A while back I wrote a piece in which I expressed concerns about how Google might use data it has on individuals, and suggesting that I and perhaps others have hit their “Google saturation point.” The post elicited alot of comments, including Matt Cutts of Google, who promised to respond with some policy clarifications. Well, the response got stuck in his mailbox, but he just posted it now. Here is the highlight:
For example, our internal user data access agreement explicitly mentions that Google employees are not allowed to try to access data on any public figure, any employee at a particular company, or any acquaintance. To do so would be grounds for immediate termination. So for the case that you’re worried about (running a start-up using Google’s tools), we have mechanisms and policies in place that specifically protect your privacy in that situation.
But…this allows them, from what I can tell, to access information on anyone who is not a “public figure, any employee at a particular company, or any acquaintance.”
The way it’s worded, it seems to be pretty easy to get around. “Hey Joe, do you know Battelle?” “No, who’s he?” “Never mind, can you just go check out his files for me?”
Anyway….
BTW, The search on your site is broken, was trying to search of your last past by KW and I get a MoveableType error!
Also, when was the last time a “policy” stopped someone from doing something they were motivated to do. Just like the 55 MPH policy on the interstate keeps from going 70.
Google needs to design their system (data storage) to protect *us* from *them*.
I’ll give you my quick/unofficial impression, which is that this would still go against the user data access agreement and be grounds for being fired. Google takes the privacy of our users really really seriously, because we know that users have to trust Google to use it often. I’ll be happy to check for an official response though.
Now I want to ask a follow-up question. 🙂 The reason for your original post was that you decided not to go with Google Calendar. Several months down the road, I was curious: did you stick with a desktop program for your calendar, or go with something web-based?
Hey Matt, no, so far, using a calendar system that syncs with BBerry and Mac, our folks said Google Cal is not robust enough yet…but I imagine it might be soon if not already…
I believe that the data on the “ordinary” user is pretty safe with google, at least in most countries.
But I can imagine that as we perform our daily search on people we meet or communicate with, Google may do their “internal” search on competitors and possible threats to their business model ;)?
Data Mining Blog, the internal access agreement that says “Google employees are not allowed to try to access data on … any employee at a particular company” is exactly what would protect and prevent against any sort of abuse. Accessing Google-stored data that belongs to a competitor would be grounds for immediate termination.
how many employees have been terminated, maybe zero. is that agreement applies to decision makers / executives?, the real threat is from top executives
‘Accessing Google-stored data that belongs to a competitor would be grounds for immediate termination’
if this is true, brin is the first one to go
I’ve got to go with Johnny Fry on this one – if my privacy is violated it doesn’t do me any good that Google will fire that person. If I’m reading Matt’s responses correctly, Google is even scarier than I thought. I figured through encryption or other security measures, Google employees would not be able to access this type of data. Firing after the fact (assuming the act is even discovered) is pretty much the weakest security system I can think of and certainly does not “protect and prevent against any form of abuse” as Matt claims. I’ve got to believe he’s smarter than that comment. And yes, I canceled my Facebook account last year.
Ultimately, it comes down to a judgment call. From CEO all the way down chain, *someone* eventually makes a judgment call on what *they* think is right and what *they* think is wrong.
It’s the same situation that GOOG ran into with doing the China deal. I’ll leave my personal opinion, just that – personal. But at some point someone had to make a call that they thought doing the China deal was *right*. It was the *right* thing to do – maybe morally, maybe from a business standpoint – I don’t really know. But someone within the walls of Google said it. They made a judgment call.
Think about some of the things you’ve typed into Google over the past 8 years. What if someone saw that? What if your wife, or mom saw that, what if your boss saw that, what if your kids saw that? Really stop and think about it – what if one bad apple in the GOOG compromised everything you have ever typed into that unassuming textbox at http://google.com. Maybe on accident, maybe purposely – but *what if* that information got out. It is really quite plausible, I would even fancy to say *inevitable*. Remember when your contact list got exposed in GMail, and all it took was a single script tag to snake off people’s *entire contact list* from GMail. Humans will continue to prove to be exactly that, fallibly human.
There are solutions to the problem at hand.
1) Encrypt all stored data with a key only the user knows. This eliminates the ability to do “offline” data mining for Google – but it would protect your deepest darkest from the start pipe to the end pipe. The NSA (is supposed to) use a similar technique – doing frequency analysis and pattern decomposition, you can put together a broad picture from the sum of the *anonymous* data. Another, similar, approach here would be to require certificates on each client machine – then the data is only decrypted once it reaches the end-pipe. Both of these are complex, make no mistake, but we’re thinking pie-in-the-sky here anyways.
2) Not store search data. Pretty self explanatory – you can’t disclose what you don’t have.
3) Only store anonymous data. I think Tivo has a similar approach.
Anyone have other solutions?
Erik,
“I figured through encryption or other security measures, Google employees would not be able to access this type of data”
Google’s 99% income comes from ad, they can’t display targeted ads if the data is encrypted
Johnny Fry,
“Anyone have other solutions?”
Google could provide a scanning tool, users should have the ability to run it in his machine to get a list of keywords. Then user can encrypt the data and send the encrypted data with keywords to Google. Now Google got keywords for advertisement, users got better security.
I don’t know, Google health service is encrypting health records or not but uses SAME userid/password that we use for other Google services.
Saran-
Google targets its ads on the content of the search query or the content of the page a user is on, not on the identity or demographics of the user. You are totally off base on that comment. And even if Google did target on the demographic (which they typically do not), they wouldn’t need to tie an identity to a demographic.
Naked we are
when we come to this world
A first photo is up
on name.blogger.hot
Smartass posts on
hack-forum dot gully dot net
is it wrong o_^? to express
your political bet?
Stupid groups joined on facebook
or on AbmahnVZ
Awkward feeling
explaining the profiles to Matt
Once in business
you hope,
work and think like a tank
Feet make steps,
steps form trails
…
Every doubleclick noted,
matched and sorted and stored
Yeah! Those harddisks indeed
never ever get bored!
Naked we are
yet again, once again
when we set off to go
that untraceable track
The last picture is taken
for forensics and stuff
Information can’t ever
be really ENOUGH!
What lasts is an image
yet blurry and gray
that gets sharper and flashy
once the heir gets the key
Google’s personal_healthcare_gmail_brainwave_GUID
gets an upgrade to version Generation_2b
(c) or something by Iwan Uswak 😉
Erik,
I said it for sensitive data that we store in google servers, for example: Sensitive Emails, Docs, Health records etc.
Encryption for search queries? This is going to be a dream. ask.com is doing little better in this case.
“even if Google did target on the demographic (which they typically do not), they wouldn’t need to tie an identity to a demographic”
1) IP = local ads
2) mobile + gps = mobile ads, for example, when you are going across dunkin donuts.
A widget ad would pop up in your mobile and tell you… “hey Erik, its coffee time!, get any size FREE coffee with donut”
3) Mall robots + mobile + gps = http://www.wipo.int/pctdb/en/ia.jsp?IA=US2007072578&DISPLAY=DESC
Google previously said
“IP does not say who you are or exactly where you are..” –
Google today said
“Sometimes an IP address can be considered as personal data and sometimes not; it depends on the context, and which personal information it reveals”
http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html
Tomorrow when we have ipv6, Google may say
“IP Address uniquely identifies any device (static), but not any person”
Google trying very hard to explain that they are not trapping.
Erik, of course we have a wide variety of technical measures in place to prevent abuse, in addition to our internal policies that limit logs access to a very small set of employees. If you’d like to know more, I did a declaration in the DOJ case a couple years ago. You can read the declaration here: http://www.mattcutts.com/blog/google-responds-to-doj-subpoena/ Section 8 is the most relevant, but you might enjoy other parts of the PDF.
curious Matt, is there an audit trail established of who accesses any data sorting by “an individual” – it seems to me you would need this, but it would also form a great alert system to protect the user – i.e., anytime an individual user view is accessed, it’s logged for audit AND for a privacy officer review.
just thinking out loud…
Thank, Matt. I have to give you a lot of credit for being so helpful on this and many other issues.
Data Mining Blog, the internal access agreement that says “Google employees are not allowed to try to access data on …
Don’t be evil! 🙂
another variant on the question to consider (and i hope you do): a narrative scenario presented in-situ:
my husband just died of suspicious circumstances. I do not trust the law enforcement agencies that Google has agreed to share data with because the situation is akin to ‘LA Confidential’. John, i’m wondering, is there any way I can get my husband’s gmail/docs/searches/health records/etc. from Google?
It may be possible to track individuals to some extent in countries where the computer and Internet penetration is high. How can one track individuals in countries like Philppines where most users use Internet cafes?
for the case that you’re worried about (running a start-up using Google’s tools), we have mechanisms and policies in place that specifically protect your privacy in that situation
When my startup was in an early stage of due diligence talks with Google a couple years ago, I was surprised when they indicated they already knew how much revenue my startup was getting from Google AdSense.
However, I do not know if they got that knowledge from accessing my AdSense account or somehow got it from elsewhere.