Alma Whitten became Director of Privacy for Product and Engineering in October 2010. I interviewed her some months earlier, when she was Google's Engineering Lead for Privacy. Within Google, she went from security technology to privacy. In the U.S., privacy is strongly linked to security and data protection, while in Europe, privacy is more centered on one’s personal privacy. In Europe privacy protection is more directed towards marketing, while in the U.S. and the U.K. it is geared more towards privacy breaches by the state.
You wrote in 2008 that the IP address should not be considered personal data, but EU privacy chiefs, united in Article 29 WP, think the opposite. What are your thoughts on the matter now?
"In retrospect, I believe that we at Google communicated our views on the topic badly. At that time, I reasoned from the point of view of a technician responsible for a system that had to protect our clients from privacy infringement. So, in a purely technical manner, we considered various opportunities for individuals to gain access to their own data, which was stored by us on the IP number, so that they could then potentially manage or delete this data themselves.
But if I, as the user behind an IP address, ask Google to show me everything it has on a certain IP address, this could potentially be an incredibly serious infringement of privacy for other customers who have contact with Google via the same computer connection. An IP address is not fixed to one, single individual. I don’t think we did a very good job, and I hope that we have improved on the communication front."
What did you do "not very well"?
"We gave the impression that we thought privacy on the basis of IP address was nothing to worry about. That's not the right impression, because the IP address is very much a privacy-sensitive issue. But we struggle in our efforts to build systems that do the right thing. This is a little more complicated than when people log in with their Google account and are able to use the Dashboard for privacy settings.
As for the IP address, it has different purposes. The first is to get data to your computer. The second is to combat click fraud and misuse. The third is to provide a rough indicator of geographic location, which is then used for location-related advertisements."
In Europe, cookies are a hot topic. Brussels wants an opt-in, whereas marketers and publishers oppose it because of the complexities. Would opt-in demand be a big disadvantage for Google?
"The ‘opt-in or opt-out’ discussion is not without its challenges. If you don’t have a Google account and there is weak proof that one and the same person is behind an IP address, then in some ways we see opt-out as a little bit safer than opt-in. Suppose there are five people living in my house and a number of us sometimes use the same browser. One of us has opted in, yet the company on the other site is unable to identify whether it is that specific person sitting behind the PC. They might then mistakenly regard everyone in the house as opted in, which might not be an optimal situation for household privacy.
If there is an opt-out model and one person opts out for cookies, then the company would mistakenly consider everyone to be opted out, which isn’t so harmful. That's one of the principles.
As a security specialist with many years in the community, I think we've struggled with warning messages to users. For example, if a pop-up appears to announce: "You're about to do something dangerous. Do you wish to continue?" users often still take the risk, simply because they want to follow their intentions through. The impact of an opt-in message is therefore limited.
If I were a company that strongly wanted people to opt in for my cookie or similar, persuading them is not particularly difficult. You put a reward, the ice-cream, at the other end of the opt-in.
What we first try to achieve is user understanding. Users should know what they’re doing online, how they communicate and what they give and get when they're using the internet, so that they can make choices. Sometimes opt-in will be the best solution, sometimes opt-out, sometimes something entirely different."
Does Google have problems with those households with multiple users behind one computer when it comes to displaying targeted advertising? Could an advertisement be shown to me based on data from my wife?
"We offer the Ads Preference Manager, a very non-controversial service, where people can sign up for categories of interest. Suppose you receive a travel ad that was actually meant for your wife? You probably won’t click on it, but no damage is done."
With the Ad Preferences Manager, you can specify preferences for advertising, but you can also completely unsubscribe from this service (on the basis of IP number). How many people have opted out?
"We get hundreds of thousands of page views a week on our Ads Preferences Manager. For every one user who opts out, more than nine remain opted in."
Of the two billion users, therefore, there are very few who do not want directed advertising – what with the low number of visitors and so few opt-out options…
"Relating this to all of our users would not be the right extrapolation. Relatively few people visit the Ads Manager Preferences, only those who are familiar with it."
Google holds information about users based on their Google registration (account), information on IP numbers from DoubleClick and AdWords cookies and search data. How does Google combine them?
"There's the Ad Preference Manager (linked with the DoubleClick cookie) there is search information on the IP number and there is account information for Gmail and other products. We don't combine data between different products unless this is made explicit to users. We do not combine data on IP numbers and data from the accounts, because we cannot know that the same IP number is linked to a customer's Gmail account.
Indeed, we use the IP number for Gmail, but only in the name of protection. We check for suspicious logins to Gmail and then warn you that you may want to change your password. This is temporary and not linked to Gmail or Web History content, search data, or advertising at Google."
Does Google use data from registered services for advertising?
"Yes, we do. We currently look at the user’s recent search history to provide us with a context and facilitate target ads for the search query. For example, by looking at the previous five queries within a single search session, as well as language and geographic location indicators, we are able to present users with the most relevant ads possible."
Google keeps search data for nine months. Is this also for advertising purposes?
"We solely keep this data to protect our services from abuse and to improve them."
So this should mean that Google does not use search history in a commercial context?
"In essence, the correct conclusion, but it depends on what you mean by 'commercial'. If you are registered and using Web History, we are able to personalize and improve your search results on the basis of websites that you have previously visited. We suspect that you will then use Google more frequently and more effectively, so we can show more ads to you. That’s indirectly commercial, but we do not use Web History to ensure more targeted advertisement.”
Even as an experienced user, it is not easy to set up privacy settings on Google Dashboard, and to opt out of Analytics, I have to go somewhere else. Is Google going to make this easier, even if overly-relevant ads for commercial purposes might seem creepy?
"We’re still working on it. The challenge is to find the right way to bring all of these services together in one place without overwhelming the user. We want to give users as much control as possible, but it cannot become so complex that it is unusable. It must be as clear as possible."
Does Google build personal profiles?
"No, we do not build user profiles based on individuals or IP numbers. There is no profile-targeted advertising."
Does Google plan to build up user profiles for advertising?
"We do not build personal ad profiles. The only related thing we have is the Ads Preferences Manager, where surfers themselves indicate the categories for which they wish to receive advertisements. If we were to build personal ad profiles, we would have to clarify immediately that we would be operating in this way from a specific point onwards."
When I started using Google+ there was an opt-out for this: "Google may use my information to personalize content and ads on non-Google web sites." Does this mean that Google is starting to profile for commercial reasons and if so, why?
"This is primarily related to +1. Enabling +1 on non-Google sites allows you to see recommendations from people you know when you view the same content that they've +1'd. Let’s say your friend clicks the +1 button on an entertainment site or a display ad. If you visit the site, you might see your friend’s recommendation next to the +1 button. Similarly, if you see the same display ad on another site, you might see your friend’s recommendation next to the ad.
By default, enabling +1 on non-Google sites does not share your or your friend’s information with the site you’re viewing. You can always change this setting under the ‘Personal Settings’ menu.
The +1 button isn’t used to track your visits across the web. Google doesn’t keep a constant record of your browsing history as part of the +1 button process or in any other way make use of the fact that you, personally, have visited a page with the +1 button. We may keep some information about your visit, usually for about two weeks, to maintain and debug systems. This information is not organized by individual profile, username, or URL."
Looking at my Dashboard, Google seems to have expanded the profiling, even to contacts of contacts from Google Plus. Does Google use this for targeting? Is there any way that my account information is linked to the IP number for profiling?
"We designed the Social Connections section of the Google Dashboard to provide greater transparency about the social connections we use to deliver more relevant search results. You can read up on Social Search in the blog post, and about how social connections are used through our Help Center."
Recently, Google decided to provide a Wi-Fi location opt-out service and therefore had to delete 3.6 million Dutch Wi-Fi SSIDs. Why not an opt-in? And why only delete them in one tiny country?
"Like other location service providers, we collect publicly-broadcast information from Wi-Fi access points to enable services enjoyed by hundreds of millions of people around the world. This information doesn’t identify individuals, but we do believe in giving people control.
That’s why we are building a tool to allow an access point owner to opt out of Google's location services. Once opted out, that access point will not be used to determine user locations. We will begin by complying with the DPA’s recommendations for SSIDs collected in the Netherlands. In the future, we intend to extend deletion to SSIDs collected globally, subject to any retention required by ongoing legal proceedings in specific jurisdictions."
From Whitten’s words, it appears that Google is not using its collection of personal data nearly as extensively as it could. Still, Whitten does admit that the collection of search information in combination with internet surfing data – even if this is not by individual name, but by IP address – can easily lead to personal profiling. This is just one more reason why Google needs to tread carefully. Yet the question remains as to whether Google is busy testing out boundaries and increasing risks. Privacy organizations would say so.
Danny Sullivan from San Francisco is the world's best-known analyst of search services. He built the company Search Engine Watch and after selling it started Search Engine Land.
What do you use Google for and are there limits to your use?
"Besides the search function I use Gmail, Google Docs, Analytics, AdWords and AdSense, Buzz and probably a few more. I’m very happy with them."
Is Google slowly becoming a monopolist in good indexing and easy access to information in the world?
"Google certainly has fewer competitors than it had in the past. It does makes a difference whether Google has deliberately thwarted other players or left them trailing seriously behind through fair competition. Google did not have the intention of making its effective information indexing a monopoly, but this is what it has, in fact, become. At this point in time, I do not see this as a threat."
Will there indeed be a danger if Google comes into hands other than those of Sergey and Larry – China, for example?
"Probably not. Larry and Sergey, together with other employees, keep a controlling share in the company, so a third party can't just change the direction. Should Google go too far, people will find an alternative. Google has a dominant gateway, but it does not own access to information."
The European Commission wants to regulate Google further. Is that necessary?
"I think Google should comply with all laws, and that it is what it does. Specific regulation seems unnecessary to me."
Google has the most information about individuals. Should that be addressed?
"This is always claimed by those who do not know the facts. The government of Great Britain, where I lived, probably has a great deal more data about its citizens; my credit card company has crates full of information on me and my spending patterns over the course of a lifetime. They do not give related feedback or the opportunity to delete this information, like Google does so neatly. With Google, you push a button and it's gone, but I can't do that for a lot of organizations gathering my personal information. So many companies store data throughout your whole life, but does that make them bad? Google made the removal of data possible even before it was an EU requirement."
Has Google shown us its evil side with Street View?
"Collecting Wi-Fi data was a stupid mistake, all the more so because it contributes to the image of Google as a company that is out of control; just doing its own thing. I don’t believe that Google would abuse the Wi-Fi data it gathered."
Does Google Analytics go too far in data collection of IP numbers, as a German privacy commissioner and judge maintain?
"I fear that they don't know how the internet works. Google Analytics collects data on internet use, a service which had already been offered for a long time by many businesses. And the information is not used for individual profiles. Besides, there are so many analytics tools which are not addressed by them.
I think it would be better to keep an eye on the Google Toolbar, used by tens of millions of people who voluntarily supply Google with far more data. Not to mention internet service providers to which people subscribe. They know everything about their subscribers and it is entirely unclear what they do with that data.
Now, Europe wants to forbid search engines from keeping data for longer than six months, while it wants member states to store phone and e-mail traffic data for a period of two years or 18 months. We should be much more concerned about the latter than about Google, because many people have access to these national databanks."
Are Europeans paranoid when it comes to privacy?
"Europe is not a unity. Even within Germany, the privacy officers of the different states hold different views. Some German states reacted fiercely to Street View and Analytics, while the British have absolutely no problem with Street View, because it is public space that is being photographed.
As a whole, Europeans tend to worry more about their privacy, but even that is not uniform. Britain’s tolerance of a huge number of CCTV cameras in the public space would not go down well with Americans.
Americans trust companies more and keep a closer eye on privacy infringements that the government might be making, whereas Europe is more lenient with governments, but sometimes reacts in a rather paranoid way about data use by companies."
Do you use Google+ and like it? What did you make of the Google Wave issue? Many people were enthusiastic about it but ultimately did not use it because of its complexity?
"I do use Google+. I think the problem with Google Wave was that people simply didn't know what to do with it. Google+ is in the style of Facebook, so people know how it works."
Did you opt out for the gathering and use of personal information on third-party websites, as Google offered when you subscribed to Plus? Will this change Google’s data use from IP to personal?
"I haven't opted out, because I want to see the web as anyone else might see it. Then I will be able to report on it better."
You have 1,600 Facebook friends. Do you like Facebook?
"I like Facebook for some things, but it really hasn't suited me as well as Twitter."
Since 1994, Corien Prins has been Professor of Law and Informatization at the University of Tilburg. He has been a distinguished member of the Royal Academy of Arts and Sciences (KNAW) since 2008, and a council member of the Scientific Council for Government Policy (WRR).
Which Google services do you use?
"I use what one might call ‘the regular Google’ as well as Google Scholar to search academic publications. I don’t use other services, either because I do not need them or do not have time to use them."
Google stores all your searches on your IP number at home and at the university, and uses cookies to follow your browsing behavior. Did you know that there's an opt-out?
"That may well be, but I don’t have enough time to dedicate a lot of attention to these sorts of things. In any case, opting out should be very simple to do: on the homepage where Google offers the search window and not somewhere deep in a site."
How should the lower threshold be established?
"I am probably not the only one who does not know where and how to manage my privacy easily. It is up to the government, specifically the legislators, to ensure that anyone can adjust settings easily and quickly. That should put a stop to the massive collection of, use of and benefit from personal data, as well as the profiles that are made from it."
Do you know which companies, other than Google, keep an up-to-date profile of you?
"For marketing purposes, many companies create profiles of their users and customers. These individuals have absolutely no idea what these profiles look like and how they are generated. Any chance I could possibly be informed of profiles that are being created about me? According to what data and which categories I am classified? Measures taken by European and American governments should focus on compulsory transparency. This means insight into methods used for data collection and profile-building, the purposes for which they are used, plus right of access, correction and deletion of data, as well as those profiles stored about you in databases."
But the Dutch Data Protection Act (WBP) compels companies to respond to customer queries concerning the collection of personal data. Doesn't this work well?
"That's true, but how does one go about sending a query to Google? Would they really answer if you sent an e-mail? Companies can give substance through a privacy statement, but usually this is gobbledygook that even experts like me cannot make head or tail of. Google is making progress in this field, but privacy regulators should take action on rules that address keeping the public informed. Privacy information is often non-information, formulated merely to meet legal demands."
Philipp Lenssen is a German internet entrepreneur and the most significant Google-watcher in Europe with his weblog Blogoscoped. In 2006, Lenssen wrote the book 55 Ways to Have Fun with Google and in 2008 he wrote Google Apps Hacks. He currently lives in China. I held a brief interview with him.
Is Google powerful regarding access to information?
"Yes, very powerful. Google is probably the company with the most information about the web, its netizens, and perhaps even the world in general. Some intelligence agencies would love to have this mountain of information so easily accessible."
In 2004, Google made an April 1 joke about China buying it up. Would Google’s immense power become dangerous in hands other than those of Sergey and Larry?
"A change in leadership might tarnish some of the company’s principles. But as Google’s DNA is borne by many thousands of employees, it would probably not mutate overnight. It’s perhaps rather a question of step-by-step changes. In a certain sense, some of these steps have already happened. Google has ventured into many areas it didn’t really intend to move into.
Nowadays, Google has search results with navigation, animated banner ads and Super Bowl commercials, they are subject to censorship in China, they are strong in mobile with Android and Motorola, they’ve developed an operating system, and much more."
Should Google be regulated, and if so, in what aspects?
"I suppose that's for people to decide. When it comes to matters like copyright, the net is already overregulated. Via the internet, we need to gain better access to our past and its cultural treasures.
Think of the hurdles Google has to clear in order to scan books. Why not make the regulatory process even easier for companies, and have more companies scanning books? Why regulate the copying of information in those cases where the original creator's commercial interests aren't damaged in any way? I'd love a culture in which I could freely mix the works of our past.
However, when I say it's for people to decide, we must keep in mind that transparency is important in making a good decision. We should therefore urge Google, governments, and the government's relationship with Google (concerning censorship, court orders etc.) to be as transparent as possible."
Do you think it is right that Google should know everything you're searching for?
"If I log out of my Google Account then they may not see "me" in any sense of the word. An IP, usage patterns and so on can be tracked, but nothing that can be traced back to my real-life identity. Once I log in to my Google account, though, my name can be connected to my searches. Search History in the Google settings can be disabled, but that doesn't mean that information won't ever leak."
Which Google developments do you look upon most critically and why?
"I think all developments should be watched critically, though criticism can be positive or negative."
Are Europeans perhaps rather paranoid about these matters, in comparison with the Chinese, for example?
"Different cultures have different sets of broadly accepted standards. I'm from Germany, and there we have a number of regulations that restrict freedom, regulations that don't exist in China. But then in China there are restrictions which don't apply in Germany.
It's easy to criticize China from a German viewpoint, but I'd also like to see Germans criticize the restrictions they face themselves. The internet and other media, and freedom of speech in general are not fully free in Germany. Artistic and sometimes journalistic expression is often suppressed in Germany. German law says there should be no pre-censorship, and yet that is what happens in Germany when whole domains are missing from the Google search results, for instance."
So do you miss Google in China?
"I have Google in China. Google.com works normally most of the time. YouTube and Blogspot are blocked, as are some parts of Google. Results for image searches are only sporadically visible, for instance – and yes, it would be nice if all that weren't the case. I'd love to have a super-fast internet, and Wi-Fi freely available in all major cities – paid by taxes, just like roads are built with taxes.
It would be nice to see a country like Germany do something like this, but actually, Wi-Fi in Germany – and support for netizens, and net creators in general – is often hard to find. U.S.-Google services do work better from Germany, though, that's true."
Has Google+ enough communication to succeed? Now that Google is profiling using names, is privacy a bigger problem?
"Google+ has a huge amount of communication going on when I log in, but what you see in Google+ is completely subjective, because there is not one, single news feed. Rather, everyone's stream is completely dependent on those others people they have subscribed to."
In a way, Google+ largely clones what sites like FriendFeed.com had done previously. It's not a plain copy; it improves some things, changes others and adds features. But what really sets it apart is that Google pushes it across all of its products. It's almost impossible for a product to not amass users when you promote it on so many other popular products. And if the product is any good – as Google+ is – then people will pick up on it even faster.
With regard to privacy, you should only share what you want to share. If you post a text, then take a second to imagine this text on the front page of The New York Times (now, or a decade from now). Are you okay with that? If not, reconsider what you were about to post...and if you’re still not happy, perhaps look for networks which allow anonymity.
Google+, unfortunately, does not facilitate anonymity, which can cause problems with many topics – criticizing your work environment, for instance, or freely expressing minority views."
Google buying Motorola; is that a natural development?
"Growth seems to be natural for companies, but structures in nature sometimes do collapse. So far Google has done a good job of keeping lean while growing. In programming, we call this task refactoring: for every new line of code you add, you should reflect on how you might need to readapt all the old lines of code.
Let's wait another ten, twenty years to see if Google as a company is still flexible enough to do fast releases, and master the complexity it created."