Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: If I use GSuite does Google mine my data for their own purposes?
65 points by plg on Nov 14, 2018 | hide | past | favorite | 57 comments
If I pay for GSuite and I browse the web while logged on to my GSuite account using Chrome, for example, does Google mine my data/metadata/behavior for the purposes of advancing their business model? Or just to "help deliver my services"



(I'm a software engineer on Google Drive.)

The answer is no. To the point where it's actually a pain in the ass for us because developing any ML-assisted capabilities for G Suite requires us to only get training data from specific subsets of customers who are under special contract conditions.

If you buy G Suite from a reseller then they might be doing shady shit but we'd terminate their reseller account if we found out about it.

I know people like to bitch about this kinda shit on HN but honestly I and my coworkers spend so much time on protecting our customers' data from literally everyone -- including ourselves -- that I want the chance to bitch back about how hard my job is.


The ironic thing is the big 4 style companies are usually labeled as being careless with user data yet they probably have some of the strictest internal rules/procedures for user data classification and handling.

It’s the startups consumers should be more worried about IMO.


As a Cloud Platform customer I find security and data privacy it is handed with a lot of care.

Also, I believe all enterprise product purchases are made on trust foundations.

If someone did weird stuff with customer data, it will be out of the market in a couple of days. It might be also a felony in some parts of the world.


I wonder if this commitment is reflected in any official terms or pledges?


"Google Cloud Security and Compliance Whitepaper" linked elsewhere on this thread: https://storage.googleapis.com/gfw-touched-accounts-pdfs/goo...

Relevant bits start at page 12:

"G Suite customers own their data, not Google."

"There is no advertising in the G Suite Core Services, and we have no plans to change this in the future"

etc.

Ultimately the biggest cudgel you have to wield here is in the sales contract you're signing, but my understanding is that the baseline privacy guarantees are standard for all customers at the strictest level -- people actually opt to reduce the restrictions on their data so that new features get built with their use cases in mind (otherwise we wouldn't know what those actual use cases were).

A lot of companies use G Suite and a lot of them have very strict privacy + security requirements. This is the same platform used by fintech companies, healthcare companies, MegaCorps, etc.

Sort of a thing with all non-web-search Google products: I can't fathom how people see the $5B/quarter "other revenue" line on our earnings statements and think that just doesn't matter and somehow we have to get the "real" money from ads. We definitely did ads-supported-consumer first and we've been doing it the longest and it makes the most money, but how many email providers would kill to have half of that quarter as their annual revenue? G Suite, Cloud, etc are very real businesses in their own right and that's even while being very young and coming from a company that didn't start with any inherent strengths in enterprise markets.


I believe Google is a surveillance company, and I like to think that anything they do has something to do with that. I would love someone to prove me wrong though, because what they're doing is so dystopian.


As another reply notes, this is a very strange burden of proof you're suggesting. That said...

I don't think modeling Google as a surveillance company is a particularly good model. If you need to pick something reductionist, it's probably safest to model Google as a corporation that seeks to make money, although that's not particularly unique or (obviously) a sufficiently refined model.

I use a lot of Google services, own some Google hardware (phone, smart speakers and the like). But I also have reservations and concerns about Google, and I try to regularly reexamine my relationship with Google to see if I'm still comfortable with everything!

One step I took was to really dig into the My Activity dashboard that Google provides. I was really interested, after letting a Google Home into my life, to see what I could learn. The most obvious step I took was to listen to the recordings Google keeps of every interaction I have with the Home, and ensure there weren't things presented that I hadn't intended Google to be listening to.

But! What if Google is actually recording everything, and then only presenting me with the things that were actual instructions to my Google Home in the dashboard? (Let's disregard network traffic analysis and the like for the moment.) If Google were up to this kind of shenanigans, they would have to be very, very careful to have an appropriately conservative filter in place to ensure none of the secret recordings were ever presented to me.

So, to test this, I proceeded to independently record every interaction I had with the Google Home (just took a quick note on paper) for a couple days. I later went to the My Activity dashboard to see if every interaction was present. (They were.) At this point, I am reduced to a narrower set of options: Google is actually doing what they told me they would, or their super-AI is so advanced that is is capable of covert monitoring and reporting on my activity along with _perfect_ filtering such that there are no false positives or false negatives.

This obviously isn't exhaustive or comprehensive. But I find myself coming back to "why?" The things that Google tells me they do with my data, up front, are sufficient to explain their business activities and revenues. The disincentives around doing anything more nefarious are rather large. I reevaluate the relationship periodically, but I am generally comfortable looking at the terms of the deal (I share some data, they provide me a lot of value) and accepting them.

Honestly, the thing I find far scarier is their absolute shit-tier support and draconian account suspension policies. I found myself entertaining becoming a Google One subscriber even though I have no need for more cloud storage. I was literally entertaining the notion of paying them a nominal fee every month so that I might be somewhat less likely to lose my account and all of the association information for some minor (possibly merely perceived) transgression. That's a bit scary!


Don’t. As someone who recently tried Google One out and had to deal with their support repeatedly during my first month as a Google One subscriber, it’s abysmal. I eventually cancelled and left. The process somehow also screwed up my account and made everything a mess. The whole ordeal basically made me want to never pay Google for anything ever again.


> would love someone to prove me wrong though

The burden of proof lies on the person making claims. I'm not asserting that your claims are wrong, but if you want people to take your statements seriously you need to provide proof.

In order to practice what I teach, here's an article: https://en.wikipedia.org/wiki/Burden_of_proof_(philosophy).

EDIT: Fixed paragraph formatting


I mean, it's literally no secret that Google collects user information, contents of emails, browsing history, etc and uses it to target advertisements to users. If you use a google product or service for more than 5 minutes, you literally see it happening.


OK, I guess that depends on how you define surveillance. I think of surveillance as having some kind of relation to the state, for example a private investigator looking into a court matter, a company sharing information with the government (outside of warrants), etc. If we're taking surveillance to mean general tracking, then yes the OP's statement probably doesn't need further evidence.


I think most folks associate surveillance with this definition of the word: "continuous observation of a place, person, group, or ongoing activity in order to gather information"


The distinction is basically none. Allowing tracking is a kin to state surveillance. If the data is tracked, you should assume the government has it and I’d cite Snowden and the political climate chipping away at privacy rights.


Thanks for this. I assumed anyone that visits HN knows what Google does, especially after the whistleblowing and revelations in the past few years. I agree that it would’ve been better for me to add a few citations or proof, so here’s [0] the first search result when searching for google+surveillance on DDG. [0]:https://www.theguardian.com/commentisfree/2017/jun/18/google...


Google will capture your data whether you're a paying customer of not. They will tell you they capture "some data" to personalise their service and make your life more convenient. In reality, they capture everything they can and it's all grist to their advertising mill.

But Google is not the only company doing this. Facebook and Amazon will track you across the internet, and even Microsoft is now adopting similar strategies.

Your best defence is to minimise the attack surface. Own your own data by paying for cloud storage and email. Use a browser like Brave, or Firefox with the new privacy control turned on. Don't post anything to social media you wouldn't be happy for the whole world to know.


If you can cope with living in a walled garden, replace all your devices with Apple products.


My hardware is all apple. My OS's are all apple. But I use GSuite for email/calendar. Email because I use my own domain and Calendar because we use it at my workplace for scheduling shared resources (conference rooms etc).

I suppose I could easily switch to another email provider (e.g. Fastmail).

I also suppose I could stop using Google Calendar for my own calendar and only use it for scheduling conference rooms at my workplace. Or get someone else to schedule rooms for me using their google account.

I still use google for search but I suppose I could switch.

I use apple maps 99.9% of the time and it's fine.


I find it really hard to tell if you are cynical or not :-)

Not making any statement about the current Apple, of course... which I know next to nothing about since I've never owned any Apple devices.


Apple makes some pretty strong claims about your privacy as a customer:

https://www.apple.com/privacy/


Yes, and they are known to scan it and kick people off for "inappropriate" content under a very subjective and not equally enforced set of standards. This is why I don't recommend Google Cloud to clients.


Do you mean they scan your files and will kick you off for running a porn business because of the content in your slides/sheets/files. Or are you saying, if you run a church they will kick you off for occasional porn browsing?

Using porn as an example of possibile subjective inappropriateness


It means that storing child pornography on the cloud is against the tos.


Yes on two levels:

1. If you're logged into Chrome or using Google properties, they're using your behavior along with everyone else's to see what patterns people have, what sites are popular, which ads convert, etc. If they were to stop doing that tracking whenever you're logged into a GSuite account, they'd publicize that loudly and clearly as a selling point. Given that they don't, I think it's reasonable to believe that they treat GSuite customers' behavioral data the same as all other users'.

2. Specifically your use/behavior of the GSuite products they will also use to improve the GSuite products themselves (and sell more, thereby advancing their business model). For example, if they see that nobody is using a particular feature, they may change where it shows up or eliminate it.

What they clearly publicize that they don't do is mine the content of your documents or put advertising inside the GSuite products themselves. But all the behavioral data/metadata you generate will still be used alongside everyone else's.



I used to pay for GSuite and still found my content being mined. With all due respect to Google, I find it hard to believe that they're as consistent as they believe with filtering paid vs free accounts across the service.

I could be, and am open to being, wrong, though. I'm not Google. Just found myself with substantially less targeted advertising once I left.

And actually that's slightly interesting - how does one determine a bug re: being the recipient of targeted ads when you shouldn't be? Probably wording it wrong without coffee in me, but I hadn't thought of it like that.


> found my content being mined

How?


turc1656 (other direct reply to you) noted what I was getting at, but to expand on it...

I'm pretty careful about what I share with various services. Facebook (Instagram, etc) are all silo'd off to separate access points, phone is devoid of any of them, you get the gist. The only thing I didn't mind was Google, since I was paying for it, and it's easy to think that paying for it means it'll work how you expect it to and your privacy is intact.

Thus I'd keep Google apps signed in to the account, and I'd keep a tab open with Gmail all day, so short of incognito tabs, I was almost always signed into it.

Your _email_ isn't scanned, but Google doesn't even do that for free email accounts since..., what, 2014? Most people who decry the whole Gmail reading emails angle don't seem to understand this. They still track you as you move around for advertising purposes, though, and that was enough to make me just not want a Google account.

Siloing social media probably reduced my targeted advertising by 20%, and the absolute biggest reduction I found in my life was by getting rid of Google. It's honestly jaw dropping how much tailored content you get shoved at you that "waking up" from it can blow your mind (read: less depression, fomo, and so on, which more people seem to be catching on to).

YMMV though. I don't hate advertising and think it certainly has a place in society, and some people find it useful/fine/acceptable. Just noting my experiences.


> They still track you as you move around for advertising purposes, though, and that was enough to make me just not want a Google account.

Firefox containers solved[1] this for me. They are probably the biggest privacy boost I've felt for a decade. I've got three separate Google containers (private Google account and general Google properties like youtube, and two separate Gsuite accounts), individual Facebook, Reddit and HN containers, a separate containers for various banks I interact with, another separate for online purchases (plus goodreads, because I don't want Amazon to leak), and an individual Pandora one (because why not?).

1: Well, "solved" in that it's harder for them. They can still track me, but at least now they get conflicting cookies from different types of sites but the same IP which might confuse their metrics some. I'm aware I'm probably just making it harder to state anything about me with too much confidence at most.


Yes, but Firefox on Mac is honestly nowhere near the level of polish that other browsers are, so I only use it for social media. My default browser is Safari, which never sees a Google signin anymore. shrug

Highly recommended tho.


Besides what the parent already mentioned, I was also a paying GSuite user for some years (when it was still called Google Apps for Applications/Business). And I had e-mail contacts (Google Mail is covered by GApps) appear as suggested profiles, etc. in Google+ (then not covered by GApps).

Even if there is no malice, it seems that they are not enforcing strict boundaries between their products.


> And I had e-mail contacts (Google Mail is covered by GApps) appear as suggested profiles, etc. in Google+ (then not covered by GApps).

It's still a Google service tied to your account, gsuite or not. It doesn't surprise me one bit that there's still a bit of integration there. They already have your email and the emails of others in your address book that you willingly gave them. It's not like they're mining you to steal those and give you creepy suggestions.


OP indicated the reason for the conclusion - "...found myself with substantially less targeted advertising once I left"


Care to summarize your conclusion so we all don't have to download the PDF?


For the lazy...

> G Suite customers own their data, not Google. The data that G Suite organizations and users put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties. We offer our customers a detailed data processing amendment that describes our commitment to protecting customer data. Furthermore, if customers delete their data, we commit to deleting it from our systems within 180 days. Finally, we provide tools that make it easy for customer administrators to take their data with them if they choose to stop using our services, without penalty or additional cost imposed by Google

>No advertising in G Suite There is no advertising in the G Suite Core Services, and we have no plans to change this in the future. Google does not collect, scan or use data in G Suite Core Services for advertising purposes. Customer administrators can restrict access to Non-Core Services from the Google Admin console. Google indexes customer data to provide beneficial services, such as spam filtering, virus detection, spellcheck and the ability to search for emails and files within an individual account.

Data Processing Amendment: https://gsuite.google.com/terms/dpa_terms.html


The specificity of "for advertising purposes" leaves wide open the likelihood that it is scanned for "their own purposes", per the question that was asked.


Or for the purposes of, “spam filtering, virus detection, spellcheck and the ability to search for emails and files…”, which seems reasonable and fair.


Would "anthropology for the purpose of strategy" be reasonable/fair?


Listing multiple items does not exclude others.


I like to think of myself as having "alternative" priorities :) Thanks a bunch!


In my (non-expert) opinion, one of the most important parts of the linked DPA is where Google claims that they are a Processor and not a Controller under GDPR.

A Controller has discretion of what processing takes place and how it is used. A Controller also has greater responsibilities under GDPR to both the data subject and to the authorities. If Google wants to limit their exposure to GDPR (and I see every indication that this is their current strategy), then they need to make sure they only carry out the processing activities outlined in the DPA.


Does it stop them from finding generalities in the data and selling that info?


I don't think so.


It looks like a lot of people went straight to "Google said they don't scan your documents for advertising purposes" and skipped over your actual question, which was "does Google scan everything I do in Chrome when I'm logged in even if I pay for GSuite" and I'm pretty sure the answer is yes.


I'd be very surprised if Google wasn't doing that with your data. It's their business model.


Except when someone's paying them cold hard cash for something like G Suite, you'd think that should be enough of a business model for them...but I think you're right to remain skeptical of that. :\


Officially not.

In reality, nobody knows, and given their business model I wouldn’t be surprised if they did anyway.


Based on the Googler's comment above, I think both are true. I can fully believe that test data has to be obtained from certain sources for development and whatnot. But once the algorithm is in production , I'm sure its sifting though your stuff as you are browsing just like everything else.


Ill link to the official docs from Google:

https://gsuite.google.com/learn-more/security/security-white...


If you want an answer from someone who actually knows, consider contacting your gsuites account rep or asking on the support forum for gsuite. It is apparent from the other responses find their root in uninformed paranoia rather than actual knowledge.

(I don’t actually know either, and I think it depends on what you mean by “scan” and what program you’re worried is doing said scanning. It also depends what you mean by “for their own benefit.”)


Anecdotally, a couple of weeks ago I made a "budget" spreadsheet in google sheets and since then I've been getting the same youtube ad for a money management app, over and over again. I hadn't seen the ad before and the spreadsheet is the only change in my behaviour on google services that I can think of.


Did you search for anything budget related?


I don’t belive they scan the contents of your documents/emails, but I do beleive they use metadata and behavior.

I’m conflicted because part of me thinks using their paid services encourages them to pursue a more Apple-link business model where advertising dollars are not the end goal, but it just doesn’t seem to be their mission at all.


Your data are on their server? If yes you simply can't no and (the need of) trust is a weakness. Since you can only trust them you are in a weak position as a user, be confident enough than that your data's will be used is some way.


Of course they do. How could you be so naive?


No.


This is one of the reasons why I wrote my essay/overview, to investigate these problems.


it's a FAANG world and we just live under it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: