Well, Google just doesn’t seem to be able to stay out of the spotlight at the moment. I’m not going to try and comment on how much of the adverse attention is merited, as opposed to feeding-frenzy – but having just heard Google’s Alma Whitten present at the Trust in the Information Society conference this morning, some of the news items did have a little more resonance than usual.
First, a quick note to the Marketing Dept at Google: Alma has certainly taken the corporate messaging on board. The phrase “organizing the world’s information and making it accessible and useful” occurred more than once, believe me.
Hence the first hum of resonance, when I read that a number of bloggers on Google-hosted services have had their blogs summarily removed, archives deleted etc., for alleged violation of terms of service relating to music copyright. According to the article, some of the blogs were in fact only publishing music with the consent (and in some cases outright collaboration) of the artists and/or publishers.
Far be it from me to play devil’s advocate, but one reply might be that Google is only doing its best to winnow out offenders in the interests of copyright holders. The trouble is, that sits ill with Monday’s Radio Five Live programme about the Google Books project; in that broadcast, several authors made the argument that their work had appeared without their consent on the Google Books project (copyright page and all), and expressed their fundamental objection to the notion that they should be required to opt out explicitly if they wished their (prior and existing) assertions of copyright to be honoured.
So, is this just Google being “damned if they do and damned if they don’t”? Or does this illustrate that if you want to either re-publish copyright works or prosecute copyright violations on the scale to which Google aspires, a blanket approach will always fail?
And so to resonance number three: those authors who objected to the implicit opt-in are unlikely, on that basis, to be signing up for Google’s new Buzz service. Molly Wood gives a damning analysis, here, of several of the ways in which that, aggressively and by default, assumes a comprehensive opt-in on the part of the user. From what she says, in a number of instances that assumption goes well beyond the reasonable[*].
As I say, I’m not going to pass judgement on whether this is just the media laying into their favourite whipping-boy of the moment, but I think it’s legitimate to ask how these anecdotes contrast with some of the stated aims, goals and indeed values which Google professes.
As I heard repeatedly this morning, Google wants to innovate and satisfy user requirements. On the face of it, who could argue with that? But innovation is not sufficient justification for compromising users’ privacy. And in that respect, there is an absolutely critical difference between satisfying the requirements which users apparently express via whatever privacy-related options they may be offered, and satisfying the requirements which lead to the privacy outcomes which users would choose if they were in a position to do so.
In a piercing analysis, Mireille Hildebrandt of the Vreie Universiteit Brussel pointed out that a user’s behaviour (and the data that implicitly discloses) often reveals a far more accurate picture of their real attitudes than are their answers to questions about what they want. Why’s that relevant here? Well, because if you give users the option of not explicitly disclosing personal information (for instance, name, address and so on), but you collect (and even anonymise) behavioural data without giving the user the ability to opt out of that, you have created an illusion of privacy-respecting choice while in fact providing no such thing.
In other words, users’ behaviour may be at odds both with their stated preferences and their best interests. It might sound as though I’m calling for data custodians in general to adopt a very paternalistic attitude towards user privacy – but I’m not. What I am calling for is a much more mature approach to the responsibilities which data custodians take on, when they gather data which users don’t even know they are disclosing, and which reveal things about the user which they may not even be aware of.
I’ve posted and ranted elsewhere about the inadequacy of the term ‘ownership’ to describe our relationship to data about ourselves, and that is as true here as anywhere. I’m not calling for data custodians to take (or relinquish) ‘ownership’ of such data, and I’m not calling for ‘ownership’ of it to be assigned to the data subject. But I do think there needs to be a lot more transparency in the following areas:
– what data is collected about users, either explicitly or (more important) implicitly;
– what categorisations and inferences are made on the basis of that data;
– what actions are taken, which affect one user, on the basis of inferences from data about other users;
– what rights a user is assumed to have concerning data about them;
– what responsibilities a data custodian is assumed to have regarding that data and those rights.
Admittedly, this is a long way from anything you would find in the current generation of Privacy Statements and Privacy Policies (let alone privacy laws) – but that doesn’t mean we shouldn’t be seeking to improve as we eye the next generation of privacy measures.
As the European Commission, the OECD and other bodies review the current set of Data Protection Principles, these are among the questions they should be seeking to address. Frankly, the initial reaction suggests that Google Buzz has set off in entirely the other direction.
The mission statement of “organising the world’s data…” is a goal which sets Google up to have a lot of stakeholders – and individually or in aggregate, those stakeholders have rights and expectations which deserve to be satisfied. “The world’s data” is not a privacy-neutral concept, and “organising it” is even less privacy-neutral.
The danger of favouring commercial objectives over the other stakeholder rights is that it creates the impression of selling out, rather than shouldering the responsibility of satisfying the non-commercial stakeholders to the appropriate degree. Rudyard Kipling described “Power without responsibility” as “the prerogative of the harlot”. That’s not an alluring brush with which to be tarred…
*[A further brief update: the introduction of Buzz, in its simplest form, consists of a ‘splash screen’ as you log into your gmail account. This offers you the choice of “Trying Buzz” or “No thanks, just take me to my inbox”. Simple enough – except that if you choose the latter, Gmail will turn Buzz on anyway. I’m at a loss to understand why that is the appropriate unilateral action for Google to take, especially after clearly giving the impression that you have already opted out.
It cannot be good practice that we have to rely on third party sources to instruct users on how to disable the Buzz service. Nor, surely, can it be good practice to turn the service on, by default, before the user even gets a chance to turn it off.]