'Do you trust Google?' is the wrong question

'Do you trust Google?' is the wrong question

Summary: Don't mind Google knowing your real name, or putting your photo against the keywords you search for? Or - as it turns out - against the keywords you search for on the US Inland Revenue Service site?

SHARE:
TOPICS: Windows
16

Don't mind Google knowing your real name, or putting your photo against the keywords you search for? Or - as it turns out - against the keywords you search for on the US Inland Revenue Service site?

Google's announcement that it's merging the privacy policies for all its services into one policy and explicitly sharing data it tracks about you on one Google service with your searches on another Google service has garnered two main reactions.

Firstly, the Google backlash that I've been expecting any time these last five years; after the Nym Wars where Google appeared to be dictating what a Real Name could be and the ever-more-spam-clogged search results, for some people this hits the limit on what they’re comfortable having a service correlate in a similar way to Facebook’s ever-encroaching tracking settings. Bing is getting a lot of unhappy ex-Google users, many of whom are surprised to find that yes, Bing has turned into a good and mostly spam-free search engine.

Or secondly, that Google is a free service and disclosing information is how you pay for it, and besides, it gets you more accurate ads so it’s probably a good thing.

Both reactions are to Google and what Google is doing with your data, but with Data Privacy Day coming around on January 28th and the EU announcing the proposed reforms to its data protection rules, it’s important to think more widely about this.

The right to be deleted, the right to be forgotten

The EU will finally make companies in Europe who lose customer data tell the customer - or better yet, either not keep so much information or encrypt the data so if it's lost, no-one can use it. It's also giving you the right to delete data about you, or move it to another service.

The ‘I trust Google with my information’ reaction often comes with a side order of ‘all the other services track you too’ and that – along with the pervasiveness of Google Analytics and other Google services – is a bigger issue. Many services do track you, more extensively than you might think. In 150 milliseconds while a page loads, there are ad services that will geolocate you from your IP address, look up what they know about you and auction off your eyeballs to the most lucrative bidder.

Few sites tell you who they share information with. It’s a salutary lesson to fire up IE9, add in one of the Tracking Protection lists from Abine or EasyPrivacy and see just how many pages show the little blue block icon in the address bar. For a good explanation of what TPLs do, look at the new Privacy International site, where you’ll soon be able to get blocking lists specifically for child protection, web analytics and behavioural tracking.

Et tu, Bing? Not quite

One of the frequent comments to the ‘I’m switching to Bing’ announcements is to declare that Microsoft tracks you too, and must be just as evil as Google (should you consider Google to have broken its own policy, which is these days described as “you don’t have to be evil to be in business”). Here’s what Microsoft told us last time we asked about the Bing and Windows Live privacy policy.

"We use a technical method (known as a one-way cryptographic hash) to store search terms separately from account holders’ personal information, such as name, email address, etc. so they can’t be systematically recombined. As a result of this “de-identification” process, when Microsoft’s online ad targeting platform serves individually targeted ads, it selects them based only on data that does not personally and directly identify the individual. As a matter of policy, Microsoft takes steps to separate any information that can be used to personally and directly identify a use from the information in its ad selection system.

“Additionally, consistent with our privacy policy, Windows Live users who do not wish to receive targeted advertising can opt-out at the following site. We’ve also taken an extra step and made the opt out “roamable.” This allows people to have their opt-out choice apply to any computer they log onto with their Windows Live ID."

Google: utility or enabler?

The issue with the IRS site is that the embedded YouTube video and Google Analytics code on the page generate cookies and tracking images that are also used on the search results page. That’s not a conspiracy; that’s sloppy coding. But the pervasiveness of Google tools and services means that all the information Google is getting about you is rather more than you expect. Whether or not you trust Google to do good with your information rather than evil isn’t the issue. It’s not even that Google is being rather more transparent than most services; it’s an improvement on the game of Find The Lady that Facebook plays with its privacy settings from month to month. For me, it’s that normalizing this level of data gathering for a service that’s so widely used that it’s practically an information utility is a step towards massive and routine information gathering, just as the EU right to be forgotten and proposals like Do No Track suggest that there’s too much tracking and not enough informing going on already.

Google sounded tone deaf on the issue of pseudonyms in Google+ (and the latest improvements still seem to leave Google deciding if your pseudonym is really good enough). Now it’s sounding out of tune with the EU and with a lot of users. This is a problem that’s far bigger than Google, but because Google is so big, what it does around tracking has wide implications.

Mary Branscombe

P.S. Incidentally, I’m expecting the Bing team to be flattered this week. Not only are there are the ‘I’m switching to Bing and hey, I like it’ comments floating around, but every time Larry Page talks about making a ‘beautiful’ service I think not of iOS eye candy but of the delightful Bing daily images (which Google briefly and embarrassingly copied) and the Windows Phone emphasis on design and typography in the Metro interface (to which the Google IO 2001 page bears what I can only call a startling resemblance).

Topic: Windows

Simon Bisson

About Simon Bisson

Simon Bisson is a freelance technology journalist. He specialises in architecture and enterprise IT. He ran one of the UK's first national ISPs and moved to writing around the time of the collapse of the first dotcom boom. He still writes code.

Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things inbetween.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion
  • Google and any of these services aren't going to know your name and personal data, other than your IP address, client, etc. that is obtainable through the browser without the user submitting it. So we must educate the users of these sites, that if they don't want their information stored at Google, then they shouldn't submit anything to Google in the first place.
    Chris_Clay
  • Ironically I have just re-read / re-listened-to Cory Doctorow's "Scroogled" which just shows that, thus far, Google is not that Evil at all.
    natalieford
  • @apexwm

    Google puts a long-life cookie on your hard drive, and a Wall Street Journal article found it tracked you more than anybody else because it has ads almost everywhere. Quote:

    "Google was the most prevalent tracker in The Wall Street Journal's survey of popular websites, with tracking code appearing on 49 of the 50 sites tested."
    http://www.wallstreetjournal.de/article/SB10001424052748703999304575399041849931612.html

    Google also owns Double Click. I assume you warmly support DC's pioneering efforts at tracking web users as well.

    But, well, OK, you're right: users can just not visit any sites that carry any Google or Double Click ads.
    Jack Schofield
  • Jack :
    I am not saying I agree with Google excessively tracking users. But, I think social networks (i.e. Facebook, Google+) are doing much worse than tracking your IP address and your browsing history (which in many cases, changes on a regular basis with many ISPs anyway), because they have personal information that is submitted by the users right from the start.

    Interestingly enough, I see that Google does offer their "Google Analytics Opt-out Browser Add-on" for the mainstream browsers. The URLs are blocked in comments here, but searching for this will lead to the link for it. It does seem silly that this needs to be controlled via a plugin, rather than simply allowing the user to modify the data collection settings directly.
    Chris_Clay
  • @apexwm

    I was simply pointing out the naivety of your statement that "if they don't want their information stored at Google, then they shouldn't submit anything to Google in the first place." Google is all over the web like a rash thanks to its advertising networks, and I don't think the average user can actually avoid Google search (which has a monopoly market share) or YouTube.

    The number of people who know they can opt out is tiny, and the number who will opt out is even tinier, so ultimately the opt-out option doesn't matter. It has no effect.

    If people are publishing personal info on Facebook etc, then they are doing it deliberately. That might not be smart but it's absolutely different from being tracked everywhere without their knowledge.
    Jack Schofield
  • Jack - not just the advertising but the Web tools, like Google Analytics, which is how Google can associate you searching for say 'how do I declare that income I forgot to report' with your search profile. It's the pervasiveness that's the issue for me.
    M
    Simon Bisson and Mary Branscombe
  • @Mary Branscombe. "....... It's the pervasiveness that's the issue for me." Absolutely, I concur 100% that pervasiveness and creep are serious issues to be confronted, along with unintended consequences.
    The Former Moley
  • Great article but there is something missing in current discussions between policy makers where privacy and security become blurred in up coming (and current) legislation.

    It's 100% fair to bring to light how pervasive tracking of customers is but it's also important to note than what customers increasingly demand is a personalised experience.

    Amazon, eBay, Zappos and Google etc. are industry leaders because they use customer data to provide the customers with a better experience than other websites.

    Customers should know what data is being used but just as importantly be educated as to why it's being taken and what it's being taken for.

    Google Maps had no real reason to take IP and wi-fi data readings other than to pry into levels of heavy internet users, Google Places and Ad's within Google Maps were increased after this which I sincerely doubt was a coincidence.

    However, if customers don't give us data or worse, we're not allowed to keep or store that data, then how can we structure our businesses to meet their needs.

    Web Analytics data and preference information performs the same function as a loyalty card for an offline retailer - you analyse habits and target marketing to create better customer experiences.

    This new debate seems to have become much more focused on the rights of the consumer as advocated by pressure groups and less to do with research based on online customers and what they want.

    People opt-out from marketing communications because they are NOT targeted, if we take a too draconian route to regulation the customer is worse off not better off.

    What we need are better, and more heavily enforced data protection policies around security and data ownership, not just to restrict the whole online industry in the collection of data that benefits consumers.

    Feel free to disagree :)
    AlexTimlin
  • Alex; one of the issues between privacy and customisation is where that information is used and for whose benefit. If you want Amazon to know a lot about you to suggest better products, do you want other sites to have that same information about you? Do you want Google to get all that same information about say which financial self-help books you research or which medical conditions you read about and tag that with your photo and G+ details so that some other site you visit can present relevant products when you visit for the first time? That's the issue with data crossing site boundaries, which to me is rather different from tracking you within a single site.
    M
    Simon Bisson and Mary Branscombe
  • Nope, never have, never will. It doesn't matter what they, or their employees spout, the ultimate game here is money, money, money and that brings with it a level of mis-trust when it comes to my personal identity- after all, it's worth money to them (albeit a few pence/ cents or whatever you want to call it).

    However, I've had a love hate relationship with Google since I started web des and SEO 7 years ago, so it's no wonder I dislike the company. I do, however believe that the results they're throwing up now are more accurate, although tainted by Google places. As for cross account sharing of personal data.... How about you just buy yourself a disposable mobile phone, sign up with a fake ID and hey presto, your identity is safe online.... only costs some £15 to do in the UK!
    webmaster@...
  • "If people are publishing personal info on Facebook etc, then they are doing it deliberately. That might not be smart but it's absolutely different from being tracked everywhere without their knowledge."

    Yes, that is true that people publish info on Facebook intentionally. But what Facebook does with the data that users submit, is another thing. The scary one for me was the face recognition and other things they are doing. Why would they do this, and even when deleting content, how do we know it is deleted? We don't, and there's no way to ensure that data in Facebook isn't being shared with other parties. Even scarier, many people that use Facebook are not aware of any of this.
    Chris_Clay
  • @apexwm

    You're an Anonymous Coward so we've no idea what you give away on Facebook, if anything. However, Google *knows* what you searched for in private, whether that was for aids or cancer treatment or just books and toys for kids. It also knows which sites you visited. I agree that Facebook privacy is scary for some people (though not for me) but Google is *potentially* orders of magnitude scarier.
    Jack Schofield
  • @Jack, @apex The 'trust us, we're not evil' argument has worked for Google for a lot longer than I personally expected (Gmail scanning for ads was a step too far for me: Clippy style 'it's looks like you're breaking up with your girlfriend, would you like help with that' ads cross the uncanny valley on a zipline as far as I'm concerned) but with this scale of data collection, it comes down to A Do you trust Google and B Even if Google is utterly trustworthy, who else is going to do it now that Google has made it acceptable and do you trust them, and their imitators and their government and their partners and....
    M
    Simon Bisson and Mary Branscombe
  • Mary,

    I think our best bet is user awareness and education of browser cookies and what they do, and how to disable them by site. Some may want to take the approach of disabling cookies for all sites, and enabling them only for sites that they trust. It would be interesting to see how far that gets, as we know some sites require cookies in order to function at all so it's a case by case basis. Google is not the only one to install tracking cookies; YouTube, Facebook, and many others have them.

    A less invasive approach might be to use a browser plugin, like BetterPrivacy for Firefox:
    https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
    And a cookie removal tool, like Nixory (multi-platform among Windows, Mac OS X, and Linux):
    http://linuxpoison.blogspot.com/2011/09/open-source-antispyware-tool-nixory.html
    Chris_Clay
  • @apex - cookie removal isn't enough; look at the Privacy International links on the various embedded tracking systems. TPLs in IE9 aren't the only way to do this; there's a cross-platform browser extension for Internet Explorer, Opera, Mozilla Firefox, Apple Safari, and Google Chrome called Ghostery that's worth a look.
    M
    Simon Bisson and Mary Branscombe
  • And user education isn't going to work; we ahve to do it, but it hasn't stopped malware and social engineering... there have to be tools and there has to be regulation
    M
    Simon Bisson and Mary Branscombe