supposed to be necessary | |
| − | for operation of Google services. Of course analysing user trends | + | for the operation of Google services. Of course analysing user trends my be necessary for software like Google Spell Checker, but anonymised data would |
| − | + | be absolutely sufficient for this purpose. Additionally, the | |
| − | absolutely | + | protection of your servers against criminal attacks does not justify a |
| − | protection of your servers against criminal attacks does not | + | blanket collection of personal data on all customers. Retaining data on a case by case basis is sufficient as demonstrated by several large sites in Germany that have long operated without logging any personally identifyable data. The retention of data does not, it itself, prevent or stop attacks, anyway. Moreover, dealing with fraud is the business |
| − | + | of public prosecutors, not of private companies. Prosecutors may order the collection and preservation of data where needed. | |
| − | |||
| − | of | ||
| − | At last we | + | At last we would like to remind you of how dangerous extensive data collection |
| − | potentially | + | can potentially be. As a company operating world-wide Google should know |
| − | that not all countries are democracies | + | that not all countries are democracies. Data |
| − | collected by private companies | + | collected by private companies can be and is abused by |
totalitarian regimes. We wonder how it is possible to pervasively filter | totalitarian regimes. We wonder how it is possible to pervasively filter | ||
| − | Google search results for Chinese users | + | Google search results for Chinese users while anonymising search strings |
| − | + | is supposed to compromise the operation of Google services. Furthermore we know that even intelligence agencies in democratic societies use (in our eyes abuse) the data you collect in order to spy on human rights or environmental NGOs, on legitimate protest groups and local activists. The only way to prevent abuse is not to collect personally identifyable data in the first place. | |
| − | Sincererly, | + | For the time being, please consider at least optionally offering anonymous gateways to your services such as the Google search engine. We are confident that a test phase of offering services without retaining identifyable data will convince you that the security of your services will not be compromised. It may even generate business from users who currently refuse using Google services because of your blanket retention practises. [2] |
| + | |||
| + | Sincererly,<br> | ||
xyz | xyz | ||
| − | [1] http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.pdf | + | [1] http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.pdf<br> |
| + | [2] http://www.privacyinternational.org/issues/internet/interimrankings.pdf | ||
Version vom 15. Juni 2007, 10:19 Uhr
Info
Entwurf von Jan-Kaspar. Bitte lesen, diskutieren, ausführen, verbessern.
Brief
Berlin, 17 June 2007
Mr Peter Fleischer
Privacy Counsel
38, avenue de l'Opéra
F-75002 Paris
Sent via email: <enkode>pfleischer@google.com</enkode>
Dear Mr Fleischer,
in your June 10 letter [1] to the Chairman of Article 29 Working Party, Mr Peter Schaar, you claim that data protection is one of Google's main interests. We appreciate your willingness to improve protection of your customers privacy. Even so we are strongly concerned about Google's ongoing violation of European law.
You argue that it would not be possible to preserve your interests in security, innovation and fraud-resistance without storing personal data like IP addresses, search logs and user behaviour for at least 18 months. However in a democratic society it is up to Parliament to balance the users and the providers needs, rather than to commercial enterprises.
For example German law specifically prohibits the retention of personal data that is not needed for billing purposes. Therefore storing personal data is illegal for most services offered by Google as they are free of charge. Local laws are applicable to Google, and the level of data protection should follow the laws of the country with the strictest privacy protection.
We fully accord with your questioning the EU Data Retention Directive. However, the directice is limited to E-Mail and VOIP services on the Internet and does not apply to your search engine, for example. There is no reason why Google should bow to obligations that do not exist. Also Ireland and Slovakia have filed a lawsuit in 2006 against the Data Retention Directive with the European Court of Justice. Legal experts are confident that in accordance with the Court's jurisprudence on PNR data, the directive on data retention will be anulled for the same reasons.
You give some concrete examples of why data retention is supposed to be necessary for the operation of Google services. Of course analysing user trends my be necessary for software like Google Spell Checker, but anonymised data would be absolutely sufficient for this purpose. Additionally, the protection of your servers against criminal attacks does not justify a blanket collection of personal data on all customers. Retaining data on a case by case basis is sufficient as demonstrated by several large sites in Germany that have long operated without logging any personally identifyable data. The retention of data does not, it itself, prevent or stop attacks, anyway. Moreover, dealing with fraud is the business of public prosecutors, not of private companies. Prosecutors may order the collection and preservation of data where needed.
At last we would like to remind you of how dangerous extensive data collection can potentially be. As a company operating world-wide Google should know that not all countries are democracies. Data collected by private companies can be and is abused by totalitarian regimes. We wonder how it is possible to pervasively filter Google search results for Chinese users while anonymising search strings is supposed to compromise the operation of Google services. Furthermore we know that even intelligence agencies in democratic societies use (in our eyes abuse) the data you collect in order to spy on human rights or environmental NGOs, on legitimate protest groups and local activists. The only way to prevent abuse is not to collect personally identifyable data in the first place.
For the time being, please consider at least optionally offering anonymous gateways to your services such as the Google search engine. We are confident that a test phase of offering services without retaining identifyable data will convince you that the security of your services will not be compromised. It may even generate business from users who currently refuse using Google services because of your blanket retention practises. [2]
Sincererly,
xyz
[1] http://64.233.179.110/blog_resources/Google_response_Working_Party_06_2007.pdf
[2] http://www.privacyinternational.org/issues/internet/interimrankings.pdf