When Google launched Google Latitude 9 months ago, they took steps to ensure users’ locational privacy was protected. Among the most important privacy-protecting features was the fact that Google didn’t keep a log of user locations on its servers; only the most recent locational ping was stored. Not even law enforcement could gain access to a user’s location history. This design decision, apparently made in consultation with the Electronic Frontier Foundation, was a very positive step for Google, with whom I have taken issue in the past with regard to its approach to (not) protecting locational privacy.
Last week, however, this all changed. Google announced two new “features” in Latitude: Location History and Location Alerts.
Location History allows users to opt in to having Google keep a history of their locational data tracked by Latitude. Only you can see it, and you can remove items from your history, which is great. But for everyone who activates this service, there’s now a log in Mountain View of everywhere your cellphone has been, a log that could be shared with third parties in accordance with Google’s privacy policy.
More people might activate Location History when they learn about Location Alerts, a service that notifies you if a friend happens to be nearby. The beauty of Location Alerts is that you won’t be alerted when people are simply engaging in their routine activities (i.e., you won’t be alerted every time your coworker sits down at their cubicle across from you). Instead, it “learns” what users’ “normal” locations are, and only notifies friends if they are nearby in an unusual place or time. To make this work, you need to have Location History activated, and in the process, Google is able to create a type of “locational profile” for each user. It is unclear whether this profile might be used for other purposes (e.g., targeted advertising).
Google, of course, realizes the privacy implications of all this, and again takes some steps to help mitigate these concerns. There are FAQs for each product detailing how they work and the privacy concerns; the services are opt-in; users are reminded periodically when they have Location History activated (Google should do this for all products, btw).
But all this makes me wonder: did Google plan to provide these services from the start, just with a delay? Did Google learn the lessons of Facebook, which repeatedly bites off more than it can chew as it relates to users’ privacy, and decide to launch Latitude without these features, thereby winning the praises of privacy advocates (guilty), and then strategically add them 9 months later, claiming it is simply in response to user demand?
If my fears are true, it’s not quite what I had in mind when calling on Google to engage in value-conscious design in order to protect user privacy.