TRANSCRIPT
Copyright 2005-07
Google and Privacy
Roger Clarke, Xamax Consultancy Pty Ltd, Canberra
Visiting Professor in Cyberspace Law & Policy, U.N.S.W., in eCommerce at Uni. of Hong Kong, & in Comp. Sci., A.N.U.
http://www.anu.edu.au/people/Roger.Clarke/DV/Googacy-070524 {.html, .ppt}
Uni Koblenz – 24 May 2007
Google and Privacy: Agenda
Privacy
Google’s Business(es)
1 A Search-Engine
2 Content-Discovery Services
3 Content Services
4 Data about Users
Privacy Protections
• Consumer Protection Law
• Privacy Protection Law
• Privacy Policy Statements
• DIY
Google Mythology
Privacy
the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations
Privacy Protection
a process of finding appropriate balances between privacy and multiple competing interests
Privacy cf. Data Protection / Datenschutz
• Dimensions of privacy interest:
  • The Physical Person
  • Personal Behaviour
  • Personal Communications
  • Personal Data
• Motivations for protecting privacy:
  • Psychological
  • Social
  • Economic
  • Political
‘Research Your Next Appointment’
• Their Site(s)/Blog(s)
• Event Programs
• Committee Minutes
• Letters to the Editor
• Postings
  • email-lists
  • fora
  • blogs
• Logs (e.g. in court)
  • IAPs
  • ISPs
  • own machine
• Media Reports
  • as subject
  • as reporter
  • as commentator
  • as bystander
• Court Reports
• ‘Little Black Books’
• Commercial Databases
• Dead Pages, from the Wayback Machine
• Specialist Sites, e.g. Zoominfo.com
Privacy Threats from Open Information
Discoverability
• Data
• Associations
• Location
• Habits
Consolidation, e.g. for:
• Profiling
• Manipulation
• Character Assassination
Data Quality Problems
• Out-of-Date
• Incomplete
• Acontextual
• Inaccurate
• Scurrilous
• Spurious
Second-Round Effects
• More Data Retention
• More Data Capture
Search-Engine Operation (diagram)
Phase 1 - Crawling and Indexing: Spider / Crawler / Robot → Indexer → Index or Concordance
Phase 2 - Use: The Internet, Cache, Search Engine
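The two phases in the diagram, as an added example that is not part of the slides: a toy crawler builds an inverted index (the concordance) and a cache from a constructed in-memory 'web', and a query is then answered from the index. It also makes concrete the 'Dead Pages' point from the earlier slide: once a page has been crawled, deleting it at its origin removes nothing from the engine until a re-crawl. The URLs, page text and the class and function names are all constructed for this example.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed in-memory 'web' (URL -> HTML); nothing is fetched over the network.
SAMPLE_WEB = {
    "http://example.test/": '<a href="http://example.test/about">About</a> Welcome to Example',
    "http://example.test/about": 'Staff: <a href="http://example.test/people/alice">Alice</a>',
    "http://example.test/people/alice": "Alice Example lives in Canberra and chairs the committee",
}


class LinkAndTextExtractor(HTMLParser):
    """Collects href targets (for the crawl frontier) and visible text (for indexing)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text.append(data)


def tokenize(text):
    """Lower-case word terms; a set is all an inverted index needs."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class SearchEngine:
    def __init__(self, fetch):
        self.fetch = fetch                 # callable: url -> HTML, or None if unreachable
        self.cache = {}                    # Phase 1: cached copy of each page's text
        self.index = defaultdict(set)      # Phase 1: term -> URLs (the concordance)

    def crawl(self, seed):
        """Phase 1: breadth-first crawl from the seed, indexing and caching each page."""
        frontier, seen = [seed], set()
        while frontier:
            url = frontier.pop(0)
            if url in seen:
                continue
            seen.add(url)
            html = self.fetch(url)
            if html is None:
                continue
            parser = LinkAndTextExtractor()
            parser.feed(html)
            text = " ".join(parser.text)
            self.cache[url] = text
            for term in tokenize(text):
                self.index[term].add(url)
            frontier.extend(parser.links)
        return sorted(seen)

    def search(self, query):
        """Phase 2: pages containing every query term (no ranking in this toy)."""
        terms = tokenize(query)
        if not terms:
            return []
        return sorted(set.intersection(*(self.index.get(t, set()) for t in terms)))

    def cached_copy(self, url):
        return self.cache.get(url)


def dead_page_demo():
    """Index the sample web, delete the personal page at its origin, and show that
    the engine still finds and serves it until it is re-crawled."""
    web = dict(SAMPLE_WEB)
    engine = SearchEngine(web.get)
    engine.crawl("http://example.test/")
    hits_before = engine.search("alice canberra")
    del web["http://example.test/people/alice"]      # site owner removes the page
    hits_after = engine.search("alice canberra")      # index and cache are unaffected
    still_cached = engine.cached_copy("http://example.test/people/alice")
    fresh = SearchEngine(web.get)                      # only a re-crawl drops it
    fresh.crawl("http://example.test/")
    return hits_before, hits_after, still_cached, fresh.search("alice canberra")


if __name__ == "__main__":
    print(dead_page_demo())
```

The engine here re-crawls from scratch to forget the page; a real engine's cache and index persist between crawls, which is the retention problem the rest of the deck returns to.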
Google’s Business(es) 1. Content Discovery Services
• The Largest Coverage (size of the Reference List)
• The Smartest Precedence Algorithm (the sorting part of the Results Formatter)
• The Fastest, Simplest, Best? Search-Service (a UI for normal people, not specialists)
• Multiple Constrained Searches (images, blogs, Froogle)
• Multiple Extension Services (Answers, Scholar)
froo·gle (fru'gal) n. Smart shopping through Google
Google’s Business(es) 2. Content Services
• Google Earth
• Google Base
• Google Video / YouTube
• ...
• Google News
• Google Library / Print
• ...
Google’s Business(es) 3. Data about Users
“We are moving to a Google that knows more about you”
- Google’s CEO, NYT, 10 Feb 2005
Round 1
• Search-Terms
• IP-address(es)
• Click-Trail
• Click-Throughs
Round 2
• Google Accounts:
  • Email-Address as Username
  • A Common Cookie
Email – Long-Term Risk Exposures
Both Parties’ IAPs:
• IP-address(es) used, disclosing location, trail
• Authorised / unauthorised disclosure, with/without notification
• Traffic data retention, message retention
Mail-Recipient’s ISP:
• Access to, and use of, traffic
• Access to, and use of, content
• Authorised / unauthorised disclosure, with/without notification
• Message retention after download
ISP Mail-Hosting / Webmail:
• Message retention, long-term
Gmail – Yet More Risk Exposures
Gmail Subscribers
• Targeted Ads based on text from senders => consumer manipulation
• Correlation with Data from Other Services
Senders to Gmail Addresses
• Examination of Text
• Long-Term Retention
• Consolidation with Other Sources
• Long-Term Unauthorised Disclosure, and no notification
‘Sorry, but I don’t talk via Gmail’
Senders Generally
• Postings to Lists where even a single subscriber is a Gmail account
• Forwards to Gmail accounts
• Forwards to Lists where even a single subscriber is a Gmail account
EPIC on Gmail
• No Non-Subscriber Consent to content extraction
• Unlimited Data Retention
• Profiling across Google product line
• Harms expectation of privacy
• Insufficient privacy policy
• No data protection on sale of company or change of company policy
http://www.epic.org/privacy/gmail/faq.html, August 2004
• Gmail is a privacy disaster
• Google is attempting to engage in indefinite data retention
• Google has publicly stated it will not discuss law enforcement requests for personal information. So we have no idea how Google responds to law enforcement, nor how many requests have been received
- private email from EPIC, 8 Dec 2005
Google Desktop v. 1 – October 2004
Search Within Your Own Computer
“A desktop search application that provides full text search over your email, files, music, photos, chats, Gmail, web pages that you've viewed, ...”
(cf. Apple’s Sherlock 1998, later Spotlight, and many third-party products for Wintel)
It allows people to scan their computers for information in the same way that they use Google to search the web
http://desktop.google.com/about.html
Google Desktop v. 3 – 9 Feb 2006
Search Across Your Computers
BUT “In order to share your indexed files between your computers, we securely transmit this content to Google Desktop servers located at Google”
cf. MS Passport data, centralised at Redmond WA
http://desktop.google.com/...features.html#searchremote
Google’s ‘Social Networking Service’
• Profiles of Members
  • Self-Captured
  • Unauthenticated
• Profiles of People Nominated by Members
  • Captured by Members, e.g. by upload of their address-books
  • Unauthenticated
  • Without Consent
• Traffic
• Social Networks of Members and Non-Members
Google as Wireless Internet Access Provider
http://www.techworld.com/mobility/...features/index.cfm?featureid=1837
Acceptance of Google’s tender confirmed 5 April 2006
And 1 Year Later?
Doubleclick
• Major Site-Owners let ad-space to DoubleClick
• DoubleClick gathers data about all traffic to all such sites, resulting in consumer profiles
Google AdSense
• Minor Page-Owners let ad-space to Google
• Google gathers data about all traffic to all sites that are ‘AdSense affiliates’
On 13 Apr 2007, Google bought DoubleClick
New York Consumer Protection Board
http://www.consumer.state.ny.us/pressreleases/2007/may092007.htm
“the combination of DoubleClick's Internet surfing history generated through consumers' pattern of clicking on specific advertisements, coupled with Google's database of consumers' past searches, will result in the creation of ‘super-profiles’, which will make up the world's single largest repository of both personally and non-personally identifiable information”.
The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third parties, as well as public disclosure as evidence in litigation or through data breaches.
Google’s Business(es) 3. Data about Users
“We are moving to a Google that knows more about you”
- Google’s CEO, NYT, 10 Feb 2005
Round 3
• Gmail
• Desktop
• Desktop v.3
• Orkut
Round 4
• Google as Wireless IAP
  • Gratis (i.e. ad-funded)
• Ad Syndication (AdSense)
• Consolidation of the Consumer Profiles held by DoubleClick and Google
Google and Privacy: Agenda
Privacy
Google’s Business(es)
1 A Search-Engine
2 Content-Discovery Services
3 Content Services
4 Data about Users
Privacy Protections
• Consumer Protection Law
• Privacy Protection Law
• Privacy Policy Statements
• DIY
Google Mythology
A Normative Template for Terms of Contract for Consumer Transactions
http://www.anu.edu.au/people/Roger.Clarke/EC/ICEC06.html#TNT
• Information
• Terms
• Security
• Choice
• Consent
• Recourse
• Redress
The Normative Template for Marketer-Consumer Communications
• Information
• Terms
• Security
• Choice
• Consent
• Recourse
• Redress
Recourse
• Enquiry and Complaints Process
  • accessibility
  • prompt acknowledgement
  • copy into the consumer's email-archive
  • responsiveness to enquiry or complaint
    • acknowledgement
    • resolution
• Restitution
  • product quality shortfalls
    • own products and services
    • third-party products and services
  • fulfilment quality shortfalls
  • payment errors
• External Complaints Mechanisms
  • information provided about them
  • prompt and appropriate communications with regulators
Google’s Challenges to Consumer Law
Consumer Benefits
• Enormous
• Gratis
• But there is consideration: acceptance of advertising, including intrusive attention-grabbing devices (‘blink’, popups)
Terms:
• Non-Negotiable
• Non-Transparent
• Changeable at whim
• Not Version-Managed
Recourse
• All-But Non-Existent
No sign of recovery of lost consumer protections, e.g. WSIS 2005 is vacuous
Information Privacy
The interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves
Achieved Through
• Regulation: Data Protection Law, enforced by a Regulator [EU, Others – ???]
• Co-Regulation: Privacy Policy Statements, enforced by a Regulator, e.g. through Trade Practices Law [US – ??]
• Self-Regulation: Privacy Policy Statements without enforcement [US actual]
28th International Data Protection and Privacy Commissioners' Conference
London, United Kingdom – 2 and 3 November 2006
Resolution on Privacy Protection and Search Engines
http://www.bfdi.bund.de/cln_029/nn_533554/SharedDocs/Publikationen/EN/InternationalDS/ConferenceOfInternationalDataProtectionCommissioners2006-ResolutionSearchEngines,templateId=raw,property=publicationFile.pdf/ConferenceOfInternationalDataProtectionCommissioners2006-ResolutionSearchEngines.pdf
“… providers of search engines … shall not record any information about the search that can be linked to users or about the search engine users themselves.”
“After the end of a search session, no data that can be linked to an individual user should be kept stored unless the user has given his explicit, informed consent to have data necessary to provide a service stored (e.g. for use in future searches)”
A Privacy Statement Template
http://www.anu.edu.au/people/Roger.Clarke/DV/PST-051219.html
• Data Collection
• Data Security
• Data Use
• Data Disclosure
• Data Retention and Destruction
• Access by You to Your Personal Data
• Information about Data Handling Practices
• Handling of Enquiries, General Concerns and Complaints
• Enforcement
• Changes to These Privacy Undertakings
• Definitions
Google’s Privacy Statement
http://www.anu.edu.au/people/Roger.Clarke/DV/PST-Google.html
• Cookies not RFC2964-compliant
• Cookies and Login (with Email-Address as Username) enable the consolidation of a very substantial amount of identified personal data, without informed consent
• Purposes of Use and Disclosure vague but very extensive
• Storage in ‘Data Havens’ (such as the USA)
• Non-Consensual Use and Disclosure (presumption of consent, i.e. opt-out)
• Extraneous Disclosures not notified to the individual concerned
• No Information provided about Data-Handling Policies and Practices
• No Assurances whatsoever re:
  • Access by the Data Subject [new WebHistory feature?]
  • Data Quality
  • Data Correction or Deletion
  • Data Relevance
  • Data Retention, Destruction
• No Consultation with Privacy Advocacy Organisations
• Deficient Complaint-Handling Procedures
• The Undertakings are Void in the event of merger, acquisition or sale of assets
• The Undertakings are Unenforced, and Probably Unenforceable
Paranoia
http://www.google-watch.org/
DIY Privacy-Protection
http://www.freenet.org.nz/misc/google-privacy.html
A simple HOWTO for stopping Google from logging your search history. In summary, the solution is to:
• clear all long-lasting cookies
• set your browser to not keep cookies between restarts
• divert all google requests out through an anonymous proxy
BUT ALSO !!!
• Frequently re-start
• Don’t register
• Don’t use DeskTop, Gmail, …
• Don’t send to Gmail accounts ...
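The consolidation mechanism behind ‘A Common Cookie’ and ‘Email-Address as Username’ (Round 2, and the second point on the Privacy Statement slide), and what the DIY advice does to it, as an added example that is not from the slides or the linked HOWTO. A provider that shares one cookie across services can join every service's log on the cookie value, and one login under that cookie identifies the whole joined record; session-only cookies fragment the record, and never registering leaves the fragments unidentified. The log format, cookie-policy names, activity trace and function names are constructed for illustration, and the model ignores IP addresses, which is the linkage the proxy advice addresses.

```python
import itertools
import re
from collections import defaultdict

# Constructed activity trace for one person. ('restart', None) marks a browser
# restart; every other entry is (service, event) as that service would log it.
ACTIVITY = [
    ("search", "q=canberra+privacy+conference"),
    ("search", "click=http://example.test/people/alice"),
    ("restart", None),
    ("mail", "login=alice@example.test"),   # a login ties the cookie to an identity
    ("mail", "open=inbox"),
    ("restart", None),
    ("search", "q=doubleclick+merger"),
]


def generate_log(activity, cookie_policy, register):
    """Emit the log lines a provider sharing one cookie across its services would hold.
    cookie_policy 'persistent': the cookie survives restarts (the slide's 'common cookie').
    cookie_policy 'session': a fresh cookie after every restart (the DIY advice).
    register=False models the 'Don't register' advice: no login event ever occurs."""
    ids = itertools.count(1)
    cookie = f"c{next(ids)}"
    lines = []
    for service, event in activity:
        if service == "restart":
            if cookie_policy == "session":
                cookie = f"c{next(ids)}"
            continue
        if event.startswith("login=") and not register:
            continue
        lines.append(f"{service} cookie={cookie} {event}")
    return lines


LINE_RE = re.compile(r"^(?P<service>\w+) cookie=(?P<cookie>\w+) (?P<event>\S.*)$")


def consolidate(lines):
    """Join log lines from all services on the cookie value. A login seen under a
    cookie identifies every event recorded under that cookie, past and future."""
    profiles = defaultdict(lambda: {"services": set(), "events": [], "identity": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        profile = profiles[m["cookie"]]
        profile["services"].add(m["service"])
        profile["events"].append(m["event"])
        if m["event"].startswith("login="):
            profile["identity"] = m["event"].split("=", 1)[1]
    return dict(profiles)


def summarise(cookie_policy, register=True, activity=ACTIVITY):
    """Return (number of profiles, profiles tied to an identity, events in the largest)."""
    profiles = consolidate(generate_log(activity, cookie_policy, register))
    identified = sum(1 for p in profiles.values() if p["identity"] is not None)
    largest = max(len(p["events"]) for p in profiles.values())
    return len(profiles), identified, largest


if __name__ == "__main__":
    for policy, register in (("persistent", True), ("session", True), ("session", False)):
        print(f"{policy:10} register={register!s:5} -> {summarise(policy, register)}")
```

With the persistent cookie the trace collapses into one identified profile spanning both services; with session-only cookies it splits into three fragments of which only the one containing the login is identified; with session-only cookies and no registration none of the fragments is identified.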
Google Mythology: “Do No Evil”
• Two variants are evident on the web-site:
  (1) number 6 of 'Ten things Google has found to be true': "you can make money without doing evil". But that statement is descriptive, not normative
  (2) "Our informal corporate motto is 'Don't be evil'". But that statement is part of a ‘Code of Conduct’ communicated to investors, not customers, and is in any case completely non-binding
• There is a relevant corollary:
  • "You can make money without doing evil; but you can make more money by doing evil"
  • Given the legal obligations of corporations, the epithet actually implies that evil should be done
Google and Privacy: Recapitulation
Privacy
Google’s Business(es)
1 A Search-Engine
2 Content-Discovery Services
3 Content Services
4 Data about Users
Privacy Protections
• Consumer Protection Law
• Privacy Protection Law
• Privacy Policy Statements
• DIY
Google Mythology