Archive

Archive for the ‘Google’ Category

Google Bows to German Data Privacy Demands, but Only Germany

June 18th, 2009

Last month I noted that Google’s Street View service was being challenged by German data privacy authorities, who insisted that Google must permanently remove personally-identifying images from their databases (not just blur them in the user interface). Google argued that the original images are necessary to help the system “learn” how to automatically blur better in the future, but Germany feels (and I agree) that privacy must trump engineering in this case.

Google has conceded, and will now erase identifiable raw data depicting people, property, or cars upon request.

This is a first, and it is significant, but it is an exception only for Germany.

Rather than taking a broader value-centered approach to designing its systems, Google continues to base its decisions (primarily) on local laws. The U.S. lacks laws guaranteeing individuals “privacy in public,” so Google launched Street View with minimal (and poorly-executed) ability to protect one’s privacy. Canada, however, does have such laws, so Google decided to blur faces there (but only applies that engineering solution to Canada). Now, Germany wants the source data purged, so Google will only provide this privacy-protecting measure to that local authority.

A broader values-centered approach would (learning from the Canadian and EU legal environment) recognize that protecting one’s privacy in public might indeed be a fundamental right, and perhaps is something that must be designed into such a potentially privacy-invasive tool as Street View.

I’ve informally chatted with Google folks about these issues, and I applaud that they do have law/policy folks on every product team. But too often, when asked about something like “why didn’t you blur the faces in the U.S. version”, the answer is “the law doesn’t require it”. Such a strict legal approach to designing (or not) ethics into products is extremely shortsighted.

Do we need to start calling for Chief Ethical Officers in our corporations?

Google, Privacy in Public, Street View, Values in Design

Dear Google: Make Security and Privacy the Default in the Cloud

June 16th, 2009

Today, a six page letter was sent to Google’s CEO, Eric Schmidt, asking Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

The open letter is signed by 38 researchers and academics in the fields of computer science, information security and privacy law — myself included. The letter was spearheaded by Christopher Soghoian, a computer researcher, programmer and privacy activist, and it has already received some press coverage at Wired and NY Times.

From the letter’s executive summary:

This six page letter to Google’s CEO, Eric Schmidt, is signed by 38 researchers and academics in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users’ communications from theft and snooping by enabling industry standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar.

Google already uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the configuration option controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help.

Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers’ sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar.

Rather than forcing its customers to “opt-in” to adequate security, Google should make security and privacy the default.

HTTPS is commonly used by banks and e-commerce websites to protect sensitive user information in transit; it ensures that anyone “snooping” on the network cannot see your password or credit card information “in the clear”. While Google does use HTTPS when you log into your Gmail or Docs account, thereby protecting your password, the remainder of your activities on those applications occur unencrypted, leaving everything you do and type susceptible to snooping. Google does allow users to turn on HTTPS for all of their activities, but the default setting is for less-secure processing, and Google does a poor job of promoting and explaining the benefits of using a secured connection (sound familiar?).
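The pattern the letter objects to (HTTPS for the login page only, cleartext for the rest of the session) is easy to spot in a browser or proxy log. The audit below is an added example, not code from the letter or from Google; it assumes the authenticated session rides on a cookie issued at login (hypothetical names, constructed log entries).

```python
from urllib.parse import urlparse

# Constructed sample of one user's session, as a proxy or browser log might
# record it. Hostnames and cookie values are made up for the example.
SESSION = [
    ("https://accounts.example.test/login", {"Set-Cookie": "SID=abc123; HttpOnly"}),
    ("http://mail.example.test/inbox", {"Cookie": "SID=abc123"}),
    ("http://docs.example.test/edit?id=42", {"Cookie": "SID=abc123"}),
    ("https://health.example.test/records", {"Cookie": "SID=abc123"}),
]


def set_cookie_is_secure(header):
    """True if a Set-Cookie header carries the Secure attribute, which tells
    the browser never to send that cookie over plain HTTP."""
    return any(part.strip().lower() == "secure" for part in header.split(";"))


def audit_session(requests):
    """Flag the 'HTTPS for login only' pattern.

    Returns the cleartext requests that still carried a session cookie
    (exposing the logged-in session to anyone on the same network) and the
    names of cookies issued without the Secure flag.
    """
    cleartext_with_cookie = []
    insecure_cookies = []
    for url, headers in requests:
        scheme = urlparse(url).scheme
        if "Set-Cookie" in headers:
            name = headers["Set-Cookie"].split("=", 1)[0].strip()
            if not set_cookie_is_secure(headers["Set-Cookie"]):
                insecure_cookies.append(name)
        if scheme == "http" and "Cookie" in headers:
            cleartext_with_cookie.append(url)
    return {"cleartext_with_cookie": cleartext_with_cookie,
            "insecure_cookies": insecure_cookies}


def default_is_secure(requests):
    """The letter's yardstick: every request of the session is over HTTPS."""
    return all(urlparse(url).scheme == "https" for url, _ in requests)
```

The same check passes on a session in which every URL is HTTPS and the login cookie is issued with Secure, which is the configuration the letter asks for by default.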

The letter asks the following of Google:

[R]ather than forcing users to “opt-in” to adequate security, we strongly urge you to make security and privacy the default setting, and allow informed users to “opt-out” of the encryption if they feel it is an unnecessary burden.

If Google insists on not enabling these encryption-based protective measures by default, the company should at least make the consequences of this decision more prominent, so that users make a fully informed choice. Few users know the risks they face when logging into Google’s Web applications from an unsecured network, and Google’s existing efforts are little help. We suggest that, at minimum, Google do four things:

  1. Place a link or checkbox on the login page for Gmail, Docs, and Calendar, that causes that session to be conducted entirely over HTTPS. This is similar to the “remember me on this computer” option already listed on various Google login pages. As an example, the text next to the option could read “protect all my data using encryption.”
  2. Increase visibility of the “always use https” configuration option in Gmail. It should not be the last option on the Settings page, and users should not need to scroll down to see it.
  3. Rename this option to increase clarity, and expand the accompanying description so that its importance and functionality is understandable to the average user.
  4. Make the “always use https” option universal, so that it applies to all of Google’s products. Gmail users who set this option should have their Docs and Calendar sessions equally protected.

Google has responded, acknowledging these concerns, but stating they “want to more completely understand the impact on people’s experience” before making HTTPS the default. Google seems most concerned about HTTPS’s impact on speed, asking rhetorically “Does it load fast enough? Is it responsive enough?”. These are loaded questions, since users typically don’t know what “enough” is, especially when they aren’t fully told the security risks of not using HTTPS.

We further address this issue of latency in the letter:

Once a user has loaded Google Mail or Docs in their browser, performance does not depend upon a low latency Internet connection. The user’s interactions with Google’s applications typically do not depend on an immediate response from Google’s servers. This separation of the application from the Internet connection enables Google to offer ‘offline’ versions of its most popular Web applications.

Even when low latency is important, financial firms such as Bank of America and American Express have demonstrated how to provide users with a pleasant, low-latency browsing experience, while still implementing strong encryption by default. Likewise, Adobe’s cloud-based Photoshop Express lets users interactively edit images via a Web application that is 100% encrypted by default.

Other Google applications demonstrate that security need not come at the cost of performance. Google’s Health service enables users to browse through and manage their private health information online. Google’s Voice service lets customers initiate VOIP phone calls, send text messages, and manage voicemail inboxes. However, unlike with its Gmail, Docs, and Calendar products, Google only provides access to Health and Voice via HTTPS encrypted communications sessions, recognizing the highly sensitive health and call record information users entrust to Google. Likewise, Google’s AdWords and AdSense products, which are the backbone of Google’s advertising business, can only be managed by customers using a secure HTTPS connection.

Google’s engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense – we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default.

I hope Google does the right thing and puts the privacy and security of its customers first by making the changes described in this important letter.

Google, Privacy, Security, Values in Design

Google Continues to be Challenged on Street View

May 23rd, 2009

Google’s Street View product has been criticized by privacy advocates since its very inception, including various posts on this blog. Two years after its release, Google continues to face challenges over its collection and treatment of potentially personally-identifiable images of people in public spaces.

Most recently, Germany has noted that Google’s (reluctant) blurring of faces and license plates is not enough, demanding that the original images themselves be permanently removed from their databases. Google argues that the original images are necessary to help the system “learn” how to automatically blur better in the future. This sounds like a valid need from an engineering perspective, but the key dilemma here is how to manage the balance between engineering and ethics. Just because the engineers want to have access to the original images doesn’t mean they should remain.

These are difficult decisions to make, but we’re here to help.

Meanwhile, I’ll take this opportunity to reiterate what I’ve previously suggested Google do to alleviate some of the privacy concerns with Street View:

  1. Make use of their own facial recognition technology to automatically scan the Street View image database to identify and blur all faces, thereby protecting privacy and differentiating themselves from Microsoft’s offering. This should be done in all Street View products, not just the Canadian version.
  2. Make reporting inappropriate images easier by placing a specific “report this image” link on each image screen, not just a generic “help” link.
  3. Think harder about privacy in public, and recognize that just because a random person can take another random person’s picture in public doesn’t mean there’s no difference in having a similar image available on Google.

Google, Privacy in Public, Street View, Values in Design

Stutzman: Google exposes Book Search patron records

May 13th, 2009

I’ve written frequently about how the shift from accessing information in offline spaces to online spaces has particular privacy implications. For example, strikingly different privacy norms and expectations emerge when comparing information-seeking activities in libraries vs. bookstores vs. Google Book Search.

Today, Fred Stutzman revealed a particularly troublesome example of how relying on the “My Library” feature of Google Book Search might mean you have even less privacy with regard to your online intellectual endeavors:

I was shocked to find out that saving a book to your library requires that the book be added to your “shared library”, a public listing tied to your Google account.

There is no way to save a book privately in Google Booksearch. As Google writes in their FAQ, “When you add reviews, ratings, notes, or labels to a book—or when you add a book to your my Library page—that information will be publicly displayed on Google Book Search.” They go on to write that “No matter where you use these features, the information you submit will be displayed publicly.”

I couldn’t believe it either. If you want to set up a Google Library, even if it is just for convenience’s sake, you have to show the world what you’ve been reading. As far as I can tell, there’s no good technical or legal reason why one can’t save a book privately, or limit their book-sharing to a group of friends. This decision seems arbitrary and downright scary (or at least terribly ill-advised).

Stutzman points out the incongruence between Google’s policy and the American Library Association’s longstanding code of ethics, bill of rights, and core values, including their commitment to protecting patron privacy:

I must wonder why Google is not adhering to ALA policy, and the broader cultural norm of protecting library patron privacy. As Google partners with large institutions and attempts to monetize Booksearch, failing to respect patron privacy seems foolish and potentially dangerous. A patron researching a sensitive topic, or a topic that reveals information about the patron (for example, books about a health condition) will have their information revealed publicly if they add such a book to their library.

I also suggest a read of the comment thread on Stutzman’s post, where a suggestion has been made (channelling Zuckerberg) that all your favorited books should be public in an ideal world. Stutzman aptly counters such a proposition.

This is a serious design flaw (or a seriously flawed design decision). Google must act quickly to give users control over which books in their library are publicly viewable.

Google Book Search, Google Print, Intellectual Privacy, Libraries

Google + China + Free Music = A New Business Model for Online Music Distribution?

March 30th, 2009

News reports indicate that Google will begin providing free music downloads in China.

Apparently Chinese Internet users have grown so accustomed to downloading music online that piracy and illegal downloading have impacted music sales there even more than the problem the RIAA claims to face here in the U.S. Relatedly, Google has been struggling to take market share away from Baidu, the leading Chinese search engine.

The win-win solution seems to be for the music companies to join forces with Google to create a free music download option for the Chinese market. In the deal, Google will start directing music searchers to Top100.cn, a Chinese Web site in which Google owns a stake, which will provide free downloads that have been properly licensed from the music industry. Top100.cn will sell advertising on its website, and the music industry will reportedly earn 50% of that revenue. Google hopes to get increased search activity due to the lure of free (and better quality?) downloads.

The obvious question: if this business model is good enough for the 300 million Internet users in China, why not adopt a similar model for the 300 million users in the EU, or the 220 million in the U.S.?

China, Google, Intellectual Property, Music

Google Classic

March 28th, 2009

[Via Ann Bartow at Madisonian.net, via Bits & Pieces, etc]

UPDATE: Adam Thierer at Technology Liberation Front jokes this is where increasing privacy regulations might lead us. I disagree, as this would have the opposite effect of any privacy-protecting regulation.

To work, I’d need to give Google my home address to return the results, Google would gain the ability to construct my psychological profile based on handwriting analysis, log my ink preferences, discover which post office I use, etc. :)

Google