Can Google be Trusted to Do No Evil?

broken-trustNot long after Google+ was launched, I came to the conclusion that Google didn’t build it as just another entry into the social arena. I was certain it ran a lot deeper than that.

When authorship launched, it seemed to support my theory that Google+ was more an identity platform than a social media venture. Then Eric Schmidt said as much in Edinborough. But by that time, there was enough discussion around the real-names-only policy on Google+, that quite a few people had accepted the fact that Google was simply gathering information.

Some thought it was just the search giant taking advantage of a dandy opportunity to bolster their data-hoppers to further their ability to laser-target ads to users. Others (myself included) saw it in a broader view – ad targeting, yes… but it was also a great addition to the tie-ins that they needed to build out a massive entity database.

One thing was becoming fairly evident, though: it was anything but just another social media venture.

The Plot Thickens

Over a relatively short life, Google managed to build (or acquire) properties in which users just naturally leave tracks. From image sharing to voice, from email to videos, they amassed a collection of properties in which users could connect, share, and communicate with their contacts, while building out their own ever-expanding profiles. What they didn’t build, they either bought or negotiated access to.

Google+ took this to a new level. Suddenly, it wasn’t just a matter of where you built a profile or who you shared specific content with. Now it became a focal point of your online presence. You could list all your social profiles, blogs and websites, post photos and videos, map places you’ve lived for your entire life, provide your address and contact information – all in one spot. If all your different presences on the web could be considered spokes, Google+ became the hub.

It’s not like Google couldn’t track down a good bit of that information alone, of course. But there are a lot of John Smiths out there, so some disambiguation had to have been very helpful to clean up their database. Adding properties like Freebase and Frommer’s to their collection handled some of that, but not enough.

Most people, even those that are quick to refer to Google as Big Brother and refuse to use Chrome for its supposed intrusiveness, don’t seem to appreciate the tremendous amount of information that exists for anyone with any sort of Internet presence.

It brings to mind a slogan from World War II: “Loose lips sink ships”. The premise of that was that even those making innocuous comments could be providing information that, when combined with a lot of other innocuous comments, could piece together enough information to present a serious security risk.

Boy, ain’t that the truth!

If you’re shaking your head and pooh-poohing that idea, check out your Google Dashboard and see how much information Google admits to have on you and your activities. Mine is seven full screens of scrolling, and I’m not nearly as active as a lot of folks I know.

Now sit back and look again at how much information is there, how many different accounts are represented. Imagine how many forum posts, blog posts, and interactions with others you’ve had over the years. It’s all there… every innocuous comment, every minute detail you ever typed. There are even those that claim that every page you’ve ever visited is mapped. When seen as a whole, it can provide a lot more information than most of us would ever consider putting in one place.

Loose lips, indeed!

Do No Evil

no-evilThere’s no shortage of people who don’t know the feel of a tinfoil hat and will poke fun at anyone citing a conspiracy – I’m one of them. I’ve always recognized that Google is a business and they need information in order to do their job of serving targeted ads. To date, they’ve done a pretty decent job of protecting privacy. And frankly, I’ve always been fairly comfortable with the amount of information I suspected Google could round up on me if they decided I was worth their attention.

It seems I’m worth more than I thought, though, judging by my Dashboard. As user data, we all share a common value.

But is this all just a ploy to gather more intelligence for targeting ads? Is it a grandiose scheme to build a massive graph that can help convert a search engine into a knowledge engine? Or is it something else?

Andy Carver summarized Schmidt as having said that “… G+ was build (sic) primarily as an identity service, so fundamentally, it depends on people using their real names if they’re going to build future products that leverage that information.”

OK, in the context in which that was said, it made sense. As Matt Cutts cited at SES San Francisco last year, if you’re looking for poison control in an emergency, it makes sense that Google immediately provides you with the local number at the top of the page, rather than making you click through to find it.

Cutts made another remark in that same SES keynote: “…Google is more of an information company and not just a pure search engine.”

So we give information – and we get information. It’s a trade-off.

The Game is Afoot

Some are probably still either blissfully ignorant of what is going on or so complacent that it doesn’t bother them. I’m definitelybothered. And each of you should be too.

Enter: NSTIC (National Strategy For Trusted Identities In Cyberspace)

In 2011, NSTIC gained some visibility, but it wasn’t until late 2012 that it took on the shape of more than a “maybe someday” project, when Google, PayPal and Equifax were named the first three officially credentialed IPs (identity providers).

The “Identity Ecosystem” that NSTIC is intended to construct isn’t totally in place yet, but it’s coming. My best guess would be sometime 2014, at best (or worst, depending upon your viewpoint), possibly longer. Some pilot programs are already in use. So what is it intended to do?

Since the government has decided that it’s too much trouble for us to have to enter our various user names and passwords when logging into websites, they came up with the idea of NSTIC, wherein Identity Providers will “vouch” for us. It’s still unclear exactly how we’ll be identified, but presently, they seem to be leaning toward a digital “Information Card“, which will be issued by the ID Provider we select. Supposedly, this is necessary in order to make our lives easier and enhance our privacy?

What? They’re going to protect our privacy by having someone else carry our wallets for us? Uh…. time out!

Let’s take a look at how this is supposedly going to work.

When you log into a site that only requires you to be at least 13 years old, the ID Provider will only have to vouch for the fact that you meet that criteria. On the other hand, if you’re logging into your bank to transfer funds, or Amazon to make a purchase, considerably more information would be required.

There are a number of problems that surface with this plan. Just to name a few:

  • Who asked the government to mandate a system to make my online dealings “easier”?
  • In order for someone to be able to provide all necessary private information I might need to offer, that entity has to be in possession of all of it. Explain the “enhanced” part of our privacy again, please.
  • There are no laws, either in place, or contemplated, to regulate the manner in which our information must be stored, managed, protected, altered or deleted. Instead, there is a toothless guideline entitled the Fair Information Practice Principles (FIPPs), which only applies to government agencies.
  • With no regulation, there is also no redress in case of mishandling.

So, essentially, we’re supposed to let some company like Google, PayPal or Equifax handle all our private data, and decide how much of it they’ll share, with whom they’ll share it and how well they’ll safeguard it, just so we don’t have to use passwords? And all this is on the honor system?

With agencies like the FBI, CIA and NSA getting their data compromised, I’m a little hesitant to buy into letting a commercial interest “protect” my data.

With no regulations to set and enforce acceptable use policies of my data, I don’t feel inclined to just trust a multi-billion dollar company to not use my data to make more billions.

I’ll opt for a password when I log into my bank, thanks. And I wouldn’t hold your breath waiting for me to share my bank, account number or balance with anyone that only operates on the “honor system”.

While advocates of this Identity Ecosystem love to claim how much more secure we’ll all be with an ID provider watching out for our privacy, I have to ask myself – who will be watching them?

I’ll be going into more depth on NSTIC here soon, but I strongly encourage you to read more on the NSTIC program. Kristine Schachinger has written several informative articles on the topic, which I highly recommend and a simple search for NSTIC will provide you with plenty of strongly held opinions from both sides of the argument. Below are the links to Schachinger’s articles:

Related reading

SEO is a team sport: How brands and agencies organize work
How to pitch to top online publishers: 10 exclusive survey insights
search reports for ecommerce to pull now for Q4 plan
amazon google market share for ecommerce, data