The elephant in the room: The Google privacy situation

Google has taken a lot of heat over the issue of privacy. Learn what this issue means to you and your organization.

Hey, you. Yes, you over there - you systems administrators, CIOs, Marketing VPs, HR Directors, company presidents; anyone who uses Google products in their business. We need to talk about the elephant in the room, which has been making a lot of noise as of late. The elephant's name is "Privacy" and it has a potential impact you need to be aware of.

The subject at hand

The subject of Google Privacy has been in the news quite a bit this year (the Miami Herald has a good article discussing the subject). Earlier this month it was reported that Google was fined $22 million after it was found to have violated an agreement and placed cookies on Apple iPhones using the Safari web browser. This strategy, used for targeting ads to users, was reported in the Wall Street Journal back in February.

My job isn't to represent Google on this issue; it's to tell you what the facts are so you can assess your involvement with the elephant; whether it will trample on your objectives or sit unobtrusively in the corner without incident. I'll weigh in with my opinions, but from the basis of being a Google Apps administrator and end user, not as a tech writer for the "Google in the Enterprise" blog.

Privacy in the year 2012

What does privacy really mean these days, in an era where satellites orbit overhead, online maps and street views can show every detail of a house or neighborhood (I myself use Google Street View to virtually explore the town I grew up in hundreds of miles away and see how things have changed), and Facebook/Google/Twitter can display our life's history to the rest of the planet, including where we checked in for lunch ten minutes ago?

Privacy, like many terms, is subjective. Back in the simple seventies it pretty much meant not having to worry about neighbors peeking in your windows or watching you in your backyard. Today, the word carries a whole new set of meanings, whether social, technological, or legal. To me, privacy means keeping your confidential information securely out of the hands of those whom you do not wish to have it (obviously for criminals seeking evasion from the law this definition may not necessarily apply). Some people are thrilled to have the world see them holding a frosty margarita in their Facebook profile picture (personally, I'd be more thrilled drinking the actual margarita). Others don't want to even have a profile picture, much less one that might identify their tastes or habits. It's up to the user.

No devil in the details

Google's Privacy Policy is short and almost entirely legible even to those of us who aren't lawyers (note there are also separate-but-similar policies for Chrome, Books, Wallet and Fiber available on that page). The base policy states, in essence, that when people sign in to use Google products, the information they provide can be collected "from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content - like giving you more relevant search results and ads." The customized ads do not utilize "sensitive categories" such as "race, religion, sexual orientation or health," so if you search for athlete's foot cures you needn't worry about ads for embarrassing medications popping up on your laptop in front of other people.

Google states they won't share your personal information outside of their organization except in the following conditions:

  • You specifically opt in.
  • You have a Google Apps account with a domain administrator (to whom your information is made available as a result of his or her access privileges; this is no different than with in-house email).
  • For "external processing" - this is ambiguous, but seems to apply to Google products connected to related services at other companies.
  • For legal reasons - for instance in a law enforcement investigation. This doesn't just apply to Google searches, but also email, maps, YouTube videos, Google+ interactions, items purchased with Google Wallet and other examples.

What does that mean to me?

Well, that's a good question. I can't tell you what it means to you. I have found a very wide spectrum of opinions when it comes to the topic of privacy.

Some people are ultra-concerned about anything that even resembles a privacy risk to them, assuming that if they store their email or data in a cloud service like Google's then it may lead to rogue system administrators or "highest bidders" getting their hands on this information to look for secrets or gossip which can then be used to blackmail, humiliate or ruin the individuals or companies involved.

These folks aren't just concerned with what Google says they do with user data, but what they fear Google may also do with it (or what some other agency may do to Google to get it). I have friends with this mindset who refuse to get Facebook accounts out of an Orwellian conviction that the government will start compiling dossiers on them.

Other people have a devil-may-care attitude and either assume they're small fish in a big pond who aren't likely to encounter adverse consequences from using Google services, or they feel safe trusting their data to an organization that stands to lose far more than it will gain by misusing customer data.

They may also abide by the notion that one only needs to safeguard their privacy if they've done something wrong (or are planning to do so); that it's the Casey Anthonys of the world conducting Google searches on how to pull off suspicious activities that need to worry about scrutiny (in Anthony's case the computer history and not Google was referenced in court, but the example holds valid in terms of what people assume is being tracked nowadays).

Then there are the folks in the middle, who don't necessarily believe their data will be misused or sold off to corporate spies but resent the concept of it being used to benefit marketing departments in a creepy stalking "We noticed you bought hiking boots, want to buy a tent too?" way. They may also have misgivings about Google data breaches they cannot control - or perhaps may not even be made aware of.

Here in the middle

As a system administrator and a regular Internet user, my take on the Google privacy policy is somewhere in the middle. If we put data somewhere other than our own systems, it's our job not to blindly assume everything will be just fine and that the forest is full of friendly Smurfs who mean us no harm. A lackadaisical attitude towards security is far more damaging than a hyper-vigilant outlook, and this applies to admins and users.

However, in Google's case, their organization gets the bulk of its money from advertisers, and their deployment of user-specific ads based on consumer data is part of that strategy. Like them, hate them, or ignore them - ads are a part of the Internet and while I don't mind (or even notice) the innocuous ones, the obnoxious ones are a plague to deal with. Popups, videos that play automatically, ads that even scroll down with you and block the content you're reading - all of these fit in the "going too far" category.

We're all familiar with the film "Minority Report" and how customized advertising was taken to an evil extreme in this futuristic world - with billboards actually calling out the names of passersby in an effort to convince them to buy various products. Google isn't even close to doing that.

I think the checks and balances of the technical community (which can investigate and expose any privacy violations as with the $22 million fine outlined above) combined with potential consumer backlash serve to keep the risk of Google privacy violations at an acceptable level for most small companies. Yes, Google was just fined for placing cookies when they weren't supposed to. Although some might argue this issue speaks to their credibility more than their actions, Google claimed that their assurance that they would not deploy these cookies came from an outdated web page from 2009 which should have been updated.

Nevertheless, this endeavor is a far cry from Google leaking pictures of the new iPhone after an Apple employee sent them via Gmail. I write crime fiction as a hobby and frequently conduct searches for story topics that might raise the eyebrows of police or federal officials ("recovery time for gunshot wounds" or "bank fraud prison sentence" for instance) and yet I do not have a concern that this will result in a visit from the men in suits, sunglasses, and Chevy Suburbans, nor that I am being flagged by Google as a "person of interest."

Furthermore, the sharing of data across services (such as your using search to be able to locate results in your own Google Docs files) isn't necessarily a concern if the data lives only within Google or, if transferred elsewhere (such as via "external processing" as outlined in one of the conditions above) it is securely encrypted. Google claims that Google Apps data stored on their systems is stored "in fragments across multiple servers and across multiple data centers to both enhance reliability and provide greater security." In other words, if this is correct, your Google Apps email cannot just be accessed and perused, say by a bored technician interested in your love life. Just to be safe, however, I recommend not storing or sending any unencrypted data crucial to your organization via any service if the potential repercussions of an incident outweigh the benefits.

Of course, there is also the option to log out from your Google account where possible if you really don't want to have your information utilized by Google. You can also use third-party add-ons where applicable to help protect your data on Google systems, such as encrypting Google Docs or using the free open source TrueCrypt program to store critical data in a secure file before uploading it to Google. Options are out there and are only a Google search away - or a search on any competing engine.

Conclusion

I don't feel the use of a service like Google Apps poses a threat to the confidentiality or data integrity of my personal or business operations. However, in dealing with any cloud-based organization, each company has to weigh the risks and adhere to applicable standards such as PCI, SAS70 or HIPAA to make sure they are in compliance with what's required of them before they sign up in the Google realm. They also have to decide what makes the most sense from an administrative and technical stance.

Personally, I feel large organizations would be better served by relying on in-house systems and staff where possible; I'm not convinced the cloud is presently the best option for these entities, except possibly in a secondary service capacity for backup purposes or communication/collaboration with other organizations. I also believe any company with heightened security practices, whether because they handle credit card information, engage in top-secret military work, or otherwise need to ensure absolute control of their data, should operate their own systems and keep their data local. And if, like me, you decide Google services are the right fit for your particular needs, it's critical to always keep up on the latest developments so you can reassess and plan accordingly, if need be.

Further information

Marketingland.com has some worthwhile reading on the topic if you'd like to get more information. In particular, I found the articles by Danny Sullivan to be quite useful.

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

6 comments
Tony Hopkinson

If one of us uses a 3rd party to store data and there's an apparent violation of the agreement, then that's us versus them in court, an extensive legal cost, and damages if our case is upheld. If we used a 3rd party to provide a service to our customers and there's an apparent violation of privacy, who's in the dock first? This is a straight risk/reward proposition, greed is simply making fools concentrate on the latter.

hforman

After reading Google Docs terms of service as to what they do with your documents (Scan, read) and what they say they CAN do with your uploads, I'm still waiting for the HIPAA police to come on very strongly with users who put their patients' information on Google. The same applies to law enforcement who put CJIS criminal data there or, what concerns me the most, is companies who put their customers' credit card information on the site. Especially knowing that Google has datacenters world-wide and that Google says that they are not responsible for your HIPAA certification and that no public cloud service is CJIS certified (of course, there is box.net and datamaxx and others...). It is one thing to put your own data up on these sites. It's an entirely other matter to take your customers' personal and private data and put that in the cloud where sites like Google and Dropbox tell you, up front, what happens to your uploads in their terms of service. So far, I have not heard anything about the HIPAA police arresting any doctors for doing this.

BlueCollarCritic

"and yet I do not have a concern that this will result in a visit from the men in suits, sunglasses, and Chevy Suburbans" That's about as obvious as your Orwellian reference and it's just as insulting. Having a valid concern about what will be done with one's data is not some outdated Orwellian conspiracy theory idea. This latest violation involving Google is NOT the first violation of privacy/trust and it certainly will not be the last. If you want to blindly embrace the cloud and trust others with your data then you should have the right to do that. But don't criticize the rest of us (thru carefully disguised insults) who are cautious and don't just blindly follow.

HAL 9000

To firmly believe that everyone else on the road particularly car drivers would go out of their way to try to Kill You. Sure it's Paranoid but the end result is also true. It doesn't matter to your corpse if the person who ran you down was deliberately trying to kill you or just didn't bother looking and ran you down by not seeing you till it was way too late. True you don't have to be Paranoid but I always found it far more painful that if you didn't firmly believe that other road users would go out of their way to try to kill you and you feel all warm and fuzzy and safe you'll end up in a position of Broken Bones long Hospital stays and the like because the idiot did something without looking and hurt you as a direct result. Things like that happen when there is only a stationary car on the side of the road and no other traffic at all but you riding down the road. That driver who you didn't know was there will decide to start their car and do a U Turn without looking and run you down. Or that driver behind you at the lights will suddenly think that they can go and will not worry about the motorcycle in front of them, they think that they can get into a gap in the traffic so they believe that everyone will get out of their way to allow them to go where they want to. Regardless they didn't specifically set out to run you down and Kill/Maim you or even hurt you but the end result is always the same you get hurt sometimes seriously the car driver says that they didn't see you even though they had been parked behind you for over a minute and tried to push you through a red light into the stream of oncoming traffic or whatever. Basically if you trust others to do the Right Thing you are going to be continually let down as they will do what they see as best for them. Be that a Person or Company and it's always way too late after the event to ask Why Me?
Things get even worse when you allow that Company to decide what it is that they will do so I have to suppose that I fall into the Never Trust Anyone Camp. Paranoid is far less PAINFUL! And remember just because a person is Paranoid doesn't mean that someone isn't following them. ;) Col

Mark W. Kaelin

What category best describes you? Never trust Google? Always trust Google? Trust, but verify? Does the issue of privacy keep you away from Google Apps and other cloud-friendly tech?

smmatteson

... my writing style can be tongue in cheek; I should have included some emoticons - my bad. I do enthusiastically support having a valid concern about your data and keeping it safe and secure. Also, nobody should blindly embrace any technology and ought to maintain a healthy dose of skepticism as you indicated.