The elephant in the room: The Google privacy situation

Google has taken a lot of heat over the issue of privacy. Learn what this issue means to you and your organization.

Hey, you. Yes, you over there - you systems administrators, CIOs, Marketing VPs, HR Directors, company presidents; anyone who uses Google products in their business. We need to talk about the elephant in the room, which has been making a lot of noise as of late. The elephant's name is "Privacy" and it has a potential impact you need to be aware of.

The subject at hand

The subject of Google privacy has been in the news quite a bit this year (the Miami Herald has a good article discussing the subject). Earlier this month it was reported that Google agreed to pay a $22.5 million civil penalty after the Federal Trade Commission found it had violated a 2011 consent order by placing tracking cookies in Apple's Safari browser on iPhones, working around Safari's default blocking of third-party cookies. This technique, used for targeting ads to users, was reported in the Wall Street Journal back in February.

My job isn't to represent Google on this issue; it's to tell you what the facts are so you can assess your involvement with the elephant: whether it will trample on your objectives or sit unobtrusively in the corner without incident. I'll weigh in with my opinions, but from the basis of being a Google Apps administrator and end user, not as a tech writer for the "Google in the Enterprise" blog.

Privacy in the year 2012

What does privacy really mean these days, in an era where satellites orbit overhead, online maps and street views can show every detail of a house or neighborhood (I myself use Google Street View to virtually explore the town I grew up in hundreds of miles away and see how things have changed), and Facebook/Google/Twitter can display our life's history to the rest of the planet, including where we checked in for lunch ten minutes ago?

Privacy, like many terms, is subjective. Back in the simple seventies it pretty much meant not having to worry about neighbors peeking in your windows or watching you in your backyard. Today, the word carries a whole new set of meanings, whether social, technological, or legal. To me, privacy means keeping your confidential information securely out of the hands of those whom you do not wish to have it (obviously for criminals seeking evasion from the law this definition may not necessarily apply). Some people are thrilled to have the world see them holding a frosty margarita in their Facebook profile picture (personally, I'd be more thrilled drinking the actual margarita). Others don't want to even have a profile picture, much less one that might identify their tastes or habits. It's up to the user.

No devil in the details

Google's Privacy Policy is short and almost entirely readable even to those of us who aren't lawyers (note there are also separate-but-similar policies for Chrome, Books, Wallet and Fiber available on that page). The base policy states, in essence, that when people sign in to use Google products, the information they provide can be collected "from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content - like giving you more relevant search results and ads." The customized ads do not use "sensitive categories" such as "race, religion, sexual orientation or health," so if you search for athlete's foot cures you needn't worry about ads for embarrassing medications popping up on your laptop in front of other people.

Google states they won't share your personal information outside of their organization except in the following conditions:

  • You specifically opt in.
  • You have a Google Apps account with a domain administrator (to whom your information is made available as a result of his or her access privileges, including the ability to read, retain and monitor it; this is no different than with in-house email).
  • For "external processing" - the policy describes this as affiliates or other trusted businesses processing the information on Google's behalf, under Google's instructions and subject to its privacy policy, so it is closer to an outsourced contractor than to a data sale.
  • For legal reasons - for instance in a law enforcement investigation. This doesn't just apply to Google searches, but also email, maps, YouTube videos, Google+ interactions, items purchased with Google Wallet and other examples.

What does that mean to me?

Well, that's a good question. I can't tell you what it means to you. I have found a very wide spectrum of opinions when it comes to the topic of privacy.

Some people are ultra-concerned about anything that even resembles a privacy risk to them, assuming that if they store their email or data in a cloud service like Google's then it may lead to rogue system administrators or "highest bidders" getting their hands on this information to look for secrets or gossip which can then blackmail, humiliate or ruin the individuals or companies involved.

These folks aren't just concerned with what Google says they do with user data, but what they fear Google may also do with it (or what some other agency may do to Google to get it). I have friends with this mindset who refuse to get Facebook accounts out of an Orwellian conviction that the government will start compiling dossiers on them.

Other people have a devil-may-care attitude and either assume they're small fish in a big pond who aren't likely to encounter adverse consequences from using Google services, or they feel safe trusting their data to an organization that stands to lose far more than it will gain by misusing customer data.

They may also abide by the notion that one only needs to safeguard their privacy if they've done something wrong (or are planning to do so); that it's the Casey Anthonys of the world conducting Google searches on how to pull off suspicious activities that need to worry about scrutiny (in Anthony's case the computer history and not Google was referenced in court, but the example holds valid in terms of what people assume is being tracked nowadays).

Then there are the folks in the middle, who don't necessarily believe their data will be misused or sold off to corporate spies but resent the concept of it being used to benefit marketing departments in a creepy stalking "We noticed you bought hiking boots, want to buy a tent too?" way. They may also have misgivings about Google data breaches they cannot control - or perhaps may not even be made aware of.

Here in the middle

As a system administrator and a regular Internet user, my take on the Google privacy policy is somewhere in the middle. If we put data somewhere other than our own systems, it's our job not to blindly assume everything will be just fine and that the forest is full of friendly Smurfs who mean us no harm. A lackadaisical attitude towards security is far more damaging than a hyper-vigilant outlook, and this applies to admins and users.

However, in Google's case, their organization gets the bulk of its money from advertisers, and their deployment of user-specific ads based on consumer data is part of that strategy. Like them, hate them, or ignore them - ads are a part of the Internet and while I don't mind (or even notice) the innocuous ones, the obnoxious ones are a plague to deal with. Popups, videos that play automatically, ads that even scroll down with you and block the content you're reading - all of these fit in the "going too far" category.

We're all familiar with the film "Minority Report" and how customized advertising was taken to an evil extreme in this futuristic world - with billboards actually calling out the names of passersby in an effort to convince them to buy various products. Google isn't even close to doing that.

I think the checks and balances of the technical community (which can investigate and expose privacy violations, as when an independent researcher uncovered the Safari cookie workaround that led to the $22.5 million penalty outlined above) combined with potential consumer backlash serves to keep the risk of Google privacy violations at an acceptable level for most small companies. Yes, Google was just fined for placing cookies when it had said it would not. Although some might argue this issue speaks to their credibility more than their actions, Google claimed that their assurance that they would not deploy these cookies came from an outdated web page from 2009 which should have been updated.

Nevertheless, this episode is a far cry from a scenario in which Google leaks pictures of an unreleased iPhone that an Apple employee sent via Gmail; nothing of that kind has been reported. I write crime fiction as a hobby and frequently conduct searches for story topics that might raise the eyebrows of police or federal officials ("recovery time for gunshot wounds" or "bank fraud prison sentence" for instance) and yet I do not have a concern that this will result in a visit from the men in suits, sunglasses, and Chevy Suburbans, nor that I am being flagged by Google as a "person of interest."

Furthermore, the sharing of data across services (such as using search to locate results in your own Google Docs files) isn't necessarily a concern if the data lives only within Google or, if transferred elsewhere (such as via "external processing" as outlined in one of the conditions above), it is securely encrypted in transit and at rest. Google claims that Google Apps data stored on their systems is stored "in fragments across multiple servers and across multiple data centers to both enhance reliability and provide greater security." Be careful what you read into that: fragmenting data across servers is a reliability and storage design, not an access control, so by itself it does not stop an insider who holds application-level access. What stands between a bored technician interested in your love life and your Google Apps email is Google's internal access-control and audit practices, which you cannot inspect from the outside. Just to be safe, therefore, I recommend not storing or sending any unencrypted data crucial to your organization via any service if the potential repercussions of an incident outweigh the benefits.

Of course, there is also the option to log out from your Google account where possible if you really don't want to have your information utilized by Google. You can also use third-party add-ons where applicable to help protect your data on Google systems, such as encrypting Google Docs or using the free open source TrueCrypt program to store critical data in an encrypted container before uploading it to Google; as long as the key or passphrase stays on your side, Google holds only ciphertext it cannot read or index. Options are out there and are only a Google search away - or a search on any competing engine.
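What "encrypt it yourself before it goes to the cloud" looks like in practice, as an added example that is not code from the original article or from Google: a small Python script that encrypts a file locally with AES-GCM under a passphrase-derived key before the file is copied to Google Drive or any other cloud store. It assumes the `cryptography` package is installed; the `ENC1` header, the function names and the sample document are my own inventions for the illustration. (TrueCrypt, mentioned above, has been unmaintained since 2014, so a script like this, gpg, or VeraCrypt is the contemporary equivalent of that advice.)

```python
"""Encrypt a file on the client before it is uploaded to a cloud service.

Added example, not from the original article. Assumes the `cryptography`
package (AES-GCM); everything else is the standard library.
"""
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENC1"          # hypothetical format tag so we can recognise our own blobs
SALT_LEN = 16
NONCE_LEN = 12
TAG_LEN = 16             # AES-GCM authentication tag appended by the library
PBKDF2_ITERS = 600_000   # slows down passphrase guessing against a stolen blob


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 -> 32-byte AES-256 key. The salt is fresh per file,
    # so the same passphrase never produces the same key for two files.
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERS, dklen=32
    )


def encrypt_bytes(plaintext: bytes, passphrase: str, filename: str = "") -> bytes:
    """Return MAGIC || salt || nonce || AES-GCM(ciphertext || tag).

    The file name is bound in as associated data, so a blob cannot be
    renamed to pass one document off as another without detection.
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return MAGIC + salt + nonce + ciphertext


def decrypt_bytes(blob: bytes, passphrase: str, filename: str = "") -> bytes:
    """Inverse of encrypt_bytes. Raises ValueError on a wrong passphrase,
    a wrong file name, or any modification of the blob after encryption."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < header + TAG_LEN:
        raise ValueError("not an ENC1 blob")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header]
    key = _derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[header:], filename.encode("utf-8"))
    except InvalidTag:
        # Refuse rather than hand back garbage: integrity failure is a signal.
        raise ValueError("wrong passphrase, or the file was modified after encryption") from None


def encrypt_file(src: str, dst: str, passphrase: str) -> None:
    """Encrypt src into dst; upload dst, keep src (and the passphrase) local."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(encrypt_bytes(data, passphrase, os.path.basename(src)))


def tamper_is_detected(blob: bytes, passphrase: str, filename: str = "") -> bool:
    """Flip one ciphertext bit and confirm decryption refuses the result."""
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01
    try:
        decrypt_bytes(bytes(flipped), passphrase, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample document; not real data.
    sample = b"Q3 acquisition target list - CONFIDENTIAL\n"
    passphrase = "correct horse battery staple"
    blob = encrypt_bytes(sample, passphrase, "targets.txt")
    assert sample not in blob
    assert decrypt_bytes(blob, passphrase, "targets.txt") == sample
    assert tamper_is_detected(blob, passphrase, "targets.txt")
    print("blob is %d bytes; round trip and tamper check OK" % len(blob))
```

Two points the passage glosses over are visible here. The authentication tag means a blob that was modified or substituted in the cloud is refused outright rather than silently decrypted into garbage, and the passphrase never leaves the machine, so the provider (and any "bored technician" or legal request aimed at it) holds only ciphertext. The trade-off is real: Google can no longer index, search or preview the content, and losing the passphrase loses the file, so the key management burden moves back to you.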


I don't feel the use of a service like Google Apps poses a threat to the confidentiality or data integrity of my personal or business operations. However, in dealing with any cloud-based organization, each company has to weigh the risks and adhere to applicable standards such as PCI DSS, SSAE 16 (the successor to SAS 70) or HIPAA to make sure they are in compliance with what's required of them before they sign up in the Google realm; that includes confirming the provider will sign the agreements those standards require, such as a HIPAA business associate agreement. They also have to decide what makes the most sense from an administrative and technical stance.

Personally I feel large organizations would be better served by relying on in-house systems and staff where possible; I'm not convinced the cloud is presently the best option for these entities, except possibly in a secondary service capacity for backup purposes or communication/collaboration with other organizations. I also believe any company with heightened security practices, whether because they handle credit card information, engage in top-secret military work, or otherwise need to ensure absolute control of their data should also operate their own systems and keep their data local. And if like me, you decide Google services are the right fit for your particular needs it's critical to always keep up on the latest developments so you can reassess and plan accordingly, if need be.

There is some worthwhile further reading on the topic if you'd like more information. In particular, I found the articles by Danny Sullivan to be quite useful.

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.