Copyright 2005-07 1 and Privacy Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor, Department of Computer Science, A.N.U. and in Cyberspace.

Copyright2005-07

1

and Privacy

Roger ClarkeXamax Consultancy Pty Ltd, Canberra

Visiting Professor, Department of Computer Science, A.N.U.and in Cyberspace Law & Policy, U.N.S.W.,

and in eCommerce at Uni. of Hong Kong

http://www.anu.edu.au/people/Roger.Clarke/…

…/DV/Googacy-070919 {.html, .ppt}

ANU DCS – 19 September 2007

Copyright2005-07

2

Google and PrivacyAgenda

Privacy

Google’s Business(es)1 A Search-Engine2 Content-Discovery

Services3 Content Services4 Data about Users

Privacy Protections• Consumer Protection

Law• Privacy Protection Law• Privacy Policy

Statements• DIY

Google Mythology

Copyright2005-07

3

Privacythe interest that individuals have in

sustaining a 'personal space',free from interference

by other people and organisations

Privacy Protectiona process of finding appropriate balances

between privacy and multiple competing interests

Copyright2005-07

4

Privacy cf. Data Protection• Dimensions of privacy interest:

• The Physical Person• Personal Behaviour• Personal Communications• Personal Data

• Motivations for protecting privacy:

• Psychological• Social• Economic• Political

Copyright2005-07

5

‘Research Your Next Appointment’

• Their Site(s)/Blog(s)• Event Programs• Committee Minutes• Letters to the Editor• Postings

• email-lists• fora• blogs

• Logs (e.g. in court)• IAPs• ISPs• own machine

• Media Reports• as subject• as reporter• as commentator• as bystander

• 'Public Records'• Court Reports• ‘Little Black Books’• Commercial Databases• Dead Pages, from the

Wayback Machine• Specialist Sites, e.g.

Zoominfo.com, Spock.com

Copyright2005-07

6

Privacy Threats from Open Information

Discoverability• Data• Associations• Location• Habits

Consolidation, e.g. for:• Profiling• Manipulation• Character Assassination

Data Quality Problems• Out-of-Date• Incomplete• Acontextual• Inaccurate• Scurrilous• Spurious

Second-Round Effects• More Data Retention• More Data Capture

Copyright2005-07

7

SpiderCrawleror Robot

IndexerIndexor

Concordance

Phase 1 - Crawlingand Indexing

Phase 2 - UseCache TheInternet

SearchEngine

Operation

Copyright2005-07

8

Google’s Business(es)1. Content Discovery Services

• The Largest Coverage (size of the Reference List)

• The Smartest Precedence Algorithm (the sorting part of the Results Formatter)

• The Fastest, Simplest, Best? Search-Service (a UI for normal people, not specialists)

• Multiple Constrained Searches (images, blogs, Froogle)

• Multiple Extension Services (Answers, Scholar)

froo·gle (fru'gal) n. Smart shopping through Google

Copyright2005-07

9

Google’s Business(es)2. Content Services

• Google Earth• Google Base• Google Video /

YouTube• ...

• Google News • Google Library /

Print• ...

Copyright2005-07

10

Google’s Business(es)3. Data about Users

“We are moving to a Google that knows more about you”

Google’s CEO NYT, 10 Feb

2005

Round 1• Search-Terms• IP-address(es)• Click-Trail• Click-Throughs

Copyright2005-07

11

Google’s Business(es)3. Data about Users

“We are moving to a Google that knows more about you”

Google’s CEO NYT, 10 Feb

2005

Round 1• Search-Terms• IP-address(es)• Click-Trail• Click-Throughs

Round 2• Google Accounts:

• Email-Address as Username

• A Common Cookie

Copyright2005-07

12

Email – Long-Term Risk Exposures

Both Parties’s IAPs:• IP-address(es) used, disclosing location, trail• Authorised / unauthorised disclosure,

with/without notification• Traffic data retention, message retentionMail-Recipient’s ISP:• Access to, and use of traffic• Access to, and use of content• Authorised / unauthorised disclosure,

with/without notification• Message retention after downloadISP Mail-Hosting / Webmail• Message retention, long-term

Copyright2005-07

13

– Yet More Risk Exposures

Gmail Subscribers• Targeted Ads based on text from senders

=> consumer manipulation• Correlation with Data from Other

Services

Copyright2005-07

14

– Yet More Risk Exposures

Senders to Gmail Addresses

• Examination of Text• Long-Term Retention• Consolidation

with Other Sources• Long-Term Unauthorised

Disclosure• No notification of

disclosures

Senders Generally• Postings to Lists

if even a single subscriber is a Gmail account

• Forwards to Gmail accounts

• Forwards to Listsif even a single subscriber is a Gmail account

Copyright2005-07

15

Copyright2005-07

16

EPIC on Gmail• No Non-Subscribers Consent

to content extraction• Unlimited Data Retention• Profiling across Google

product line• Harms expectation of

privacy• Insufficient privacy policy• No data protection on

sale of company or change of company policy

http://www.epic.org/privacy/…… gmail/faq.html, August 2004

• Gmail is a privacy disaster• Google is engaging in

indefinite data retention• Google has publicly

stated it will not discuss law enforcement requests for personal information

• We have no idea how Google responds to law enforcement, nor how many requests have been received

private email from EPIC, 8 Dec 2005

Copyright2005-07

17

v. 1 – October 2004

Search Within Your Own Computer“A desktop search application that provides full text search over your email, files, music, photos, chats, Gmail, web pages that you've viewed, ...”(cf. Apple’s Sherlock 1998, later Spotlight, and many third-party products for Wintel)It allows people to scan their computers for information in the same way that they use Google to search the web

http://desktop.google.com/about.html

Copyright2005-07

18

v. 3 – 9 Feb 2006

Search Across Your ComputersBUT“In order to share your indexed files between your computers, we securely transmit this content to Google Desktop servers located at Google”

cf. MS Passport data, centralised at Redmond WA

http://desktop.google.com/...features.html#searchremote

Copyright2005-07

19

Would you trust this product ???Terms:

http://desktop.google.com.au/mac/install.html

Privacy Policy:Protecting users' privacy is very important to Google and the Third Parties. As a condition of downloading and using the Software, you agree to the terms of the Google Pack Privacy Policy ..., which may be updated from time to time and without notice.

No Read-Me File accompanies the download.There are no explanations as to how to de-install.It appears that the default may be set to

Promiscuous:http://desktop.google.com.au/en/mac/gettingstarted.html#prefs shows 'On'

Copyright2005-07

20

– Google’s ‘Social Networking Service’

• Requires a Google Account …• Is linked to Gmail ...• Profiles of Members are:

• Self-Captured• Unauthenticated

• Profiles of People Nominated by Members:• Captured by Members, e.g.

by upload of their address-books• Unauthenticated• Without Consent

• Discloses Traffic• Discloses Social Networks of Members and Non-

Members

Copyright2005-07

21

Google’s Business(es)3. Data about Users

“We are moving to a Google that knows more about you”

- Google’s CEO NYT, 10 Feb

2005

Round 3• Gmail• Desktop• Desktop v.3• Orkut

Copyright2005-07

22

Google as Wireless Internet Access Provider

http://www.techworld.com/mobility/...features/index.cfm?featureid=1837

Acceptance of Google’s tender confirmed 5 April 2006

Copyright2005-07

23

12 Months Later ...• WinterGreen Research, Inc. April 2007

Earthlink and San Francisco have finalised a Wi-Fi contract. The contract enables Earthlink to build a citywide wireless services network and Google to provide free Internet access

But, 4 Months After That ...• Blow as two ‘Muni WiFi’ schemes fail

Financial Times, 31 August 2007The San Francisco scheme … fell apart on Wednesday night after Earthlink, the [ISP], said it was pulling out of a contract to build the city’s WiFi network

Copyright2005-07

24

Doubleclick

• Major Site-Owners let ad-space to DoubleClick• DoubleClick gathers data about all traffic

to all such sites, resulting in consumer profiles

Copyright2005-07

25

Doubleclick

• Major Site-Owners let ad-space to DoubleClick• DoubleClick gathers data about all traffic

to all such sites, resulting in consumer profiles

Google AdSense• Minor Page-Owners let ad-space to Google• Google gathers data about all traffic

to all sites that are ‘AdSense affiliates’

Copyright2005-07

26

Doubleclick

• Major Site-Owners let ad-space to DoubleClick• DoubleClick gathers data about all traffic

to all such sites, resulting in consumer profiles

Google AdSense• Minor Page-Owners let ad-space to Google• Google gathers data about all traffic

to all sites that are ‘AdSense affiliates’

On 13 Apr 2007, Google bought DoubleClick

Copyright2005-07

27

New York Consumer Protection Boardhttp://www.consumer.state.ny.us/pressreleases/2007/may092007.htm

“the combination of DoubleClick's Internet surfing history generated through consumers' pattern of clicking on specific advertisements, coupled with Google's database of consumers' past searches, will result in the creation of ‘super-profiles’, which will make up the world's single largest repository of both personally and non-personally identifiable information”. [bigger than Acxiom?!]The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third parties, as well as public disclosure as evidence in litigation or through data breaches.

Copyright2005-07

28

Current Regulatory Investigations

http://www.epic.org/privacy/ftc/google/

• US Federal Trade Commissionhttp://www.internetnews.com/bus-news/article.php/3680266

• EU Directorate on Competitionhttp://ec.europa.eu/comm/competition/index_en.html

• Aust Competition and Consumer Commissionhttp://www.accc.gov.au/content/index.phtml/itemId/788097

• EU Data Protection Commissionershttp://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_21_06_07_en.pdf

Copyright2005-07

29

Google’s Business(es)3. Data about Users

“We are moving to a Google that knows more about you”

- Google’s CEO NYT, 10 Feb

2005

Round 3• Gmail• Desktop• Desktop v.3• Orkut

Round 4• Google as Wireless IAP

Gratis (i.e. ad-funded)• Ad Syndication (AdSense)• Consolidation of the

Consumer Profiles held by DoubleClick and Google

Copyright2005-07

30

Google’s Business(es)3. Data about Users

“We are moving to a Google that knows more about you”

- Google’s CEO NYT, 10 Feb

2005

Round 3• Gmail• Desktop• Desktop v.3• Orkut

Round 4• Google as Wireless IAP

Gratis (i.e. ad-funded)• Ad Syndication

(AdSense)• Consolidation of the

Consumer Profiles held by DoubleClick and Google

Round 5• Psych profiles from

online gaming• Face Recognition

in Image Search• Street View• Facebook profiles• ...

Copyright2005-07

31

Google and PrivacyAgenda

Privacy

Google’s Business(es)1 A Search-Engine2 Content-Discovery

Services3 Content Services4 Data about Users

Privacy Protections• Consumer Protection

Law• Privacy Protection Law• Privacy Policy

Statements• DIY

Google Mythology

Copyright2005-07

32

A Normative Template forTerms of Contract for Consumer

Transactionshttp://www.anu.edu.au/people/Roger.Clarke/EC/ICEC06.html#TN

T

• Information• Terms• Security• Choice• Consent• Recourse• Redress

Copyright2005-07

33

The Normative Template forMarketer-Consumer

Communications

• Information• Terms• Security• Choice• Consent• Recourse• Redress

Recourse• Enquiry and Complaints Process

• accessibility• prompt acknowledgement• copy into the consumer's email-archive• responsiveness to enquiry or complaint

• acknowledgement• resolution

• Restitution• product quality shortfalls

• own products and services• third-party products and services

• fulfilment quality shortfalls• payment errors

• External Complaints Mechanisms• information provided about them• prompt and appropriate communications with

regulators

Copyright2005-07

34

Google’s Challenges to Consumer Law

Consumer Benefits• Enormous• Gratis• But there is

consideration:acceptance of advertising, including intrusiveattention-grabbing devices (‘blink’, popups)

Terms:• Non-Negotiable• Non-Transparent• Changeable at whim• Not Version-Managed

Recourse• All-But Non-Existent

No sign of recovery of lostconsumer protectionsWSIS 2005, IGF are

vacuous

Copyright2005-07

35

Information PrivacyThe interest an individual has in controlling,

or at least significantly influencing, the handling of data about themselves

• Regulation:Data Protection Law, enforced by a Regulator [EU, Others – ???]

• Co-Regulation:Privacy Policy Statements, enforced by a Regulatore.g. through Trade Practices Law [US – ??]

• Self-Regulation:Privacy Policy Statements without enforcement [US actual]

Achieved Through

Copyright2005-07

36

28th International Data Protection and Privacy Commissioners' Conference

London, United Kingdom – 2 and 3 November 2006

Resolution on Privacy Protection and Search Engines

http://www.bfdi.bund.de/cln_029/nn_533554/SharedDocs/Publikationen/EN/InternationalDS/ConferenceOfInternationalDataProtectionCommissioners2006-

ResolutionSearchEngines,templateId=raw,property=publicationFile.pdf/ConferenceOfInternationalDataProtectionCommissioners2006-

ResolutionSearchEngines.pdf

“… providers of search engines … shall not record any information about the search that can be linked to users or about the search engine users themselves.“After the end of a search session, no data that can be linked to an individual user should be kept stored unless the user has given his explicit, informed consent to have data necessary to provide a service stored (e.g. for use in future searches)”

Copyright2005-07

37

A Privacy Statement Templatehttp://www.anu.edu.au/people/Roger.Clarke/DV/PST-

051219.html

• Data Collection• Data Security• Data Use• Data Disclosure• Data Retention and Destruction• Access by You to Your Personal Data• Information about Data Handling Practices• Handling of Enquiries, General Concerns and

Complaints• Enforcement• Changes to These Privacy Undertakings

• Definitions

Copyright2005-07

38

Google’s Privacy Statementhttp://www.anu.edu.au/people/Roger.Clarke/DV/PST-

Google.html

• Cookies not RFC2964-compliant• Cookies and Login (with Email-

Address as Username) enable the consolidation of a very substantial amount of identified personal data, without informed consent

• Purposes of Use and Disclosure vague but very extensive

• Storage in ‘Data Havens’ (such as the USA)

• Non-Consensual Use and Disclosure (presumption of consent, i.e. opt-out)

• Extraneous Disclosures not notified to the individual concerned

• No Information provided about Data-Handling Policies and Practices

• No Assurances whatsoever re:• Access by the Data Subject

[new WebHistory feature?]• Data Quality• Data Correction or Deletion• Data Relevance• Data Retention, Destruction

• No Consultation with Privacy Advocacy Organisations

• Deficient Complaint-Handling Procedures

• The Undertakings are Void in the event of merger, acquisition or sale of assets

• The Undertakings are Unenforced, and Probably Unenforceable

Copyright2005-07

39

Paranoia

http://www.google-watch.org/

Copyright2005-07

40

DIY Privacy-Protectionhttp://www.freenet.org.nz/misc/google-privacy.html

A simple HOWTO for stopping Google from logging your search history. In summary, the solution is to :

• clear all long-lasting cookies• set your browser to not keep cookies

between restarts• divert all google requests out

through an anonymous proxy

BUT ALSO !!!• Frequently re-start• Don’t register• Don’t use DeskTop, Gmail, …• Don’t send to Gmail accounts ...

Copyright2005-07

41

Google Mythology: “Do No Evil”• Two variants are evident on the web-site:

(1) number 6 of 'Ten things Google has found to be true':"you can make money without doing evil".But that statement is descriptive, not normative

(2) "Our informal corporate motto is 'Don't be evil' " But that statement is part of a ‘Code of Conduct’ communicated to investors, not customers, and is in any case completely non-binding

• There is an relevant corollary:• "You can make money without doing evil;

but you can make more money by doing evil"• Given the legal obligations of corporations,

the epithet actually implies that evil should be done

Copyright2005-07

42

Google Mythology:"Protecting users' privacy is very important

to Google" • World's-Worst Privacy Policy stance• "We will remove IP-addresses after 18 mths"

(They don't need them beyond 18 seconds)• "We will auto-delete cookies 2 yrs after last visit"

(Gobbledygook. They're remote from them …And there's no need for long-term cookies at all. It's better to block cookies, auto-delete cookies, delete cookies, and/or use a nymous proxy-server)

• Argues at UNESCO for standardisation on the world's weakest code. (The APEC code was designed by privacy-hostile USA with Australian help, using privacy-hostile Asia as the excuse)

Copyright2005-07

43

Google and PrivacyRecapitulation

Privacy

Google’s Business(es)1 A Search-Engine2 Content-Discovery

Services3 Content Services4 Data about Users

Privacy Protections• Consumer Protection

Law• Privacy Protection Law• Privacy Policy

Statements• DIY

Google Mythology

Copyright2005-07

44

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Copyright2005-07

45

and Privacy

Roger ClarkeXamax Consultancy Pty Ltd, Canberra

Visiting Professor, Department of Computer Science, A.N.U.and in Cyberspace Law & Policy, U.N.S.W.,

and in eCommerce at Uni. of Hong Kong

http://www.anu.edu.au/people/Roger.Clarke/…

…/DV/Googacy-070919 {.html, .ppt}

ANU DCS – 19 September 2007

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.