'Do you trust Google?' is the wrong question
Don't mind Google knowing your real name, or putting your photo against the keywords you search for? Or - as it turns out - against the keywords you search for on the US Inland Revenue Service site?
Google's announcement that it's merging the privacy policies for all its services into one policy and explicitly sharing data it tracks about you on one Google service with your searches on another Google service has garnered two main reactions.
Firstly, the Google backlash that I've been expecting any time these last five years; after the Nym Wars where Google appeared to be dictating what a Real Name could be and the ever-more-spam-clogged search results, for some people this hits the limit on what they’re comfortable having a service correlate in a similar way to Facebook’s ever-encroaching tracking settings. Bing is getting a lot of unhappy ex-Google users, many of whom are surprised to find that yes, Bing has turned into a good and mostly spam-free search engine.
Or secondly, that Google is a free service and disclosing information is how you pay for it, and besides, it gets you more accurate ads so it’s probably a good thing.
Both reactions are to Google and what Google is doing with your data, but with Data Privacy Day coming around on January 28th and the EU announcing the proposed reforms to its data protection rules, it’s important to think more widely about this.
The right to be deleted, the right to be forgotten
The EU will finally make companies in Europe who lose customer data tell the customer - or better yet, either not keep so much information or encrypt the data so if it's lost, no-one can use it. It's also giving you the right to delete data about you, or move it to another service.
The ‘I trust Google with my information’ reaction often comes with a side order of ‘all the other services track you too’ and that – along with the pervasiveness of Google Analytics and other Google services – is a bigger issue. Many services do track you, more extensively than you might think. In 150 milliseconds while a page loads, there are ad services that will geolocate you from your IP address, look up what they know about you and auction off your eyeballs to the most lucrative bidder.
Few sites tell you who they share information with. It’s a salutary lesson to fire up IE9, add in one of the Tracking Protection lists from Abine or EasyPrivacy and see just how many pages show the little blue block icon in the address bar. For a good explanation of what TPLs do, look at the new Privacy International site, where you’ll soon be able to get blocking lists specifically for child protection, web analytics and behavioural tracking.
Et tu, Bing? Not quite
One of the frequent comments to the ‘I’m switching to Bing’ announcements is to declare that Microsoft tracks you too, and must be just as evil as Google (should you consider Google to have broken its own policy, which is these days described as “you don’t have to be evil to be in business”). Here’s what Microsoft told us last time we asked about the Bing and Windows Live privacy policy.
"We use a technical method (known as a one-way cryptographic hash) to store search terms separately from account holders’ personal information, such as name, email address, etc. so they can’t be systematically recombined. As a result of this “de-identification” process, when Microsoft’s online ad targeting platform serves individually targeted ads, it selects them based only on data that does not personally and directly identify the individual. As a matter of policy, Microsoft takes steps to separate any information that can be used to personally and directly identify a use from the information in its ad selection system.
“Additionally, consistent with our privacy policy, Windows Live users who do not wish to receive targeted advertising can opt-out at the following site. We’ve also taken an extra step and made the opt out “roamable.” This allows people to have their opt-out choice apply to any computer they log onto with their Windows Live ID."
Google: utility or enabler?
The issue with the IRS site is that the embedded YouTube video and Google Analytics code on the page generate cookies and tracking images that are also used on the search results page. That’s not a conspiracy; that’s sloppy coding. But the pervasiveness of Google tools and services means that all the information Google is getting about you is rather more than you expect. Whether or not you trust Google to do good with your information rather than evil isn’t the issue. It’s not even that Google is being rather more transparent than most services; it’s an improvement on the game of Find The Lady that Facebook plays with its privacy settings from month to month. For me, it’s that normalizing this level of data gathering for a service that’s so widely used that it’s practically an information utility is a step towards massive and routine information gathering, just as the EU right to be forgotten and proposals like Do No Track suggest that there’s too much tracking and not enough informing going on already.
Google sounded tone deaf on the issue of pseudonyms in Google+ (and the latest improvements still seem to leave Google deciding if your pseudonym is really good enough). Now it’s sounding out of tune with the EU and with a lot of users. This is a problem that’s far bigger than Google, but because Google is so big, what it does around tracking has wide implications.
Mary Branscombe
P.S. Incidentally, I’m expecting the Bing team to be flattered this week. Not only are there are the ‘I’m switching to Bing and hey, I like it’ comments floating around, but every time Larry Page talks about making a ‘beautiful’ service I think not of iOS eye candy but of the delightful Bing daily images (which Google briefly and embarrassingly copied) and the Windows Phone emphasis on design and typography in the Metro interface (to which the Google IO 2001 page bears what I can only call a startling resemblance).