Secret Ties in Google’s "Open" Android

Disclosure: I serve as a consultant to various companies that compete with Google. That work is ongoing and covers varied subjects, most commonly advertising fraud. I write on my own—not at the suggestion or request of any client, without approval or payment from any client.

Google claims that its Android mobile operating system is “open” and “open source”—hence a benefit to competition. Little-known contract restrictions reveal otherwise: In order to obtain key mobile apps, including Google’s own Search, Maps, and YouTube, manufacturers must agree to install all the apps Google specifies, with the prominence Google requires, including setting these apps as default where Google instructs. It’s a classic tie and an instance of full line forcing: If a phone manufacturer wants any of the apps Google offers, it must take the others also.

In this piece, I present relevant provisions from key documents not previously available for public examination. I then consider the effects on consumers, competitors, and competition, and I compare these revelations to what was previously known about Google’s mobile rules. I conclude by connecting Google’s mobile practices to Google’s use of tying more broadly

The Mobile Application Distribution Agreement

To distribute Google’s mobile applications—Google Search, Maps, YouTube, Calendar, Gmail, Talk, the Play app store, and more—a phone manufacturer needs a license from Google, called a Mobile Application Distribution Agreement (MADA). Key provisions of the MADA:

“Devices may only be distributed if all Google Applications [listed elsewhere in the agreement] … are pre-installed on the Device.” See MADA section 2.1.

The phone manufacturer must “preload all Google Applications approved in the applicable Territory … on each device.” See MADA section 3.4(1).

The phone manufacturer must place “Google’s Search and the Android Market Client icon [Google Play] … at least on the panel immediately adjacent to the Default Home Screen,” with “all other Google Applications … no more than one level below the Phone Top.” See MADA Section 3.4(2)-(3).

The phone manufacturer must set “Google Search … as the default search provider for all Web search access points.” See MADA Section 3.4(4).

Google’s Network Location Provider service must be preloaded and the default. See MADA Section 3.8(c).

These provisions are confidential and are not ordinarily available to the public. MADA provision 6.1 prohibits a phone manufacturer from sharing any Confidential Information (as defined), and Google labels the MADA documents as “Confidential” which makes the MADA subject to this restriction.

I know, cite, and quote these provisions—and I am able to share them with the public—because two MADA documents became available during recent litigation: In Oracle America v. Google, the HTC MADA and Samsung MADA were admitted as Trial Exhibit 286 and 2775, respectively. Though both documents indicate in their footers that they are “highly confidential – attorney’s eyes only,” both documents were admitted in open court (the clerk’s minutes indicate no admission under seal), and court staff confirm that both documents are available in the case records in the court clerk’s office. (However, the documents are not available for direct download in PACER. Instead, PACER docket number 1205 references “five boxes of trial exhibits placed on overflow shelf.”)

Effects on Consumers, Competitors, and Competition

These MADA provisions serve both to help Google expand into areas where competition could otherwise occur, and to prevent competitors from gaining traction.

Consider the impact on a phone manufacturer that seeks to substitute an offering that competes with a Google app. For example, a phone manufacturer might conclude that some non-Google service is preferable to one of the listed Google Applications—perhaps faster, easier to use, or more protective of user privacy. Alternatively, a phone manufacturer might conclude that its users care more about a lower price than about preinstalled Google apps. Such a manufacturer might be willing to install an app from some other search engine, location provider, or other developer in exchange for a payment, which would be partially shared with consumers via a lower selling price for the phone. Google’s MADA restrictions disallow any such configuration if the phone is to include any of the listed Google apps.

Tying its apps together helps Google whenever a phone manufacturer sees no substitute to even one of Google’s apps. Manufacturers may perceive that Bing Search, Duckduckgo, Yahoo Search, and others are reasonable substitutes to Google Search. Manufacturers may perceive that Bing Maps, Mapquest, Yahoo Maps, and others are reasonable substitutes to Google Maps. But it is not clear what other app store a manufacturer could preinstall onto a smartphone in order to offer a comprehensive set of apps. Furthermore, a manufacturer would struggle to offer a phone without a preinstalled YouTube app: Without the short-format entertainment videos that are YouTube’s specialty, a phone would be unattractive to many consumers—undermining carriers’ efforts to sell data plans, and putting the phone at heightened risk of commercial failure. Needing Google Play and YouTube, a manufacturer must then accept Google Search, Maps, Network Location Provider, and more—even if the manufacturer prefers a competitor’s offering or prefers a payment for installing some alternative.

In principle, the MADA allows a phone manufacturer to install certain third-party applications in addition to the listed Google Applications. For example, the phone manufacturer could install other search, maps, or email apps in addition to those offered by Google. But multiple apps are duplicative, confusing to users, and a drain on limited device resources. Moreover, in the key categories of search and location, Google requires that its apps be the default, and Google demands prominent placements for its search app and app store. These factors sharply limit users’ attention to other preloaded apps, reducing competitors’ willingness to pay for preinstallation. Thus, even if phone manufacturers or carriers preload multiple applications in a given category, the multiple apps are unlikely to significantly weaken the effects of the tie.

These MADA restrictions suppress competition. Thanks to the MADA, alternative vendors of search, maps, location, email, and other apps cannot outcompete Google on the merits; even if a competitor offers an app that’s better than Google’s offering, the carrier is obliged to install Google’s app also, and Google can readily amend the MADA to require making its app the default in the corresponding category (for those apps that don’t already have this additional protection). Furthermore, competitors are impeded in using the obvious strategy of paying manufacturers for distribution; to the extent that manufacturers can install competitors’ apps, they can offer only inferior placement adjacent to Google, with Google left as the default in key sectors—preventing competitors from achieving scale or outbidding Google for prominent or default placement on a given device.

These MADA restrictions harm consumers. One direct harm is that competing app vendors face greatly reduced ability to subsidize phones through payments to manufacturers for preinstallation or default placement; Google’s rules leave manufacturers with much less to sell. Furthermore, these restrictions insulate Google from competition. If competing vendors were nipping at Google’s heels, Google would be forced to offer greater benefits to consumers—perhaps fewer ads or greater protections against deceptive offers. Instead, the MADA restrictions increase Google’s confidence of outmaneuvering competitors—insulating Google from the usual competitive pressures.

One might reasonably compare these MADA restrictions to other recent Google rules — also secret — apparently requiring phone manufacturers to install only a recent version of Android if they want to install Google apps (even if the apps run on earlier versions, which in general they do). But there are plausible pro-consumer benefits for Google to require that manufacturers move to the latest version of Android, including facilitating upgrades and coordinating platform usage on the latest version of Android. In contrast, there are no plausible pro-consumer benefits to the Google MADA restrictions I analyze above. For example, consumers do not benefit when Google prevents phone manufacturers from installing apps in whatever combination consumers prefer.

Little Prior Public Understanding of Google’s Restrictions on Phone Manufacturers

To date, these MADA restrictions have been unknown to the public. Meanwhile, Google’s public statements indicate few to no significant restrictions on use of the Android operating system or Google’s apps for Android—leading reasonable observers and even industry experts to conclude, mistakenly, that Google allows its apps to be installed in any combination that manufacturers prefer.

For example, on the “Welcome to the Android Open Source Project!” page, the first sentence touts that “Android is an open source software stack.” Nothing on that page indicates that the Android platform, or Google’s apps for Android, suffer any restriction or limitation on the flexibility standard for open source software.

Moreover, senior Google executives have emphasized the importance of Google’s openness in mobile. Google SVP Jonathan Rosenberg offered a 4300-word analysis of the benefits of openness for Google generally and in mobile in particular. For example, Rosenberg argued: “In an open system, a competitive advantage doesn’t derive from locking in customers, but rather from understanding the fast-moving system better than anyone else and using that knowledge to generate better, more innovative products.” Rosenberg also argued that openness “allow[s] innovation at all levels—from the operating system to the application layer—not just at the top”—a design which he said helps facilitate “freedom of choice for consumers” as well as “competitive ecosystem” for providers. Rosenberg says nothing about MADA provisions or restrictions on what apps manufacturers can install. I see no way to reconcile the MADA restrictions with Rosenberg’s claim of “allow[ing] innovation at all levels” and claimed “freedom of choice for consumers.”

Andy Rubin, then Senior Vice President of Mobile at Google, in 2011 claimed that “[D]evice makers are free to modify Android to customize any range of features for Android devices.” He continued: “If someone wishes to market a device as Android-compatible or include Google applications on the device, we do require the device to conform with some basic compatibility requirements [hyperlink in the original]. (After all, it would not be realistic to expect Google applications—or any applications for that matter—to operate flawlessly across incompatible devices).” Rubin’s post does not explicitly indicate that the referenced “basic compatibility requirements” are the only requirements Google imposes, but that’s the natural interpretation. Reading Rubin’s remarks, particularly in light of his introduction that Android is “an open platform,” most readers would conclude that there are no significant restrictions on app installation or search defaults.

Google Chairman Eric Schmidt offered particularly far-reaching remarks on Google’s rules about mobile apps and search defaults. After a 2011 Senate hearing about competition in online search, Senator Kohl asked Schmidt (question 8.a):

Has Google demanded that smartphone manufacturers make Google the default search engine as a condition of using the Android operating system?

Schmidt responded:

Google does not demand that smartphone manufacturers make Google the default search engine as a condition of using the Android operating system. …

One of the greatest benefits of Android is that it fosters competition at every level of the mobile market—including among application developers. Google respects the freedom of manufacturers to choose which applications should be pre-loaded on Android devices. Google does not condition access to or use of Android on pre-installation of any Google applications or on making Google the default search engine. …

Manufacturers can choose to pre-install Google applications on Android devices, but they can also choose to pre-install competing search applications like Yahoo! and Microsoft’s Bing. Many Android devices have pre-installed the Microsoft Bing and Yahoo! search applications. No matter which applications come pre-installed, the user can easily download Yahoo!, Microsoft’s Bing, and Google applications for free from the Android Market.

Schmidt’s response to Lee (question 15.b), to Franken (question 7), and to Blumenthal (question 7) were similar and, in sections, verbatim identical.

Taken on its own, Schmidt’s statement seems to offer a categorical denial that Google in any way restricts what apps manufacturers and carriers install. But in fact Schmidt’s statement is much narrower. For example, reread Schmidt’s assertion that “Google does not condition access to or use of Android on pre-installation of any Google applications or on making Google the default search engine.” The natural interpretation is that no Google rule requires manufacturers to preinstall any Google app or make Google the default search. But Schmidt actually leaves open the possibility that some other Google-granted benefit, other than permission to use Android, imposes exactly these requirements. Indeed, the above-referenced documents reveal that Google imposes these requirements if a manufacturer seeks any of the listed Google apps. But Schmidt’s statement indicates nothing of the sort.

Similarly, notice the ambiguity in Schmidt’s statement that “Manufacturers can choose to pre-install Google applications on Android devices, but they can also choose to pre-install competing search applications like Yahoo! and Microsoft’s Bing.” The clear implication is that manufacturers can pre-install Google, Yahoo, Microsoft, and other applications in any combination they choose. But her too, Schmidt’s carefully-worded response is narrower. Specifically, Schmidt indicates that manufacturers can install Google apps or they can install competitors’ apps. With the benefit of the above-referenced MADA, we see the gaps in Schmidt’s representation—leaving open the possibility that, as the MADA reveals, the choice is all-or-nothing. Yet ordinary readers have no reason to suspect the possibility of an all-or-nothing choice, and Schmidt’s response does nothing to suggest any such requirement. Schmidt’s statements—at best incomplete, and I believe affirmatively misleading—gave the senators and the general public a mistaken sense that Google apps and competing apps could be installed in any combination.

Even when industry experts have inquired, they have struggled to uncover Google’s true rules for mobile app preinstallations. Consider the September 2012 post entitled Google Doesn’t Require Google Search On Android by Danny Sullivan, arguably the web’s leading search engine expert. In that analysis, Sullivan consults publicly available sources to attempt to determine whether Google allows Android manufacturers to change Android default search while installing other Google apps. Finding no prohibition in any available document, Sullivan tentatively concludes that such changes are permitted. Sullivan clearly recognizes the difficulty of the question—he resorts to four separate postscripts as he consults additional sources. But with no document indicating that Google imposes any such restriction, Sullivan has no grounds to conclude that such a restriction exists. As it turns out, Sullivan’s conclusion is manifestly contrary to the plain language of the MADA: Sullivan concludes, for example, that a carrier could configure phones to “use the Android app store if [the carrier] made Bing [Search] the default.” In fact, a manufacturer must accept a MADA in order to obtain App Store access, and MADA Section 3.4(4) then imposes the requirement that Google Search be the default search at all web access points. But Sullivan had no access to a MADA, and MADA provision 6.1 prohibited manufacturers from telling Sullivan about MADA terms. No wonder Sullivan concluded there was no such restriction.

Similarly, when tech journalist Charles Arthur examined “why Google Android software is not as free or open-source as you may think,” he had to resort to unnamed sources and inferences from publicly-available materials. Arthur’s hypothesis was correct. But by keeping MADA’s secret, Google prevented Arthur from substantiating his allegations.

In principle, the public could have learned about MADA provisions through periodic company disclosures of key supplier contracts. Indeed, in 2011 Motorola circulated a redacted MADA as an exhibit to an SEC filing. But Motorola removed crucial provisions from the public version of this document. For example, the redacted Motorola MADA removes the most important sentence of MADA section 2.1—leaving only a placeholder where the original document stated “Devices may only be distributed if all Google Applications … are pre-installed.” Thus, even if a reader is savvy enough to find this SEC filing, the MADA’s key provisions remain unavailable.

MADA secrecy advances Google’s strategic objectives. By keeping MADA restrictions confidential and little-known, Google can suppress the competitive response. If users, app developers, and the concerned public knew about MADA restrictions, they would criticize the tension between the restrictions and Google’s promise that Android is “open” and “open source.” Moreover, if MADA restrictions were widely known, regulators would be more likely to reject Google’s arguments that Android’s “openness” should reduce or eliminate regulatory scrutiny of Google’s mobile practices. In contrast, by keeping the restrictions secret, Google avoids such scrutiny and is better able to continue to advance its strategic interests through tying, compulsory installation, and defaults.

Relatedly, MADA secrecy helps prevent standard market forces from disciplining Google’s restriction. Suppose consumers understood that Google uses tying and full-line-forcing to prevent manufacturers from offering phones with alternative apps, which could drive down phone prices. Then consumers would be angry and would likely make their complaints known both to regulators and to phone manufacturers. Instead, Google makes the ubiquitous presence of Google apps and the virtual absence of competitors look like a market outcome, falsely suggesting that no one actually wants to have or distribute competing apps.

Tying to Benefit Google’s Other Services

If a phone manufacturer wants to offer desired Google functions without close substitutes, the MADA provides that the manufacturer must install all other Google apps that Google specifies, including the defaults and placements that Google specifies. These requirements are properly understood as a tie: A manufacturer may want YouTube only, but Google makes the manufacturer accept Google Search, Google Maps, Google Network Location Provider, and more. Then a vendor with offerings only in some sectors—perhaps only a maps tool, but no video service—cannot replace Google’s full suite of services.

I have repeatedly flagged Google using its various popular and dominant services to compel use of other services. For example, in 2009-2010, to obtain image advertisements in AdWords campaigns, an advertiser had to join Google Affiliate Network. Since the rollout of Google+, a publisher seeking top algorithmic search traffic de facto must participate in Google’s social network. In this light, numerous Google practices entail important elements of tying:

If a ___ wants ___ Then it must accept ___
If a consumer wants to use Google Search Google Finance, Images, Maps, News, Products, Shopping, YouTube, and more
If a mobile carrier wants to preinstall YouTube for Android Google Search, Google Maps (even if a competitor is willing to pay to be default)
If an advertiser wants to advertise on any AdWords Search Network Partner All AdWords Search Network sites (in whatever proportion Google specifies)
If an advertiser wants to advertise on Google Search as viewed on computers   Tablet placements and, with limited restrictions, smartphone placements
If an advertiser wants image ads Google Affiliate Network (historic)
If an advertiser wants a logo in search ads Google Checkout (historic)
If a video producer wants preferred video indexing YouTube hosting
If a web site publisher wants preferred search indexing Google Plus participation

Looking at Google’s dominance, many critics focus on Google’s power in search and search advertising. But this table shows the breadth of Google’s dominant services and the many ways in which Google uses its dominant services to cause usage of its less popular offerings.

I do not claim that tying always makes Google’s products succeed. Weak offerings, strong competition, and competitors’ network effects can all still stand in the way. But by tying its offerings in these ways detailed above, Google increases the likelihood that its offerings will succeed. One might reasonably ask, for example, what chance Google Checkout should have had: Reaching users a decade after Paypal and competing with Paypal’s huge user base, by ordinary measures Checkout should have been entirely stillborn. Indeed Checkout’s growth has been slow. But what would have happened if, rather than featuring a special logo only for AdWords advertisers who joined Checkout, Google had shown such logos for all popular payment intermediaries? Surely equal treatment of Checkout versus competitors would have reduced Checkout’s adoption and harmed Checkout’s relative prospects. Yet equal treatment would have provided consumers with timely and actionable information, and would have facilitated genuine competition on the merits.

Google used a similar technique in its 2003 launch of AdSense. At the time, advertisers largely sought Google’s AdWords placements within Google’s search engine. Upon launching AdSense, Google required advertisers to accept placements through Google’s new contextual network. These placements offered additional exposure which some advertisers surely valued. But publishers have an obvious incentive to commit click fraud—increasing the amount that Google pays to advertisers, but at the same time inflating advertisers’ costs. Furthermore, some publishers present material that advertisers would not want to be associated with (such as adult material and copyright infringement). Many advertisers would have declined to participate in the contextual network had they been asked to make a decision one way or the other. By insisting that advertisers accept such placements, Google gave itself instant scale—hence ample resources to pay publishers and outbid other networks seeking space on publishers’ sites. In contrast, competing ad platforms had to recruit skeptical advertisers through long sales pitches, performance guarantees, and lower prices—yielding fewer advertisers, lower payments to publishers, and a weaker competitive position. No wonder AdSense achieved scale while competitors struggled—but Google’s success should be attributed as much to the tie as to the genuine merits of Google’s offering.

In a forthcoming article, I’ll explore these and other contexts in which Google ties its services together. Applicable antitrust law can be complicated: Some ties yield useful efficiencies, and not all ties reduce welfare. But Google’s use of tying gives it a leg up in numerous markets that would otherwise enjoy vibrant competition. Given Google’s dominance in so many sectors, this practice deserves a closer look.

Comments to European Commission on Proposed Google Commitments with Zhenyu Lai

The European Commission last month posted a restatement of its concerns at certain Google practices as well as Google’s proposed commitments. This week I filed two comments, including one with Zhenyu Lai, critiquing Google’s proposal. They are available here:

Comments on AT.39740 (Edelman and Lai) as to Google’s exclusive use of screen space to promote its own specialized services, and as to an alternative remedy to preserve competition and user choice in the area of specialized search services.

Comments on AT.39740 (Edelman) as to the failure of Google’s proposed commitments to undo the harm of Google’s past violations, and alternative remedies preserve competition in the area of specialized search services, taking data from publishers, providing advertising services to publishers, and allowing advertisers to use multiple ad platforms.

Our suggested remedy for Google favoring its own vertical search services: Let users choose from competing offeringsAs to Google’s decision to favor its own specialized search services, Zhenyu and I question whether Google’s proposed commitments would effectively preserve competition. In our recent measurement of the effects of Google Flight Search, we found that Google’s large Flight Search “onebox” displays sharply reduced traffic to other online travel agencies as well as driving up the proportion of clicks to AdWords advertising. Google proposes to display a few small “Rival Links” to competitors, but these links would be placed and formatted in ways that make them unlikely to attract users’ attention or facilitate competitive markets.

Instead, we suggest a “ballot box” in which users can choose their preferred specialized search services in any area where Google offers and favors its own specialized search services. For example, the first time a user runs a hotel search or flight search, the user would be presented with a menu of options — reminiscent of the “browser ballot box” a user sees when first booting Windows in Europe. This approach is entirely feasible: Facebook has long merged content from myriad independent developers; numerous developers quickly built browser add-ons to disable Google Search Plus Your World when they found its initial results unhelpful; and the G++ for Google Plus browser add-on integrates other social networks with G+ even though Google declines to provide such integration. Indeed, search engine guru Danny Sullivan in September 2011 suggested that Google “let[] people choose their shopping, local, etc one box provider?”, echoing my February 2011 call for interchangeable components for competing specialized search services. In our comment, Zhenyu and I explore a proposed implementation of this concept.

As to the Commission’s concerns more generally, my comment addresses Google’s failure to undo the harm resulting from Google’s past violations. For each of the Commission’s concerns, I present alternative remedies focused on protecting competition and affirmatively undoing the harm from Google’s past violations. I also flag the need for tough penalties to deter further violations by Google and others.

Reuters yesterday reported that the Commission is likely to require further concessions from Google, including improved remedies. Comments to the Commission are due by June 27.

Google’s Exclusive Flight Search OneBox with Zhenyu Lai

Google often shows “OneBox” search results promoting its own services. These results have prompted antitrust scrutiny: Google awards these preferred placements exclusively to Google’s own services, such as Google Flight Search and Google Maps, but never to competing services such as Kayak or Mapquest. Moreover, Google presents OneBox with special format, including distinctive layouts, extra images, and even in-page interactivity — benefits not available to ordinary listings for other sites. Regulators and competitors sense that these exclusive practices can undermine competition and innovation by denying traffic to would-be competitors. But how large is the effect? How much does Google’s exclusive OneBox placement impact search engine traffic to adjacent online markets?

In a working paper, Zhenyu Lai and I measure the impact of OneBox by using a quasi-experiment before and after the introduction of Google Flight Search. Using a third-party data service, we compare user behavior on searches across thousands of search queries like “cheap flights from sfo to san ” (which displayed a OneBox for Google Flight Search), and similar search queries like “cheaper flights from sfo to san” (emphasis added) (which did not display OneBox). We find that Google’s display of Flight Search in an exclusive OneBox decreased user click-through rates on unpaid search results by 65 percent, and increased user click-through rates on paid advertising links by 85 percent. This effect was disproportionately evident among online travel agencies that were popular destinations for affected search queries.

Our draft provides detailed empirical results as well as a model of how a search engine’s incentives to divert search depend on consumers’ perceptions of the difference between non-paid and paid placements.

Exclusive Preferential Placement as Search Diversion: Evidence from Flight Search

(update: published as Edelman, Benjamin, and Zhenyu Lai. “Design of Search Engine Services: Channel Interdependence in Search Engine Results.” Journal of Marketing Research (JMR) 53, no. 6 (December 2016): 881-900.)

Privacy Puzzles at Google Play

Last week app developer Dan Nolan noticed that Google transaction records were giving him the name, geographic region, and email address of every user who bought an Android app he sold via Google Play. Dan’s bottom line was simple: “Under no circumstances should [a developer] be able to get the information of the people who are buying [his] apps unless [the customers] opt into it and it’s made crystal clear to them that [app developers are] getting this information.” Dan called on Google to cease these data leaks immediately, but Google instead tried to downplay the problem.

In this post, I examine Google’s relevant privacy commitments and argue that Google has promised not to reveal users’ data to developers. I then critique Google’s response and suggest appropriate next steps.

Google’s Android Privacy Promise

In its overarching Google Privacy Policy, Google promises to keep users’ data confidential. Specifically, at the heading “Information we share”, Google promises that “We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply”. Google then lists four specific exceptions: “With your consent”, “With domain administrators”, “For external processing”, and “For legal reasons.” None of these exceptions applies: users were never told that their information would be shared (not to mention “consent[ing]” to such sharing; Google shared data with app developers, not domain administrators; app developers do not process data for Google, and the data was never processed nor provided for processing; and no legal reason required the sharing of this information. Under Google’s standard privacy policy, users’ data simply should not have been shared.

Users purchase Android apps via the Google Play service, so Google Play policies also limit how Google may share users’ information. But the Google Play Terms of Service say nothing about Google sharing users’ details with app developers. Quite the contrary, the Play TOS indicate that Google will not share users’ information with app developers. At heading 10, Magazines on Google Play, Google specifically notes the additional “Information Google Shares with Magazine Publishers”: customer “name, email address, [and] mailing address.” But Google makes no special mention of information shared with any other type of Google Play content provider. Notice: Google notes that it shares certain extra information with magazine publishers, but it makes no corresponding mention of sharing with other content providers. The only plausible interpretation is that Google does not share the listed information with any other kind of content provider.

Users’ Google Play purchases are processed via Google Wallet, so Google Wallet policies also limit how Google may share users’ information. But the Google Wallet privacy policy says nothing about Google sharing users’ details with app developers. Indeed, the Google Wallet privacy policy is particularly narrow in its statement of when Google may share users’ personal information:

Information we share
We will only share your personal information with other companies or individuals outside of Google in the following circumstances:
* As permitted under the Google Privacy Policy.
* As necessary to process your transaction and maintain your account.
* To complete your registration for a service provided by a third party.

None of these exceptions applies to Google sharing users’ details with app developers. The preceding analysis confirms that the Google Privacy Policy says nothing of sharing users’ information with app developers, so the first exception is inapplicable. Nolan’s post confirms that app developers do not need users’ details in order to provide the apps users request; Google’s app delivery system already provides apps to authorized users. And app developers need not communicate with users by email, making it unnecessary for Google to provide an app developer with a user’s email address. Google might argue that it could be useful, in certain circumstances, for app developers to be able to email the users who had bought their apps. But this certainly is not “necessary.” Indeed, Nolan had successfully sold apps for months without doing so. The third exception does not apply to any app that does not require “registration” (most do not). Even if we interpret “registration” as installation and perhaps ongoing use, Nolan’s experience confirms why the third exception is also inapplicable: Nolan was easily able to do everything needed to sell and service the apps he sold without ever using users’ email addresses.

Even if it were necessary for Google to let developers contact the users who bought their apps, such communications do not require that Google provide developers with users’ email addresses. Quite the contrary, Google could provide remailer email addresses: a developer would write to an email address that Google specifies, and Google would forward the message as needed. Alternatively, Google could develop an API to let developers contact users. These suggestions are more than speculative: Google Checkout uses exactly the former technique to shield users’ email address from sellers. (From Google’s 2006 announcement: “To provide more control over email spam, Google Checkout lets shoppers choose whether or not to keep email addresses confidential or turnoff unwanted email from the stores where they shop”) Similarly, Google Wallet creates single-use credit card numbers (“Virtual OneTime Card”) to let users make purchases without revealing their payment details developers. Having developed such sophisticated methods to protect user privacy in other contexts, including more complicated contexts, Google cannot credibly argue that it was “necessary” to reveal users’ email addresses to app developers.

Evaluating Google’s Defenses

Siliconvalley.com quotes an unnamed Google representative defending Google’s approach:

“Google Wallet shares the information necessary to process a transaction, which is clearly spelled out in the Google Wallet Privacy Notice.”

I emphatically disagree. First, it simply is not “necessary” to provide developers with access to customer names or email addresses in order to process customer transactions. Apple has long run a similar but larger app marketplace without doing so. Scores of developers, Nolan among many others, successfully provide apps without using (and often without even knowing they are receiving) customer names and email addresses. To claim that it is “necessary” to provide this information to developers, Google would need to establish that there is truly no alternative — a high bar, which Google has not even attempted to reach.

Second, this data sharing is not “spelled out in the Google Wallet Privacy Notice” and certainly is not “clear[]” there. The preceding section analyzes the relevant section of the Google Wallet privacy policy. Nothing in that document “clearly” states that Google shares users’ email addresses with third-party developers. The only conceivable argument for such sharing is that such sharing is “necessary” — but that immediately returns us to the arguments discussed above.

Resolution

Google widely promises to protect users’ private information. Google makes these promises equally in mobile. Having promised protection and delivered the opposite, Google should not be surprised to find users angry.

Some app developers defend Google’s decision to provide developers with customer details. For example, the Application Developers Alliance commented that “in the Google Play environment the app purchaser customer data (e.g., name and email address) belongs to the developer who is the seller” — arguing that it is therefore appropriate that Google provide this information to app developers. Barry Schwartz of Marketing Land added “I want to be able to service my customers” and indicated that sharing customer names and emails helps with support and refunds. Perhaps there are good reasons to provide customer data to developers. But these arguments offer no reason why Google did not tell users that their details would be sent to app developers. The Application Developers Alliance suggests that anyone uncertain about data sharing should “carefully review the Google Play and Google Wallet terms of service.” But these documents nowhere state that users’ information is provided to app developers (recall the analysis above), and in fact the documents indicate exactly the opposite.

Meanwhile, sharing users’ details with app developers risks significant harms. Nolan noted two clear problems: First, a developer could use customer contact details to track and harass users who left negative reviews or sought refunds. Second, an attacker could write malware that, running on app developers’ computers, logs into Google’s systems to collect user data. While one might hope app developers would keep their computers secure from such malware, there are tens of thousands of Android developers. Some are bound to have poor security on some local machines. Users’ data shouldn’t be vulnerable to the weakest link among these thousands of developers. An attacker could devise a highly deceptive attack with information about which users bought which apps when — yielding customized, accurate emails inviting users to provide passwords (actually phishing) or install updates (actually malware).

Moreover, Google is under a heightened obligation to abide by its privacy commitments. For one, privacy policies have the force of contract, so any company breaching its privacy policy risks litigation by harmed consumers. Meanwhile, Google’s prior privacy blunders have put Google under higher scrutiny: Google’s Buzz consent order includes twenty years of FTC oversight of Google’s privacy practices. After Google violated the FTC consent order by installing special code to monitor Apple Safari users whose browser settings specifically indicated they did not want to be tracked, the FTC imposed a $22.5 million fine, its largest ever. Now Google has again violated its privacy policies. A further investigation is surely in order.

A full investigation of Google’s activities in this area will confirm who knew what when. Though Nolan’s complaint was the first to gain widespread notice, at least three other developers had previously raised the same concern (1, 2, 3), dating back to June 2012 or earlier. An FTC investigation will confirm whether Google staff noted these concerns and, if they noticed, why they failed to take action. Perhaps some Google staff proposed updating or clarifying applicable privacy policies; an investigation would determine why such improvements were not made. An investigation would also confirm the allegation (presented in an update to News.com.au reporting on this subject) that prior to October 2012, Google intentionally protected users’ email addresses by providing aliases — letting app developers contact users without receiving users’ email addresses. Given the clear reduction in privacy resulting from eliminating aliases, an investigation would check whether and why Google made this change.

Even before that investigation, Google can take steps to begin to make this right. First, Google should immediately remove users’ details from developers’ screens. Google should simultaneously contact developers who had impermissible access and ask them to destroy any copies that they made. If Google has a contractual basis to require developers to destroy these copies, it should invoke those rights. In parallel, Google should contact victim users to let them know that Google shared their information in a way that was not permitted under Google’s own policies. Google should offer affected users Google’s unqualified apologies as well as appropriate monetary compensation. Since Google revealed users’ information only after users purchased paid apps, users’ payments offer a natural remedy: Google should provide affected users with a full refund for any apps where Google’s privacy practices did not live up to Google’s commitments.

The Right Remedies for Google’s AdWords API Restrictions

Last week the FTC closed its 21-month investigation of Google after Google made several small concessions, among them dropping certain restrictions on use of Google’s AdWords API — rules that previously limited how advertisers and tool-makers may copy advertisers’ own data from Google’s servers. Removing the restrictions is a step forward for advertisers and for competition. But the FTC could and should have demanded more from Google in order to address the harm resulting from seven years of these restrictions.

I first flagged Google’s AdWords API restrictions in my June 2008 senate testimony and in greater detail in PPC Platform Competition and Google’s “May Not Copy” Restriction. In short, the restrictions prohibited making and sharing tools to quickly copy and synchronize ad campaigns across multiple ad platforms — effectively compelling small to midsized advertisers to use Google only, for lack of tools to manage their campaigns on multiple platforms. Google enforces this prohibition with a system of tool passwords and audits — letting Google swiftly and completely disable any tool that Google deems impermissible. Indeed, any tool-maker found offering a noncompliant tool would immediately lose all access to Google’s AdWords API, as to all of its tool-using subscribers, a devastating blow that kept tool-makers under Google’s thumb.

As I pointed out, these AdWords API restrictions let Google charge prices higher than competing platforms: Thanks to these restrictions, a small to midsized advertiser would struggle to buy some placements from Yahoo or Microsoft, even if those vendors offered lower prices. Higher advertising costs directly harm advertisers, and higher prices get passed to consumers (according to the relative elasticity of supply and demand). I also pointed out harms to others in the advertising ecosystem: Competing ad platforms struggle to attract advertisers, hence showing less relevant advertising (discouraging users from clicking ads) and enjoying less auction pressure to push prices upward. Meanwhile, I noted, the AdWords API restrictions give Google that much more leverage in its negotiations with publishers: by weakening other ad platforms’ monetization, Google can more easily win deals for publishers’ inventory, granting publishers lesser compensation for the content they post.

Strikingly, Google has never seriously defended the AdWords API restrictions. In June 2008, Doug Raymond, Product Manager for AdWords API, argued that advertisers are free to export their data in other ways, e.g. as a CSV text file. But that far-inferior manual export is ad-hoc, time-consuming, and error-prone — a poor fit for high-priced online advertising. Indeed, this manual approach is a sharp contrast from a modern automation API, and a far cry from what Google offers in other contexts.

By all indications, competition regulators share my concerns. In a November 2010 press release, the European Commission flagged “restrictions on the portability of online advertising campaign data” as its fourth concern in reviewing Google’s conduct, a concern most recently reiterated in December 2012 remarks by EC Competition Commissioner Joaquín Almunia. Last week’s statement by FTC Chairman Leibowitz is in accord: “Some Commissioners were concerned by the tendency of Google’s restrictions to raise the costs of small businesses to use the power of internet search advertising to grow their businesses.”

So everyone but Google agrees that the AdWords API restrictions are improper, and even Google has little to say in its defense. Indeed, despite abandoning most other aspects of its investigation, the FTC did pursue this matter. But the FTC reports only that Google is to remove AdWords API restrictions and that, the FTC indicates, ends the FTC’s concern on this subject. I am surprised by such a narrow remedy. The AdWords API restrictions have been in place for more than five years. Were it not for these restrictions, advertisers for five years would have enjoyed lower prices. For five years, third-party publishers would have received higher payment for their ad space. For five years, consumers would have seen more relevant ads at competing ad platforms, perhaps helping to increase competitors’ market shares and put a check on Google’s dominance. Moreover, for five years competing ad platforms would have enjoyed higher advertising revenues and higher ad click-through rates. It’s all well and good for Google to remove the API restriction going forward. But that does nothing at all to address past harm to advertisers and others.

Three Appropriate Remedies

What remedies would be appropriate for Google’s seven years of improper AdWords API restrictions? Let me offer three suggestions:

First, after years of improper conduct in this area, Google should expect to pay monetary damages. Google’s AdWords API restrictions inflated the prices charged to advertisers. Google should disgorge these ill-gotten gains via pro-rata refunds to advertisers.

Second, Google’s changes should be formal binding commitments formalized in a consent agreement. The 1969 Report of the American Bar Association Commission to Study the Federal Trade Commission recognized that voluntary commitments were ineffective, and the FTC largely discontinued voluntary commitments after that report. Indeed, FTC Commissioner Rosch last week noted that the FTC’s voluntary commitment approach lets Google offer a statement of its current intent, which Google could reverse or alter at any time. Moreover, an order would have required the FTC to take a clearer position on whether Google’s conduct violated the law: An order would have required the FTC to file a complaint, which in turn requires a finding by the FTC that there is reason to believe a violation has occurred. This formality would offer a useful confirmation of the FTC’s view — either the FTC believes a violation occurred, or it does not, but the voluntary commitment process lets the FTC avoid a public statement on this subject. Finally, orders are also vetted with third parties to make sure they will be effective. Microsoft’s Dave Heiner immediately offered several gaps in the FTC’s approach on AdWords API restrictions. I would have offered additional feedback had I been asked.

Finally, the FTC’s investigation surely found documents or records confirming the intent and effect of Google’s AdWords API restrictions. The FTC should at least describe those documents — if not release them in full. Describing or releasing these documents would let concerned parties determine what private claims they may have against Google. If the documents confirm meritorious claims, victims can pursue these claims through private litigation (here too, as Commissioner Rosch suggested).

Google’s AdWords API restrictions were a direct assault on competition — indefensible rules serving only to hinder advertisers’ efforts to efficiently use competing search engines, without any plausible pro-competitive justification. On this clear-cut issue, the FTC should have pursued every remedy permissible under its authority. Fortunately it’s not too late for state attorneys general and the European Commission to insist on more.

Flash-Based Cookie-Stuffer Using Google AdSense to Claim Unearned Affiliate Commissions from Amazon with Wesley Brandi

Merchants face special challenges when operating large affiliate marketing programs: rogue affiliates can claim to refer users who would have purchased from those merchants anyway. In particular, rogue “cookie-stuffer” affiliates deposit cookies invisibly and unrequested — knowing that a portion of users will make purchases from large merchants in the subsequent days and weeks. This tactic is particularly effective in defrauding large merchants: the more popular a merchant becomes, the more users will happen to buy from that merchant within a given referral period.

To cookie-stuff at scale, an attacker needs a reliable and significant source of user traffic. In February we showed a rogue affiliate hacking forum sites to drop cookies when users merely browse forums. But that’s just one of many strategies. I previously found various cookie-stuffing on sites hoping to receive search traffic. In a 2009 complaint, eBay alleges that rogue affiliates used a banner ad network to deposit eBay affiliate cookies when users merely browsed web pages showing certain banner ads. See also my 2008 report of an affiliate using Yahoo’s Right Media ad network to deposit multiple affiliate cookies invisibly — defrauding security vendors McAfee and Symantec.

As the eBay litigation indicates, display advertising networks can be a mechanism for cookie-stuffing. Of course diligent ad networks inspect ads and refuse cookie-stuffers (among other forms of malvertising). So we were particularly surprised to see Google AdSense running ads that cookie-stuff Amazon.

The 'Review Different Headphones' ad actually drops Amazon Associates affiliate cookies.
This innocuous-looking banner ad sets Amazon Associates cookies invisibly.
The Imgwithsmiles attack

We have uncovered scores of web sites running the banner ad shown at right. On 40 sites, on various days from February 6 to May 2, our crawlers found this banner ad dropping Amazon Associates affiliate cookies automatically and invisibly. All 40 sites include display advertising from Google AdSense. Google returns a Flash ad from Imgwithsmiles. To an ordinary user, the ad looks completely innocuous — the unremarkable “review different headphones” image shown at right. However, the ad actually creates an invisible IMG (image) tag loading an Amazon Associates link and setting cookies accordingly. Here’s how:

First, the ad’s Flash code creates an invisible IMG tag (10×10 pixels) (yellow highlighting below) loading the URL http://imgwithsmiles.com/img/f/e.jpg (green).

function Stuff() {
  if (z < links.length) {
    txt.htmltext = links[z];
    z++;
    return(undefined);
  }
  clearinterval(timer);
}
links = new array();
links[0] = "<img src="http://imgwithsmiles.com/img/f/e.jpg" width="10" height="10"/>";z = 0;timer = setinterval(Stuff, 2000);

While /img/f/e.jpg features a .jpg extension consistent with a genuine image file, it is actually a redirect to an Amazon Associates link. See the three redirects preserved below (blue), including a tricky HTTPS redirect (orange) that would block many detection systems. Nonetheless, traffic ultimately ends up at Amazon with an Associates tag (red) specifying that affiliate charslibr-20 is to be paid for these referrals.

GET /img/f/e.jpg HTTP/1.0
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQvuXgahDQAhiYAjII3bQHU19r_Isx-flash-version: 10,3,183,7User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...)Host: imgwithsmiles.comConnection: Keep-AliveHTTP/1.1 302 Moved TemporarilyDate: Wed, 02 May 2012 19:56:59 GMTServer: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0; path=/
Location: https://imgwithsmiles.com/img/kick/f/e.jpg
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html-

HTTPS redirect decoded via separate manual request
GET /img/kick/f/e.jpg HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: ... Accept-Encoding: gzip, deflate Host: imgwithsmiles.com Connection: Keep-AliveHTTP/1.1 302 Moved Temporarily Date: ... Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.17 Location: http://imgwithsmiles.com/img/t/f/e.jpg Content-Length: 0 Connection: close Content-Type: text/html-GET /img/t/f/e.jpg HTTP/1.0 Accept: */* Accept-Language: en-US x-flash-version: 10,3,183,7 User-Agent: Mozilla/4.0 (compatible; ...) Connection: Keep-Alive Host: imgwithsmiles.com Cookie: PHPSESSID=174272468a212dd0862eabf8d956e4e0HTTP/1.1 302 Moved TemporarilyDate: Wed, 02 May 2012 19:56:59 GMT Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 X-Powered-By: PHP/5.2.17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: http://www.amazon.com/gp/product/B002L3RREQ?ie=UTF8&tag=charslibr-20 Content-Length: 0 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html

If a user happens to make a purchase from Amazon within the subsequent 24 hours, Amazon will pay a commission to this affiliate — even though the affiliate did nothing at all to cause or encourage the user to make that purchase.

Does Amazon know?

The available information does not reveal whether or not Amazon knew about this affiliate’s practices. Nor can we easily determine whether, as of the May 2, 2012 observations presented above, this affiliate was still in good standing and receiving payment for the traffic it sent to Amazon.

On one hand, Amazon is diligent and technically sophisticated. Because Amazon runs one of the web’s largest affiliate programs, Amazon is necessarily familiar with affiliate fraud. And Amazon has ample incentive to catch affiliate fraud: Every dollar paid to fraudulent affiliates is money completely wasted, coming straight from the bottom line.

On the other hand, we have observed this same affiliate cheating Amazon for three months nonstop. All told, we’ve seen this affiliate rotating through 49 different Associates IDs. If Amazon had caught the affiliate, we would have expected the affiliate to shift away from any disabled affiliate accounts, most likely by shifting traffic to new accounts. Of the 28 Associates IDs we observed during February 2012, we still saw 6 in use during May 2012 (month-to-date) — suggesting that while Amazon may be catching some of the affiliate’s traffic, Amazon probably is not catching it all.

A further indication of the affiliate’s earnings comes from the affiliate’s willingness to incur out-of-pocket costs to buy media (AdSense placements from Google) with which to deliver Amazon cookies. As best we can tell, Amazon is the affiliate’s sole source of revenue. Meanwhile, the affiliate must pay Google for the display ad inventory the affiliate receives. These direct incremental costs give the affiliate a clear incentive to cease operation if it concludes that payment from Amazon will not be forthcoming. From the affiliate’s ongoing actions we can infer that the affiliate finds this scheme profitable — that its earnings to date have exceeded its expenses to date.

How profitable is this affiliate’s attack? Conservatively, suppose 40% of users are Amazon shoppers and make an average of four purchases from Amazon per year. Then 0.4*4/365=0.44% of users are likely to make purchases from Amazon in any given 24-hour period. Suppose the affiliate buys 1,000,000 CPM impressions from Google. Then the affiliate will enjoy commission on 0.44%*1,000,000=4,384 purchases. At an average purchase size of $30 and a 6.5% commission, this would be $8,547 of revenue per million cookie-stuffing incidents. How much would the affiliate have to pay Google for 1,000,000 CPM impressions? We’ve seen this affiliate on a variety of sites, but largely sites in moderate to low-priced verticals. At $2 CPM, the affiliate’s costs would be $2,000 — meaning the affiliate would still be slightly profitable even if Amazon caught 3/4 of its affiliate IDs before the first payment!

We alerted our contact at Amazon Associates to our observations. We will update this post with any information Amazon provides.

Earnings and Ratings at Google Answers

Edelman, Benjamin. “Earnings and Ratings at Google Answers.” Economic Inquiry 50, no. 2 (April 2012): 309-320. (draft as first circulated in 2004.)

I analyze all questions and answers from the inception of the Google Answers service through November 2003, and I find notable trends in answerer behavior: more experienced answerers provide answers with the characteristics askers most value, receiving higher ratings as a result. Answerer earnings increase in experience, consistent with learning on the job. Answerers who focus on particular question categories provide answers of higher quality but earn lower pay per hour (perhaps reflecting a lack of versatility). Answers provided during the business day receive higher payments per hour (a compensating differential for working when outside options are most attractive), but more experienced answerers tend to forego these opportunities.

Google Tying Google Plus and Many More

Disclosure: I serve as a consultant to various companies that compete with Google. But I write on my own — not at the suggestion or request of any client, without approval or payment from any client.

This week Google announced Google Search Plus Your World (“Google Search Plus” for short). Reaction has been critical. Danny Sullivan says Google Search Plus “pushes Google+ over relevancy,” and he offers compelling examples demonstrating this favored treatment. Meanwhile, EPIC executive director Marc Rotenberg argues that Google is “using its market dominance in a separate sector [search] … to fight off its challenger Facebook” — essentially, alleging that Google is tying Google+ to Google Search, forcing users to accept the former if they want the latter.

As Danny and Marc point out, Google is favoring its own ancillary services even when other destinations are objectively superior, and Google is using its dominance in search to compel users to accept Google’s other offerings. But this problem is much bigger than Google Search Plus: Google has used similar tying tactics to push dozens of its products for years. I’m working on a detailed article with numerous examples plus relevant antitrust analysis. But with Google Search Plus prompting so much interest, I wanted to flag other areas where Google has invoked these tactics.

This piece proceeds in three parts: I evaluate the competitive implications of Google favoring its own services, including the special benefits Google grants to its own services. I show how Google penalizes those who decline to participate in its tied offerings, including using tying to force others to submit to Google’s will even in areas where Google is not yet dominant. Finally, I briefly survey the legal implications and propose a promising but lightweight remedy to begin to curtail the harmful effects of Google’s tying.

My takeaway: Google’s tying tactics should not be permitted. Google’s dominant position in search requires that the company hold itself to a higher level of conduct, including avoiding tying its other products to its dominant search service. Google has repeatedly crossed the line, and antitrust enforcement action is required to put a stop to these practices.

The Competitive Implications of Favoring Google’s Own Services

I’ve found more than a dozen Google services receiving favored placement in Google search results. Consider Google Blog Search, Google Book Search, Google Checkout, Google Health, Google Images, Google Maps, Google News, Google Realtime, Google Shopping, and Google Video. Some have developed into solid products with loyal users. Others are far weaker. But each enjoys a level of favored placement in Google search results that other services can only dream of.

Google uses premium placements and traffic guarantees to address the “chicken and egg” problem that undermines the launch of many online businesses. For example, many retailers might be pleased to be listed (and even be willing to pay to be listed) in a review site or product search site that has many readers. But finding those readers cost-effectively requires algorithmic search traffic, which a new site cannot guarantee — hindering the site’s efforts to attract advertisers. So too for books, local search, movies, travel, and myriad other sectors. Ordinary sites struggle to overcome these challenges — for example, buying expensive pay-per-click advertising to drive traffic to their sites, or beginning with a period in which they have undesirably few participants. In contrast, anyone assessing the prospects of a new Google service knows that Google can grant its services ample free traffic, on demand and substantially guaranteed. Thus, the success of a new Google service is much more predictable — reducing Google’s barriers to expansion into new sectors. Indeed, if partners recognize that Google can send such traffic whenever it chooses to do so, they may even be willing to join before Google turns on the spigot.

Conversely, Google’s ability to favor its own service dulls the incentive for others to even try to compete. Who would risk capital, energy, and talent in building a new image search engine when Google presents Google Image Search results automatically? A new entrant might be 20% better, by whatever metric, but Google’s automatic provision of a “good enough” option dulls users’ interest in finding a best-of-breed alternative. The problem is particularly acute because the top-most result enjoys 34%+ of all clicks — so when Google takes that position for itself, there’s far less for everyone else.

Google also grants its ancillary services the benefit of certain placement. Ordinary sites have little assurance of what algorithmic search traffic they will receive. They may rank highly for some terms and worse for others. Furthermore, rankings often vary over time, including sudden changes for no apparent reason. As a result, most sites struggle to build business plans around algorithmic search traffic; indeed, companies have laid off staff after unexpected drops in algorithmic search traffic. In contrast, Google’s own services can feel confident in the traffic they will receive from Google — allowing them to plan budgets, advertising sales, hardware requirements, and overall strategy.

By all indications, free traffic from Google Search has played a valuable role in launching many Google businesses. For example, Google Maps usage remained sluggish until Google started to present inline Google Maps directly within Search Results, a practice that began in earnest in 2007. As Consumer Watchdog’s 2010 “Traffic Report” shows, this change precipitated a sharp increase in Google Maps’ market share: Traffic to Google Maps tripled while traffic to competing map sites fell by half.

So too for Google’s launch of Google Finance. service. For example, as of December 2006, Hitwise reported that fully 57% of traffic to Google Finance came from Google Search. By 2009, just 29% of Google Finance traffic came from other Google properties. By providing its ancillary services with additional traffic, when desired and in large quantities unavailable to others, Google gives its ancillary services a greater chance of achieving widespread usage and attracting users and advertisers.

The Special Benefits Google Reserves for Its Own Services

When Google presents its ancillary services within search results, it gives its services distinctive layout and format benefits unavailable to other sites. For example, Google Maps appears with an oversized full-color embedded map, whereas links to other map services appear only as plain hyperlinks. So too for links to Google Shopping, which often feature tabular reports of product pictures, vendors, and prices, whereas competing comparison shopping search engines receive only bare text. Until June 2011, Google Checkout advertisers enjoyed a special logo adjacent to their AdWords ads — particularly valuable since image advertisements were essentially nonexistent throughout that period. But advertisers who chose other streamlined checkout tools (like Paypal) got no such benefit. Favored treatment extends to the most obscure Google services. Even Google Health listings received a distinctive layout and colored image.

Furthermore, when Google favors its own ancillary services, it sometimes bypasses the algorithms that ordinarily allocate search results. By all indications, Google staff manually override algorithmic results, manually specifying that specific Google services are to appear in specific positions for specific keywords. Of course no other site enjoys such overrides.

Google also seems to exempt its own services from the “host crowding” rules that ordinarily assure source diversity. In 2007, Google’s Matt Cutts stated that a single page of results will feature “up to two results” from a single host, though he added that for a domain that “is really relevant” Google “may still return several results from that domain” (emphasis added). But it seems Google waives this rule for its own services. In April 2011, Aaron Wall flagged a search yielding five separate Google Books results among the ten links shown in the first page of Google Search. A commenter found another search term for which nine separate results all pointed to Google Books. (I have a screenshot on file.) On one view, Google Books indexes the work of multiple authors and publishers, and diversity among those authors and publishers provides adequate representation of alternative viewpoints. Yet other repositories also aggregate material from independent authors (consider books at Amazon, or any of thousands of online discussion forums), but only Google seems to enjoy an exception from “host crowding” rules.

Google Effectively Penalizes Those who Decline to Participate In Its Tied Offerings

I joined Google Plus not because I wanted to participate, not to take a look around, but because I perceived that Google would grant my site preferred placement — more algorithmic traffic — if I linked my Google Plus account to my web site and online publications. It’s hard to figure out whether I was right. But SEO forums are full of users who had the same idea. So Google can force users to join Google Plus to avoid receiving, or expecting to receive, lower algorithmic search ranking. Certainly myriad sites added Google +1 buttons (giving Google both data and real estate) not because they genuinely wanted Google buttons on their sites, but because they feared others would overtake them in search results if they failed to employ Google’s newest service.

If an airline declines to participate in Google Flights, its listings are labeled 'no booking links available.' Google fails to offer a more helpful link or booking shortcut, even though it could easily do so.If an airline declines to participate in Google Flights, its listings are labeled “no booking links available.” Google fails to offer a more helpful link or booking shortcut, even though it could easily do so.

Google uses similar tying tactics to compel use of its other services. Consider airlines negotiating terms for appearance in Google Flight Search. If Southwest Airlines prefers not to be included in Expedia, it can easily stay out (and in fact it has). Better yet, a diligent airline can negotiate with various travel sites to seek improved terms — playing one travel site against another to reduce fees. But Google’s dominant position impedes any such negotiation. There’s only one Google Flight Search at the top of Google search results, and any airline that refuses Google’s terms is left behind: Google presents a “no booking links available” bubble, even though Google could easily send bookings to an airline web site without any commercial relationship with the site and without requiring payment from the site. (For an example, click to browse Southwest flights Boston-BWI in May — simple HTML and JavaScript, essentially a “deep link.”)

At the very least, Google could link to an airline’s home page in the bottom right, where the “Book” link usually appears; the bottom-right corner is the standard location for a button to continue a multi-step process, and that’s the location where Google has trained users to look to proceed with booking. In contrast, Google’s bottom-left links are easily overlooked. With so many better options available to Google, Google’s decision to withhold this link looks like intentional punishment for any airline that rejected Google’s terms.

Google links to the 'owner site' only at the far bottom of the drop-down -- putting all advertisers in more prominent positions.Google links to the “owner site” only at the far bottom of the drop-down — putting all advertisers in more prominent positions.

Meanwhile, by effectively compelling participation, Google enjoys high revenue from competing bidders. Consider the drop-down lists Google now shows with hotel listings, presenting advertisements for multiple booking services. A user can enter desired dates to receive a price quote from each booking service, with one-click access to the chosen vendor. But some users prefers to book with a hotel directly — perhaps to reduce booking complexity (less finger-pointing if something goes wrong) or enjoy loyalty program benefits. (Users may also know that hotels pay substantial commissions to the web sites that gather reservations, and some users may wish to spare hotels those costs.) If a consumer clicks the “owner site” link, the consumer will find that his booking dates are discarded, requiring reentry. And even though the “owner site” is the single most authoritative listing for a given property, Google puts all booking services above — here too, favoring advertising revenue over user convenience. It’s an experience savvy hotels would decline completely if Google offered that choice. Instead, Google makes this drop-down compulsory, and there’s no way a hotel can opt out.

To its credit, Twitter has recognized the value of the data it holds and has declined to let Google harvest that data on terms Google dictates. But when Twitter complained about Google’s favored treatment of Google Search Plus, Google responded: “We are a bit surprised by Twitter’s comments about Search plus Your World, because they chose not to renew their agreement with us last summer.” Google’s response completely misses the point. For one, as Danny Sullivan points out, Google fails to use Facebook and Twitter content it knows about (without needing a data license). Furthermore, Google equally fails to use content from thousands of other sources — from smaller social networks, for example. Instead, Google favors its own service.

Over and over, Google has tied its services in various combinations to compel (or attempt to compel) others to bend to its will.

  • Google told Yelp it had to let Google present Yelp reviews in Google Places if Yelp wanted to remain in ordinary Google Search. That is, Google tied its dominant search service (where Yelp wanted to stay visible) to its upstart Places service (which Yelp did not care to support).
  • Google’s contradictory statements left newspapers believing for years that they had to participate in Google News if they wanted to remain in Google Search. (See e.g. the multiple contradictory postscripts in Danny Sullivan’s August 2009 posting about newspapers’ concerns — indicating that even he struggled to understand Google’s true policy. I have other inconsistent statements on file.) For newspapers, then, Google also effectively tied its dominant search service (where newspapers absolutely wanted to be listed) to Google News (which newspapers tended to view skeptically). By the time Google clearly stated that newspapers could exit Google News while staying in Google Search, Google News had achieved enough traction that leaving was a much less desirable choice.
  • For years, Google’s YouTube offered filtering technology (to identify and remove copyrighted works) only to companies that granted licenses to YouTube, on the terms YouTube sought, but not on companies that refuse Google’s terms. To get the filter — the only quick, effective way to block infringing content — rights-holders had to accept Google’s license terms.

I’ll have more examples in my forthcoming paper.

On one level, these are standard “all-or-nothing” tactics: Google has something others want, and Google only provides the desired service if it gets it way. But the impact is clear: Google’s multiple mutually-reinforcing tying arrangements extend Google’s position of dominance, forcing prospective business partners to bend to Google’s will, and enlarging Google’s control over ever more sectors.

Legal Implications

When Google presents its ancillary services in its search results, it engages in classic “tying” behavior, raising concern under US and European antitrust law. Certainly Google’s search service is dominant, and US and EU investigations have already held as much — triggering the heightened duties of those with a dominant position.

Yet Google offers its search results only with its own ancillary services. In particular, Google gives no mechanism for users to obtain Google Search with others’ ancillary services or with no ancillary services at all. This tactic has already led Google to dominance in blog search, book search, image search, maps, news, and product search, and it is amply clear how this tactic could soon lead Google to dominance in reviews, local search, and travel search (satisfying the “dangerous probability” test in Verizon v. Trinko note 4). Is Google likely to succeed in social? It seems network effects offer somewhat greater protection to Facebook and Twitter than they do to review sites or travel search sites. But when Google uses the same tying strategy to claim a leg up in myriad sectors, it’s no great stretch to view the strategy with equal skepticism wherever it arises.

In Remedies for Search Bias, I offered several suggestions to blunt the worst of these practices. Most relevant: Google should let users swap its own services for competitors’ offerings. Consider users’ ability to choose their preferred web browser, media player, email program, and myriad other applications — choices that facilitates continued competition and innovation in all these areas. Yet a user at Google.com has zero ability to eschew Google Maps for Mapquest, or to replace Google Places reviews with Yelp. The first time a user runs a search calling for a review, Google could ask the user for his preferred review provider, and an unobtrusive drop-down box would let the user make changes later. Similar prompts would appear, as needed, for other key sectors — limited, of course, to areas where Google seeks to promote an offering of its own. I was thrilled when, in a little-noticed remark last summer, Danny Sullivan endorsed this approach (“hey eric: how about letting people choose their shopping, local, etc. one box provider?”). It’s an elegant and straightforward solution, sidestepping the most complicated questions of “regulating search” but putting an important check on Google’s abuse of its dominant position in search.