Private Property: What Google's Unified Privacy Policy Means for You

"We've been tidying up a little, making our privacy policies and terms more consistent, easier to read and easier to understand. You see while privacy policies, ours included, may not be the most popular read on the Internet, we think they're important. So instead of over 60 policies for different Google products and features we're introducing just one with fewer words, simpler explanations and less legal gloop to wade through."

-Google Privacy Policy Update promotional video (24.01.2012)

One Policy to Rule them all

From 1 March Google is radically overhauling its privacy policies. In broad terms Google's numerous (70, not 60) policies will be replaced with just one. Consequently instead of a policy for Gmail, one for Google Calendar, one for YouTube, another for Search and so on they will be amalgamated and no longer tied to services, but accounts. Crucially Google will then share the information you provide across all these services, though not with third parties. Again the pitch is compelling:

"Over time it'll mean better search results and ads, we'll understand that when you search for Jaguar you're looking for a jaguar [animal] and not a Jaguar [car]," claims Google. "It can mean more accurate spelling suggestions because you've tagged a word before and it may even mean we'll be able to tell you when you'll be late for a meeting based on your location, your calendar and local traffic conditions. All of which means we're not just keeping your private stuff private, we're making it more useful to you in your daily life too."

These benefits are tangible. If you discuss your interest in something in an email YouTube may suggest videos about it and search results will be automatically refined to improve their effectiveness. For Google Apps (professional Google accounts) the situation is slightly different: core Apps services (Gmail, Calendar, Docs, Sites, Control Panel) have their own contract which takes precedence over the new privacy terms so they will be unaffected. Access non-core services (YouTube, Picasa, Blogger, etc) with your Google Apps account however and information will be shared between them.

Why you should be worried

Four key reasons: stubbornness, convergence, exposure and track record.

Stubbornness

Google is not budging over the implementation of its unified privacy policy, despite pressure from both the European Union and US Congress. "We call for a pause in the interests of ensuring that there can be no misunderstanding about Google's commitments to information rights of their users and EU citizens, until we have completed our analysis," said Jacob Kohnstamm, chairman of the group of 27 national privacy regulators in the EU, in a public letter to Google CEO Larry Page. Google declined in an open reply saying in pre-briefings "At no stage did any EU regulator suggest that any sort of pause would be appropriate."

"At the end of the day, I don't think their answers to us were very forthcoming," claimed Republican Mary Bono Mack after House lawmakers grilled Google officials about the unified policy on 2 February. "The concern of Congress is how much active participation does a user have to do to protect their own privacy," she added. Google has not publicly replied to this, but confirmed the 1 March switchover will go ahead regardless and - short of closing their accounts - users cannot opt out. Such a stance implies sharing user information across its services is a critical step in the continued evolution of Google's business model, so what comes next?

Convergence

Going hand-in-hand with Google's converging privacy policy is the wider convergence of all its products. The company's popular Android mobile platform requires a Google account in order to function - making an opt out all the more impractical - and subsequently unifying your privacy data not only across Google services, but across hardware platforms from PCs and laptops, to mobile phones, set top boxes and tablets.

"Given the increasingly personal and targeted information that services such as Google+, Android devices, Address books and Gmail collect it is not surprising that the proposition to aggregate and correlate all this information is worrying for the consumer," argues Rik Ferguson, director of security research and communication at Trend Micro. "It would be in the interest of consumer choice, not to mention privacy and security to give the user the choice of which services they allow to access this aggregated data and which are explicitly denied."

Exposure

The greatest fear to stem from convergence is the loss of your data. Immediate thoughts turn to theft - both physical and online via hackers - and greater sharing of privacy information risks wider exploitation from these parties. This is small beans, however, compared to key wording within the 'Information Sharing' section of the new policy. It answers the question of when Google will share your data with third parties:

"[If] We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law."

The vital part is (a): Google will release your data to any government to "satisfy any applicable law, regulation, legal process or enforceable governmental request". Be warned.

Track Record

Google famously lives by (and is frequently attacked using) its "Don't be evil" slogan and it has historically fallen down most often when it comes to privacy matters. Google Buzz exposed users' contacts and resulted in an FTC settlement, which included an $8.5m fine. Its Street View mapping service was criticised for taking unauthorised pictures of people and their homes and inadvertently collected over 600GB of data from users' WiFi connections in over 30 countries. These examples represent just a snapshot.

So given the new unified privacy policy actually still excludes key services (contrary to Google's marketing suggestions) including Chrome and Chrome OS, Google Books and Google Wallet how long before what you browse, read and buy are woven into Google's advertising efforts or deliberately/accidentally opened up to less scrupulous third parties?

Why you should not be worried

"It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties... This approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers... I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year."

This hugely insightful statement was made by Justice Sotomayor earlier this month in her closing comments of the United States vs Jones case in the US Supreme Court. In it the FBI was found to have violated the Fourth Amendment in attaching a tracking device to a defendant's car without a warrant. The case is significant because this concluding statement separates privacy from secrecy and frames it within the context of a digital age in which we use social media to tell people everything, but want organisations to know nothing.

Furthermore it sets a precedent that, despite Google's open house policy for governments to look into your data, there should be actual suspicion and due process before it can be accessed. This is in stark contrast to Google's own attitude. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place" claims Eric Schmidt, Google's executive chairman. The statement may be glib, but he has a point.

There is a further elephant in the room: Google actually deserves credit. Yes people are complaining about the unified privacy policy, but arguably that is because they can now understand it. Reducing over 70 policies to just one, writing it in plain English and cutting the length to 2,046 words (Microsoft's is nearly twice the length) means users have little excuse not to be informed. Should you still wish to leave, Google provides a data Liberation tool, which exports all your information from Google services, after which accounts can be deleted. Despite the changes Google services like Maps and YouTube can also still be used without a Google account. None of this particularly bad customer service from a company that provides everything for free.

What about the complaints from the EU and the US Congress? The EU has no specific bone to pick and merely calls for consultation time while members of Congress call for greater clarity when it is undeniable this is what the shortened, simplified, unified privacy policy provides. The privacy topic is a vote winner after all and so we shouldn't be shocked to see politicians sabre rattling whenever possible.

As for the origins of the unified policy, its foundations have long been in place. Google maintains an archive of all its past policies and since October 2005 the company has stated: "We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services." You were warned.

Why Is Google Doing This?

Aside from the rights and wrongs, a bigger question needs to be asked: what motivates Google to unify user data in the first place? The answer is simple: Google is losing.

For all its plethora of products and services, at its heart Google is an ad provider. Everything it offers is simply a spoonful of sugar to help the advertising go down and its 'free' business model only works if users keep clicking. In order to achieve those clicks, ads need to be a) as relevant as possible, and b) better than competitors because there are only so many ads users are inclined to click per day. In this regard someone is doing it far better... Facebook.

For ad providers our digital identities are now the key asset to revenue growth and while Google makes a lot of intelligent guesses what it actually knows when put to the test is surprisingly vague. Click on Google's Ads Preferences Manager and you will find it may have your age group right, your sex and your areas of general interest. By contrast Facebook knows not only your age, sex and specific interests, but also your location, friends, social life and day-to-day thoughts - and it is encouraging you to backdate them.

The unified privacy policy is Google's attempt to fight back, to better gauge your identity and needs in the hope of providing more compelling ads and content. Of course Google has also tried to compete directly with Facebook in the past, but Orkut and Buzz have failed and while Google+ popularity is murky it again appears to work more as an identity aggregator than true social network.

"A bad situation for privacy is bound to get much, much worse," argues Paul Ohm, associate professor of law at the University of Colorado School of Law. "It's especially bad because now we've got really vigorous competition between Google and Facebook, and they're competing on our secrets, basically. Whoever can make money out of our secrets is going to win this battle."

Google is not alone. Take just the last few months: TomTom has teamed up with Motaquote to track our driving in exchange for lower insurance premiums, Apple has launched free iBooks publishing in exchange for exclusivity over our work and Amazon's new Silk browser receives your web history in exchange for potentially optimised loading times. All the while tensions are rising as companies begin to bash heads.

Speaking in 1999 Sun Microsystems CEO Scott McNealy famously proclaimed, "You already have zero privacy. Get over it." He was right then and he's right today, but at least companies are willing to give you things for it...