Google and Viacom: a privacy “Exxon Valdez?”

Might the court order that Google hand over YouTube viewer records become, as Ed Felten and others termed a few years back, an “Exxon Valdez” of privacy that makes informational privacy a national priority?  Unfortunately, I suspect not.  If the parties reach an agreement to anonymize the data and keep it out of the direct hands of Viacom, then public anger may subside.

What would be enough to mobilize the public?  In 2006, Ed Felten suggested that a privacy Exxon Valdez “will have to be a leak of information so sensitive as to be life-shattering.”  But how sensitive is our viewing of, for example, Harry Potter Puppet Pals?  It’s creepy to think of lawyers having access to it, but is it life-shattering?  Nonetheless, it appears that the public, companies, and Congress are becoming more attuned to privacy matters.  Just last week, Google and Yahoo both recently endorsed the idea of privacy legislation before the Senate Commerce Committee.

In the meantime, what the the litigants doing?  The NYTimes BITS blog notes, “A week after Google and Viacom both said they hoped to agree to make YouTube viewing data anonymous before Google hands the information to Viacom, no agreement has been signed.”  (Emphasis added.)  The parties blame each another.  A Google lawyer says: “If Viacom refuses to allow us to anonymize viewing history, we will seek review by the court.”  A Viacom spokesperson counters:

Viacom suggested the initiative to anonymize the data, and we have been prepared to accept anonymous information since day one.  We hope that Google will turn its focus back to anonymizing the data they are required to deliver, and spend less time making statements about why they won’t get it done.

It’s not especially clear what the parties are doing or how things might be resolved.  As I blogged recently, an earlier Times article initially stated that the parties were “working to protect the anonymity of YouTube viewers.”  (Emphasis added.)  A few hours later, the Times article was edited to say that the parties were “hoping to come up with a way to protect the anonymity of YouTube viewers.”  (Emphasis added.)  Apparently the parties’ resolve was tempered from “work” to mere “hope.”  The parties need to do better, especially Google, which collected and retained all the information.

Google finally posts privacy link on homepage

Yesterday, Google finally posted a privacy link on its homepage, replacing the word “Google” in the footer with “Privacy.”  A step in the right direction, but the link is in the smallest text, below larger links for “Advertising Programs,” “Business Solutions,” and “About Google.”  See below:

google-privacy-link

Hmm.  I wonder if the timing of Google’s change-of-heart had anything to do with this week’s court order that Google produce records of millions of YouTube user’s viewing habits.

The privacy paradox and Google

At the New York Times BITS blog, Brad Stone reports on a study about to be released by George Loewenstein and several other Carnegie Mellon researchers about people’s parodoxical attitudes towards privacy and personal information.  In one experiment, some people were given express assurances of privacy whereas others were given none.  Strangely, the people given no assurances of privacy were twice as likely to admit to copying someone else’s homework.

In one sense, that’s paradoxical because assurances of privacy are intended to foster open communications, as with the attorney-client privilege.  But in another sense, the behavior is not paradoxical at all.  Express assurances of privacy may serve the socially useful prophylactic purpose — albeit sometimes unintended — of reminding people of the risks of volunteering personal information.  Even if people don’t really read privacy policies, seeing a conspicuous “privacy policy” link may serve as a cold glass of water to the face, reminding people that they are volunteering personal information, and that they should look before they leap.

That brings to mind the scrutiny Google has recently garnered for its refusal to put a conspicuous link to its privacy policy on its homepage.  Is Google concerned that a link will remind people of the implications of continually using the myriad Google services?  C’mon.  How many times did you use Google today?  And when, if ever, did you think about how much information Google may have about you?  As noted by The Register,

The company still indexes your email.  It still stores your IP address alongside your search history for at least 18 to 24 months.  And if it does “anonymize” your IP address after 24 months – and that’s a big if – it still refuses to anonymize the whole thing.

So if conspicuous reminders of privacy concerns are important, why won’t Google put a simple link on its homepage?  According to another post at BITS, a Google competitor stated that Google co-founder Larry Page “didn’t want a privacy link ‘on that beautiful clean home page.'”

I rather doubt that Page’s concerns are fueled by aesthetics.  One more link won’t change the site’s minimalistic look.  But the starkness of the Google homepage may largely explain why Google doesn’t want that link.  On most e-commerce sites, the visual clutter — think Yahoo — makes it unlikely that a privacy policy link will stand out.  But on Google’s “beautiful clean home page,” such a link would be significantly more conspicuous.

And paradoxically, perhaps more likely to serve its purpose.

What about mail surveillance?

Yesterday’s posting on unconsented cell phone surveillance reminded me of an excellent column that Peter Shane wrote a while back in Jurist where he pointed out that any technical legality of the NSA surveillance program is besides the point.  Shane asked, what if the Post Office created a database with the addresses contained on every piece of mail it handles.  Even if, hypothetically, such a program were legal:

An America in which ordinary citizens have their mail “surveilled” would be a different America from the country in which virtually all of us think we live.  Our freedom would be lost not because a law was broken, but because of the breakdown in respect for the norms of liberty and government self-restraint.

I think much the same could be said of the ends-justifies-the-means thinking of the Northeastern University researchers who got a European cell phone provider to give them individualized location information on 100,000 unknowing customers. Just because you can do something doesn’t mean that you should.

Ends, means, and cell phone surveillance

As Wired.com reports, researchers affiliated with Northeastern University “secretly tracked the locations of 100,000 people outside the United States through their cell phone use and concluded that most people rarely stray more than a few miles from home.” In the report on their study in the journal Nature (excerpt available online), the authors stated:

[O]ur understanding of the basic laws governing human motion remains limited owing to the lack of tools to monitor the time-resolved location of individuals. Here we study the trajectory of 100,000 anonymized mobile phone users whose position is tracked for a six-month period.

There’s no doubt that such a study is useful.  As one of the researchers noted, “[k]nowing people’s travel patterns can help design better transportation systems and give doctors guidance in fighting the spread of contagious diseases.”  Important and useful.

But information’s usefulness does not alone justify its acquisition.  What about privacy and ethics? This isn’t simply a study of aggregate data (such as how many people saw Iron Man), but rather a study of the specific movements of numerous individuals.  As noted in the New York Times, “The location of the user was revealed whenever he made or received a call or text message; the telephone company would record the nearest cell tower and time.”

So was an ethics panel consulted?  No.  According to Wired, one of the researchers stated no ethics panel was consulted, and another said they didn’t have to (a quote here, but apparently a paraphrase in Wired) “because the experiment involved physics, not biology.”

Say what?  Ok, so the study concerned the movement of people.  People are objects.  Physics studies the movement of objects.  I get the “physics” connection. But how does that justify tracking individuals’ cellphones and movements without their permission? Although the researchers took steps to anonymize and secure the data, how does that justify intrusions into the personal activities of 100,000 people?

According to Wired, FCC spokesman Rob Kenny stated that such unconsented tracking would be illegal if done inside the United States.  Instead, says the New York Times, the surveillance was done with the cooperation of an unnamed European cell phone provider.  But why should it be ok for an American university to go outside of the United States to do what would be illegal within?