Overview

As one who uses the Internet - a lot - I find myself using the concepts of security and privacy interchangeably. I intuitively know this to be wrong, and I actually know this to be wrong after having attended Open Data 2007. The issue of privacy permeated the discussion, and was driven home by the comments I blogged about last week. The ramifications of violating personal privacy were highlighted by Abdur Chowdhury, former Chief Architect at AOL Search, in his recounting the AOL release of search queries that led to the specific identification of people and their searches (and the subsequent firestorm that engulfed AOL). Three key questions concerning privacy and data that emerged from his harrowing experience:

• Why open up data? If you give up control, you hope/expect to make things better. If not, don't do it.
• What are you going to do once you open up the data? If 50 people ping you in a week to discuss the data, but you can speak to maybe 2-3 per week, how do you handle this?
• What are you going to do if something bad happens? Because companies fundamentally can't handle when stuff like this happens.

The New York Times ran a story last week about Google strengthening their privacy measures. After having read it, however, I think they would have been skewered by most of the Open Data attendees. Why?

Because the issue isn't simply the ability to protect your privacy, but the knowledge and awareness of how to protect your privacy. Is it Google's (and Microsoft's and Yahoo!'s and Ask's) responsibility to inform and educate, or to merely provide the tools to exercise personal privacy?

This is the $64,000 question.

Who's Really in Control?

My sense is that market forces will dictate what people will accept and that education concerning privacy and the ways of exercising it will eventually be free-flowing and available, but that there will be a significant lag between now and when this degree of awareness takes hold. Some excerpts from the NYT article are provided below.

The company (Google) keeps logs of all searches, along with digital identifiers linking them to specific computers and Internet browsers. It said on Wednesday that it would start to make those logs anonymous after 18 to 24 months, making it much harder to connect search records to a person. Under current practices, the company keeps the logs intact indefinitely.

********************

But it is unclear whether the change will have its intended effect. Privacy advocates reacted with a mix of praise and dismay to it.

“This is really the first time we have seen them make a decision to try and work out the conflict between wanting to be pro-privacy and collecting all the world’s information,” said Ari Schwartz, deputy director of the Center for Democracy and Technology, an advocacy group. “They are not going to keep a profile on you indefinitely.”

Others were less enthusiastic.

“I think it is an absolute disaster for online privacy,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. Mr. Rotenberg said his organization has been trying to combat efforts by law enforcement officials to require online services to retain search records for long periods of time.

He said that 18 to 24 months was too long, and added that because of Google’s dominant position, it would most likely set a de facto standard for data retention.

********************

Just how personally revealing such data can be became evident last year, when AOL released records of the searches conducted by 657,000 Americans for the benefit of researchers. While AOL did not identify the people behind the searches, reporters from The New York Times  were able to track down some of them quickly through their search requests.

The ensuing flap caused AOL to tighten its privacy policies. The company now keeps search histories for only 13 months and does not link them to Internet protocol addresses — digital tags that can identify a specific computer.

For its part, Yahoo keeps search data for “as long as it is useful,” said a spokeswoman, Nissa Anklesaria. And Microsoft said that while it does not keep search histories alongside I.P. addresses, it can connect the two if law enforcement requests it.

********************

Google may be tightening its privacy policy around search logs, but the company recently relaxed its privacy practices in another area. Earlier this year, Google users who signed up for services like Gmail that require them to sign in started to be automatically enrolled in a service called personalized search. The service tracks a user’s search history and tailors search results accordingly. Previously, users had to specifically choose to enroll in personalized search.

Users can opt out of the personalized search service and delete their search history. Still, some analysts believe Google should give users more notice.

“I don’t know that a lot of people have realized that that kind of change has happened,” said Danny Sullivan, who edits the blog SearchEngineLand.com. “You can delete your search history at any time —  if you remember.”

The Punch Line

Google's own policies and those of the other search giants reveal a very squishy and amorphous series of practices relating to privacy. Of course this is all about money - what else? Behavioral targeting. Getting more bang for your advertising buck. And sure, as consumers, don't you want ads that better target you and your interests? Well, some do and some don't. But the fundamental question remains - is it the consumers' responsibility to be aware of these privacy issues or the search engine providers' responsibility to inform? Does this, in fact, represent a kind of externality, where the search engine provider receives the lion's share of the benefit (ad revenues) off the backs of the consumer (loss of privacy)? Good question.

One thing is for sure: there are more PR firestorms to come. And given Google's current flap over YouTube, they might want to get out in front of this one and proactively create a set of "best practices" relating to privacy with which to lead the industry. Because it is the right thing to do and they can use all the good PR they can get.