Privacy Company has had lengthy discussions with Google about different options to inspect the contents of the telemetry data. Google allowed Privacy Company to view (not capture or document) an example of telemetry traffic collected by Google in a test account from an engineer during a meeting, but did not provide any documentation about the entire path of the data collection, nor did it show the results of the specific actions requested by Privacy Company. In reply to this DPIA, Google points to the export possibility in Vault. This functionality allows administrators to export emails (contents, headers and folders) from Gmail and documents from Drive. The exports from Drive contain the created and modified dates for each file, with document types and titles.111 However, this export only provides a very limited view of the Diagnostic Data Google collects on its servers about every user activity in its Core Services. The export does not include any information about the type of device and the unique identifiers collected by Google about the user in telemetry and website data, nor does it provide information about the use of Features, or about whether Google collects fragments of the content of documents stored in Drive. Other information required under Article 14(2), subsections (a) to (g), of the GDPR is also missing.
Additionally, Google noted in its response that end users can view certain Diagnostic Data, such as Drive or Gmail search queries,112 and review Diagnostic Data through the Drive activity dashboards.113 However, the first option does not yield results if an end user has chosen privacy-friendly settings. In that case, the user can no longer see Google's registration of their activities, but that does not mean Google has deleted the data.114 Google only explains that, when a user deletes activity from the dashboard, the activity data are no longer used to personalise the user's experience.115
The second option (Drive activity dashboards) only shows which other end users have viewed a file that an end user has actively shared. This does not constitute detailed information about the collection of Diagnostic Data.
Because of this lack of transparency, Privacy Company cannot determine the contents of the telemetry data. The telemetry that Privacy Company was able to analyse contained personal data and sensitive content from files (in the Enhanced Spellcheck in Chrome, and in telemetry data about app usage). It cannot be ruled out that some or all of the telemetry data contain (1) personal data in the form of unique end user and device information, (2) information about app usage with timestamps, and (3) in some cases (sensitive) content that Google obtained as a data processor for Customer Data.
2.4 Results access requests
Google explains in its G Suite DPA that it is the customer’s responsibility to answer data subject access requests.
“...if Google’s Cloud Data Protection Team receives a request from a data subject in relation to Customer Personal Data, and the request identifies Customer, Google will advise the data subject to submit their request to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.”116
111 https://support.google.com/vault/answer/6099459
112 https://myactivity.google.com/
113 Google, View the activity on your Google Docs, Sheets & Slides, URL: https://support.google.com/docs/answer/7378739
114 Google, How Google helps you manage data with My Activity, URL: https://support.google.com/accounts/answer/9784401 Google writes: "If you delete activity, it's no longer used to personalize your Google experience."
115 Idem.
116 Google G Suite DPA, Sections 9.2.1 and 9.2.2.
Where Google is a data processor, it should provide the data controller (i.e. the government organisations) with information necessary to comply with data subject access requests. As explained in Section 2.3, the access Google provides to the personal data it processes in the available audit logs does not provide a complete overview of all information about all personal data processed by Google. This means that Google, in its role as data processor, does not provide customers with sufficient information to adequately respond to data subject access requests.
As analysed in more detail in Section 5 of this report, Google considers itself to be an independent data controller for the processing of Diagnostic Data, data relating to the Google Account (except when used in conjunction with a Core Service), data relating to the Additional Services, to Feedback, and data relating to ChromeOS and the Chrome browser. Where Google is an independent data controller, data subject access requests must be filed with Google.
To obtain access to these personal data, two formal data subject access requests were sent to Google for the personal data relating to the two test accounts.
Google responded by email on 27 February 2020, referring the researchers to the administrator log files.
“Please contact your account administrator, who has access to tooling and functionality to respond directly to your request. Your account administrator can provide you with personal data associated with your account and detailed logs of what actions you have taken while using G Suite Core Services. This would include, for example, what files you have created, read, updated, deleted or shared in Drive, email sent and received.
Additionally, some of the information you seek is already available to you via the end user interfaces of the products you are using and a number of secure online tools we provide to all end users to access their data. Please see the table below which provides an overview of these tools.”117
Google provided hyperlinks to five download tools for the end-user.
As listed in Table 9 below, none of these self-service tools show all the personal data Google collects, such as unique identifiers and content data, through (1) use of the Google Account in the Core Services, Additional Services and Other related services such as Feedback and the Enhanced Spellcheck in the Chrome browser, (2) the cookies and similar technologies used, plus the information recorded in the webserver access logs with information about IP address, end user and device to keep track of use of services through websites and apps and (3) information collected by the Chrome browser and Chrome OS, including device information from the Chromebook with Android apps that had access to the Play Store.
117 Google email reply to data subject access requests for the test accounts, 27 February 2020.
Table 9: Google overview of self-service tools for end users

Resource | Google explanation
User data export118 | A tool which enables end users to export and download [content] data.
My Activity119 and view your Google Dashboard120 | Allows end users to see and actively manage their recent activity and to manage the data in their Google Account.
Drive Activity Dashboard121 | Administrators and end users can access personal information related to their Drive file activity through the Drive Activity Dashboard. G Suite administrators can control whether end users see each other's file activity on an Activity Dashboard. File activity includes the names of end users who have viewed Docs, Sheets, and Slides files and the time they viewed them. Users can control whether their file-viewing information is displayed in the Activity dashboard. For example, if an administrator turns an end user's view history On, that end user can still choose privacy settings to hide the file views from the Drive Activity dashboard.
Review how you share data with third-party apps and sites122 | List of sites and apps with access to the end user's Google Account.
Google's use of cookies123 | A description and list of the cookies Google uses.
Google added: “We are a data processor of Customer Personal Data as defined in the G Suite DPA. Our goal is to protect the privacy and security of our end users and we do not want to provide data to the wrong person. As discussed, we do not provide information where we do not believe there is a secure means of after-the-fact offline reidentification of a data subject in the context of a Subject Access Request, for example in situations where two or more individuals may use a device. Mobile Device Management is a solution for admins to control user/device policies and access.”124
If end users have chosen privacy-friendly settings, they cannot see any activity data in their personal dashboard. As explained above, in Section 2.3.1, this does not mean that Google deletes the data.
Google explains in its (consumer) Privacy Policy:
118 Google, Download your data, URL: https://support.google.com/accounts/answer/3024190?hl=en
119 Google, My Google Activity, URL: https://myactivity.google.com/myactivity
120 Google Dashboard, See and manage the data in your Google Account, URL: https://myaccount.google.com/dashboard?pli=1
121 Google, View the activity on your Google Docs, Sheets & Slides, URL: https://support.google.com/docs/answer/7378739?co=GENIE.Platform%3DDesktop&hl=en
122 Google, Apps with access to your account, URL: https://myaccount.google.com/permissions
123 Google, How Google uses cookies, URL: https://policies.google.com/technologies/cookies?hl=en
124 Google response 5 June 2020.
“Activity you keep helps Google provide you with a more personalized experience, including faster searches, automatic recommendations, and a better YouTube homepage. If you delete activity, it’s no longer used to personalize your Google experience. (…) For business or legal compliance purposes Google must retain certain types of data for an extended period of time.”
Google also explains why it does not provide certain personal data in reply to a data subject access request: (i) because it finds it impossible to reliably verify that the requester is the data subject, and (ii) because in some cases such transparency would hurt Google's own efforts to protect the security of its systems.
Google writes: “Please note that certain personal data is not included in our responses to data subject access requests. For example, data is not included to the extent we are unable to verify that the person making the request is the data subject to which it relates (Article 11(2) and Article 12(2) GDPR). This applies, for example, to data that is associated with unique identifiers (e.g. so-called cookie IDs) where we are unable to verify that they relate to the person making the request. Additionally, data is not included to the extent that providing a copy of such data would adversely affect the rights and freedoms of others (Article 15 (4) GDPR). This applies, for example, to data we are processing in the context of detecting threats to the security of our system, the disclosure of which could impact the ability of others to safely use the services.”125
The researchers have offered Google multiple ways to verify their identity and the properties of the (test) devices used to perform the scenarios, including providing detailed device, access and cookie identifiers, access to the intercepted data, and a physical or virtual visit to a location to prove their identity, if necessary with copies of their passports. Google has refused all of these options.
In sum, sections 2.2 to 2.4 show that the Diagnostic Data from the Core Services are personal data. The review of the audit logs available for administrators shows they contain IP addresses, end user and account identifiers, and sometimes email addresses. The telemetry logs recorded in Android Atoms and through the Chrome browser contain IP addresses, hashed MAC address and app usage data, and sometimes sensitive content of files (collected through use of the Enhanced Spellcheck).
Google only provides limited access to some of the usage data it collects (in its role as data processor) about the use of some Core Services and the Google Account. These Diagnostic Data are generally personal data, since they are generated by the activities of individual end users (data subjects) and are protected by those users' access credentials.
Google fails to provide access to Diagnostic Data about the use of the Features and Additional Services, including the Chrome OS and Chrome browser. Google acknowledges in its reply to the data subject access requests that some data, such as cookie identifiers, are personal data, but Google states it cannot reliably verify that the person making the data subject access request is the data subject that these
125 Google response 5 June 2020.