Friday, January 28, 2011
(Cross-posted on the Public Policy Blog)
It’s become a welcome tradition: Today is the fourth annual Data Privacy Day. Dozens of countries have been celebrating with events throughout the week to inform and educate us all about our personal data rights and protections.
This is the first year I’ve marked this day as director of privacy across both engineering and product management at Google. I’ve chosen to spend the day in Washington, D.C., where there’s been a lot of robust and productive discussion lately. People from Congress, the Federal Trade Commission, the Department of Commerce, and industry and consumer groups have been contributing to these important conversations about how to best protect people’s data, and we’re happy to be participating too. I’m doing my part by bringing my geek sensibilities into a public discussion that we’re hosting today. In fact, that’s what we’re calling it: “The Technology of Privacy: When Geeks Meet Wonks.” I’ll be joined on the panel by technologists from the Electronic Frontier Foundation, the Federal Trade Commission and the National Institute of Standards and Technology. If you can’t attend in person, don’t worry—we’ll be uploading a video of the event later in the day on our Public Policy blog and you’ll also be able to see it on the Google Privacy Channel on YouTube.
On this Data Privacy Day, a major focus for Google is on creating ways for people to manage and protect their data. We’ve built tools like the Google Dashboard, the Ads Preferences Manager and encrypted search, and we’re always working on further ideas for providing transparency, control and security to empower our users. For example, earlier this week we launched an extension for Chrome users called Keep My Opt-Outs, which enables you to opt out permanently from ad tracking cookies. And pretty soon we’ll be extending the availability of 2-step verification, an advanced account security solution that is now helping protect more than 1,000 new accounts a day from common problems like phishing and password compromise. Right now it’s available to Google Apps Accounts; we’ll be offering it to all users in the next few weeks.
Data Privacy Day 2011 reminds us that as industry and society are busy moving forward, we face new challenges that together we can tackle through conversation and innovation. We’re eager to be part of the solution.
Friday, October 22, 2010
Creating stronger privacy controls inside Google
(Cross-posted on the Public Policy and European Public Policy Blogs)
- First, people: we have appointed Alma Whitten as our director of privacy across both engineering and product management. Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role.
- Second, training: All our employees already receive orientation training on Google’s privacy principles and are required to sign Google’s Code of Conduct, which includes sections on privacy and the protection of user data. However, to ensure we do an even better job, we’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data. In addition, starting in December, all our employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.
- Third, compliance: While we’ve made important changes to our internal compliance procedures in the last few years, we need to make further changes to reflect the fact that we are now a larger company. So we’re adding a new process to our existing review system, in which every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team.
Finally, I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users.
Posted by Alan Eustace, Senior VP, Engineering & Research
Friday, September 3, 2010
Trimming our privacy policies
Long, complicated and lawyerly—that's what most people think about privacy policies, and for good reason. Even taking into account that they’re legal documents, most privacy policies are still too hard to understand.
So we’re simplifying and updating Google’s privacy policies. To be clear, we aren’t changing any of our privacy practices; we want to make our policies more transparent and understandable. As a first step, we’re making two types of improvements:
- Most of our products and services are covered by our main Google Privacy Policy. Some, however, also have their own supplementary individual policies. Since there is a lot of repetition, we are deleting 12 of these product-specific policies. These changes are also in line with the way information is used between certain products—for example, since contacts are shared between services like Gmail, Talk, Calendar and Docs, it makes sense for those services to be governed by one privacy policy as well.
- We’re also simplifying our main Google Privacy Policy to make it more user-friendly by cutting down the parts that are redundant and rewriting the more legalistic bits so people can understand them more easily. For example, we’re deleting a sentence that reads, “The affiliated sites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies,” since it seems obvious that sites not owned by Google might have their own privacy policies.
- More content to some of our product Help Centers so people will be able to find information about protecting their privacy more easily; and
- A new privacy tools page to the Google Privacy Center. This will mean that our most popular privacy tools are now all in one place.
Our updated privacy policies still might not be your top choice for beach reading (I am, after all, still a lawyer), but hopefully you’ll find the improvements to be a step in the right direction.
Posted by Mike Yang, Associate General Counsel
Monday, June 28, 2010
An update on China
Update July 9:
We are very pleased that the government has renewed our ICP license and we look forward to continuing to provide web search and local products to our users in China.
(original post)
Ever since we launched Google.cn, our search engine for mainland Chinese users, we have done our best to increase access to information while abiding by Chinese law. This has not always been an easy balance to strike, especially since our January announcement that we were no longer willing to censor results on Google.cn.
We currently automatically redirect everyone using Google.cn to Google.com.hk, our Hong Kong search engine. This redirect, which offers unfiltered search in simplified Chinese, has been working well for our users and for Google. However, it’s clear from conversations we have had with Chinese government officials that they find the redirect unacceptable—and that if we continue redirecting users our Internet Content Provider license will not be renewed (it’s up for renewal on June 30). Without an ICP license, we can’t operate a commercial website like Google.cn—so Google would effectively go dark in China.
That’s a prospect dreaded by many of our Chinese users, who have been vocal about their desire to keep Google.cn alive. We have therefore been looking at possible alternatives, and instead of automatically redirecting all our users, we have started taking a small percentage of them to a landing page on Google.cn that links to Google.com.hk—where users can conduct web search or continue to use Google.cn services like music and text translate, which we can provide locally without filtering. This approach ensures we stay true to our commitment not to censor our results on Google.cn and gives users access to all of our services from one page.
Over the next few days we’ll end the redirect entirely, taking all our Chinese users to our new landing page—and today we re-submitted our ICP license renewal application based on this approach.
As a company we aspire to make information available to users everywhere, including China. It’s why we have worked so hard to keep Google.cn alive, as well as to continue our research and development work in China. This new approach is consistent with our commitment not to self censor and, we believe, with local law. We are therefore hopeful that our license will be renewed on this basis so we can continue to offer our Chinese users services via Google.cn.
Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer
Friday, May 14, 2010
WiFi data collection: An update
Update June 9, 2010:
When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns.
Update May 17, 2010:
On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.
You can read the letter from the independent third party, confirming deletion, here.
[original post]
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.
In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.
However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
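The collection problem described above, as an added example that is not Google's or the Street View software's code: a data-minimising 802.11 frame handler that keeps only the SSID, BSSID and encryption flag from beacon frames and measures but never stores data-frame payloads, so the survey output cannot contain user traffic. The frames are constructed in memory, and the field offsets assume plain 24-byte headers (no QoS or HT control fields).

```python
import struct

# Constructed sample input (not real captures): frames are built in memory so the
# example runs offline. Header layout, the beacon Privacy bit (capability bit 4) and
# the Protected Frame flag (bit 6 of the second frame-control byte) follow IEEE 802.11.

def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_beacon(bssid: str, ssid: str, privacy: bool) -> bytes:
    """Beacon: type 0 (management), subtype 8; addr3 carries the BSSID."""
    fc = bytes([0x80, 0x00])
    header = fc + b"\x00\x00" + _mac("ff:ff:ff:ff:ff:ff") + _mac(bssid) + _mac(bssid) + b"\x00\x00"
    capability = 0x0001 | (0x0010 if privacy else 0)      # ESS bit, optional Privacy bit
    fixed = struct.pack("<QHH", 0, 100, capability)       # timestamp, beacon interval, capability
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()       # element ID 0 = SSID
    return header + fixed + ssid_ie

def build_data(bssid: str, src: str, dst: str, payload: bytes, protected: bool) -> bytes:
    """Data frame with ToDS=1 (addr1 = BSSID, addr2 = SA, addr3 = DA)."""
    fc = bytes([0x08, 0x41 if protected else 0x01])
    header = fc + b"\x00\x00" + _mac(bssid) + _mac(src) + _mac(dst) + b"\x00\x00"
    return header + payload

def parse_frame(raw: bytes) -> dict:
    """Decode only the header fields a network survey needs; payload is measured, not kept."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    body = raw[24:]
    info = {"type": ftype, "subtype": subtype, "protected": bool(fc1 & 0x40)}
    if ftype == 0 and subtype == 8:                        # beacon
        if len(body) < 12:
            raise ValueError("truncated beacon body")
        _ts, _interval, capability = struct.unpack_from("<QHH", body, 0)
        info.update(bssid=addr3, privacy=bool(capability & 0x0010), ssid=None)
        pos = 12
        while pos + 2 <= len(body):                        # walk the information elements
            ie_id, ie_len = body[pos], body[pos + 1]
            data = body[pos + 2:pos + 2 + ie_len]
            if len(data) < ie_len:
                break
            if ie_id == 0:
                info["ssid"] = data.decode("utf-8", "replace")
            pos += 2 + ie_len
    elif ftype == 2:                                       # data frame
        ds = fc1 & 0x03                                    # bit0 ToDS, bit1 FromDS
        info["bssid"] = {0: addr3, 1: addr1, 2: addr2}.get(ds)   # 3 = 4-address (WDS) frame
        info["payload_len"] = len(body)                    # length only; bytes are dropped
    return info

def survey(frames):
    """Retain SSID, BSSID and the encryption flag per network; count data frames
    and discard their payload bytes without ever storing them."""
    networks = {}
    audit = {"beacons": 0, "data_frames": 0, "payload_bytes_discarded": 0}
    for raw in frames:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] == 8:
            audit["beacons"] += 1
            networks[mac_str(f["bssid"])] = {"ssid": f["ssid"], "encrypted": f["privacy"]}
        elif f["type"] == 2:
            audit["data_frames"] += 1
            audit["payload_bytes_discarded"] += f["payload_len"]
    return networks, audit

# Constructed frames: an open network, a protected network, one cleartext data frame
# on the open network and one protected data frame on the encrypted one.
SAMPLE_FRAMES = [
    build_beacon("02:00:00:00:00:01", "coffee-shop", privacy=False),
    build_beacon("02:00:00:00:00:02", "home-wpa", privacy=True),
    build_data("02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb",
               b"GET /mail HTTP/1.1", protected=False),
    build_data("02:00:00:00:00:02", "02:00:00:00:00:cc", "02:00:00:00:00:dd",
               b"\xde\xad\xbe\xef" * 4, protected=True),
]

def run_sample():
    """Returns (networks, audit) for the constructed frames."""
    return survey(SAMPLE_FRAMES)
```

The audit counters give a reviewer a verifiable record that payload was seen and dropped, which is the evidence an independent review would look for.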
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
- Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
- Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.
The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.
Posted by Alan Eustace, Senior VP, Engineering & Research
Wednesday, May 5, 2010
Happy half-birthday Dashboard! Six months in and 100,000 users a day
Six months ago, we launched the Google Dashboard to help you view and control information stored in your Google Account. It’s organized according to the products you use (like Gmail, Docs or YouTube), listing data stored in your account and providing direct links to control your personal settings.
Since we’re celebrating our very first half-birthday, we thought it was the ideal time to update you on how things are going. On average, around 100,000 unique visitors a day check out their Dashboard, 85 percent for the first time. Since launch, we’ve worked to grow Dashboard, adding a number of other Google products including Sites, Maps, Books, Webmaster Tools, Buzz, Goggles, Sidewiki and Analytics. We’re still working on adding other products to the tool and are talking with users about new ways to improve the functionality moving forward.
We launched the Dashboard to provide you with greater transparency and control. We’re proud of its success so far and look forward to what’s next. If you haven’t looked at your own Dashboard yet, check it out!
Posted by Yariv Adan, Product Manager
Tuesday, April 20, 2010
Greater transparency around government requests
Article 19 of the Universal Declaration on Human Rights states that "everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers." Written in 1948, the principle applies aptly to today's Internet -- one of the most important means of free expression in the world. Yet government censorship of the web is growing rapidly: from the outright blocking and filtering of sites, to court orders limiting access to information and legislation forcing companies to self-censor content.
So it's no surprise that Google, like other technology and telecommunications companies, regularly receives demands from government agencies to remove content from our services. Of course many of these requests are entirely legitimate, such as requests for the removal of child pornography. We also regularly receive requests from law enforcement agencies to hand over private user data. Again, the vast majority of these requests are valid and the information needed is for legitimate criminal investigations. However, data about these activities historically has not been broadly available. We believe that greater transparency will lead to less censorship.
We are today launching a new Government Requests tool to give people information about the requests for user data or content removal we receive from government agencies around the world. For this launch, we are using data from July-December, 2009, and we plan to update the data in 6-month increments. Read this post to learn more about our principles surrounding free expression and controversial content on the web.
We already try to be as transparent as legally possible with respect to requests. Whenever we can, we notify users about requests that may affect them personally. If we remove content in search results, we display a message to users. The numbers we are sharing today take this transparency a step further and reflect the total number of requests we have received broken down by jurisdiction. We are also sharing the number of these content removal requests that we do not comply with, and while we cannot yet provide more detail about our compliance with user data requests in a useful way, we intend to do so in the future.
As part of our commitment to the Global Network Initiative, we have already agreed to principles and practices that govern privacy and free expression. In the spirit of these principles, we hope this tool will shine some light on the scale and scope of government requests for censorship and data around the globe. We also hope that this is just the first step toward increased transparency about these actions across the technology and communications industries.
Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer
Tuesday, March 30, 2010
Our stand for digital due process
The year was 1986. A gallon of gas cost 89 cents, Paul Simon’s Graceland won the Grammy for album of the year, and the federal Electronic Communications Privacy Act (ECPA), which governs how law enforcement can access electronic data, was signed into law.
A lot has changed since 1986. Gas is now measured in dollars and Taylor Swift (born 1989) won album of the year. All the while, technology has moved at record pace. But ECPA has stayed the same. Originally designed to protect us from unwarranted government intrusion while ensuring that law enforcement had the tools necessary to protect public safety, it was written long before most people had heard of email, cell phones or the “cloud” — the term used for programs helping people store personal data like photos and documents online. As a result, ECPA has become outdated.
This is why we’re proud to help establish Digital Due Process, a coalition of technology companies, civil rights organizations and academics seeking to update ECPA to provide privacy protections to new and emerging technologies.
Specifically, we want to modernize ECPA in four ways:
- Better protect your data stored online: The government must first get a search warrant before obtaining any private communications or documents stored online;
- Better protect your location privacy: The government must first get a search warrant before it can track the location of your cell phone or other mobile communications device;
- Better protect against monitoring of when and with whom you communicate: The government must demonstrate to a court that the data it seeks is relevant and material to a criminal investigation before monitoring when and with whom you communicate using email, instant messaging, text messaging, the telephone, etc.; and
- Better protect against bulk data requests: The government must demonstrate to a court that the information it seeks is needed for a criminal investigation before it can obtain data about an entire class of users.
You can read more about our proposal at our coalition website. In the coming months, we’ll meet with lawmakers, law enforcement officials and others to help build support for modernizing the law.
1986 was a good year, but it’s time our laws catch up with how we live our lives today.
Posted by Richard Salgado, Senior Counsel, Law Enforcement and Information Security