At the Crossroads of Media, Culture and Technology

What the New Privacy Policy at Google Really Means

Gus Hosein is the executive director of Privacy International, a leading international watchdog organization regarding privacy and technology policy reform.

Within thirty seconds of the BBC publishing a quotation from me on the latest round of the nymwars and Google+, my phone rang. Caller ID indicated that it was my colleague at Google. “Had I said something wrong?” was my first thought. I quickly retraced in my mind what it was that I had said to the journalist; I had responded in the article that Google’s recent announcement could be seen as positive but really it was a sidestepping of the larger challenge of identity management. Yes, I’m surprised that the BBC printed the quotation too. Must have been a slow news day.

I answered the phone with trepidation, wondering if it was something I had said. Then I learned quickly that no, it was something that Google had done. It felt like 2010 all over again, that terrible year when Google released Buzz. And announced WiSpy. And countless ridiculous statements from Eric Schmidt

This time Google announced that they were only merging their privacy policies under one single policy. This was the small development. This is not a good idea for so many boring reasons that most people won’t quite understand. People don’t read privacy policies. They are almost always inane statements of things that we are not meant to understand unless you are a privacy geek or a lawyer. What I liked about Google’s previous myriad of policies, and other organizations with detailed policies, was that if you cared enough to read it you could find out exactly what Google was doing with your personal information. By bringing them altogether under one regime, the risk of vagueness increases. A privacy policy may become even more pointless for everyone involved.

But the main development from Google, and linked to the nymwars announcement, is that this was all about identity management.

Desktop Deviation
In the world of the desktop computer, you have an operating system that cares not about who you are. It just asks if you have the privileges to install new applications, make core changes to the operating system, etc. Identity is meaningless.

In turn, you run applications. Your email client allows you to have multiple email addresses, and in turn multiple identities. I have three different accounts; I know people with many more (work, play, clubs and hobbies, etc.). Then you have a calendar — or like many people, many calendars (again, work, play, clubs, family, friends, etc.). These apps don’t really care about who you are, but the servers involved may: for instance, your work email server may care that you are the employee you purport to be before letting you download information.

In essence, you are the master of your domain and can have as many identities as possible. You can even set up multiple users on your computer. Your operating system may know the links between your identities, but it really doesn’t care. But Google does care, and this is the real change that is occurring.

Google’s Ambition
Google is trying to move everything off your desktop. This is not necessarily problematic, though it does raise some security and privacy implications, but I’m not going to belabor those, at least not on this occasion.

Where Google is going wrong is that it wants all these identities to be merged into one single identity: you. Previously, you had a Gmail account; and separately at YouTube account, Buzz, G+. Now they want one policy and one identity to rule them all. They believe there is only one you, and that they need to know it.

I’m not saying necessarily they want your rank, file and serial number. In a sense, this was resolved slightly with the announcement last Monday that Google+ would permit you to have a pseudonym. But they still expect that beneath that nickname, Google will still know you.

Yes, you can fake your name. But this isn’t about your name. It is about your identity. Google is imagining a world where you only have one identity at the core of everything. And they want to know that core: that beneath that nickname, there is someone who’s interests they know based on your emails, searches, locations, friends, etc. Across all their platforms they want to treat you as a single person. Sure you can have multiple email accounts, multiple calendars, etc., but they want to know the person behind it all.

My computer cares not about who is behind all of the activities. But now your mobile phone that runs Android will signal to Google what you do; Gmail will signal what you do; when logged in, search will do the same, as will all the other products and services.

Google is doing this for two reasons. The first is obvious: they can better know what to advertise to you. This is not inherently a terrible thing, and they let you opt out if you want, or you can log out of some services if you like; and Google is notable for letting you have access to some of the data that they hold on you. It’s not like they’re a government and want to know everything about you, or create an ID card in order to monitor your activities.

Except, that this is the second reason: Google wants to be able to provide an ID card equivalent for the Internet. And there’s a reason why.

Blame Facebook
Facebook has been quickly moving to establish itself as the ‘identity layer’ for the internet. Want to log in to your favorite newspaper’s website? You can of course create a username and ID, or you can use your Facebook account. Spotify has done this as well. By doing so, Facebook can become part of the transaction. And Facebook can also know what it is you’re up to.

Facebook does want to know your name. And it will boot you off for not giving the right one. And Facebook believes anonymity is bad. This is because they want to advertise to you, and to know you. And they want to make billions of dollars doing so. Governments may be keen to identify internet users, but Facebook is actively changing the rules of the internet, for their own purposes.

Google wants some of this pie. After all, it can better know you for advertising purposes if it is involved in your interactions outside of Google’s services. Sure they know your email use, and your mobile phone usage; but they don’t quite know your wider use of the internet on domains they do not own. But if they were part of the authentication process, they could know ever more about you.

The most amusing thing is that 12 years ago Microsoft tried the same thing with its Passport. They wanted to hold on to all the keys for all your accounts, to make life easier for you. But nobody, for good reason, trusted Microsoft. How did Microsoft respond? They went off and started to do some fascinating research and product development on novel identity systems that empowered users, allowed multiple identities, selective disclosure, and resisted models where powerful central bodies oversaw all transactions.

But Microsoft knows best how to kill off good products, and so nothing much has happened with all that great research and development. This is where Google, if it is as smart as we all believe it is, can succeed: develop an online identity environment where there is no one central God overlooking every transaction, playing the role of authenticator in chief.

Unfortunately, so long as two of the enfants terrible of Internet privacy compete against each other for revenues and control, we’ll have to watch from the sidelines as bad ideas are embedded into key internet services and labelled as ‘innovation’. And in today’s environment, we can’t question innovation .

This post is categorized in: Social Media

5 Responses to What the New Privacy Policy at Google Really Means

  1. Pingback: What the New Privacy Policy at Google Really Means – Flip the Media « Technology « Direct Global Media

  2. (if it’s not obvious, then the necessary disclosure: the author of this post is my brother).

    I’m on Facebook. Google+. I use Android. None of this makes me happy. This week, I’ve been contemplating either dumping Facebook, or jettisoning my current profile and starting all over again with the barest of details. And now I have to think twice about my mobile OS. I probably knew this day would come with Android. But now I’m wondering whether the last remaining refuge is….Microsoft? A desktop with software on my hard drive and a Windows Phone?

    Or do we just throw up our hands in defeat and stick with whomever offends us the least and provides the most convenience?

  3. David Gerard says:

    Hanson – CyanogenMod. It’s an open source fork of Android without the Google accoutrements. A bit like running Ubuntu instead of Windows, but if you want to be free of these vampire ticks that’s what you need.

  4. Ryan Steeves says:

    Microsoft is positioning itself as the Google alternative.

  5. Shava Nerad says:

    I propagated this over on G+, being the somewhat loyal opposition, slowly turning into a gadfly. As execdir of Tor, I used to train people to use gmail to establish pseudonymous email to blog. Now I am somewhat horrified at that judgment. Obviously nothing is ever sure or secure in this world — “safety” is so often used as a binary myth to control behavior. Still.

    The point here is that if you want to maintain a nym you can never be 100% sure that Google will retroactively remove any promised privacy back to day one, and maybe later close a barn door and go oops! after the horses have been sold.

    Does that metaphor make things a little clearer?

    Let me elaborate. Say, you have company data on Google. It’s private, right? So if they can change their privacy policy at any time, retcon your contract with them as an individual, can’t they do that to you as a small business if it makes better sense to them to sell you maybe sloppily aggregated anonymized data on short notice off Docs or Apps to your larger competitors?

    If they gave you 30 days notice, could you move your company off their cloud and would you understand why you should? What would it cost you (consulting time, hw/sw, staff, servers, saas,…) to move?


    What’s evil about giving people notice they don’t understand fully?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>