2013 03 13 NYT Google Focuses on Privacy After Street View Settlement – NYTimes.com
Google Hastens to Show Its Concern for Privacy
Richard Drew/Associated Press
Google Street View cars on Avenue of the Americas in New York. The company acknowledged privacy breaches this week.
Published: March 13, 2013
SAN FRANCISCO — Silicon Valley hates being told what to do. “Better to seek forgiveness than permission” is its unofficial slogan.
This week, though, Google was told what to do. In the culmination of a two-year investigation into whether its Street View violated privacy protections, law-enforcement officials told the company to shape up. Again.
Google has repeatedly redefined how people communicate and acquire knowledge in the 21st century, and it has repeatedly been accused of breaking the rules in the process. The company says it has taken its mistakes in the case to heart and has already changed. Never again, it says, will a midlevel engineer be able to do anything like what one did in Street View: start a program to scoop up data secretly from potentially millions of unencrypted Wi-Fi networks around the world, without his bosses bothering to know.
To make sure of this, a coalition of 38 states has drawn up numerous specific steps for Google to take, ranging from educating its engineers to educating its lawyers. Whatever Google was doing before to improve its privacy controls was not enough, the states say.
“There is no reason to believe they are not going to comply with each and every term in this agreement,” said Matthew F. Fitzsimmons, the Connecticut assistant attorney general who worked on the settlement.
Jill Hazelbaker, a Google spokeswoman, said, “We’ve worked hard to improve our practices.”
Google’s internal compliance will not be directly monitored. But if states feel Google is not upholding its side of the deal, they can bring the matter up to the executive committee that brokered the deal, including the attorneys general of Illinois, Massachusetts and Texas.
Some privacy experts think the program has a fair chance of success.
“This gives me some glimmer of hope that going forward, the culture of Google will include more privacy by design,” said Joseph L. Hall, senior staff technologist at the Center for Democracy and Technology. “Then they could do things in an innovative way on the front end that won’t result in needing to beg for forgiveness later.”
Still, it is difficult to make changes in an extremely successful technology firm. Silicon Valley executives remember all too well the case of Microsoft, which owned the future in the mid-1990s in the way that Google, Facebook and Amazon seem to now. Then the government sued the company and came close to breaking it up. Microsoft’s image, and its momentum, never recovered.
“Google is just as concerned, if not more concerned, about public perception than it is about paying a few fines,” said Ryan Calo, a law professor at the University of Washington who studies privacy issues. “Lay people will take a settlement as being evidence of a mea culpa.”
Larry Page, Google’s co-founder and chief executive, has made it clear that he wants the 31,000-employee company to try to act like a start-up, which means taking risks and doing things quickly. That was the sort of attitude that led to the Street View violation.
“The states are trying to inculcate a culture of privacy, to make it part of the DNA of Google,” said Timothy J. Toohey, a privacy expert at the law firm Snell & Wilmer. “But regulators and attorneys general are not technologists, and it becomes very difficult to follow through.”
Inside Google, the Street View breach was viewed more as a management problem than as a privacy one, according to people briefed on the investigation who were not authorized to speak publicly. The company realized, these people said, that it needed clearer control over what its engineers were doing and tighter restrictions on which engineers could gain access to certain data.
There has also been a realization among Google executives that these privacy penalties do matter, if only because of the reputational risks. They know the company can only sustain so many strikes against it in the public’s point of view, and the problem becomes more acute with each one, said former Google executives who spoke anonymously to preserve business relationships.
Edward Wyatt contributed reporting from Washington.
In 2010, when the Street View case erupted publicly, Google appointed Alma Whitten, an engineer with expertise in computer security, to be its director of privacy for product and engineering. Since then, it has added about 350 employees to her team.
Google has also added new rules for employees. For instance, workers must receive training in privacy practices and attend privacy lectures, and engineers overseeing new products have to maintain documents, reviewed by internal auditors, that detail how a product handles user data.
Ms. Hazelbaker, the Google spokeswoman, said the company had also hired privacy experts and tightened controls. Google has said it is now thinking about privacy issues at the start of product development.
Now the company will have to deal with the states’ new demands.
Google’s most vociferous critics predict it will be business as usual.
“People who care about privacy have to be grateful that the state A.G.’s are trying to do their jobs, but it is hard to imagine this latest settlement will make much difference in how Google behaves,” said Gary L. Reback, a Silicon Valley lawyer who represented companies pushing for antitrust charges against Google, which were ultimately unsuccessful. “This is the third time the company has promised to educate its employees, including once in a Federal Trade Commission order, all to no avail.”
Under a settlement Google made with the F.T.C. in 2011, the company must submit to an independent audit of a newly constructed privacy plan every two years for two decades. The settlement concerned Google’s unauthorized use of private information of users of its Gmail service as public content for its Google Buzz social network.
PricewaterhouseCoopers submitted its first Google privacy audit last year. The report was not made public, but the Electronic Privacy Information Center obtained it through a Freedom of Information Act request.
The report was extensively redacted after Google said, and the F.T.C. agreed, that disclosing the company’s privacy procedures and controls would allow outsiders to thwart them and competitors to harm Google commercially.