Google Privacy Fiasco Lesson: There Is No Privacy
Google is in hot water for bypassing privacy controls on the Safari Web browser in iOS devices--and allegedly on Internet Explorer as well--to surreptitiously track users’ online activities. While Google deals with the backlash and regulatory scrutiny from the FTC, there is an important lesson to be learned: Privacy is dead.
I am not suggesting that it is OK for Google or any other company to intentionally circumvent privacy controls to access information the user has specified should not be shared. But, you should also be aware that you don’t actually have a “right” to privacy, and that even if you did that ship has probably sailed.
Your “Right” to Privacy
Here’s the thing: you don’t actually have a legal right to privacy. The 14th amendment to the U.S. Constitution is often cited thanks to a precedent set when Justice Louis Brandeis claimed that it protects the “right to be left alone.” However, it takes some acrobatics of reason to arrive at the conclusion that it inherently protects privacy.
The 1st, 4th, and 5thamendments are sometimes tossed out to support the perceived right of privacy as well. But, the reality is that the very best chance for privacy protection probably falls on the 10thamendment--which grants authority to the individual states for any powers not specifically delegated to the federal government. So, it is possible that your individual state could have measures in place to safeguard privacy.
There are also examples of privacy--or at least the protection of sensitive information—being legislated at a more granular level, depending on the industry. The Privacy Act of 1974 prevents the unauthorized disclosure of personal information held by the federal government. The Fair Credit Reporting Act protects information gathered by credit reporting agencies. The Children’s Online Privacy Protection Act grants parents authority over what information about their children (age 13 and under) can be collected by websites.
There are various regulatory and industry compliance mandates that require affected organizations to take adequate steps to protect sensitive data. Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry Data Security Standards (PCI-DSS) each have stipulations that obligate organizations to protect data, and they impose fines and penalties on those that fail to do so.
All of this suggests that privacy is an important issue, and that there is a societal expectation of privacy. Just remember that your privacy isn’t actually guaranteed.
The concept of privacy and the misguided belief that our privacy is protected or guaranteed cause people to get very defensive about having privacy violated, even though the reality is that the information that is revealed is relatively benign and useless.
I might prefer that the pictures I took of my kids playing in the park, or the fact that I was shopping Amazon for suede blazer, not be shared with the general public. But, if it were it wouldn’t really matter. Whoever might stumble across such revelations would surely be bored to death.
It may be shady if Google has been tracking my Web surfing habits on my iPhone, but for me--and probably the vast majority of the users in the world--there is nothing Earth-shattering to be learned from that. It may be sneaky if friends of mine joined Path and my contact details were uploaded to Path’s servers, but my name and email address are plastered in so many places across the Internet that I have long since surrendered any expectation that the information is a secret.
Even in situations where you have an illusion of privacy, your data is probably not as private as you believe. Facebook, Google, Path, and others have all been guilty of accessing or sharing information in ways not explicitly authorized by users--and those are just the incidents we know about. It’s possible, or perhaps even probable, that other entities are also secretly tapping your private data and simply haven’t yet been caught.
It’s All Public
You should just assume that if you post it, share it, access it, or store it online that it’s probably going to be seen by some unauthorized party at some point. Maybe it’s by a malicious hacker, or perhaps by a trusted entity like Facebook or Google, or it might be by law enforcement or government agencies.
To some extent, you do have some power to protect your own privacy. For starters, you can make sure you understand and implement all of the security and privacy controls at your disposal for the sites and services you use. Next, you can simply choose not to do business with sites or services that violate your trust and breach your privacy.
Even if you take those steps, though, and do everything in your power to enforce the protection of your privacy, you should essentially consider everything online to be public. If you truly don’t want certain thoughts, beliefs, personal data, or other information about you to be known to the general public or by any third-parties, you should think twice about whether it should ever be online in the first place.
Again, I am not apologizing for Google in any way, or for Path, or for any other entity that might violate the expectation of privacy. I am, however, suggesting that the expectation of privacy itself is optimistic, and that you should not be surprised when you learn that your “private” information isn’t quite as private as you thought.
Instead of an expectation of privacy, users should have an expectation that their privacy will be breached eventually. Unless you plan to live some Luddite existence off the grid and simply disconnect from the Internet, this probably won't be the last incident that affects your privacy.