This is a late post on the never-ending discussion about the data privacy inside large companies, especially such data-centric ones like Google and Facebook (see later in the post). In this posting I'm referring mostly to Google and Facebook but be aware that similar discussions and many related topics are not at all limited to these companies and I just take the most known ones as an example. I'm writing this because it gets more frequently in the recent weeks that I'm involved in talks and discussions about privacy issues on different internet services, so here I try to write down my own position. I'm trying to back most of my comments with references here (be sure to check them out if you want to understand my point of view) but of course I'm already biased so take this as my completely personal opinion as of the end of 2010!
Why I have trust in Google
Google had to take a heavy hit when it publicly announced that it had found out that there was payload data from unencrypted WLANs stored during their StreetView programme and recently because people sent email and passwords over unencrypted WLAN.
For me, contrary to aparently most other opinions, this causes Google to rise in my trust because I'm very sure that any other company which had a similar incident would do everything to prevent public knowledge of this. Not so Google. They proactively stepped forward, disclosed the data acquisition accident and invited public authorities to come in to review and check the collected data before they are deleting it without further processing.
The company must have known very well that these actions would impact its image but this didn't stop it from further cooperation in almost any aspect of this incident. For example an evaluation of official british privacy groups found no evidence of personal data in the StreetView logs although this was again stated as a disappointment (german) by other data protection groups later on. Google also let an external company review the whole process of the data acuisition and processing for the StreetView programme which came to the conclusion that the whole process did at no point analyze or process recorded data from connections in the WLAN. It really did only enough processing of the WLAN headers to be able to locate the WLAN, which was the whole point of this programme.
Collecting WLAN data and positions is common practice and many companies have specialized in the area of geolocation via WLAN IDs (eg. SkyHook and even Apple itself), yet only Google is ranked high in the news for data breach while almost nobody criticises these other companies or thinks of real attackers who are surfing the streets and scanning unencrypted WLANs for importand data. For software developers and engineers it's almost clear that the data breach of Google was really just an oversight (german) during the software development and I certainly salute Google to bite the bullet for a whole industry branch. It even takes complaints from its competitors who think that during this public criticism on Google is the right time to take the chance and join beating the rival.
In my opinion Google was (and still is) one of the most respectable companies if the topic is about data security. There were of course other minor accidents with data privacy but almost every time they reacted fast and closed the holes or changed the processes within a very short timespan. As of my knowledge there has only been one incident where an internal maintenance employee who, because of its maintenance activities had access to users' data, abused his rights and accessed users' data without their consent or internal maintenance reasons. Google did react on this but I think it could have done faster and with a more clear statement.
As a final hint, if someone is really interested what data Google collects for each person hop over to the Google Privacy Center and read the small and (in my opinion) quite clear (compared to any other) privacy statement. There you also have the possibility to access the Google Privacy Dashboard where you can yiew and manage almost all the data stored with your account, change the Google ads preferences or even opt-out of it and disable the statistics collection by Google Analytics. It even maintains a publicly availale list of requests from governments to Google for removing content or providing user information.
Why I have no trust in Facebook
Try to find such features on sites like Facebook. In fact Facebook already has a quite impressive list of similar privacy issues, ranging from simple data collection features for crawlers (which is still available to this date) to collecting data of users without accounts on Facebook (german). Although Facebook has often said to tighten up their privacy settings and make it easy for users to adjust them it's still a very complicated process to strip down your privacy options and requires constant review of your sharing settings when you don't want to keep the default settings and share your data with the whole world. There already have been privacy support applications created which assist you in checking and correcting Facebooks privacy settings via easier interfaces. How sick is this? Some people even think to the extend that Facebook should just give in and simply sell your data right away.
Of course Facebook serves its original purpose, connecting people and sharing information, quite well and it may be the ideal tool for many people to do so. But in fact, I doubt that most of the users on Facebook are really aware to which extend Facebook really collects and connects information which is provided in known and unknown means by its users.
In the end I'm always a bit confused and disappointed when people state that they don't trust a certain big company because of "privacy reasons" without having a real justification at hand to do so and then maybe even take this discussion to their Facebook, Twitter or MySpace. I personally still give Google a magnitude of trust in advance of sites like Facebook and from my current point of view there is not much possibility to change my opinion or see me creating an account on this site in the near future.| Permalink