Google Data Mining Changes: Privacy Reform Needed
Google's decision to end its practice of scanning student emails for advertising purposes -- and to make "similar changes" for all Google Apps customers -- is a major victory for privacy but raises new questions.
Google announced in a company blog post April 30 that it will end its practice of scanning student emails for advertising purposes and will stop displaying ads to Google Apps for Education customers. This is a major victory for privacy advocates who have been calling on Google for years to keep its advertising interests separate from its education products.
As the announcement explicitly states, "Google cannot collect or use student data in Apps for Education services for advertising purposes." But Google also said that it is "making similar changes for all our Google Apps customers, including Business, Government and for legacy users of the free version."
Although the announcement is an important step, it raises questions about the company's practices in the past -- and for the future. Will Google stay committed to the "free" education space when it can no longer monetize student data?
Data mining government emails
As part of the announcement, Google said it will no longer collect or use data for advertising purposes from its Google Apps for Government customers. This admission raises some critical questions concerning Google's past privacy practices. For example, has Google been using government data collected from its Google Apps users for advertising purposes all along? What will happen to the data that was collected in the past? Will the company keep it or remove it from its servers?
[Big data raises serious privacy concerns for the Obama administration. Read White House Big Data Report: 5 Privacy Takeaways.]
When Google first announced its new privacy policy in February 2012, SafeGov.org, an online IT forum led by experts and privacy advocates, raised flags about Google's use of government customers' data. In response, Google said it had special agreements in place that governed the use of its education, government, and business data.
However, recent court documents have in fact shown that Google's permissive privacy policy is in effect for all users. Google's statement reaffirms this has been the company's practice to date. If Google has been mining and monetizing government data for its own purposes, the company should not only commit to ceasing this practice, but should also remove this data from its servers and face potential sanctions from government agencies whose private data has been misused.
It's time for a new privacy policy
In order for Google to fulfill the intention promised in its latest announcement, the company must immediately change its consumer-oriented privacy policy. A single privacy policy sounds like a good idea, but this ignores the fact that there are disparate interests, expectations, and laws that govern how user data can be accessed and combined across different customer segments.
To that end, Google needs a business-oriented privacy policy for government, enterprise, and education users that clearly states customer data will be used only to deliver services with no secondary data use such as improving search or developing new services. It's not good enough to state that data won't be used for advertising purposes.
What does this mean for federal CIOs?
The bottom line for federal CIOs is the importance of reading the terms of service and privacy policies for all services and devices. If the terms are not appropriate, federal CIOs should negotiate new conditions or look for alternative offerings.
This is particularly important when considering new offerings or developing BYOD policies. Under no circumstances should data be used for purposes that are not directly related to delivering the offering.
What about Android?
Google's Android operating system has grown to be the dominant mobile device platform in the market. Android phone and tablet customers include government workers, business users, and students. Google's terms of service cover these devices as well. The terms give Google broad rights to use all data that passes through an Android device to improve its search offering or develop new services.
This open-ended license is over-reaching for consumers, and it is definitely unsuitable for government, business, and education users. Mobile communications and content stored on or passing through mobile devices should remain private.
New era for privacy
With the collapse of InBloom last week and Google's announcement last week, privacy activism has been brought to the forefront. Simply put, privacy is having a real impact on how businesses operate and treat private user data in the cloud.
Google's announcement is a step in the right direction, but much more needs to be done to address government, business, and education users' expectation of privacy. Using cloud services and mobile devices should not result in a loss of privacy or a misuse of data. We hope that Google's announcement is the first of many steps toward restoring real privacy.
The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022