Google’s move doesn’t surprise me. In fact, three years ago, I gave a presentation at an RSA conference saying that the information that Google was gathering through its wide-ranging services was just too tempting and that consolidation of that data was inevitable, despite the compromise of privacy that would result. (
The title of my presentation was “Is Google Evil?” Now, as then, I think the answer is no. It is a business. It exists in order to create value, and it has done that by making use of personal information that consumers freely give to it. Consolidation of that information carries serious privacy implications, but the company that does such a thing isn’t evil. Companies will do what they can within the law to get the most value out of their assets. We’ll get to the question of just what should be allowed by law when it comes to personal information, but let’s drop the name-calling. Companies are expected to extract value where they can, and when they do so they can’t be called evil any more than a lion that chases down and tears into the weakest gazelle.
That said, there is plenty to get upset about regarding Google’s new policy. Google has managed to wriggle into just about every area of our lives. It all started with Google search, of course, and that seemed innocuous. But later you could sign up for a Gmail account, and suddenly any searches you did while signed onto Gmail could have an identity assigned to them — and Google roughly knew what was on your mind. Google Docs was another chance to gather data, and the social network Google+ really ups the ante. Every post is captured, and Google has access to information such as who is in your circles — not only that you know those people, but what your relationship is to them, because you’ve defined your circles so carefully (family, friends, colleagues, fellow alumni). Google Calendar reveals where you are going to be. Google Maps gleans where you are considering going. Google Latitude knows exactly where you are right now. Picasa stores pictures, and if you carefully tag them, you have provided more information about where you have been and whom you have been with. Google Chrome keeps track of your browsing habits and history. Google Checkout and Google Wallet know what you are buying and where you are. The Android operating system can track every aspect of your cellphone usage, including the apps you have loaded. YouTube searches can reveal proclivities that you might not want other people to know about.
Until now, we could think of all of these as stand-alone services. Each had information about us, but the threat of privacy invasion seemed manageable. It’s a different story when it all gets consolidated. Now, for all practical purposes, a single entity has the ability to put together your past, present and future. Who calls you on your Android phone can be combined with what you are searching. The interests you repeatedly post about can be combined with your location. Your appointments can be cross-referenced with your acquaintances’ appointments.
What we know is that Google tries to monetize the information it has about the users of its services by selling advertising that is carefully targeted to their interests. Facebook and other companies do similar things. Some people have been sized up pretty well just based on their searches. Others have not. Wired recently ran a short piece on how Google currently can be inaccurate in its current analysis of a user’s searches . After consolidation, though, there will be little ambiguity.
The argument is that presenting you with ads that you are really interested in serves both you and the advertisers. As things stand now, there’s potential for unintended humor when things go awry. (This is only slightly fanciful: “I called my boss a pain in the butt on Facebook, and now I’m getting ads for hemorrhoid treatments.”) With consolidation, the potential is for real mischief. With all that information at Google’s fingertips, it might serve up ads like these:
“Your grandmother purchased a 30-day supply of fungicide and it is about to run out. Consider buying some for her upcoming birthday.”
“Stephen browses lesbian porn on YouTube. Consider buying these videos for him as an anniversary present.”
“Your employee John is currently in your competitor’s office. Would you like to wish him well?”
“Your husband is scheduled to meet Linda at the Best Western. There is an Applebee’s next door. Would you like to buy them a gift certificate for dinner?”
“Mary just purchased a new vibrator. Recommend batteries for her.”
Extreme examples perhaps, but I’m pretty sure that embarrassment and humiliation via Google await all of us. And I am able to imagine all of these things while assuming that Google is not evil. Should it ever cross the line, then all of that information it has could be used for truly nefarious and malicious purposes, including extortion and harassment.
But that’s just paranoia, right? After all, Google is saying that its new policy of consolidation will only be used in ways that are helpful to its users. OK, that sounds good. But wait a minute. Didn’t Google used to say that all that information wouldn’t be consolidated? And now it is being consolidated. Which means: Google can change its mind. It can rewrite its policies anytime it wants so that they say anything it wants.
Meanwhile, Google just keeps on growing. A few short years ago, how many people foresaw all that Google would eventually involve itself in? Not many, considering the non-reaction to my presentation at RSA. Chances are, more growth is coming. And it’s a pretty good guess that every move will bring the company a little deeper into our lives.
Still, technically not evil. Google is just a very intelligently run business that is making the best legal use of the resources it has. So the question we really need to ask is, “What should be legal when it comes to the use of personal information that is freely given up to a corporation?”
My thought is that regulators and privacy professionals should rethink the concept of privacy protection. When companies are allowed to set their own privacy policies and retain the right to change them at will, do privacy policies mean anything at all? The Google case suggests that voluntary privacy policies, always subject to change, provide no protection.
Now, you could argue that any company that did that had to induce people to use its services under false pretenses. And that sounds, well, evil.
In the wake of Google’s policy change, eight members of Congress sent the company a list of questions about the new policy’s effects on privacy. Google responded on Monday, basically saying that its approach to privacy has not changed . My expectation is that in the end Google will make some small concessions, and the lawmakers and various privacy advocates will play those up so we’ll all think they’re looking after our welfare. To my mind, that’s not nearly good enough. If Google is really going to live up to its corporate mantra of “Don’t be evil,” then it should undo this latest move and support regulation that would stop other companies from making similar changes. Because, unlike lions on the savannah, a company’s worst impulses can be constrained.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.