Google, according to a report in The Wall Street Journal last week, has not been playing fair when it comes to upholding its own privacy standards.
The company has been tracking “web-browsing habits of people using Safari browser software even if [users] intended for that kind of monitoring to be blocked,” the Journal article noted, adding that this behavior has led three U.S. congressmen to ask for a Federal Trade Commission investigation. The article also pointed out the company last year signed a privacy settlement with the FTC after the commission charged it with using “deceptive tactics and violating its own privacy promises to consumers” when it launched its Buzz social network.
As for the breach the Journal found last week, Google responded that it has deleted the tracking files in question and is addressing the congressmen’s concerns.
KnowledgeToday asked two Wharton faculty — Andrea Matwyshyn, professor of legal studies and business ethics, and Shawndra Hill, professor of operations and information management — to comment on this latest incident.
Given all the recent examples of Internet companies chipping away at people’s privacy, how serious is this latest breach?
Matwyshyn: According to press reports of commentary from a Google spokesperson, the company does not necessarily consider its actions to constitute impermissible conduct: Google is alleging that users authorized the company to interact with their data in certain ways and, by implication, that this consent authorized alteration of inconsistent settings on a device, which may have happened in an unanticipated manner.
Hill: Firms like Google need to take [care] because legal cases regarding privacy breaches can and do go to court. With each breach, Google opens itself up to punishment and a degradation of consumer trust. In this [latest incident], millions of consumers might be affected, which could indeed prove problematic for Google because of the scale of the Safari problem.
What would have led Google to do this? An obvious answer is the increasing competition for ad dollars, but is there another explanation?
Matwyshyn: This type of error is symptomatic of the broader privacy and security culture wars going on inside all companies, but technology companies in particular. Privacy and security champions and lawyers frequently butt heads internally with engineers over design and consumer protection. In engineering-focused cultures such as Google’s, shipping code usually wins, and privacy/security and consumer protection can be viewed by some internal decision makers as secondary things you “clean up” when they go awry, rather than things companies must design around.
Hill: It’s possible that better advertising alone is driving the data collection when consumers use the Safari browser. However, it is also possible that Google was not aware of all the consequences of their actions. It is often the case with data collection that you have one intention but that there are other uses that are unforeseen when the data or process for data collection is established. Still, Google should do a better job identifying potential problems before launching new processes.
Is it conceivable that Google didn’t know this was happening?
Matwyshyn: Code is written by humans, for humans. Yes, it’s entirely conceivable Google didn’t do their homework and anticipate this dynamic. It’s also conceivable that a company might anticipate a dynamic such as this, but would then decide that fixing it is a lower priority than shipping code out fast. A third scenario might be that a company decides this type of dynamic is a feature and not a bug, that their consumer EULA [end user license agreement] grants the right to tweak settings on user devices and that users are unlikely to notice the exact workings of the code.
Do you think Google’s reputation as a “do no evil” site has taken a substantial hit?
Matwyshyn: “Do no evil” was Google’s successful mantra from the 1990s and 2000s. Those days are gone from the standpoint of consumer perception. Although Google’s socially-beneficial pilot programs and philanthropic efforts are commendable, in the 2010s many consumers view Google as an aggressive data aggregator akin to Facebook. Microsoft is the new underdog.
Hill: Google is scheduled to change their privacy settings next month. In addition, they have come under scrutiny regarding other privacy breaches in the past year. While the firm may continue to claim to “do no evil,” their business strategy is certainly changing; no doubt consumer perceptions, and possibly trust, will change as a result. However, other large data driven companies are using behavioral, social network and demographic information to target ads. So, it’s not like there is an alternative (right now) where user data are not being used for advertising and business intelligence.
The main concern for consumers will come when/if Google tries to maximize their advertising dollars at the expense of giving users the most relevant information to answer their search queries.
Three congressmen have called on the FTC to investigate Google over this practice. Are we finally reaching a tipping point where the privacy issue has caused enough concern that the government will mete out serious sanctions/punishment?
Matwyshyn: One possible outcome may be another FTC consent decree expanding the existing mandatory periodic FTC audits…. The organizational impact of FTC audits may be underestimated internally: FTC audits are a disruptive and expensive experience, as Microsoft learned. If this underestimation is the case, and if the privacy lessons from Buzz have not been internalized by the corporate culture, it is unsurprising that another privacy problem has arisen.
Hill: It’s hard to say which case will end up [resulting in a] severe punishment. However, with each case, we get further along into the discussion about what is acceptable and what is not with respect to consumer privacy. The hope, at least from consumers, is that the conversation will evolve into a clear set of rules and regulations that govern how online firms and others can make use of personal data while offering useful, and free, services.