Europe’s push to rein in Big Tech is ramping up, with the European Commission planning to announce new regulations for Google next month. The rules could see Google forced to play nicer with its EU competitors, but the company has some concerns. Google is framing this not as a manifestation of its anticompetitive bent, but as genuine concern for user privacy.
Heather Adkins, Google’s VP of security engineering, told Wired that the EU’s proposals could lead to serious security and privacy issues. The potential changes come in two forms. First, regulators want Gemini dethroned as the sole integrated AI service on Android. This would mean letting users integrate other AI models and give them Gemini-like system access. Separately, the EU wants Google to share anonymized search data with other companies.
“If implemented as described today, I think within a short period of time on Android, we’d see a significant increase in fraud in the EU,” said Adkins, who noted these events could happen within weeks of pushing through the changes.
Gemini’s special status on Android devices gives it access to user files, screen content, and enhanced voice interactions. Adkins doesn’t go into much detail here, but the implication seems to be that bad actors would leverage these new options to install malicious AI services that could steal data and manipulate the user experience.
Google has more detailed concerns with the anonymized data sharing. According to the draft of the European Commission’s proposal, Google would have to provide anonymized search data to competitors that is similar to what Google sees internally. That could include the content of searches, ranking, and click rates. This data is core to Google’s search product and has not been provided at this level of granularity before.
“Anonymization is hard, and you’ve got to have the right technical experts at the table to come up with the solutions,” Adkins told Wired.
We have known for years that it’s very possible to unmask people in supposedly anonymous data. In fact, Google suggests that the broad availability of powerful AI models makes it easier than ever to de-anonymize large data sets (that also checks out). Google’s internal security teams have reportedly been able to link this anonymous search data to individual users in as little as two hours using so-called “linkage attacks.”
Googlers expressed to Wired that giving this data to smaller EU firms in accordance with the law will make them targets. Google seemingly trusts itself to keep that data secure, but some rinky-dink startup in Europe? Maybe not.
Are you ever anonymous?
Requiring Google to share data and system access with competitors may come with some security risks, but Google undeniably has a vested interest in maintaining its market position. Both of those things can be true, but is one maybe a little more true than the other? That’s the issue with which the European Commission must grapple.
The EU is undertaking this effort under the auspices of the Digital Markets Act (DMA), which has designated Google, Meta, Amazon, and other giant tech firms as “gatekeepers” that are subject to additional regulation. Google has openly opposed the DMA, calling for the law to be reworked. With significant market shares across a number of tech sectors—including more than 90 percent of web search—the company doesn’t have much reason to support increased regulation.
There are many ways to anonymize user data in aggregate, and Google would know—it frequently leverages anonymized user data, and it stresses the privacy-protecting aspects of this process. Sometimes it hides identities by merging all the data for a group that shares some trait, like a postal code. Google also might mix different types of search queries together to hide connections to a sensitive topic. When that’s not enough, Google may add random noise to the data that can further obscure identities.
Google uses these techniques across services—search queries, location data, advertising profiles, app usage, and more. It’s all there in Google’s privacy terms, and we are regularly assured that the data is sufficiently anonymous that it’s no problem even when Google shares it with third parties of its choosing. But when the EU requires Google to give this anonymized search data to its competitors, it’s suddenly an untenable privacy issue. Perhaps all of these anonymized data sets are a problem, whether they’re held by Google or not.
Regardless, there are some real privacy concerns at issue in this specific regulatory action. Google is essentially contending that the granular nature of the data makes it too vulnerable to being unmasked. If the data is stolen, it seems like a safe bet that at least some of it could be de-anonymized.
The European Commission will have to walk a fine line as Google’s business interests would be served by not sharing data, and the goal of regulators is to weaken Google’s monopoly. But nothing is set in stone yet. The comment period ended on May 1, and the commission is determining how to enforce the new rules. It expects to have a final decision on July 27, which will be legally binding for Google as a designated gatekeeper under the DMA. So the exact nature of the AI access and data anonymization is still up in the air.
