Journalism Research and Random Meanderings

Thursday, April 08, 2004

Google Gmail privacy debate shows we are big brother but we just don't want to admit it to ourselves. 

The World Privacy Forum in conjunction with 27 other privacy and civil liberty organisations wrote a letter (dated April 6, 2004) outlining their concerns and calling on Google to 'suspend Gmail service' citing major privacy concerns even though Google's Gmail press release announced on April 1 that "a handful of users will begin testing the preview version of Gmail."

I admit I'm a Google fan, but in Gmail's defense there's not much privacy to be had on the 'net anyway. Keep in mind the Internet was intended for the open sharing of information. Any form of discourse on the 'net is akin to having a conversation on a crowded bus. The only thing that keeps it private is social convention.

What is Google doing that's so wrong? E-mail is already scanned for viruses and spam and we'd be upset if it wasn't. E-mail would be unusable without filtering and to expect service providers (commercial or otherwise) to ask every e-mail user for permission before opening a 'private' message is to place an undue burden on organisations that could conceivably be held responsible if they let the wrong message through. While that's not the same as letting a for-profit enterprise open e-mail and stick ads in it they're only held apart by an opt-in check box.

In practical terms, one mouse-click on a registration form (and sometimes not even that) is all it takes to give up the same level of privacy that Gmail would take from its users. Subscribing to Gmail is the same as opting-in to receive ads when you join Lavalife.

No criticism of Lavalife's privacy policy is intended here. I just picked it arbitrarily as an example of how deeply personal information about something like our dating and mating behaviours is exposed on the 'net.

Lavalife's privacy policy states they are "a licensee of the TRUSTe Privacy Seal Program which is an independent, non-profit initiative dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world." It states; what personally identifiable information is collected through the web site, how the information is used, with whom the information may be shared, the choices available regarding collection, use and distribution of the information, their security procedures and how you can update your information.

Essentially it says they do analyse your online behaviour for advertising purposes but avoid personally identifying you. What people may not think about is that the advertising they facilitate may have different privacy policies Lavalife can't control. Privacy policies interlock into a lowest common denominator patchwork where the protection efforts of many well-intended, ethical entities can be obviated by one unscrupulous or simply negligent one.

We may feel better reading a company's privacy policy but the truth is there is nothing to stop an organisation from collecting one sort of data from one source and another somewhere else, aggregating them and putting together a dossier on an individual.

More deeply disturbing to me is that, as a computer tech that has worked with the confidential data of literally hundreds of businesses over twenty years, nobody has EVER checked my background or asked me to formally declare my respect for any sort of confidentiality. There are no licensing programs for IT staff. We've been looking down your data pants from the word go.

There are hundreds of thousands of IT people on the planet. Any number of them can, with a few keystrokes, siphon off reams of confidential information for personal gain. Even if the breach is discovered, if they have taken steps to falsify their identity going in or cover their tracks going out, there is little that can be done about it after the fact. The only thing protecting confidential data is the possibility of legal repercussions and social convention. Given the lenient sentences handed out for white-collar crime (in Canada at least) somebody could decide the financial gain is worth a short stint in Club Fed.

Keeping things in perspective, this is not a phenomena unique to the 'net. In the physical world locks and alarms only keep out honest people. A determined professional will circumvent or simply ignore these and go in and get what they want anyway.

There is another point that needs to be made here. So far I have only talked information flowing in one direction: from the individual to the organisation. What about information that comes _to_ us from the 'net? Continuing with the example of a social network like Lavalife, how much should we trust the other people in that network? It's rather doubtful they have all been honest about who and what they are. There is no way for the administrators of a social network to verify this without checking the personal information of the users. How much privacy would you give up to know that everyone else on your dating board is who they say they are?

Gmail quite openly states they are going to look at every message. This will be done by machines, mostly because there's no practical way for humans to do it, but there will be errors and exceptions that will have to be handled by humans and you can be sure human programmers will be looking at some of the messages of the test users for the purposes of correcting and improving the code.

What if Google is on to something here? All we're hanging onto at this point is the tenuous illusion of a permeable shell of privacy. What if we just dropped the rotting veil of pretense and opened everything up? We have the technical and storage capacity to track everything and audit the smallest transactions. There are some potentially awesome benefits. How would our public servants and elected officials behave if they knew that anyone could see everything they did on our behalf because certified and licensed IT staff manned secure systems that recorded everything?

If we expect transparency from others we have to be ready to offer transparency ourselves. Me, I believe that *all* information should be free. Not because no harm will come from that but because the good that comes from it outweighs the potential harm. Trust is too valuable a commodity for us to bandy about willy-nilly and besides, I don't trust trust - I want to know for sure.