Why it’s time for Google to open up

I do not think internet companies take privacy seriously, or that many of them even understand it – and why should they? So long as they comply with the data protection compliance laws in their operating territories, there is no mandate for them to protect privacy.

Yes, internet companies must protect their shareholders’ interests; yes, they must comply with relevant laws (particularly for regulated industries such as finance or healthcare); yes, they must protect their brands; yes, they must secure their data assets. But it is up to their executives to decide whether offering greater privacy than that mandated by law (and most processing is permissible under the Data Protection Act if you word your consent notices in a suitably weasel way) is something of value to the business.

Perhaps the biggest problem companies like Google have is the global nature of their marketplace. Processing that is permissible in the UK might be illegal in Germany; processing that is culturally unacceptable in Europe might not merit a second glance in Asia. Companies that pursue the highest standards of privacy may find themselves hampered by their own policies in markets where privacy simply is not an issue. A global privacy strategy is very difficult to implement.

Of course, when companies fail to take privacy seriously – normally characterised by the ‘trust us, we know what we’re doing’ approach to their public relations – things can go spectacularly wrong, as they did for the likes of Phorm (online behavioural advertising company) or Connectivity (provider of mobile directory enquiries). Those who fail to take privacy seriously when they should be are the ones who suffer.

That said, I am not particularly concerned by the collection of private data broadcast over wifi networks. Any ‘war driver’ (a person scouting for wireless networks) could do that. What concerns me more is Google’s continued assertion that this was an accident – an accident that happened for three years in 30 countries, supported by a patent application for the collection process. I’m not suggesting that Google is lying to us, but neither do I feel that we have heard all of the truth yet. It’s that uncertainty that worries me, the possibility that one of the world’s largest companies is allegedly aggregating personal information and not being transparent about its motives.

Recent reports around the company’s privacy-related breaches have been publicity that Google could well do with out. There is a complicated mix of factors that is undermining Google’s privacy profile. People are naturally mistrustful of innovative new uses of personal information regardless of whether the intent is benign or otherwise (consider the examples of Phorm, national identity cards, road-user charging). Google is in a near-monopolistic position that many instinctively mistrust (Microsoft is another company that has had experience of this). The company operates globally and is struggling to cut a path through the myriad of ever-changing privacy laws with a single customer proposition.

But perhaps most importantly, there is a perceived arrogance to Google’s public image that grates with those who care about privacy and civil liberties: its informal motto of ‘don’t be evil’ does not always seem to be reflected in its day-to-day practices. Google’s alleged collusion in censoring users in China and handing over information to the authorities there, and the myriad of complaints (both meaningful and irrelevant) about Google Earth and Street View images were not always met with decisive, timely or consistent responses. This undermined confidence in Google and spurred doubts that it was truthful in its defence. It is that element of doubt that will always engender mistrust and uncertainty about the company’s intentions. And each time it makes these kinds of mistakes, trust becomes even harder to regain.

So what should Google do now? It needs to brief and empower its spokespeople so that we receive a prompt, consistent, transparent and accurate response from the company when there is a problem. Furthermore, Google – and for that matter any company that gathers and processes personal information – has to accept that the same technologies that allow this massive data collection and processing have to be made available to data subjects so that they can easily view, correct and delete the information held about them.

This complete transparency of processing is essential if Google is to regain any degree of trust from the public, and might even give it a competitive edge: once individuals can be sure that correct and appropriate data is being processed, they are likely to be much more comfortable about the processing that is taking place.

Toby Stevens is director of the Enterprise Privacy Group.