Google Feature Raises Legal, Privacy Issues

Unless you’re not on the Internet, you can hardly have missed the brouhaha being raised over the latest upgrade to Google Desktop Search. It’s marvelously convenient to be able to search all of the computers you own for the file you need, regardless of what computer you’re presently working on. But is it worth the privacy you must give up to use it?

Normally I’d be very excited about new features offered for services coming from Google. If they hold the promise of helping me to get better organized by finding what I’m looking for more quickly, I’m all over it. And indeed, the newest upgrade to Google Desktop Search makes me and lots of other Google watchers very excited — but probably not quite in the way that the search engine giant intended.

Google targeted the new feature to users who work regularly at more than one computer — a home PC and a work PC, for example. Presumably it would also work as well with laptops or PDAs. The feature, which is an upgrade to Google’s Desktop Search, allows users to search any of the computers in their personal network for a file, and grab that file. So if you’re at home and you need some files from work, or — all too common — you’re on the road with your laptop and you suddenly find you left the most up-to-date version of that important presentation on your computer at work, there’s no need to panic or feel frustrated.

There’s a catch, however, to the way Google enables the function to work. All of the computers that you will be searching must have copies of Google Desktop 3. The software then indexes the information on the computers’ hard drives — by default, Google Desktop 3 indexes everything unless you tell it otherwise (that’s an important point that I will return to later). Google Desktop 3 then sends copies of these files to Google’s own storage system. That’s right, if you want to use the computer-to-computer search function, you must agree to allow Google to hold your data!

Google has said that it will encrypt all data that it receives from users’ hard drives, and that it will hold no data longer than 30 days. Furthermore, it will restrict access to this data to only a very small number of its employees. Call me paranoid, but that isn’t very reassuring to me. If you don’t see the legal and privacy ramifications inherent in Google holding this kind of data, even for a short period of time, don’t worry, I’m about to spell them out for you.

Privacy Policy — Not Enough Privacy?

Marissa Mayer, Google’s vice president of search products and user experience, made an important observation about the new feature: “We think this will be a very useful tool, but you will have to give up some of your privacy. For many of us, that trade off will make a lot of sense.” True enough — but for many of us, it won’t. It’s worth doing a little digging to find out exactly what we might be giving up in terms of privacy.

For that, we need to take a look at Google’s privacy policy. The policy was just updated on February 9, 2006, to take the upgrade to Google Desktop Search into account. Google treats your indexed files from your computer as “personal information.” There are certain circumstances under which Google does share personal information “with other companies or individuals outside of Google.” It’s the vagaries of the third condition that the search engine lists that raise the hairs on the back of my neck:

“We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.”

First of all, if you were trying to comfort yourself with the thought that “there’s no way Google actually looks at all that data,” you can forget that right now. The mere fact that this condition is there indicates that Google does look at the data, at least with machine algorithms — how else would they even get a “good faith belief”? My guess is that, if the algorithms find something “odd,” your data may get looked at by real people to determine whether it breaks Google’s Terms of Service — or any actual laws.

In fact, you should take another look at (a), and think in terms of a wide interpretation. Have you pirated a game and have a crack for it on your PC? Google can bust you. What about pirated movies or music? Yep, Google can get you for that too. In short, if you agree to use the computer-to-computer search feature, you might as well be signing a piece of paper that says “I give Google permission to act as a personal police officer on my back.”

A Government Information Grab

These issues are particularly alarming in light of recent activity from the U.S. government. The Bush administration is trying to revive the Child Online Protection Act (COPA), a 1998 pornography law that was struck down by the U.S. Supreme Court two years ago. The law sought to ban Internet sites from displaying content that the government deems “harmful to minors.” The Supreme Court blocked it on the grounds that it was too intrusive, and stated that it should not be enforced unless less intrusive measures such as Internet filtering are shown to be inadequate.

That’s where the U.S. Justice Department comes in. In late January, it subpoenaed Google in an attempt to prove that pornography is so pervasive it requires a federal law to shield minors. The department is seeking a sample of a million websites from the billions that Google currently indexes, plus all of the search terms typed into the services during a one-week period. Yahoo!, MSN, and AOL have already complied with the subpoena; they say they have done so without compromising their users’ privacy. As of this writing, Google has refused to comply, on the grounds that it violates its users’ privacy and its own trade secrets. “Google is not a party to this lawsuit and their demand for information overreaches,” maintains Nicole Wong, Google’s associate general counsel. “We intend to resist their motion vigorously.”

While Google correctly realizes that this is a fishing expedition, it might not have strong legal ground to stand on. To understand that, we need to go back in history, to 1986, when the Electronic Communications Privacy Act was enacted. This law was created in the days before the Internet became widely used, and before people stored large amounts of information (such as emails) in places other than their own computers. Basically, files stored with online service providers can be obtained by lawyers merely by filing a subpoena. If those same files are stored on your computer, it takes a court order to get them into the hands of a lawyer, which is a little more difficult to obtain than a subpoena.

The Electronic Communications Privacy Act was not forward-looking as far as technology is concerned. It was mainly created with the idea of preventing email and similar providers from sharing their customers’ personal data with third parties, so it didn’t consider how search engines and other companies might collect data on their users. So even what little privacy protection the law provides might not extend to data collected by Google or the other search engines. That means a government lawyer — or even a civil one, such as a divorce lawyer — simply has to send Google a subpoena.

The Justice Department claims that it is not seeking information that is personally identified with anyone; it just wants aggregate information. But the truth is, it wouldn’t take much technical work for that information to be attached to individuals; Google can do it now. Take another look at one of the conditions under which Google shares information with third parties, cited above. If the government wanted to send a subpoena to Google asking for a list of the names or Internet addresses that searched for “how to cheat the IRS” or “how to build a terrorist bomb,” Google could probably provide them with that list — and indeed, given that it would presumably be part of some sort of legal investigation, the search engine would be on shaky ground trying to turn them down.

Dell — An Unwitting Accomplice?

You don’t have Google Desktop Search installed on your computer, and you don’t use any of Google’s services except maybe its search engine, so you think the privacy issue would have limited impact for you. If you’re planning to buy a Dell computer in the future, think again. Google and Dell are considering a partnership that would see some of the search engine’s software installed on Dell products.

What software exactly is being considered? “We can confirm that we are running a test with Google that could include a Google-powered home page, Google desktop search and a Google toolbar,” according to Dell spokesman Bob Kaufman. The move, incidentally, is reminiscent of how Microsoft gained its monopoly on the desktop, by making deals with computer manufacturers to have its operating system installed by default.

I admit, like most people, once the software is installed on my computer, I don’t bother with alternatives. I did get Firefox for both my home and my work PCs, but I’ll just as often use IE. So I’m sure most people will be glad to use Google Desktop Search on their brand spanking new Dells, and probably not change it out of the default mode of operation (where it indexes everything on the hard drive). To quote Electronic Frontier Foundation attorney Fred von Lohmann, “Unless you go to the trouble of configuring Google Desktop carefully, it will cough up your tax returns, medical and financial records, and any other text files you happen to have.” This is potentially more power than even Microsoft ever dreamed of having.
