ghosts in the machine: Google

Showing posts with label Google. Show all posts

Tuesday, September 9, 2008

Google Responds to Privacy Concerns with Chrome

Google plans to anonymize the IP addresses and cookies that track users when they enter search terms or URLs into Google’s new browser, Chrome.

Privacy advocates have been concerned about the potential of the browser to allow Google even more ability to track users’ online habits and develop extensive user profiles.

Electronic Frontier Foundation technologist Peter Eckersley says: “We're worried that Chrome will be another giant conveyer belt moving private information about our use of the Web into Google's data vaults. Google already knows far too much about what everybody is thinking at any given moment."

Google also plans to anonymize user IP addresses nine months after they have been collected.

Regulators and policymakers have been scrutinizing Google’s privacy practices for the past year, and this seems to be yet another example of the company’s lack of attention to privacy and failure to fully disclose how data will be used.

Image by Randy Zhang

Tuesday, August 21, 2007

Andrew Feldmar on the Colbert Report

Back in April, I wrote about Canadian researcher Andrew Feldmar, who was held at the border and subsequently barred from entry into the U.S. because a border guard googled his name and discovered he'd tried LSD in the name of scholarly research over 30 years ago.

Last night, the Colbert Report submitted a "Nailed 'em" report on Feldmar's story, which you can view today on the show's website. Today, the Tyee published an account by Feldmar's son about filming the episode, which in typical Colbert style points out the lunacy behind a policy that would bar from entry into the U.S. a respected researcher who has never been charged or convicted of a criminal offense.

Wednesday, July 25, 2007

Ask.com and Microsoft call for privacy standards

According to PC World, Ask.com will be the first major search engine to offer an anonymous searching option to users. Their new AskEraser feature will give users the option to request that their search data not be stored.

This is in stark contrast to Google’s recent announcement that they will reduce the time they save search data from over 30 years to “only” two years. In spite of Google’s voluntary reduction in cookie life, European privacy experts, among others, have soundly criticized the lifespan of Google’s cookies:

"Compared to the previous lifetime of 30 years, the period of two years seems to be short," Schaar wrote in an email. "But from a data-protection perspective, and considering the fact that the user's search behaviour is recorded and can be analysed for any purposes, this period is still too long."

Meanwhile, Microsoft has joined Ask.com in calling on technology leaders to find a way to meet their need for advertising data without compromising user privacy:

"The first step is, we'll be in contact with all the other players in this space and talk about what a summit might look like," said Cullen. "We're very happy to host it, if that's the answer ... both Microsoft and Ask.com think that this is the time to make this happen."

Microsoft is planning to allow users to opt out of having their search data used to generate targeted advertising on Microsoft's Web sites, and under a new privacy policy, plans to scrub all search query data of any user-identifiable information after 18 months. While this is in part a shot at Google, it is encouraging to see some leadership within the industry to safeguard the privacy of their users’ search data.

The ability to search anonymously is essential in allowing individuals to explore any area of inquiry without fear of discovery or retribution. When companies track user data, their primary motivation is to inform their decisions about advertising. The abuse of search data has additional implications if the data is merged with that of advertisers, as I wrote in an earlier post about the proposed Google and DoubleClick merger.

When search data is breached, the consequences could be far more serious than mere embarassment. About a year ago, AOL inadvertently released the search data for about 650,000 searches on their site and New York Times reporters were actually able to identify one of the searchers. Breaches of this magnitude and specificity could ruin careers and reputations, while creating a chilling effect on the exploration and sharing of ideas over the Internet.

Google needs to stop hedging on privacy and get on board with this initiative.

Monday, May 7, 2007

Shooting the messenger : Taking the Internet to court

Just for a moment, put yourself in the shoes of these two men:

Case No. 1: You’re just an average guy who meets a nice girl and you begin dating. After a few months, the new relationship sours and you decide to move on. But your ex-girlfriend doesn’t move on. She is angry and decides to warn everyone about you on a website called dontdatehimgirl.com. Using an anonymous username, she posts a photo of you, along with your full name, city and state and writes an invective-laden comment, accusing you of being a herpes-infected homosexual or bisexual, who passed on a sexually transmitted disease, and fathered numerous illegitimate children. You ask the website owner to pull the post, but learn that your only recourse is to post a comment as rebuttal to the offending post. The original post will remain, searchable to anyone who accesses the site, just by looking up your name.

Case No. 2: You’re a prominent businessman, with clients primarily in the legal and judicial profession. You decide to join a fledgling political party and soon become the party’s campaign manager and financier. You make some decisions that aren’t popular with some of the party members and they use websites such as Wikipedia and P2Pnet to criticize your decisions. But some go further, posting anonymous statements which you maintain are untrue and which you fear will seriously damage your professional and political reputation. You ask the site hosts to remove the offending posts, but they are either unable or unwilling to comply with your requests, or they do not comply quickly enough.

What would you – what could you – do next? Ignore the posts? Put up your own website to refute the libelous statements against you? Try to track down the anonymous posters and sue them? Or, sue the site hosts?

In both cases, the men at the centre of these attacks decided to fight back in court by suing the site hosts.

In the first scenario, Todd Hollis took the owner of website dontdatehimgirl.com, Tasha Cunningham to court for allowing the posts in the first place and for refusing to pull them down. (Shout out to one-eyed view for bringing this site to my attention. He has an interesting post about it here). The factors leading to the judge’s decision to dismiss the case were not about the damage that may have been done to the plaintiff, nor about the fact that Ms. Cunningham is merely the messenger, not the originator of the message. The decision was made based on old-fashioned jurisdictional law: because the website originates in Florida and the lawsuit was filed in Pennsylvania, it was determined, through statistics from the site’s on-line shop, that few people in Pennsylvania would have seen the site. Therefore, the contacts in Pennsylvania were limited. It seems the door is open for Hollis to re-file his suit in Florida. In the meantime, he is planning to sue the woman who anonymously made the posting, which remains to this day on dondatehimgirl.com.

In the second scenario, Wayne Crookes decided last month to file suit against three sites: Google, P2Pnet.net and openpolitics.ca. Because Crookes is Canadian, this case has been filed in British Columbia, Canada. In a recent interview with the Globe and Mail, Crookes says that he is holding the site hosts responsible for the offending anonymous posts:

"I hope that the outcome is that people will realize they have obligations
and that they will be forced to accept responsibility for their actions. The
larger the organization, the greater the expectation that they will be held
accountable for their actions."

Both of these cases have wide implications for site hosts, free speech and anonymity.

Already, the Wikipedia article about Wayne Crookes has been all but expunged to the point that it is challenging to find the posts which ignited the lawsuit in the first place. What chilling effect will this particular lawsuit and others like it have on site hosts, as the laws vary from one jurisdiction to another?

Will more individuals feel less inclined to put their names to posts, even if they strongly feel they are serving a wider public good? Should there be a looser set of criteria for libel if one is a public figure, working in the public trust, such as Mr. Crookes, versus a more rigorous standard for the average citizen, like Mr. Hollis?

Anonymity on the internet is essential to giving a voice to those who might otherwise be silenced. We don’t all live in truly democratic nations, and the Internet is a global community. Even in Western democratic nations, whistleblowers still need extraordinary protections if they choose to go public.

It will be interesting to follow these two cases on both sides of the border – one private citizen, one public figure. How will the judges decide what is more important – the greater good, or the rights of the individual? The odds seem to favour the greater good, which will likely be small comfort to Mr Hollis and Mr. Crookes.

Just put yourself in their shoes.

Monday, April 23, 2007

Google-DoubleClick Merger Privacy Threat

From Reuters:

Consumer privacy groups on Friday sought to derail Google Inc.'s $3.1 billion deal to buy online ad supplier DoubleClick Inc., filing a complaint with U.S. regulators to block the merger on privacy grounds.

Groups led by the Electronic Privacy Information Center have filed the complaint with the U.S. Federal Trade Commission arguing the merger would violate agreed limits on how much data advertisers collect on consumers and seeking an injunction.

"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," the complaint by the privacy activist groups argues.

DoubleClick provides graphical ads from corporate marketers on thousands of sites across the Web. With the proposed merger, Google would emerge as an even more powerful force in the online ad market. Both Google and DoubleClick are denying that their data tracking capabilities would also be merged.

EPIC, along with the CDD (Centre for Digital Democracy) and US PIRG (Public Interest Research Group) are concerned about Google’s ability to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The complaint urges the Federal Trade Commission to require Google to present a public plan to comply with well-established government and industry privacy standards such as the OECD Privacy Guidelines. The OECD guidelines include a fundamental principle of openness:

There should be a general policy of openness about developments, practices and
policies with respect to personal data. Means should be readily available of
establishing the existence and nature of personal data, and the main purposes of
their use, as well as the identity and usual residence of the data
controller.

EPIC led the move in 2000 to prevent DoubleClick from automatically combining data from a national marketing database it had acquired and its own anonymous data collected from the computers of Web surfers. DoubleClick eventually backed down and provided users with an “opt-out” option.

Corporate mergers of this type are a serious threat to privacy as search histories and web site visits could be combined, allowing an individual's activities to be tracked across a wide range of websites. In the U.S., the only law that specifically regulates privacy applies to children under the age of 13. EPIC is urging strong privacy legislation, similar to that in the EU and in Canada.