Google’s new privacy policy is probably pretty old news to you by now. After all, for every search that you do, you get a nice notification from Google that its privacy policy is changing and that “This stuff matters…”. If you’ve bothered to read it, you will know that Google intends to amalgamate all of the data that they collect about you into a single account profile. Unsurprisingly, the new policy has divided reception across the internet.
Google fans can’t see any wrong in what Google is up to, while people on the other side of the fence are pretty upset about where things are going. Indeed, Microsoft has taken advantage of the furor to put Google’s privacy policy at the center of its latest marketing campaign. I was, therefore, not very surprised to see Kim Cameron, the chief Identity and Access architect at Microsoft, posting a bit of a rant levelled against Google on his blog. What did come as a surprise was the news that the National Association of Attorneys General in the United States had written a scathing letter to Larry Page requesting a meeting to discuss the privacy policy further.
No ad to show here.
Cameron has posted a number of articles attacking Google’s identity policies, particularly with regard to the internet giant’s Real Name policy and its opposition to various movements toward having the “right to be forgotten”. As somebody who has worked in the identity management market for some time, I keep track of the things that people like Kim Cameron have to say.
After all, these people are responsible for many of the decisions being made about how identity information is stored and shared in the software that we use. While I am hesitant to endorse everything that Cameron has to say, particularly in light of all of the FUD that Microsoft seems to be publishing about Google at the moment, his 7 Laws of Identity have been used by many specialists in the field to help define and build identity management systems for many years now. When he points out that Google is breaking three rules that most identity management professionals would feel are entirely reasonable, it is worth taking a few minutes to listen to what he has to say.
Most Google fans are quick to point out that Google has all of this data already and that nothing within its existing policies has prevented them from correlating data and making sense of it. After all, some people claim, the abundance of different policies actually makes it more difficult for users to know exactly what their rights are and how data is used for each different service. On Google’s side, maintaining a multitude of policies is a costly legal exercise and opens the search behemoth up to a range of potential legal battles in the future. By creating a single consolidated privacy policy, users can make more sense of what the rules for all of Google’s services actually are. In some ways, Google’s new privacy policy makes things more transparent. However, the Attorneys General (and Kim Cameron) don’t think that this is the case. Here is a quick summary of the problems the Attorneys General have raised:
- Invasion of consumer privacy by automatically sharing personal information across Google applications
- Lack of consumer control over what data is shared between applications
- It is not fair to expect users to simply choose not to use a system that the Internet has come to rely on
- The cost for individuals and business to migrate away from Google in response to the change in policy, including the cost to tax-payers in order for governmental bodies to be able to migrate to alternative platforms
- An impossible “choice” for Android users, who would need to replace their phones at personal cost if in disagreement with the new policy
- Increased security risk to end-users as more personally identifiable data is stored within a single profile
- Divergence from Google’s original marketing message, which cultivated a respect for privacy in order to woo users
- The choice to participate should be ‘Opt-In’ as opposed to ‘Opt-Out’. There is no meaningful ‘Opt-Out’ option.
Some of those points are reiterations of each other and some simply seem ungrounded in anything that has the faintest whiff of legal. Certainly, it seems to me that if Google feels that its applications will function better by being able to share data between themselves, then that’s really up to Google. After all, Google can argue that it is ultimately providing a platform. An operating system cannot function properly if it can’t share personally identifiable data between different components and applications that make up the service that it offers. Nobody should get upset about that, in itself. Your privacy is not really being invaded any more than it already was. However, I do think that there are a number of very interesting and powerful points that come out of this.
For one, it is true that when collecting personally identifiable data and storing it, we generally expect to have control over what data is collected and shared and when this happens. We also expect to have the option to opt-in to be able to take advantage of the benefits that we will gain (in exchange for the cost of giving up some of our privacy) or at least to opt-out to make use of a reduced service (when the cost of giving up our privacy just doesn’t seem worth it). Particularly when the software that we are using has been marketed to us with a continual mantra of do-no-evil.
Naysayers will say that we are free to choose not to make use of Google services. This is just naive. To begin with, as the Attorneys General point out, that would require a whole bunch of people to simply throw out their mobile phones, or for businesses to suddenly bear the massive costs of migration to an alternative platform after having been wooed with promises of finer grained control over the privacy of their data. Furthermore, a point not covered by any of these commentators is that the internet simply starts to break when you try to remove Google from it. Nearly every site nowadays seems to make use of Google APIs or Google Analytics. You simply can’t avoid being tracked by Google. Firefox plugins like NoScript are helpful in this regard, but often just serve to remind you of how poor the internet becomes the moment you try to remove Google from your life.
I agree that there seems to be something wrong with a situation where a company can be held to ransom with regard to the decisions it can make about how it progresses with its own software development, merely because it has been so successful. There’s not much we can all do about this mess other than hope that our Search Overlord listens to its loyal subjects. After all, this stuff matters…