Sunday 4 March 2012

To Google-bash or not to Google-bash?

After months of work-induced hiatus, Matron has recently started tentatively to participate in life outside the ivory tower again. Among other things, this means that she has started to follow some of the discussions that are currently going on various "conspiracy-lists" of which she is a member. On one of those list, a very interesting question has just arisen with regard to Google's recent move to unify the privacy policy of its various services.

As many of Matron's readers will know, the EU's Article 29 Working Party has called on Google to agree to a "pause" with regard to the introduction of the new policy to give regulators across Europe the chance to review whether the new policy complies with EU data protection law. Google has so far rejected this request, pointing out that it has run the new policy by some (though admittedly not all) of the EU regulators already and that it sees no reason for further delay. It also seems convinced that the new policy does in fact comply with the law.

The Working Party is not so sure and the French data protection authority CNIL has now sent a second letter to Google on behalf of the Working Party in which it sets out its particular issues. A US-EU consumer rights organisation, the Trans-Atlantic Consumer Dialogue (TACD), has sided with the Working Party and written its own letter to Google CEO, Larry Page.

At the heart of the matter are concerns about


  1. a lack of transparency of the new policy and

  2. the allegation that Google may has given itself a right to combine personal data collected across all of its services that it did not have before. In particular, CNIL's preliminary investigations seem to show that it is difficult to know exactly which data is being combined between which services and for which purposes.
Never one to rely on the allegations made by others, Matron thought she might have a look and compare the new privacy policy with the last version before that (from October 2011). And indeed, there are some things that the average privacy advocate could take umbrage with.

Combination of data across services

Back in October 2011, Google's policy said:

"We may combine the information that you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."

The new policy reads:

"We may combine personal information from one service with information, including personal information, from other Google services – for example, to make it easier to share things with people you know."

To Matron the main two differences seem to be that:


  • under the older version combining data across service was allowed for the specific purpose of "providing you with a better experience and to improve service quality".


  • under the old policy, users were given the opportunity to opt out of having their data combined for certain services. That opt-out right now seems to have been removed across the board.
As far as the right to combine data is concerned, Matron has used this kind of wording herself many a time when drafting privacy policies for her clients. It is specifically designed to cover a wide range of processing activities, and in Google's case one could probably think of anything from improvements to the search algorithm to targeted advertising and personalisation. It was therefore a pretty wide-ranging right already and maybe we shouldn't get our knickers in a twist about this given that no one seems to have complained so far.



However, the old policy did at least tie the right to combine data to some kind of specified purpose, albeit a big and expansive one. Under the new policy, Google seems to have removed any purpose restriction whatsoever and just given itself the right to combine whatever data it holds about us as it sees fit. As a data protection lawyer, Matron would have to agree with CNIL, that that is at least questionable under EU data protection law which only allows for personal data to be processed (and combining is an act of processing) for specified purposes.

Also, in practical terms it would certainly suggest that Google is now doing something (or planning to do, or at the very least give themselves the option to do, something in the near future) that it wasn't doing before. Why else go to this length? As always, we could of course blame incompetence before looking for bad intent, but Google must be able to afford some of the best data protection lawyers in Europe, so maybe we can rule that out.



As for removing the users' right to object to the combining of their data, this is quite an important change and one whose repercussions we cannot yet really assess. For Matron personally, this means, for example, that Google may now technically be permitted to combine the data it collects about her via this blog (which one of it's subsidiaries hosts) with her search history. Because when registering with Blogger, Matron used an e-mail address that includes her real name (more fool her, many of her techie friends will say, but probably something that many other average users would have done as well) and given that this is the same e-mail address she used when opening a Google account, Google as a group of companies (not just as one or two of its subsidiaries) now knows the real name of the person who writes a formerly relatively pseudonymous blog (for Matron's feelings about this sort of thing, see here).

The question is, of course, how long it may now take until Google finds a creative use for all this combined data? For example, how long until a Google search for Matron's real name brings up this blog in the search results? Google may say that it has no plans to do this and be quite right at this point in time. But stranger things have happened at sea and on Facebook than an online provider changing its mind, business model or algorithm. They point is that it now can.



Transparency

Also, and this seems to be the main point of CNIL/WP29 criticism, it could justifiably be said that the new policy has indeed become a lot less transparent for the average user. This is because Google has now basically put up two big buckets:



  • In bucket A are all the types of data Google may collect from users of any of its services.


  • In bucket B are all the purposes for which Google may process personal data.
The new policy is basically construed in a way that allows Google to process any type of data from bucket A for any purpose from bucket B.

Given that in the EU data controllers are under an obligation to tell data subjects specifically in each case what type of data they are processing for what purpose, Google's approach is probably not enough to fulfil its obligation to provide data subjects with the required "fair processing information" as it's know in the trade.

Given also, that Google is likely to justify its processing activities on the basis of the user consent that it implies through the new privacy policy, users must be able to understand properly what it is that they are consenting to for the consent to be valid. And therein, as they say, lies the rub.



The "conspiracy list" on which this discussion arose consists of around 25 people, learned men and woman all, with backgrounds and tertiary degrees in law, IT, politics and many other cognate areas. After several rounds in the ring, members seemed to be unable to agree on what the new policy actually means. If it is ambiguous enough so that this type of user can't figure it out, the "normal" Internet user (as in most of Matron's examples consisting of a sample n=2, being Matron's and Pangloss' mothers) stand no chance. So, Matron can't help agreeing with CNIL that on the facts, at the very least, the latest development in Googleland warrants closer inspection and maybe the requested "pause".


To Google bash?

However, for Matron the most interesting and most frustrating aspect of the discussion on her list was not whether or not Google's latest peccadillo was of sufficient quality to finally taint the "don't be evil" image, but whether or not we, as a group of critical individuals, should be drawn into this affair (and a number of other affairs which involve Google, like, for example, the issues with the security gap in the Safari browser's cookie preferences) in the first place.



The reasons given for "not jumping on the Google-fear bandwagon" went along the following lines:



  • We shouldn't get caught up in a campaign to "take down Google", that was effectively organised and financed by a group of competitors.


  • There are other organisations who do the same or worse and so we need to be even-handed in our criticism.


  • We should focus on the principles and not on individual companies and single cases.


  • We should stick to our work and avoid chasing headlines.
None of this is easy to argue against, and yet the fact that we had this discussion in the first place and that we had it (it felt like) because this concerned one of the tech community's beloved darlings, left a bad taste in Matron's mouth.



That very same group of people has in the past both co-operated with and criticised companies, institutions and organisations like BT, Microsoft, Virgin Media, Phorm, the Information Commissioner's Office, the Home Office, the European Commission, O2, the UK security services, several rightsholders and their associations and even Apple (until recently another "Untouchable") without having had similar discussions about whether or not we should "single them out" for their transgressions. So why was this different?

And even if in this case Google's approach is specifically selected for criticism and comment, is this really so unjustified? If a country like, say, the US were to start violating certain human rights - lets assume for a moment that one day they may decide to detain certain undesirable individuals in prisons without a fair trial for an indefinite period of time - would we really bellyache about whether or not we can criticise the US for that just because any number of tin pot dictators all over the world have done the same for decades without us making a big deal about it?

Contrary to all the constant affirmation given to men by women all around the globe, size does matter. Reach matters. And relative and absolute power matters. If a big and powerful country like the US does something that flies in the face of a general feeling of what is right or wrong, this does two things:



  • its actions alone are likely to affect a massively larger number of people than the actions of smaller, less powerful countries.


  • its actions set a standard that other, smaller and less powerful players will adopt as soon as they get the chance.
It used to be said that if the US sneezes, the world catches a cold. On the internet, it seems - to Matron at least - that the same now applies to Google and a handful of other players. Those are the companies with the money, know how and lobbying power to shape both the technology we will be using in the future and to influence the way in which that technology will be regulated. Those are the companies that - everyday - test the boundaries of what users, competitors and regulators will allow them to get away with (see also Facebook for the "two steps ahead, one step back" approach to user conditioning). And once these companies have established the new "normal" and made it part of their established business model, others will follow.



The only way to counteract this, is for those of us with the relevant skills to pick them up on any transgressions as and when they happen. We must do this by analysing their actions; by bringing any unlawfulness to the public's and the regulators' attention; by working with regulators and other stakeholders in relation to enforcement and by trying to shape policy designed to address and/or prevent future transgressions.

And at no point in this process should we ever ask ourselves, "Should we be doing this because it could be construed as Google (or Apple, or Microsoft) bashing?"



Just saying...

No comments:

Post a Comment