Real win vs. privacy theater: Google’s new personal information removal policy

In 2015, Ranking Digital Rights, a non-profit research initiative, graded top tech companies, including Google, on their privacy policies, features, and commitments. No company scored higher than a D. 

Privacy may have been important to many people back then, but big tech felt little reason to take meaningful action. 

Now, with data privacy top of mind for the majority of US consumers and pro-privacy legislation gathering steam at the state level, the tide is turning. By letting individuals make removal requests for phone numbers, email and home addresses, and other sensitive PII, Google is the latest tech giant to bend to public pressure on user privacy. 

Previously, users could only ask Google to remove information threat actors could use to commit identity theft and financial fraud, i.e., Social Security numbers, credit card details, or medical data. Individuals whose contact information was disclosed through doxxing and who experienced “explicit or implicit threats” and “calls to action for others to harm and harass” could also ask Google to delete this information from its search results. Doxing refers to the malicious sharing of personal data online.

This latest development lets users request that Google remove their PII if it “has potential to create […] harmful direct contact, or other specific harms”. 

Google’s recognition of “other specific harms” that may come as a result of personal information glut is long overdue. Easily available PII can contribute to a whole spectrum of threats, including location tracking/stalking of individuals as well as doxxing by social media flash mobs. 

In addition, search engines like Google are routinely leveraged by cybercriminals. Threat actors use Google Search to identify potential targets for corporate phishing campaigns that lead to ransomware (for example, Colonial Pipeline), tailor robocalls to specific consumers, and build synthetic identities. 

Even for cynical privacy advocates like me, Google’s policy shift is a welcome step forward for the industry. However, average internet users may still find the process overly complex and an insufficient way of addressing the growing problem of online privacy.

A watershed moment but limited impact

Google giving individuals the ability to remove more PII from appearing in search results is a key moment in the struggle for consumer privacy. For the first time, the tech giant is recognizing the danger that a lack of privacy creates for individuals. 

This recognition is welcome. However, the direct opt-out option now allowed by Google will not turn the dial on individual privacy by itself. 

The ability to flag PII appearances on websites that otherwise have no legal or regulatory obligation to remove PII on request is valuable. But in a world where it’s in everyone’s interest, except for individuals themselves, to keep harvesting, selling, and sharing PII, Google’s move still leaves users without easy ways to opt-out at scale. Between 2019 to 2021, the volume of online PII exposure increased by over 150%. From public bodies keen to digitize records to data brokers whose business model is built on harvesting and selling personal data, PII is a hotly traded commodity. With a 68% rise in the number of data breaches last year, cybercriminals make hefty profits through stealing and exploiting PII. 

Google’s opt-out process falls short because it makes users do all the work of identifying information at risk and documenting it. Anyone who wants their PII taken down from Google’s search engine needs to specify every individual site where their personal information appears, submit multiple copies of their ID, tell Google whether there is “doxing intent” or not, and what search terms bring up the information. 

Based on our experience, individuals will likely have to iterate the request process hundreds of times, creating inevitable bottlenecks. The need for users to submit screenshots with their opt-out requests further complicates this process, creating a user flow that discourages opting out. This is not a scalable process.

How Google can help privacy protection scale

Turning an underwhelming but still useful opt-out option into a powerful tool requires Google to create a pathway for automated PII removal. To do this, Google could easily leverage its new policy shift to build an API for delivering automatic PII detection and removal for individuals and organizations concerned about privacy by partnering with recognized privacy service providers.

This move would help create a virtuous circle for individual online privacy. With automated and scalable PII removal, the incentive for commercial organizations to allow exposure, like that done by data brokers who relist information every four to six months, would dwindle. In turn, PII would become harder to find, keeping individuals safer and reducing the problem PII exposure creates for our society.

As this policy change shows, Google has a lot of power over individuals’ online lives. For anyone impacted by doxing, stalking, and other threats, small policy changes can make massive differences. If they want to truly help their users, Google needs to build on this latest policy shift to make privacy actions match intent.

Rob Shavell is cofounder and CEO of DeleteMe.