A member of the Gartner Blog Network

Robin Wilton
Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.

Do Google ‘get’ privacy yet?

by Robin Wilton  |  March 5, 2012  |  2 Comments

There’s a lot of Twitter traffic currently about whether regulators are right to challenge Google’s recent privacy policy changes. In case you missed it, the key change is that Google will, as of March 1st, retrospectively link the data collected about users across all its different services. Before that, the services were operated under discrete privacy policies, each with its own privacy policy statement. Google’s counsel, Peter Fleischer, has essentially said ‘there’s no pleasing the EU regulators… they asked us to simplify our 60-odd privacy policies and we’ve reduced them to one… but they’re still not happy’.

Google’s reaction to the regulators is significant for two reasons: first, Mr Fleischer is choosing to conflate “privacy policy” with “privacy policy statement”, as if they were the same thing – which they aren’t. A privacy policy is the internal set of controls and processes which enables the organisation to meet its privacy goals. A privacy policy statement is an externally-published document setting out, for users and others, what the organisation intends to do about privacy.

It may well be true that Google’s newly drafted privacy policy statement is clearer and simpler than what preceded it, but that in itself does not discharge Google’s privacy policy-related obligations. Peter Fleischer, of all people, cannot plausibly be ignorant of that, which raises the question of why he’s using language that perpetuates the misunderstanding.

The second reason their response is significant is that users need to decide whether Google’s user privacy posture is genuinely changing for the better, as they would have us believe, or whether their consolidation of user data across multiple services represents a privacy threat. And by “users”, let me be clear that I include the growing number of businesses that use services like Google Docs…

It has been quite hard not to be aware of the privacy policy statement change; Google’s services have had fairly prominent notices warning users about it and linking to more information. But ultimately, of course, even if you read the policy there is a limit to how much you can do to mitigate any privacy-eroding effects, as long as you remain a user.

Contrast that with another privacy-related change Google has made recently. In November 2011 Google announced that domestic wi-fi networks could opt out of its Street View geolocation database (you remember… the one which was populated by Google’s war-driving camera cars, sniffing packets of network traffic all the while…).

Here’s a blog post about why that was a bad thing at the time, and here’s one from last November questioning whether the introduction of an opt-out mechanism was good enough.

My question is this: were you aware that this wi-fi opt-out existed? It doesn’t feel to me like Google made much noise about it… and though I could guess why, I don’t have any inside information about that. Objectively, the point is that it is not in Google’s interest for users to have an effective opt-out mechanism.

It’s interesting, too, to see how Google describe the opt-out:

“An SSID-based opt out substantially decreases the risk of abusive or fraudulent opt-out requests – for example, it helps protect against others opting out your access point without permission. This method of opt out can also be seen by other location service providers, and we hope the industry will respect the “_nomap” tag. This would benefit users by saving them the hassle of having to request several separate opt outs.”

I have a few simple observations to make about this:

1 – You know what else would save users the hassle of requesting several opt-outs? An “opted-out by default” policy.

2 – You know what would be simpler than hoping that ‘the industry’ will respect the “_nomap” kludge? An “opted-out by default” policy, and a law that says you’re not entitled to intercept traffic on domestic networks. Oh, wait, we already have the latter (in the UK, at least… it’s called RIPA).

3 – An SSID-based opt-out ‘prevents others from opting my network out without my permission’? Whuh… This is so about-face that I keep looking around to make sure I didn’t step through the looking-glass without noticing, and to check that giant chess pieces aren’t sneaking up on me from behind. Really, Google – you’re too kind. I hadn’t considered the possibility that fiendish hackers might maliciously opt my network out of having its SSID sniffed by a third party. Thank goodness you’re on the case. Again – you know what would be a simpler and more effective defence against malicious third-party opt-out attacks? An “opted-out by default” approach…
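To make the contrast between the two models concrete, here is an added example (not code from the post or from Google) that puts the SSID-tag opt-out quoted above side by side with the opt-out-by-default approach the three observations argue for. The only thing taken from the page is the “_nomap” suffix; the record layout, the consent list, the scan data and the assumption that the suffix match is case-sensitive are all constructed for illustration. It also shows one edge case the tag model cannot handle at all: an access point that does not broadcast a name has nowhere to carry the tag.

```python
"""Added illustration: two collection policies for a wi-fi geolocation database.

Only the "_nomap" suffix comes from the post. The AccessPoint layout, the
consent register and the scan below are constructed sample data.
"""
from dataclasses import dataclass

# Suffix quoted in the post. Treating the match as case-sensitive is an
# assumption made here, not something the post states.
NOMAP_SUFFIX = "_nomap"


@dataclass(frozen=True)
class AccessPoint:
    bssid: str   # hardware address seen in the beacon (constructed values below)
    ssid: str    # advertised network name; "" models a hidden SSID
    lat: float
    lon: float


def carries_opt_out_tag(ssid: str) -> bool:
    """Tag model from the quoted text: the owner opts out by renaming the
    network. A hidden SSID (empty string) can never carry the tag, so it is
    always treated as 'not opted out' by this model."""
    return ssid.endswith(NOMAP_SUFFIX)


def collect_tag_model(scan):
    """Record everything unless the network has been renamed with the tag."""
    return [ap for ap in scan if not carries_opt_out_tag(ap.ssid)]


def collect_opt_in_model(scan, consented_bssids):
    """Opted-out-by-default model: record only access points for which the
    operator holds an explicit consent entry. No renaming or industry-wide
    convention is involved; absence of a record means 'do not store'."""
    return [ap for ap in scan if ap.bssid in consented_bssids]


def compare_models(scan, consented_bssids):
    """Return which access points each model would store, keyed by model name."""
    return {
        "tag_opt_out": sorted(ap.bssid for ap in collect_tag_model(scan)),
        "opt_in_by_default": sorted(
            ap.bssid for ap in collect_opt_in_model(scan, consented_bssids)),
    }


# Constructed scan: one renamed network, one hidden network, two ordinary ones.
SAMPLE_SCAN = [
    AccessPoint("aa:bb:cc:00:00:01", "HomeNet", 51.5, -0.12),
    AccessPoint("aa:bb:cc:00:00:02", "HomeNet_nomap", 51.5, -0.13),
    AccessPoint("aa:bb:cc:00:00:03", "CafeWifi", 51.51, -0.11),
    AccessPoint("aa:bb:cc:00:00:04", "", 51.52, -0.10),  # hidden SSID
]

# Constructed consent register: only the cafe has explicitly agreed to be listed.
SAMPLE_CONSENT = {"aa:bb:cc:00:00:03"}

if __name__ == "__main__":
    for model, stored in compare_models(SAMPLE_SCAN, SAMPLE_CONSENT).items():
        print(f"{model}: {stored}")
```

Run on the sample scan, the tag model stores three of the four access points, including the hidden one whose owner had no way to express an opt-out, while the opt-in model stores only the single network with a consent entry. The difference is not in the filtering code but in what happens when nobody has done anything: one model defaults to collection, the other to non-collection.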

So, on the one hand we have the obfuscation about “privacy policy” versus “privacy policy statement”. On the other, an approach to wi-fi privacy which seems to go to any length to avoid the most obvious solution: opting users out by default, rather than in.

So do Google really ‘get’ privacy yet? Sorry, but I’m not convinced. On that basis, I think the aggregation of data across their multiple services represents a privacy risk which individual and corporate users should not ignore. But what do you think?

2 responses so far ↓

  • 1 Robin Wilton – Gartner: Do Google ‘get’ privacy yet? http://blogs.gartner.com/robin-wilto… « oracle fusion identity   March 5, 2012 at 8:54 am

    [...] Wilton – Gartner: Do Google 'get' privacy yet? http://blogs.gartner.com/robin-wilton/2012/03/05/do-google-get-privacy-yet/ https://plus.google.com/113340044616880088383/posts/1R2qTXPuBdu http://bit.ly/OracleIdM Share [...]

  • 2 Stephen Wilson   March 5, 2012 at 2:18 pm

    Google is one of the biggest companies in the world, whose only asset is information (funny, in days gone by, you’d call that an intangible asset!). The more they know about their users, the more valuable the asset. There is a deep tension for Google in privacy, because it devalues their assets.

    The cornerstones of Information Privacy or Data Protection as legislated in many parts of the world are Collection Limitation (only gather the personally identifiable information you really need), Use Limitation (do not use PII for new unrelated purposes without consent) and Openness (let people know what PII you have and what you do with it).

    So in this instance, Google has been open, but their linking of all services is a manifest failure of the more important Use Limitation principle. People did not upload YouTubes or blogger posts expecting that their content was going to be indexed one day for Google’s other advertising purposes. Scanning people’s posts for marketing intelligence is not a reasonable related secondary purpose for all that data. Lord only knows how much geolocation information they have at their disposal now to mash up with their maps!

    Actions speak louder than words. When we look at some of their past missteps — like automatically populating Buzz accounts, or harvesting wifi transmissions as Google StreetView cars went about collecting SSIDs — we can see that deep in Google’s DNA is a disregard for Collection Limitation and Use Limitation. Their business model is based on collecting as much information as possible, and putting it to whatever “innovative” use they like.

    To answer the question — does Google get privacy? — I suspect the answer is yes, they do, they know exactly what they’re doing. In the same way as Big Tobacco got that their products were dangerous.

    Google boasts it has Privacy Officers but they’re employed for much the same reason as tobacco companies hire oncologists.