Ryan Radia

Why Google won’t do evil

In response to Adam and Berin’s excellent introduction to their Googlephobia series, invaluable TLF commenter Richard Bennett succinctly sums up the rap on Google.

There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers. But the relevant question isn’t whether Google could do evil, but whether it realistically will. What incentive is there for Google to do anything but keep private data as secure as humanly possible? Sure, Google could earn a nice chunk of change if it were to sell user search queries to the highest bidder. But why would Google put its entire business on the line for a comparatively insignificant short-term gain?

A major privacy breach is Google’s nightmare scenario. If anything happened to cause users to lose trust in Google, they’d go someplace else for email and search. Advertisers would follow suit, causing Google’s stock price to plummet. Google might never be able to recover from a severe privacy fiasco. Obviously, Google is well aware of its vulnerabilities on privacy, which is why Google has incredibly strong safeguards to ensure that sensitive data can’t be uncovered by a rogue product manager with an itchy trigger finger.

Then there’s the liability issue. The multi-billion dollar lawsuits that would ensue were Google to suffer a data breach or an internal leak would deal a serious financial blow to the company, especially because Google’s privacy policy is more than just a comforting statement—it’s legally binding.

We go about our lives everyday with the ever-present risk that companies that we do business with could, in theory, give out our personal details. Comcast could sell its subscribers’ web browsing histories. Bank of America could offer individual financial records for a small fee. AT&T could put its wireless subscribers’ GPS locations online for all to see. But like Google, all of these firms have an overwhelming incentive to not do “bad” things with personal data.

Many users are comfortable enough with Google to use its services frequently without even masking their IP address. And those users who are worried about the small chance that Google might fumble on privacy already have plenty of safeguards that have been discussed in great depth here on TLF. Even if you want to use Google’s services, there are several methods to prevent Google from being able to identify you.

Ultimately, the threat to privacy posed by Google is far less worrisome than the risk of government agencies or hackers doing evil things with our personal information. We should remain vigilant, and call out Google when its practices result in unecessary privacy risks. The growing anti-Google hysteria, however, is seriously overblown.

September 12, 2008 | Comments |

Viewing 6 Comments

    • ^
    • v
    Online privacy is potentially a "Superfund" problem. If example.com is a corporation that earns $1 million per year, has a market cap of $20 million, and has a 1% chance of an toxic leak that will cost its neighbors $1 billion, it's rational for the company's owners to keep operating it. The expected annual loss from a leak is only $200,000.
    • ^
    • v
    > There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers.

    Okay, so we agree that all Google now needs is motivation to do evil; or, phrased differently, lack of motivation to behave virtuously.

    > But the relevant question isn’t whether Google could do evil, but whether it realistically will.

    Since the information they gather is theirs forever — the users certainly have no practical control over it once it's granted to Google — that “will” becomes “will, ever, at any point in the future”.

    > What incentive is there for Google to do anything but keep private data as secure as humanly possible?

    Here you make the fallacy of assuming that Google's *current* model is sufficient guarantee that they will *forever* have incentive to be virtuous with the data we give them every day over time.

    The correct question is: How likely is it that Google's model, leadership, or shareholder pressures, forever into the future, will always be sufficient to constrain Google to act virtuously with the data gathered on all parties that interact with them over their entire history?
    • ^
    • v
    Google doesn't keep its users' data forever. It anonymizes search logs after 9 months, and if you have a Gmail account, when you hit "Delete" that data will be completely wiped off Google's servers and its backups within a matter of months.

    And it's not even necessary for Google to care about behaving "virtuously." To do anything but safeguard privacy would be suicidal, even if Google's business model were to change down the line. Google can't change it privacy policies to the detriment of its users without their explicit permission.

    There are privacy risks to using Google's services, as there are with using any company's services where that company will have possession of personal info. With respect to Google, I think these risks are fairly trivial, but different people have different levels of risk aversion. Fortunately, nobody has to use Google--you don't even have to give Google your IP address to use it search engine (A topic I will be discussing in greater detail soon).
    • ^
    • v
    There's more than one way to be evil. Google's forays into the world of online content (e.g. knol, YouTube) puts their might, and their pagerank 10 domain directly in competition with other online content companies, many of whom monetize via Adsense. While the current team at Google does a great job, I think there is a valid concern that at some point in time they will be tempted by the financial incentive to place their own properties higher in the search results than they otherwise deserve.
    • ^
    • v
    I love Radia's effort to distinguish between big, bad government, and nice, gentle private corporations. That really worked in the NSA wiretap scenario--those big companies went toe-to-toe with big gov't to obey the law and keep user data secret. Not.

    Read the Cory Doctorow story, Scroogled. You give zero reassurance that the scenario he describes can't happen here:

    http://www.radaronline.com/from-the-magazine/20...

    It's absurd to assume that big companies that gather massive amounts of data won't simply give it up to the government secretly--as all the big telecoms did....except Qwest, which was then promptly denied government contracts.

    The libertarian belief that big gov't and big business are totally separate entities can sometimes approach the delusional. You're coming asymptotically close.
    • ^
    • v
    When Google was asked by the Justice Department to provide a list of user search queries, Google said no--unlike several other search providers. In fact, Google went to court, ultimately prevailing against the DoJ.

    Under its     legally binding privacy policy, Google cannot blindly comply with government data requests. Google has the right to hand over personal information only when there is a legally binding court order. Google also examines subpoenas to ensure they are not overly broad, and is even willing to negotiate agreements to protect user data when litigation puts privacy at risk.

    And unlike the telecoms, which are permitted by federal law to engage in warrantless wiretapping if they receive certification from the U.S. Attorney General, Google has no back door that allows it to violate users' privacy. If worst comes to worst, and Google abrogates its privacy policy, users are entitled to seek recourse in court.

    Of course, Congress could always grant immunity, just as it did for the telcos when they allowed the NSA to monitor customers’ phone calls and transmissions. But if Congress and the executive branch are ultimately responsible for violating our privacy, it makes little sense to focus the blame on the Googles of the world.

    What we need is a government that doesn’t trample over Constitutional protections and a Congress that checks executive power as the framers envisioned. Then we wouldn’t have to worry about our search provider being pressured to hand over our private data. No federal agency should be above the law, and consumers deserve the right to sue whenever a firm breaks its contractual obligations.

    Libertarians—at least those who post here on TLF—are fully aware of the troubling privacy violations that have been perpetrated by government when it works in collusion with private businesses. Yet the root of the problem isn’t that some companies have our personal data, but that government has the power to compel the production of this data with nothing more than a subpoena—and sometimes even less.

    Jim Harper has written numerous blog posts and a law review article against the Third-Party Doctrine, which holds that individuals have no reasonable expectation of privacy over personal information that has entered into the possession of a third party. And TLFers including Adam Thierer and Berin Szoka have discussed in great detail privacy-enhancing technologies that empower users to browse the Web anonymously. So I think it’s hardly reasonable to state that libertarians are “delusional” when it comes to the relationship between private companies and government.

Trackbacks

blog comments powered by Disqus