This privacy policy overview for Google Meet, Duo, and Hangouts is part of a series looking at the privacy practices of commonly used videoconferencing services. The series includes:
- Introduction — the introduction provides background information on the scope of this work, and a summary of general findings
- An overview of Google Meet, Duo, and Hangouts (this document)
- An overview of Microsoft Skype and Teams
- An overview of Cisco WebEx
This policy overview for Google Meet has three sections:
- Summary Notes, general observations about the privacy policy and service offering;
- Rubric Mapping, a more structured look at the services, mapping the language in the privacy policy to 10 defined categories; and
- Policy Notes, a series of excerpts from the privacy policy, with commentary on what the language means.
The privacy policy analysis is based on the publicly available policy at https://policies.google.com/privacy?hl=en-US. This policy was last updated on March 31, 2020.
1. Summary Notes
1. Google’s terms are very broad, as they apply across a large swath of Google services. As such, these terms address data collection in general, but specific information about how data collected via Meet and Hangouts — especially the video data — is handled is difficult to find in any concise form.
2. Google’s terms explicitly allow them to use data they collect to develop new products. Based on the rights Google claims in their privacy policy, they could theoretically use data collected during video calls to develop or tune facial recognition products, or voice recognition products that could be used to “voice print” an individual.
3. Like most companies, Google notes in its terms that the data it collects is an asset that can be transferred in a merger, acquisition, or sale of assets, and that users will be notified before such a transfer occurs. However, the terms are not clear about whether the transfer of video or audio data would trigger any additional protection or notice, or whether there are any explicit prohibitions on audio or video data being transferred to a company that develops facial recognition or voice printing products.
4. Google Meet can be accessed in multiple ways. For example, a person can initiate a meeting with a consumer account, or as part of a range of different GSuite offerings. If a person has access to Google Meet as part of an organization’s GSuite offerings, then the administrator of the organization’s GSuite instance has the ability to both affect the default privacy and security settings, and/or to provide access to live meetings and stored recordings of meetings. In practice, the power of GSuite admins to affect the privacy and security of the people in their organization means that it’s difficult to make universally accurate statements about the privacy and security of GSuite, as the defaults will vary widely based on the decisions and skill of the GSuite admin. The potential of data leaks or breaches based on admins is another facet to consider when assessing the potential privacy and security issues within Google Meet, or other products accessed via an organization’s GSuite instance.
5. The privacy landscape gets more jumbled when we think about interactions between users with different types of Google or GSuite accounts. For example, what are the tracking implications when a parent with a consumer Google account attends a Google Meet initiated from within an educational GSuite account? What happens when a student with a K12 GSuite account attends a Google Meet hosted by a non-edu host? What are the privacy implications when a person is logged in to their organizational and personal Gmail accounts in the same browser? Preliminary testing indicates that in most situations, the tracking defaults to the most permissive, but the terms do not provide any clarity about these common use cases.
2. Google Meet aligned to the Rubric
This rubric is based on the policy notes found below.
Personal Data Leak
Google Meet (or Hangouts), like all videoconferencing services, has the potential to leak personal data. For some GSuite accounts, hosts can record calls and potentially share those recordings. Additionally, other participants could potentially use a smart phone or other video recording device to make surreptitious recordings of calls without the knowledge or consent of participants.
When participating in any videoconference, if you are not aware whether or not a call is being recorded, ask the host. If it is not possible to ask the host, assume that the call is being recorded, and adjust your level of participation in the call to whatever feels comfortable.
First Party Data Collection
Google collects a broad range of identifiers about devices used when a person uses a Google service. Individually, these data elements could be used to identify a person even in the absence of a name, email address, or physical address. However, because these data elements are often connected to a Google account that can include an email address, phone number, name, and profile photo, these data elements provide multiple ways to precisely identify an individual.
Data Enhancement
Google’s terms state that Google augments data with information from multiple third party sources. The language in their policies covers advertising partners, but the terms also explicitly mention that Google can collect information pulled from local storage or server logs.
Third Party Access
Google’s terms clearly disclose that they use data collected for advertising purposes. Google’s terms state that Google does not “share information that personally identifies you with advertisers, such as your name or email, unless you ask us to.” The terms are not clear about whether or not advertisers who receive data from Google can attempt to re-identify people with data received from Google.
Google’s terms also state that data can be shared with third parties with consent, but consent mechanisms are not thoroughly defined in Google’s terms. While they say that they will get “consent” or “explicit consent” they do not thoroughly define what that means in practice.
Implications of Employer or School Sponsorship of Service
When GSuite is made available through a school or business, the privacy of end users is only as solid as the administrator setting up GSuite. Admins have the ability to access data in individual accounts, and to restrict the ability of people to modify some of their privacy settings.
Data Deletion and Retention
Google’s terms describe multiple different rules for retaining data. These rules carve out advertising data as distinct from other forms of data, but the terms do not provide clear descriptions of retention periods. The terms link to a different page (https://policies.google.com/technologies/retention) on data retention, but even the information on that page is vague or overly broad (e.g., stating that cookie information is removed after 18 months without saying what the remaining log data consists of).
Differentiation between data collected from hosts versus participants
The terms do not contain clear provisions or descriptions that detail how data collected from hosts are treated differently than data collected from participants.
The distinction between a meeting host and a meeting participant matters because meeting hosts have made some general choice to use a specific platform, where meeting participants might not have any real choice about whether or not they want to trust a platform with their information.
Information Used for Product Improvement
Google’s terms explicitly define Google’s right to use the data they collect to develop new products. Given that Google collects voice and video information during video calls, location information from phones and computers we use, interests from search, web browsing history from ad tracking and analytics, and people with whom we communicate or share content, Google has access to a trove of information about us, our habits, and our contacts.
The combination of a large amount of accurate, sensitive information — paired with the ability to use that information to develop just about any new product — creates a significant privacy risk.
Data That Can Be Sold or Shared as Part of a Transaction
In case of a merger, acquisition, or sale of assets, Google defines data as an asset and promises to provide notice that data will be transferred, but does not state that it will provide an opportunity for users to delete their information or block transfer before any transfer happens. Given that Google collects voice and video information during video calls, location information from phones and computers we use, interests from search, web browsing history from ad tracking and analytics, and people with whom we communicate or share content, Google has access to a trove of information about us, our habits, and our contacts.
The combination of a large amount of accurate, sensitive information, paired with the ability to transfer that information as part of a merger, acquisition, or sale, creates a significant privacy risk.
Access to Data for Machine Learning, AI Analysis, or Human Review
Google’s terms contain general descriptions that show that they reserve the right to access data for AI analysis and automated review.
3. Privacy Policy Notes
The rough notes below include direct quotations from Google’s Privacy Policy, and commentary on the potential implications of the policy language. These notes are not legal advice.
The larger excerpts of policy language are in italics.
— — — — — — — — — — — — — — — –
Google’s introductory language is very clear about the intent of their privacy policy. It’s not about user control, or user agency, or choice. Google’s Privacy Policy is explicitly about telling people the rules Google has set down, and that people using their service need to follow. However, because Google is such a huge company, it would be close to impossible to be online and not interact with Google in some way. This is doubly true for people whose organizations require the use of Google services for work. This is where the concept of “notice” is meaningless — because we can’t take meaningful actions in response to what we have been told. Additionally, the concept of “consent” in this context rings hollow — when there are no other real options, how can a person not “consent?”
“This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.”
— — — — — — — — — — — — — — — –
Google uses some interesting framing in their privacy policy:
“You can use our services in a variety of ways to manage your privacy. For example, you can sign up for a Google Account if you want to create and manage content like emails and photos, or see more relevant search results. And you can use many Google services when you’re signed out or without creating an account at all, like searching on Google or watching YouTube videos. You can also choose to browse the web privately using Chrome in Incognito mode. And across our services, you can adjust your privacy settings to control what we collect and how your information is used.”
What Google calls “managing your privacy” is more accurately described as using Google services and storing information on Google’s infrastructure. Browsing YouTube videos while logged out doesn’t offer substantial protections, as Google can connect unauthenticated activity to authenticated activity via cookies and other forms of tracking. Incognito mode in Chrome offers protection against someone with physical access to your computer accessing your browsing history, but Incognito mode should not be considered as a general way to protect privacy.
— — — — — — — — — — — — — — — –
First Party Collection
Google collects a broad range of identifiers about devices used when a person uses a Google service. Individually, these data elements could be used to identify a person even in the absence of a name, email address, or physical address. However, because these data elements are often connected to a Google account that can include an email address, phone number, name, and profile photo, these data elements provide multiple ways to precisely identify an individual.
“We collect information about the apps, browsers, and devices you use to access Google services, which helps us provide features like automatic product updates and dimming your screen if your battery runs low.
The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.
We collect this information when a Google service on your device contacts our servers — for example, when you install an app from the Play Store or when a service checks for automatic updates. If you’re using an Android device with Google apps, your device periodically contacts Google servers to provide information about your device and connection to our services. This information includes things like your device type, carrier name, crash reports, and which apps you’ve installed.”
— — — — — — — — — — — — — — — –
First Party Collection
Google tracks a broad range of information about how people use the web, how people use Google services, what people watch, who they call, and voice and audio information.
“We collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like. The activity information we collect may include:
Terms you search for
Videos you watch
Views and interactions with content and ads
Voice and audio information when you use audio features
Purchase activity
People with whom you communicate or share content
Activity on third-party sites and apps that use our services
Chrome browsing history you’ve synced with your Google Account
If you use our services to make and receive calls or send and receive messages, we may collect telephony log information like your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls.”
— — — — — — — — — — — — — — — –
First Party Collection
Google collects precise information about a person’s location using multiple different means. Some of the ways of collecting, storing, sharing, and reusing location information are probably not broadly understood by end users.
“We collect information about your location when you use our services, which helps us offer features like driving directions for your weekend getaway or showtimes for movies playing near you.
Your location can be determined with varying degrees of accuracy by:
GPS
IP address
Sensor data from your device
Information about things near your device, such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices
The types of location data we collect depend in part on your device and account settings. For example, you can turn your Android device’s location on or off using the device’s settings app. You can also turn on Location History if you want to create a private map of where you go with your signed-in devices.”
— — — — — — — — — — — — — — — –
Data Enhancement
First Party Collection
Google augments data with information from multiple third party sources. The language in their policies covers advertising partners, but the terms also explicitly mention that Google collects and stores information using local storage, such as browser web storage and application data caches. Read broadly, this could be taken as a disclosure that Google claims the right to read data from local storage in mobile apps and browser caches. Two caveats apply. First, the quoted sentence describes local storage as a place where Google keeps its own data, not as a source it mines, and browser web storage is scoped to an origin: a Google script embedded directly in a page runs with that page’s origin and can read that page’s web storage, while a Google iframe can read only storage belonging to Google’s own origin. Second, the sensitivity of data written to local storage varies widely by app or web site, and most users would not expect any of it to be accessible to Google. Separately, Google’s reference to collecting data from server logs means that sensitive information accidentally placed in URLs (in query strings, or in the referrer URL sent along with a request) ends up in Google’s logs. Some services send potentially sensitive information in URLs by design: Google Search carries the search query in the URL, and Google Analytics sends the full page URL and referrer of each tracked page view to Google’s collection endpoint.
“In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s Search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertisers to provide advertising and research services on their behalf.
We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs.”
— — — — — — — — — — — — — — — –
Product Improvement
Google’s terms explicitly define Google’s right to use the data they collect to develop new products. This creates the potential that data collected during video calls could be used to train a range of services, from voice identification to facial recognition. While their terms do not explicitly mention either of these services, the data they collect could easily be used to develop products like this. If there are specific types of products that Google will not develop based on videoconferencing data (or other data in their possession), they could clearly define these commitments in their privacy policies. But, as these policies are currently written, Google places few real limits on how it uses the data it holds.
“We use the information we collect in existing services to help us develop new ones. For example, understanding how people organized their photos in Picasa, Google’s first photos app, helped us design and launch Google Photos.”
— — — — — — — — — — — — — — — –
Data Enhancement
Third Party Access
Google can potentially combine information about people from sites that use both Google Analytics and ad services controlled by Google.
“we also use data about the ads you interact with to help advertisers understand the performance of their ad campaigns. We use a variety of tools to do this, including Google Analytics. When you visit sites that use Google Analytics, Google and a Google Analytics customer may link information about your activity from that site with activity from other sites that use our ad services.”
— — — — — — — — — — — — — — — –
Data Enhancement
Product Improvement
Google can combine information it collects from different Google-controlled services, and from different devices it ties to an individual user. While they don’t explicitly call this out here, this language strongly implies that this data combination occurs over time. The language here also implies that Google connects specific devices to specific individuals. While smaller companies would need to do comparable data enhancement using data from third parties, because Google is so large the data sources can come from other Google-controlled affiliates.
Because this language also states that Google can use the data they collect, assemble, and store to “improve Google’s services” that gives Google broad license to use data as Google deems necessary.
“We may combine the information we collect among our services and across your devices for the purposes described above. For example, if you watch videos of guitar players on YouTube, you might see an ad for guitar lessons on a site that uses our ad products. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”
— — — — — — — — — — — — — — — –
Other
Google offers a range of features that allow people to modify how some data collected by Google are used. Google also allows people to export information they have created using Google services (most of the exports are available via Takeout) — for Hangouts, this appears to be limited to photos and files shared during conversations, and conversation history. However, the functionality is fragmented across multiple services, which can make accessing the features needed to export or access data difficult to use. Additionally, it’s not clear if or how the profiles Google creates (for example, the information Google collects and combines across multiple Google services and across multiple devices) is accessible via Google’s standard tools.
For example, it’s unclear how Google would answer this question: “Can I see a record of every piece of data associated with John Doe, using email johndoe@gmail.com, including any data collected via Google ad services on different sites, Google Analytics on different sites, and any devices associated with John Doe or johndoe@gmail.com?” The dataset that would come back from a complete answer to this question is almost certainly broader than the data elements that are currently fragmented and exposed across Google Takeout and Google’s privacy controls.
— — — — — — — — — — — — — — — –
Third Party Access
Consent mechanisms are not clearly defined in Google’s terms. While they say that they will get “consent” or “explicit consent” they do not define what that means in practice. Does “explicit consent” mean agreeing to the terms of service and privacy policy when signing up for a service?
“We’ll share personal information outside of Google when we have your consent. For example, if you use Google Home to make a reservation through a booking service, we’ll get your permission before sharing your name or phone number with the restaurant. We’ll ask for your explicit consent to share any sensitive personal information.”
— — — — — — — — — — — — — — — –
Employer Surveillance
Personal Data Leak
When GSuite is made available through a school or business, the privacy of end users is only as solid as the administrator setting up GSuite. Admins have the ability to access data in individual accounts, and to restrict the ability of people to modify some of their privacy settings.
In addition, if a person is logged into a personal Google account and an organizational Google account on the same browser (a common use case for people who have a personal and a work email), some general testing indicates that their work/school activity will potentially be tracked and tied to their personal account.
“If you’re a student or work for an organization that uses Google services (like G Suite), your domain administrator and resellers who manage your account will have access to your Google Account. They may be able to:
Access and retain information stored in your account, like your email
View statistics regarding your account, like how many apps you install
Change your account password
Suspend or terminate your account access
Receive your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
Restrict your ability to delete or edit your information or your privacy settings”
— — — — — — — — — — — — — — — –
Legal Requests
Google, like most other companies, will share data to comply with legal requests. Google also publishes a Transparency Report.
“We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
Meet any applicable law, regulation, legal process, or enforceable governmental request. We share information about the number and type of requests we receive from governments in our Transparency Report.”
— — — — — — — — — — — — — — — –
Onward Transfer
Google promises to provide notice that data will be transferred, but does not state that it will provide an opportunity for users to delete their information before any transfer happens.
“If Google is involved in a merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of your personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.”
— — — — — — — — — — — — — — — –
Data Retention
Google offers options for people to delete data that they have created using Google services. However, accessing these options requires manually navigating multiple screens for multiple services. The lack of centralized, simplified controls can be understood as a layered series of dark patterns that make real options difficult to find, and even if a person finds them, makes the meaning of the options difficult to understand.
“To delete your information, you can:
Delete your content from specific Google services
Search for and then delete specific items from your account using My Activity
Delete specific Google products, including your information associated with those products
Delete your entire Google Account”
— — — — — — — — — — — — — — — –
Data Retention
Google’s terms describe multiple different rules for retaining data. These rules carve out advertising data as distinct from other forms of data, but the terms do not provide clear descriptions of retention periods. The terms link to a different page (https://policies.google.com/technologies/retention) on data retention, but even the information on that page is vague or overly broad (e.g., stating that cookie information is removed after 18 months without saying what the remaining log data consists of).
“Some data you can delete whenever you like, such as the content you create or upload. You can also delete activity information saved in your account, or choose to have it deleted automatically after a set period of time.
Other data is deleted or anonymized automatically after a set period of time, such as advertising data in server logs.
We keep some data until you delete your Google Account, such as information about how often you use our services.
And some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping.”
— — — — — — — — — — — — — — — –
Access to Data for Machine Learning, AI Analysis, or Human Review
Google’s terms contain general descriptions that show that they reserve the right to access data for AI analysis and automated review.
“We use different technologies to process your information for these purposes. We use automated systems that analyze your content to provide you with things like customized search results, personalized ads, or other features tailored to how you use our services. And we analyze your content to help us detect abuse such as spam, malware, and illegal content. We also use algorithms to recognize patterns in data. For example, Google Translate helps people communicate across languages by detecting common language patterns in phrases you ask it to translate.”
UPDATE May 27: Based on reader feedback, the language describing how participants can potentially use a smart phone or other video recording device to record a video conference was edited for clarity. END UPDATE.