May 26, 2007

Google, Privacy, the EU, and a Question of Attitude

Greetings. You may have heard that the European Union Article 29 Working Party, which deals with privacy issues, has recently sent Google a letter asking for "clarification" of their data retention policies and related matters. While the chairman of the working party seemed to express significant support for Google's position, it's increasingly clear that individual member countries have their own not always identical privacy concerns.

There are reasonable arguments on both sides of the equation when it comes to search engine privacy. When Google recently announced some positive changes in their retention policy, I applauded this publicly as a good first step, though the amount of Google-retained data still potentially linkable to individuals is vast.

But in reports of Google privacy chief Peter Fleischer's comments relating to the EU query, a bit of the old Google "arrogance" is starting to push through, and this is not to Google's long-term advantage. Peter and I have had cordial communications in the past, and he's a good guy. Obviously, I have had differences with Google regarding their data retention policies in particular. I have never asserted evil motives by Google, rather, my main concern is that their policies may enable others to do evil with Google collected data.

My proposal a year ago for a Google Privacy Initiative didn't seem to have much impact at the time, nor did related calls for a broad, industry-wide approach for dealing with these issues.

Google's Peter Fleischer now appears to be pushing for a single global approach for data protection and a global privacy treaty:

"We as a company have a single approach to privacy right across the world. We can't run a system that has different privacy levels for, say Google.com and the Dutch site Google.nl -- that would be crazy... So if we can do it why can't policymakers?"

As attractive as such a concept might be in theory (but only if that single approach were strong enough in terms of protecting privacy), I suspect that it is unrealistic. And that's where that touch of Google arrogance I mentioned above comes in, and it's a problem a lot of techies share (and as a techie of long standing myself, I'm not entirely immune either!)

It's natural for technologically-oriented people to see straightforward, logical, encompassing approaches to dealing with problems. That's part of how advanced technology is thought up and engineered.

But when we try to map that attitude onto the non-technical world, we can easily step into the quicksand of decidedly non-technical human emotions and concerns. In particular, the key aspects regarding the very concept of privacy vary widely around the globe. For that matter, they vary significantly among the different states here in the U.S., and even between different courts at the state and federal level.

This suggests that a formal "one world policy" when it comes to privacy is unlikely to be formulated and/or maintained, though individual subtopic agreements regarding particular forms of data transfer and the like are always possible.

By seeming to push for the governments of the world to conform their privacy views with Google's technological approaches, I believe that Google is setting a very high bar that diverts us from more achievable goals of better protecting user data while preserving its value for Google and other search engines. In essence, Google seems to be saying that it wants the world to change to match what Google wants to do, rather than Google adjusting to the world's privacy sensibilities. This is probably not a winning position in the final analysis.

Apart from the current EU query, which I don't suspect will end up being a particularly big issue, there are much more serious privacy-related threats to Google's current business models waiting in the wings at the hands of legislators and courts, and these will be pulling at Google from the opposite extremes of demanding both stronger and laxer privacy protections in particular contexts. Talk about being between a rock and a hard place.

Peter Fleischer makes some excellent points when he notes the difficulty of meeting a widely disparate range of privacy rules. He's right, but that's the ball game right now, and there are legitimate reasons for those disparities in many cases. We should work toward harmonization where appropriate, but that's likely to go only so far. Peter also called on Yahoo! and Microsoft to clarify their data retention policies and practices. I completely agree with this call, though as the industry leader and trendsetter by far, it's obvious why the spotlight tends to stay firmly affixed on Google.

Speaking of policymakers and the global debate over privacy, Peter also said:

"We need to start talking now. We in the industry have to start the debate."

Many of us have been calling for just such a debate and discussion for years. We're well past the time when this dialogue should have been initiated. The privacy dilemmas now facing Google and other Internet services have been long predicted, and specific palliative approaches have been suggested from various quarters but generally ignored by the major players.

That's history, and it's tomorrow that must mainly concern us when it comes to such issues, not yesterday. So perhaps the time is finally right for really reaching the core of both the technological and non-technological aspects of privacy at Google, and at their competitors as well, around the world.

Let's get to work.

--Lauren--

Posted by Lauren at May 26, 2007 09:10 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein