Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Thoughts on Google's policy changes

Last month, within thirty seconds of the BBC publishing a quotation from me on the latest round of the nymwars and Google+, my phone rang. Caller ID indicated that it was someone I know who works at Google. "Had I said something wrong?" was my first thought. I quickly retraced in my mind what it was that I had said to the journalist; I had responded in the article that Google's recent announcement could be seen as positive but really it was a sidestepping of the larger challenge of identity management. Yes, I'm surprised that the BBC printed the quotation too. Must have been a slow news day.

I answered the phone with trepidation, wondering if it was something I had said. Then I learned quickly that no, it was something that Google had done. It felt like 2010 all over again, that terrible year when Google released Buzz. And announced WiSpy. And countless ridiculous statements from Eric Schmidt.

This time Google announced that they were only merging their privacy policies under one single policy. This was the small development. This is not a good idea for so many boring reasons that most people won't quite understand. People don't read privacy policies. They are almost always inane statements of things that we are not meant to understand unless you are a privacy geek or a lawyer. What I liked about Google's previous myriad of policies, and other organizations with detailed policies, was that if you cared enough to read it you could find out exactly what Google was doing with your personal information. By bringing them altogether under one regime, the risk of vagueness increases. A privacy policy may become even more pointless for everyone involved.

But the main development from Google, and linked to the nymwars announcement, is that this was all about identity management.

Desktop deviation

In the world of the desktop computer, you have an operating system that cares not about who you are. It just asks if you have the privileges to install new applications, make core changes to the operating system, etc. Identity is meaningless.

In turn, you run applications. Your email client allows you to have multiple email addresses, and in turn multiple identities. I have three different accounts; I know people with many more (work, play, clubs and hobbies, etc.). Then you have a calendar -- or like many people, many calendars (again, work, play, clubs, family, friends, etc.). These apps don't really care about who you are, but the servers involved may: for instance, your work email server may care that you are the employee you purport to be before letting you download information.

In essence, you are the master of your domain and can have as many identities as possible. You can even set up multiple users on your computer. Your operating system may know the links between your identities, but it really doesn't care. But Google does care, and this is the real change that is occurring.

Google's ambition

Google is trying to move everything off your desktop. This is not necessarily problematic, though it does raise some security and privacy implications, but I'm not going to belabor those, at least not on this occasion.

Where Google is going wrong is that it wants all these identities to be merged into one single identity: you. Previously, you had a Gmail account; and separately at YouTube account, Buzz, G+. Now they want one policy and one identity to rule them all. They believe there is only one you, and that they need to know it.

I'm not saying necessarily they want your rank, file and serial number. In a sense, this was resolved slightly with the announcement last month that Google+ would permit you to have a pseudonym. But they still expect that beneath that nickname, Google will still know you.

Yes, you can fake your name. But this isn't about your name. It is about your identity. Google is imagining a world where you only have one identity at the core of everything. And they want to know that core: that beneath that nickname, there is someone who's interests they know based on your emails, searches, locations, friends, etc. Across all their platforms they want to treat you as a single person. Sure you can have multiple email accounts, multiple calendars, etc., but they want to know the person behind it all.

My computer cares not about who is behind all of the activities. But now your mobile phone that runs Android will signal to Google what you do; Gmail will signal what you do; when logged in, search will do the same, as will all the other products and services.

Google is doing this for two reasons. The first is obvious: they can better know what to advertise to you. This is not inherently a terrible thing, and they let you opt out if you want, or you can log out of some services if you like; and Google is notable for letting you have access to some of the data that they hold on you. It's not like they're a government and want to know everything about you, or create an ID card in order to monitor your activities.

Except, that this is the second reason: Google wants to be able to provide an ID card equivalent for the Internet. And there's a reason why.

Blame Facebook

Facebook has been quickly moving to establish itself as the ‘identity layer' for the internet. Want to log in to your favorite newspaper's website? You can of course create a username and ID, or you can use your Facebook account. Spotify has done this as well. By doing so, Facebook can become part of the transaction. And Facebook can also know what it is you're up to.

Facebook does want to know your name. And it will boot you off for not giving the right one. And Facebook believes anonymity is bad. This is because they want to advertise to you, and to know you. And they want to make billions of dollars doing so. Governments may be keen to identify internet users, but Facebook is actively changing the rules of the internet, for their own purposes.

Google wants some of this pie. After all, it can better know you for advertising purposes if it is involved in your interactions outside of Google's services. Sure they know your email use, and your mobile phone usage; but they don't quite know your wider use of the internet on domains they do not own. But if they were part of the authentication process, they could know ever more about you.

Optimism?

The most amusing thing is that 12 years ago Microsoft tried the same thing with its Passport. They wanted to hold on to all the keys for all your accounts, to make life easier for you. But nobody, for good reason, trusted Microsoft. How did Microsoft respond? They went off and started to do some fascinating research and product development on novel identity systems that empowered users, allowed multiple identities, selective disclosure, and resisted models where powerful central bodies oversaw all transactions.

But Microsoft knows best how to kill off good products, and so nothing much has happened with all that great research and development. This is where Google, if it is as smart as we all believe it is, can succeed: develop an online identity environment where there is no one central God overlooking every transaction, playing the role of authenticator in chief.

Unfortunately, so long as two of the enfants terrible of Internet privacy compete against each other for revenues and control, we'll have to watch from the sidelines as bad ideas are embedded into key internet services and labelled as ‘innovation'. And in today's environment, we can't question innovation.
 

This post was previously published on FlipTheMedia.

Add new comment