Wednesday, February 22, 2012

Google's New Privacy Policy: Nothing to write home about

What was changed fundamentally when Google switched to its new Privacy Policy instead of multiple Policies, each policy related to a different product?

Many people think that this change is the End of Google as You Know it.
Some of them think that the slogan Don't be Evil should no longer be associated with the company.

As you can easily guess from this post's title my opinion is different.

The Problem
Google is gathering a lot of information about its users.  Usage of this information could threaten these users Privacy. 

The information is used by Google mainly for advertising, because its Business Model is based on optimizing the advertising to each user profile or characteristics.

User Privacy could be violated not only for undesired advertisement but for other purposes.      

Is Google unique?
Gathering user information and analyzing it by Business Intelligence tools is a common practice. Many Web based companies like Amazon or eBay gather and analyze information. Smaller companies and traditional software vendors are using similar methods as well.  

The only differentiator is Google dominance in some Web related markets, especially Search Engine.

The Risks
1. Google will use private information for other purposes than matching advertisements to user profile.
The probability for risk events of this kind is low. Google has too much to lose. 

2. People will receive advertisement they do not want to receive, as well as Spam advertisement messages.
What is new? They are already receiving plenty of advertisements. Receiving advertisements in Search based on information gathered in YouTube is not a significant change.   

3. A Google employee who has permissions to access the information or acquire such access authority will use it and violate your Privacy (for example, by selling your private information). 
This is a higher probability risk than the previous risks.  It should be mitigated. The employee could be a gambler that lost a lot of money or someone who is going to be fired from Google. 
It is not a new risk. 60% of misusing your private baking details are attributed to internal threats(i.e.  a bank's employee). 

4. External unauthorized Web user will access or copy your private data kept in Google's Systems.
The probability of this threat is lower than the probability of the previous threat (Insider i.e. Google's employee). Google probably will take the required actions to protect the data, but a data breach could occur.
I am not sure that your Private data is better protected on your Smart Phone, Desktop or Mobile Computer

What you should know and do?

  • Once your private data is in the Web it is unforgettable. The data will not be cleaned or erased for ever unless you do  it.

1. Do not feed private data to the Web if you do not need to.
2. Clean it if you do not need it anymore.

  • Companies as well as other less honest organizations and people will track your activity in the Web in order to get information about you and your activity patterns. They may use sophisticated software. 
Protect yourself. There are a lot of software products you may use. Some of them are even free for a consumer. Do not Track Plus is an example of software protecting you from tracking for free.

  •  Some of them will do more than tracking and gathering information: They will aim at controlling your computer and using your identity, inserting Malware in your computer, Phishing or other methods.
Protect yourself. There are a lot of software products you may use. Some of them are even free for a consumer. I can recommend Advanced SystemCare Spybot and Avira. All of them has free consumer edition. It is up to you to decide if the free edition is good enough or you want the full edition, which is not for free.

What else could be done to protect Privacy?

  • Do not post sensitive private data if it is not necessary.
  • Do not use services in the Web using your Private data in non-Secure methods.

My Take
It is reasonable to replace multi-Privacy Policies by a single privacy Policy.
Do not forget that most users, do not read these policies before ticking the "I agree box". 
No significant change to the Privacy policy was added by Google, so there is nothing to write home about.

The World Wide Web is a World Wild Web. Expect all types of deception, Privacy and Security violations and prepare to mitigate them. 

The main problem is not companies like Google gathering and analyzing your data and using it for their purposes the main problem is you.

If you are not aware of the risks and do nothing to protect yourself sooner or later, you will be harmed.

As far as Privacy is concerned, it is more a Users Awareness issue than any other issue. 
The same conclusion is applicable to Security. Penetration Tests I have done in the past, usually revealed, that The Chain is as strong as the weakest link in the chain.

Human behavior is the weakest link in Security as well as in Privacy. 

1 comment:

Avi Rosenthal said...

LinkedIn Groups

Group: IT/ IS Manager in Israel
Discussion: Google's New Privacy Policy: Nothing to write home about
U can say that again. Google is going to the wrong direction when it comes to privacy.
Posted by Mor Asher

Public Cloud Core Banking: Hype or Reality? - Revisited

  More than 4 years ago I was asked if Public Cloud Core Banking is a Hype or a Short Term Reality? If you had read the post, you would prob...