By Joseph Menn
SAN FRANCISCO (Reuters) - This week's revelations that Google Inc, Twitter and other popular Internet companies have been taking liberties with customer data have prompted criticism from privacy advocates and lawmakers, along with apologies from the companies.
They are the latest in a long line of missteps by large Internet companies that have faced little punishment for pushing privacy boundaries, which are already more expansive than most consumers understand.
Despite all the chatter about online privacy and the regular introductions of proposed data protection laws in Congress, Silicon Valley is in the midst of a veritable arms race of personal data collection that is intensifying.
Many innovative companies, most prominently Facebook, base virtually all of their services on the ability to personalize, which requires them to know their users well. Their business models likewise depend to an increasing degree on the ability to target a banner advertisement or other marketing pitch to an individual. Millions of times each day, the right to advertise to a specific user is auctioned off in a fraction of a second by computers talking to one another.
For both the buyers and the sellers of the advertising, the business advantage goes to the participant with the most knowledge, and that race is driving companies like Google to learn as much about its users as Facebook does.
Video-Is Google tracking you: http://r.reuters.com/tat66s
Few U.S. laws prevent those companies and others from collecting all manner of information - ranging from credit cards numbers and real names and addresses to buying patterns and Web surfing habits - then selling the data to advertisers and other third parties.
Aside from special protections for credit report information, medical records and a few other narrow categories, virtually anything is fair game.
Companies generally face legal threats or a user backlash only after violating their own published privacy policies or being discovered subverting consumer wishes.
Last week Twitter, Path and other firms were found to be vacuuming users' iPhone contact lists even though Apple Inc's policies forbade it. On Friday, a Wall Street Journal report showed that Google was tweaking ads on Apple's Safari Web browser to install tracking cookies which, while commonplace on other browsers, are blocked on Safari unless the user specifically allows them.
Reps. Edward J. Markey (D-Mass.) and Joe Barton (R-Texas), co-chairmen of the Congressional Privacy Caucus asked for a Google probe by the Federal Trade Commission, which declined to comment. Google said Friday that its intentions were innocuous but it nontheless dropped the practice. Twitter and Path said they would seek explicit permission before grabbing address-book contents, and Apple said it would update its software to prevent further leaks.
The developments fit what is by now a well-established pattern that has thus far kept major new laws off the books, longtime policy specialists said.
A company over-reaches, gets caught, and promises to do better. If a greater than usual display of outrage prompts introduction of plausible legislation, the industry counters with a new plan for self-regulation, such as the publication of privacy policies that users seldom read.
Sooner or later, the plan is rendered obsolete by new technologies in the data arms race, and the cycle repeats.
Google and Facebook last year both agreed to 20 years of privacy audits by the Federal Trade Commission after they made public customer information that users had considered private. But with few restrictions on data collection, the audits are not likely to have a major impact on business practices.
Internet companies and their investors argue that data-collection is essential to their businesses, and enables them to provide services that would otherwise be impossible. Consumers get more accurate search results, more relevant advertising, and more intimate connections with friends and others when Internet companies know something about them.
"For that value tradeoff, they're willing to provide information," said Ron Conway, a well-known Internet investor.
"I don't like people tracking my location, but I want to know, 'what are some nearby Italian restaurants that my friends have liked,'" said Auren Hoffman, CEO of Rapleaf, which compiles profiles of Internet users.
The equation is different in Europe, which has long-standing data protection laws that limit some practices that are standard in the United States. The European Union is now weighing updated rules that would allow any resident to ask companies to delete the information on file about them; the United States only has equivalent rights for those under age 13.
Privacy advocates in the United States say they do not expect big changes anytime soon.
"Trying to pass a bill through Congress that's actually going to safeguard user records, especially when you've got huge advertiser lobbies trying to defang that law, is an incredible challenge," said Rainey Reitman, activism director with the Electronic Frontier Foundation.
At best, they say, a law might allow consumers to opt out of some tracking.
"That is more likely today than it was 24 hours ago," said Justin Brookman, director of consumer privacy at the Center for Democracy & Technology, which gets funding from foundations and major technology companies.
"But the 'right-to-be forgotten,' erase-button thing, you would see more of a fight."
(Reporting by Joseph Menn. Additional reporting by Alexei Oreskovic in San Francisco. Editing by Jonathan Weber and Richard Chang)