George Costanza would hate Google’s new privacy policy. The “Seinfeld” character was distressed enough when his fiancée started hanging out with a friend of a friend, bringing separate parts of his life into contact and causing his “worlds to collide.” “You couldn’t figure out the ‘worlds’ theory for yourself?!” he fumes at Jerry, who brought the two together. “It’s just common sense! Anybody knows you have to keep your worlds apart!”
Tell that to Google. On March 1, the Mountain View, Calif.-based Internet giant plans to toss out more than 60 different privacy policies and consolidate its services under a single set of guidelines. The harmonization will remove separation between YouTube, Google+, Gmail, Google search and other Google products, meaning that the company will be able to use data it collects from users in one area across all of its platforms. The goal, as Google tells it, is to “create one beautifully simple, intuitive user experience” that treats consumers “as a single user across all our products.”
“The reason this becomes a non-trivial piece of news is because our data can now be used out of context from what might have been expected when the user first provided the information,” notes Anindya Ghose, a visiting professor at Wharton and co-director of New York University’s Center for Digital Economy Research. “That is, data provided in one setting might now be used in a different setting. It is precisely this data sharing across contexts that creates privacy concerns.”
Google’s announcement is the latest turn in the tango between online platforms and consumers who use them. As online social networks expand, information collection improves and online advertisers create new ways to target consumers, companies like Google must amass ever-richer data sets to compete. That puts them increasingly at odds with some users who feel their privacy slipping away.
The tension has grown to such an extent that some companies are beginning to flout their privacy standards as marketing gambit. Shortly after Google made its announcement, competitor Microsoft came out with an ad campaign to woo users to its services instead. “The changes Google announced make it harder, not easier, for people to stay in control of their own information,” Frank X. Shaw, Microsoft’s corporate vice president of corporate communications, wrote in a blog post announcing the ads. “We take a different approach — we work to keep you safe and secure online, to give you control over your data, and to offer you the choice of saving your information on your hard drive, in the cloud, or on both.”
Google countered immediately with its own blog post: “Our privacy controls have not changed. Period,” the blog reads. “Our users can: edit and delete their search history; edit and delete their YouTube viewing history; use many of our services signed in or out; use Google Dashboard and our Ads Preferences Manager to see what data we collect and manage the way it is used; and take advantage of our data liberation efforts if they want to remove information from our services.”
The tit-for-tat is an interesting twist in the privacy wars, which last saw Google as the winner. The initial appeal of Google+ “was that Facebook’s privacy policies were not very good,” Ghose points out. “People actually moved from Facebook to Google+…. This is going to be very disappointing to the early adopters of Google+.”
Defending Territory
Worlds are colliding not only in the Google universe but offline, as lawmakers and regulators worldwide scramble to figure out what Google’s policy merger means in their respective territories. On January 26, eight U.S. Congressmen wrote to Google CEO Larry Page, asking for clarification of what Google’s new policy would mean. Days later, regulators from the European Union asked Google to “pause” its policy merger until the group, the Article 29 Data Protection Working Party, had a chance to investigate the impact on EU citizens. Google refused, saying it had already notified 350 million account holders and had already discussed the issue with regulators. In the reply to both EU regulators and U.S. lawmakers, Google said its new policy would not impact existing privacy settings, and that it was not collecting more data, just combining it in new ways
Sometimes it’s the amount of aggregation that’s the problem, says Wharton new media director Kendall Whitehouse. Personal data that has been public for years — in public records, phone books and court filings, for example — was difficult to collect in one place. Not so today, where every public record is now viewable online with a click. “Every one of those items is a valid piece of public information, but as it gets aggregated together, it gets a little creepy at a certain point,” Whitehouse notes.
Most online platforms say they don’t share personally identifiable information with advertisers, but studies have shown that large amounts of data about a single person — even anonymous data — can sometimes be used to identify the individual. “It turns out that as your information gets more aggregated, you become more transparent…. At a certain level of aggregation, [anonymity] disappears,” Whitehouse says. Google’s privacy merger raises questions about how far data aggregation should go. “Aggregation at a certain scale really does change things and possibly call for a need for additional oversight,” Whitehouse adds.
The Google privacy policy merger “is going to be analyzed as a tipping point” for data privacy and database regulation, predicts Wharton legal studies and business ethics professor Andrea Matwyshyn. “Consumers were not expecting this degree of data integration, and, although they haven’t quite processed the full consequences of it yet, are uncomfortable with it.”
Matwyshyn says Google’s new policy highlights “a fundamental tension in the business space around what it means to have databases to store information, how we monetize [the data] and what privacy protection consumers are entitled to, if any.” Questions remain about how much privacy users can expect, what legal rights a user has in terms of how public information is assembled and shared, and whether users can do anything legally to prevent one online world from colliding with another.
“There are identity salience questions” that haven’t been answered, Matwyshyn notes. Just as George Costanza’s “Relationship George” threatened to destroy “Independent George” when his worlds collided, a first grade teacher who spends weekends playing in a rock band might struggle to maintain both identities in the real world if they start to blend together online. “We all have different identities at different points in our lives,” Matwyshyn points out. “Maybe we want to maintain a segmented identity.” As data collection intensifies and one online world links to others, “we’re essentially removing the ability of the individual to choose which identity role comes out in which situation.”
Both legally and culturally, the tension comes out differently on opposite sides of the Atlantic. “The Internet, of course, is an inherently transnational space, but the regulatory regimes, particularly with respect to data privacy, have always been very country-specific,” Matwyshyn says. In Europe, “the relationship between a user and his or her data is conceptualized fundamentally differently, culturally speaking, than that relationship is in the United States.” In Europe, the individual has more rights to his or her own data. For example, in some Scandinavian countries, a blog post about a friend seeking medical treatment is considered a violation of privacy law. “In the U.S., if one of your friends posts that you sought medical treatment, it’s perhaps inappropriate and bad judgment, but nothing comes of it. So it’s a very different cultural and legal starting point.”
In the past in the U.S., the data that companies collected was not considered a thing of value that had been relinquished. Privacy concerns are beginning to change that. “Now we certainly recognize in the U.S. that data is a thing of value, and that the transfer of the information from the consumer to the business is itself a transfer of something valuable,” Matwyshyn notes. “The U.S. is moving more towards the EU paradigm of viewing privacy as something intrinsic to the user’s identity and realm of control, and the EU meanwhile is moving more towards the U.S. paradigm.”
Where these two approaches are going to meet is the operative question, Matwyshyn says. But one thing is clear: Google isn’t going to stop collecting data anytime soon.
“I think the privacy changes are an example of where the company decided it had to face reality,” notes Kevin Werbach, a professor of legal studies and business ethics at Wharton. “Services such as Gmail and Google+ that use personal information most actively are no longer marginal; they are core Google offerings.”
With its push into social networking through Google+, “the company has made a decisive turn,” Werbach says. “It’s easier to take a strong position in favor of user privacy when you’re a search engine than when you’re a social network. Focusing on social [media] means that you gather a tremendous amount of private information, and the use of that information is intimately tied into the functionality you offer your users. It also means leveraging the ‘social graph’ across other services, which requires further information sharing. That’s the argument Facebook has been making all along.”
Google deserves credit for being transparent about the fact that it’s changing its privacy policies and offering its perspective on how it’s still being fair to users, Werbach points out. “Google is competing with companies like Facebook, Microsoft and Apple, which are bigger than it in some ways and much more willing to impose themselves on their users,” he says. “It’s hard to ask Google to ignore the business pressure to make the changes.”
Shawndra Hill, a Wharton operations and information management professor, says Google had little choice but to make better use of its data. “Strategically, if they want to compete against Facebook, they have to take advantage of the data that they have.” By combining the information collected across its various platforms, Google has increased its value to advertisers, she points out. “Google basically makes its money from advertising. So long as that’s true for their competitors, then they’re always going to be figuring out a way to collect more data from you … use that data better,” she adds. “That’s what they do — try to figure out how to better advertise to you. For as long as that is [the case], this conversation around privacy and the value that consumers are getting from the services are always going to be in conflict.”