
Entries in personal information (17)

Wednesday, 11 April 2012

Privacy in a nutshell, a guide

I started working on an overdue post this morning and, as I started to do that, I realised it would be really helpful to first publish this guide, "Privacy law in a nutshell", as an introduction to South African privacy law (some of the principles apply elsewhere too). It is a pretty brief overview but if you are not familiar with some of the basic legal principles and considerations relating to privacy, this should help.

Friday, 9 March 2012

Google's new privacy policy: much ado about very little

Google's recent privacy policy update has caused great consternation. Some commentators have expressed concern about the new policy's compliance with various privacy law frameworks (particularly the EU's data protection laws) and about the aggregation of users' personal information, and others have made ridiculous claims about the policy being the "end of privacy as we know it". We took a close look at the new privacy policy, what has changed from October's version and what this really means for users. It turns out much of the fuss is uninformed, sensationalist and unjustified.


One Privacy Policy to Rule Them All

Essentially Google has taken a number of privacy policies spread across multiple services and consolidated them into a single privacy policy that covers personal information processing across all Google services. This isn't as simple as it sounds and its benefits are not immediately apparent. One of the disadvantages of having multiple privacy policies governing multiple services is that you can't be sure that your personal information will be handled consistently from service to service or even that all of the policies process your personal information in a way that doesn't prejudice you unreasonably. This also potentially means diminished transparency, less informed consent and greater uncertainty – all less than desirable features of a document of such importance. With a unified policy users have greater certainty as to what personal information Google is collecting and what it is doing with that personal information. To add to this, the new privacy policy continues Google's practice of writing very clear and plain policies (when I am looking for inspiration for legal terms, I often look to Google's terms for their clarity and emphasis on good, plain language).

Another thing Google does is publish comparisons between policy versions. This is part of the comparison between the October 2011 version and the March 2012 version:

Privacy Policy – Policies & Principles

Google does a terrific job purely from the perspective of transparency. Users are advised in advance what changes are going to be made and are shown not only the new policy document but also the changes from one version to the next. This behaviour doesn't receive enough attention. Not many companies go to such lengths to be so transparent about these sorts of changes.

Positive Changes

The policy, for the most part, doesn't change the privacy framework under the previous model. Users haven't lost control over their personal information and haven't been forced to be more public than they may wish to be. That approach largely fell away a couple of years after the Facebook privacy debacles. In the last year or so Google, Facebook and other services have been more careful with users' personal information and their privacy policies reflect this.

The new policy clarifies how users can "make meaningful choices about how" Google uses their personal information. Users have a number of options available should they wish to access and review the personal information Google holds, adjust their ad preferences, control whom they share their personal information with, and even export their personal information from Google's services. The new policy also states that browsers can be set to block or moderate cookies but cautions that users who do so may find diminished functionality in its services (this is the incentive for users not to moderate cookies).

A change I found very interesting is this sentence:

We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

Previously the privacy policy dealt with the DoubleClick cookie on an opt-out basis:

Google uses the DoubleClick advertising cookie on AdSense partner sites and certain Google services to help advertisers and publishers serve and manage ads across the web. You can view and manage your ads preferences associated with this cookie by accessing the Ads Preferences Manager. In addition, you may choose to opt out of the DoubleClick cookie at any time by using DoubleClick’s opt-out cookie.

Why People Are Concerned

The primary reason most commentators seem to be concerned about the new privacy policy is the following clauses:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

We may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.

...

...

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

Essentially Google is consolidating the personal information it has from its users across its various services into a more complete, useful and valuable database. Previously the various privacy frameworks and notionally distinct services meant that a user could have varying exposure to personalised ads and to personal information processing. Under the more consolidated model, users can be more readily and more accurately profiled and better targeted with ads. Their experience of Google's services can also be improved where data can be shared across services (another reason for the change) to enhance users' general Google experience.

This change reflects the increasing integration of Google's services into a more cohesive whole, not dissimilar to Facebook. Facebook has always been regarded as a single, multi-faceted service, but one which permits personal information published through one aspect of the service to be used with other aspects of the service, as well as to better target ads.

Some of the clauses are mixed bags. This next clause makes an important point that sensitive personal information won't be associated with cookies and then glosses over the implications of those cookies and other technologies like pixel tags by explaining their value in setting the correct language preferences:

We use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services. For example, by saving your language preferences, we’ll be able to have our services appear in the language you prefer. When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

Google has been viewed with suspicion for some time now due to its size and presence in our daily lives. There is no question that Google uses personal information to personalise its ads and users' experience of many of its services. That said, Google works to be more transparent about its disclosure of personal information to governments (one of the times Google will hand over your personal information is in response to a valid and legally binding request from a government). Contrary to the article in a recent issue of the Star titled, "Big Brother has nothing on Google" (this article is largely a series of exaggerations, some of which are factually questionable), the new policy does not give Google carte blanche to sell user data at will. The policy is fairly clear on this point:

Information we share

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

  • With your consent

    We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

  • With domain administrators

    If your Google Account is managed for you by a domain administrator (for example, for Google Apps users) then your domain administrator and resellers who provide user support to your organization will have access to your Google Account information (including your email and other data). Your domain administrator may be able to:

    • view statistics regarding your account, like statistics regarding applications you install.
    • change your account password.
    • suspend or terminate your account access.
    • access or retain information stored as part of your account.
    • receive your account information in order to satisfy applicable law, regulation, legal process or enforceable governmental request.
    • restrict your ability to delete or edit information or privacy settings.

    Please refer to your domain administrator’s privacy policy for more information.

  • For external processing

    We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

  • For legal reasons

    We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

    • meet any applicable law, regulation, legal process or enforceable governmental request.
    • enforce applicable Terms of Service, including investigation of potential violations.
    • detect, prevent, or otherwise address fraud, security or technical issues.
    • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

We may share aggregated, non-personally identifiable information publicly and with our partners – like publishers, advertisers or connected sites. For example, we may share information publicly to show trends about the general use of our services.

If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

While Google has given itself the ability to exchange your personal information across its services for various reasons, it does not mention selling users' personal information to 3rd party advertisers. If anything, the policy wording tends to rule that out subject to Google's ability to disclose your personal information for those sorts of purposes if you consent to it or if the person administering the domain your Google account forms part of does something similar (Google leaves it up to those administrators to develop their own privacy framework).

Perspective

Many commentators criticise Google and other companies, ostensibly on the mistaken assumption that they are entitled to a particular range of services or to be subject to terms and conditions or privacy policies they find more favourable. This is a flawed assumption. Google is a "for profit" company and, at the same time, it makes a concerted effort to strike a balance between its commercial interests and its users'. The outcomes of that effort include clearly written policies which inform users what happens to their personal information from the time they submit it to Google. The document's clarity means that users are more likely to understand it and its implications and give their informed consent to Google. That is what a privacy policy should strive for.

In addition, this policy does not make further inroads into user privacy. The general exception is the extent to which aggregating personal information across Google's services impacts on user privacy more extensively.

Google has also given users the tools to control their personal information fairly effectively by removing it, blocking its collection or correcting it. I say "fairly" because the policy also mentions that users have control over "many" of Google's services, not all of them.

Ultimately personal information is the price users pay to use Google's (and other) services and, while the choice to use other services often isn't as appealing, it remains an option. Users also have tools independent of Google to help protect their privacy. One such tool is an alternative browser like Firefox, which includes various settings to help protect users' privacy. Even Google's Chrome gives users the ability to better control their personal information.

Much of the new policy is a clarification of the previous version with paragraphs being restructured or otherwise amended to improve them from a usability perspective. All the hype and fuss about the privacy policy seems to be mostly bluster and much ado about very little after all.

Update: I found out about this great video on This Week in Law 147 which presents a great perspective on the policy changes:


Nastassja de la Guerre helped out with a more detailed comparison between the October 2011 and March 2012 versions and an assessment of the impact of those changes. Nastassja is a candidate attorney at Jacobson Attorneys.

Tuesday, 28 February 2012

That's my data you're fondling


TechCentral published an article by Richard Mullins, titled "Data, the hidden treasure in publishing" which raises a number of important issues. The premise of the article and the challenge facing publishers is nicely summarised in these two paragraphs in the article:

Their biggest hope of making money lies in unlocking the value of the reams of data they collect about their audience. This data is the most valuable commodity they are sitting on, yet it can be as hard to access as veins of gold buried deep below the surface of the earth. Over the years, publishers have built their online operations in a fragmented and ad hoc manner, adding in new technologies, tools and channels as they have needed to.

and

Yet the opportunity for publishers to package all their information and resell it to digital marketers is one they cannot afford to ignore any longer. It is the greatest value they have to sell their advertisers and they need to start thinking of how they are going to deliver the value and monetise the gold they are sitting on.

Mullins talks about this data as if publishers have acquired it and are free to do as they wish, if only they develop the infrastructure to exploit it more effectively. He highlights a need we're seeing in various industries – the need to make better use of data stored in silos in the organisation to market the organisation's products and services more effectively. At first glance this makes a lot of sense but this approach to the data begins to smell a little funky when you take a few steps back and consider whose data we're talking about here.

Choice

The Protection of Personal Information Bill's 5th working draft recognises 3 principles as the basis for the legislation:

  • section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
  • the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
  • the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

The Bill goes on to record a number of rights "data subjects" (defined as the "person to whom personal information relates") enjoy. These rights are designed to give data subjects more meaningful control over their personal information (privacy under the Protection of Personal Information Bill is not about secrecy, it's about informational self-determination). Included in the Bill are provisions which deal specifically with direct marketing as a use of this personal information. "Unlocking the value of the reams of data" the publishers have collected is a euphemism for marketing using that personal information or even selling that data. Both activities will be regulated in the Protection of Personal Information Bill and direct marketing is already regulated, in varying degrees, by a combination of the Consumer Protection Act, the Electronic Communications and Transactions Act and industry codes of conduct.

The trend reflected by these industry codes of conduct and the Protection of Personal Information Bill is towards a requirement that marketers obtain specific and informed consent from consumers before processing that data (the definition of "processing" isn't settled in the Protection of Personal Information Bill but the current options cover virtually any use of the data, from collection to aggregation to making more direct uses of it). The sort of consent contemplated by the Protection of Personal Information Bill is fairly specific. At the very least a customer must have given informed consent, in the context of a sale of a product or service, to receive marketing information pertaining to the marketer's "own similar products or services". There are also restrictions on how marketers can source the personal information they wish to collect. Generally speaking they should obtain the personal information directly from the data subject.

While publishers may see the personal information they possess as a goldmine to be exploited, most (if not all) that personal information pertains to consumers whose consent the publisher may well require before it can do any of that exploiting. There are a number of ways to secure that consent, both before and after the personal information is collected, and the appropriate methods will very much depend on the publishers' specific circumstances.

Data portability

Leaving aside consent requirements, a related issue which will likely come to the forefront of the debate is data ownership and data portability. The one area where we will see this issue arise is, interestingly enough, in online banking. I spoke to Christo Davel from 22seven about a week and a half ago (you can read our report titled "Your 22seven risks and where banks draw the line" for more about 22seven and related issues) and he raised data portability as a key issue going forward. 22seven collates information about its users' transactions, potentially from a variety of banks, in order to conduct the analyses it conducts and render its services. The banks objecting to their customers using 22seven seemed to ignore the fact that the transactional information under their care belongs to their customers. If their customers want to disclose their data to 22seven or other providers then the banks should make reasonable efforts to alert customers to the risks, limit access insofar as is required to reasonably protect their infrastructure and otherwise permit customers to take their data out. This is one area where Google has innovated with the Data Liberation initiative.


Data portability could create some fairly interesting situations for providers. One relates to competition between similar providers and how users wanting to move their data from one provider to another could affect ordinary competition. If users are given the ability to export their lists of contacts, connections, preferences and so on and import that data into a competing provider's platform, what would the constraints be on providers as between each other? At what point would a provider be competing unlawfully?

Humanise the data

Returning to Mullins' point about publishers and their untapped data silos, publishers shouldn't lose sight of whose data they are mining and the consents they may well require before passing it around their various operating divisions and partners.

That said, better use of that data can be in consumers' interests too (if the appropriate consents are obtained). Google has been arguing for years that knowing more about potential customers gives marketers the ability to present them with more relevant advertising. Facebook customises ads on the fly as you update your status and connect to people and Pages. As Mullins put it –

The publisher can help an advertiser to remarket to and re-target that customer who has, for example searched for LCD TVs online, read reviews and clicked on an ad; and is clearly in the market for a new television.

The middle ground is respecting consumers' rights and working within the parameters established by the law and prevailing legal frameworks with a view to presenting customers with marketing material they want.

Monday, 27 February 2012

Smarter sharing choices and your online reputation


When people think about online reputation management they frequently think about expression on social services like Twitter and Facebook. Equally important is the link between online sharing and reputation. Microsoft published a report last month titled "Online Reputation Management Is a Two-Way Street" which considered the impact public sharing has on reputation. The report has some interesting findings –

  • While 91 percent of people have done something to manage their overall online profile at some point, 67 percent feel in control of their online reputation, and 44 percent of adults actively think about the long-term consequences of their online activities.
  • 14 percent of people believe they have been negatively impacted by the online activities of others, even unintentionally so. Of those, 21 percent believed it led to being fired from a job, 16 percent being refused health care, 16 percent being turned down for a job, and 15 percent being turned down for a mortgage.

Taking more effective steps to safeguard your reputation means being more circumspect about what you share and with whom. As Microsoft's Chief Privacy Officer points out –

“Your online reputation is shaped by your interactions in the online world and spans the disparate and varied data about you, whether created and posted by you or others. This information can have a lasting presence online, and can affect your life in many ways – from maintaining friendships, to helping you keep or land a new job,” says Microsoft’s chief privacy officer Brendon Lynch.

Some practical steps you can take to better protect your reputation and your privacy include the following:

  • Familiarise yourself with your social service's privacy controls and adjust them to suit your preferences (there is nothing wrong with only sharing your Facebook posts with your friends and family);
  • Read and take notice of your social service's privacy policy (modern privacy policies are written in plain language and have important information about what personal information is collected and what is done with it);
  • Take the time to also read your social service's terms and conditions (these documents look like long, rambling torture devices but some of the clauses are very important – these include the content licensing provisions which set out the permissions you grant in respect of your content);
  • Search for yourself using various search engines to see what comes up (this sounds vain but knowing what is associated with you online is a basic reputation management technique; companies use paid online reputation management services, but if those are out of your price range you can use free services like Google Alerts and saved searches on Twitter to do some cost-effective tracking of your own);
  • Think carefully about making public statements or expressing your opinion on a topic if doing so may cause offence; and
  • Perhaps one of the most understated and most effective privacy controls you have is not to share in the first place (simply put, don't share anything you wouldn't want to be made public and appear in search results when someone searches for your name).

Privacy, like secrecy, is a rarity and we share more and more each day (roughly 50 million tweets per day, and Facebook had 845 million users at the end of December 2011). Moreover, there is an increasing number of services that can create aggregated profiles based on information drawn from a variety of online sources. If your reputation is important to you, it is essential that you start paying attention to what you share and think carefully about the possible ramifications for your reputation in the months and years to come.

Tuesday, 14 February 2012

Did your iPhone ask for permission to give away your address book?

Instapaper's creator, Marco Arment, made a good point on his blog about permissions and your phone's address book in the wake of the Path privacy controversy. It probably came as something of a surprise to many users that their iPhones are habitually handing over their address books to a variety of social services we use daily without so much as a prompt requesting permission to do so.

The popular Path app was caught uploading and permanently storing people’s entire address books on Path’s servers. People were upset, but what’s scarier is the bigger issue: apparently, this is a very common practice among popular apps.

Mobile applications are becoming more and more popular as more people start using smartphones instead of feature phones. These apps are increasingly social and that means that users are often prompted or otherwise given an opportunity to share their social graph with these apps and their underlying services. Users' social graphs may take the form of Facebook or Twitter connections (in which cases users are probably familiar with the more secure OAuth-based authentication processes to give 3rd party apps and services access to their profile information) or address books stored on the devices concerned.


Path partially addressed concerns about how it uploaded users' address books through the social app in a blog post titled "We are sorry.". The post was a terrific reputation management exercise and defused much of the anger directed at Path. That said, the general practice of uploading address books remains in place for the most part (although you can imagine that reputation-conscious developers will probably alert users to this practice in their apps going forward). What hasn't really been addressed is the permissions set at a device level which make this possible. As Arment points out –

When implementing these features, I felt like iOS had given me far too much access to Address Book without forcing a user prompt. It felt a bit dirty. Even though I was only accessing the data when a customer explicitly asked me to, I wanted to look at only what I needed to and get out of there as quickly as possible. I never even considered storing the data server-side or looking at more than I needed to.

This, apparently, is not a common implementation courtesy.

We can’t prevent services with poor judgment or low ethical standards from doing creepy things with the data once it’s sent to them. We can’t even realistically use App Review to only permit access to the Address Book fields (email, name, phone, etc.) that are justifiable for any given app to access, because there are too many gray areas.

One of the problems with allowing your address book to be uploaded is that you lose whatever control you may have had over that data once it leaves your device. In contrast, when users authorise Facebook or Twitter to grant access to their contacts to 3rd party services, they notionally retain the ability to revoke that permission and deny the 3rd party service further access to that data. With address book uploads, it's pretty much as the saying goes: you can't unscramble the egg.

As Arment proposes, one solution is that device manufacturers or smartphone OS developers build device or OS-level permissions into address book APIs such that users are clearly prompted for permission to upload or otherwise grant access to their address books when apps request it. Another option is that users should be more circumspect about granting this sort of access to their address books to 3rd party apps and services. Users frequently have a combination of sensitive and generally available personal information on their devices and simply granting access to their address books can prove to be problematic not just to those users but to the people who have entrusted their personal information to those users, sometimes with specific purposes in mind which exclude being shared with the popular social app of the day.

Update: Ars Technica has a related post titled "Developers say Apple needs to overhaul iOS user information security" about this issue which is worth reading.


Image credit: Dave Morin by Joi Ito, licensed CC BY 2.0