Google, Privacy, and You 30 June, 2007 — 17 commentsStuart Brown

On giant robots and dirty laundry

Posted in Google, Analysis
Tagged with: , , ,

Google as a giant robot

A secret ceases to be a secret if it is once confided - it is like a dollar bill, once broken, it is never a dollar again. (Josh Billings, 'Affurisms. From Josh Billings: His Sayings (1865)')

Google was recently touted as 'worst on privacy' out of a sample of online organisations, according to a study by Privacy International. Whether you agree with the verdict or not, there's no doubting that Google is in a powerful position as far as sensitive user information is concerned.

Google's popularity as a search engine is so far ahead of the competition that it is almost a sure bet that you, the reader, have performed a Google search recently. But never mind the sordid secrets of your search history, Google also has information from each of their seemingly-pervasive services - email, instant messenger, your location, what you've been shopping for, when you sleep, etc - all of which builds up a comprehensive profile about you and your interests.

With information like that, and the algorithms to match, Google could very well know more about you than you think.

'But how can they identify me?'

There are a number of distinct ways Google can track your activity - the most direct and simplest is by using your IP address. Whilst it is true for most people that the IP address will change over time, Google also employs the use of a HTTP cookie to track usage on a given computer - and the cookie in question is set to expire many years in the future.

With this combination of cookie and IP, Google can link you activity fairly closely on any single computer - but this system doesn't take into account situations where a user may access the internet from multiple locations, using different computers. Tracking across multiple access points like this is not so easy with IP and cookie alone - but should you use a Google service where you have to log in (such as Gmail, Google Reader, etc.), then even distinct sessions on completely separate networks can be linked together.

Put simply, for a user of Google's authenticated services, Google can track you whether you're at work, at home, or on holiday.

Location, Location, Location

The AdWords system may analyze a searcher's query (for example "London florist") to establish what location that person is searching for. The system may also take note of the person's Internet Protocol (IP) address to see where he or she is searching from. (from Regional and Local Targeting: Sharpen Your Advertising Focus)

Your IP address reveals more about you than you might think - it's more than just your location on a network. Most IP addresses can be geographically traced - usually down to your city, but often with greater accuracy - if your workplace has their own IP range, then Google know where you work.

If you use Google in more than one location - and if you sign in to a Google service - then you can be sure they put the information together, forming a profile of IP addresses and geographic locales you frequent - and possibly your place of work, the hours you spend there, and which days you have off.

This sort of information can be used to form a comprehensive profile on your activities - with knowledge of your geographic location, (potentially) your workplace and working hours (and hence gain an idea of your job sector), Google can build a up a profile of your life and employment habits. They potentially know whether you're a student, unemployed, working full-time or part-time, and based on your demographic and job sector, they may even have a good estimate as to how much your salary is.

Why would they build up a picture of your demographic and estimate your earning potential? Makes perfect sense if you're selling advertising - and with their AdWords program, Google are very interested in selling advertising space.

Not just Google.com

Speaking of advertising, you may be familiar with Google's own blend of text adverts. They're everywhere, and unless you specifically block them you're connecting with Google's own servers every time you see one. Presumably, this means that Google can track precisely which sites you're visiting - further helping to build up a profile of what sort of thing you're interested in.

It's not just AdWords, either - many sites (including this one) track visitors using Google Analytics, a free service that supplies visitor information to Google.

And if you've got the Google toolbar installed, every single site you visit is transmitted back, so there could be a massive web history linked together with your searching activity. The potential amount of information stored against each individual user is staggering.

But why collect this information?

Demographic site selection will help you choose sites where you're very likely to find the people you want to reach. (from AdWords Help Center: What is demographic site selection?)

Simple: ad targeting. A targeted advert is multiple times better than the blunderbuss approach, and Google's business model revolves around their advertising becoming very targeted. AdWords is a lot more complex than simply offering the same set of adverts for the same set of keywords - they know (based on previous ad performance and the information they've collected on you) which ads are more likely to appeal, and thus which are more likely to result in a sale.

By supplying the most relevant ads, they keep their advertisers happy by offering the maximum possible efficiency of their advertisements - and they maintain their high levels of income from such advertisers.

Of course, it's not just the advertisers Google have to keep happy - the search users themselves also need a reason to keep on coming back, and the information Google collect about your search history is now coming into play in the non-paid search results.

If Google knows is familiar with your particular interests, certain searches can be altered based on personal factors. For much of the search engine's history, Google has essentially performed 'dumb searches' - i.e. a certain keyword would return a certain result set, regardless of the user. More recently, however, Google have been introducing changes to the results based on parameters determined by the user - language and locale are two of the simpler variables, but you can be certain there are more in play, and Google are no doubt keen to incorporate their full knowledge of your past activity to maximise both their ad performance and their relevant search results.

Where does the personalisation end?

More relevant results are all very well and good, but as Google works to improve its knowledge of you, there is an increase in the number of ethical and privacy issues which they will encounter. Never mind the censorship issue in China, with advanced profiling there could be some moral quandaries.

Google is a company - they are a money-seeking organisation. At what point does ad-targeting stop becoming 'efficient' and enter the 'ruthless' territory?

Should Google identify your interests to such a strong degree that it knows precisely what you covet, what is to stop them from bombarding you with targeted adverts until you finally relent? Could this be the beginning of a new surge in targeted consumerism?

Imagine advertising desirable consumer products to those who can't afford it, waiting until they run up massive debts, then offering advertisements for 'debt relief services'. An autonomous system designed for making money is a dangerous thing indeed.

And what if, with their extensive profiling, Google were able to identify deeply personal issues with their searchers? Imagine if Google knew about your love life and marital status (think Google Romance, but in real life). What if the 'plex knew your marriage was on the rocks - would offering advertisements for divorce lawyers be a suitable thing to do?

What if Google noticed you'd recently lost your job, your wife, and that you were feeling a little depressed? If Google had you pegged as a suicide risk, would they serve public service ads for a suicide hotline?

Legal responsibilities

Contextual advertising is one thing, but the long arm of the law is another. What if Google knew you were conspiring to commit a crime? Would they ignore it, like a cold mindless machine, or would they intervene? Would a subpoena force their hand? Could anti-terrorism laws force a handover of information regarding everybody who's searched for 'how to make a bomb'? (The more paranoid reader may want to avoid clicking that last link)

There's simply no legal precedent for this sort of thing - nobody has been brought to trial for simply performing a search, but given the possibility for identifying high-risk individuals and the moral panic over terrorism, anything is possible.

Early 2006 saw a series of subpoenas issued to major search engines under the premise of the Child Online Protection Act. All the search engines, with the exception of Google, complied.

Make no mistake, though - this sort of thing will rear its ugly head once again, and Google will again face a tough time in terms of keeping user information private. Where moral panic arises, the requests for information from the search engines will follow again, and Google may yet be forced to supply information. The USA PATRIOT Act makes very liberal allowance for the use of surveillance by the US Government, should they suspect any criminal activity - and no doubt should any additional rights be needed under the guise of national security, new acts will be passed.

Despite garnering most of the Nineteen Eighty-Four-based ire, CCTV is a comparatively minor threat to privacy compared to the Orwellian ramifications of user profiling via the information Google collects. Should there ever be a case when someone is convicted based solely on their online activity, it will be a very dangerous precedent indeed.

A cause for panic?

The above is not to be taken too heavily. The information collected by Google at this moment in time is extensive, but it is largely used to determine the actions of Google's algorithms at the macroscopic, rather than the individual level. But personalisation is one of the key elements in Google's strategy, and will likely to dominate their plans over the next decade. I have no doubt that they aim to improve their services through individual targeting, but they more than anyone will be aware of some of the ramifications of doing so.

Those who do use Google should be aware - if not mildly concerned - that their information is being stored. There are, of course, countermeasures, such as deleting (or blocking) cookies from Google, and electing to use services other than Google's own. The adverts from Google can be blocked, also - but for the majority they will continue to be served, providing Google with their profits, and subsequently, the information with which to make profit more efficiently.

Caution is the watchword, then, as the future approaches - we must ensure Google doesn't become too powerful, lest we become dependent on it. For the time being, Google's internal motto, 'Don't Be Evil', serves as thin reassurance that the giant has our best interests at heart.

∗  View/add comments on this post (17)