Facebook, Google privacy 'breaches' that aren't
Facebook and Google have been in the news for all the wrong reasons in recent weeks--the social network for the misuse of some users' data by applications they'd installed on their pages, the Web-services giant for collecting data from people's wireless networks.
Both of these episodes show we need to upgrade how we think about privacy online--starting with the vocabulary we use.
The Facebook and Google issues have both been called "breaches." But they're not. The information at stake in each case was already public by any meaningful definition. It would have remained public no matter how good or evil the two companies had been.
In Facebook's case, the data consisted of the basic parameters of each person's account: Their name, picture, gender and networks, all of which Facebook makes public to all of the 500-million-plus users on the site. Unless you change its default settings, that information is also visible to anybody on the Internet.
Facebook's own rules prohibit applications from using this data for their own purposes, and the Palo Alto, Calif., company has since cracked down on app developers and banned one data broker from doing business on the site. But if you're on Facebook, your basic identity is just as visible to everybody else on the site as before--in the same way the White Pages broadcast your identity to anybody who still gets the phone book.
(Disclaimer: Post Co. chairman Donald E. Graham may appreciate these words, as he sits on Facebook's board of directors. You may also see this item get promoted on Facebook by the Post, as the paper markets itself extensively on the site.)
In Google's case, the problem began with people leaving their wireless networks unencrypted. People have been neglecting to take this simple step since the arrival of consumer-grade WiFi routers, either because they're confused about its necessity (see the puzzled questions about it in this 2004 chat transcript) or the typically hideous configuration interfaces of most routers make it too difficult to do so.
For example, this summer, Wired noted that
House Intelligence Committee member Rep. Jane Harman (D.-Calif.), chair of the House Subcommittee on Intelligence, Information Sharing and Terrorism Risk Assessment, had left her District residence's wireless networks open.
But if your WiFi is open, anybody can read your traffic at will. That's why Google itself began encrypting the logins of Gmail users years ago, a measure that ensures an eavesdropper will pick up only useless gibberish.
The Google Street View engineers--who wanted to build a database of WiFi hotspots that Google's mobile services could use for location-finding purposes that would replace Skyhook Wireless's service--didn't show the same level of foresight as Gmail's developers. As Google explains it, they simply forgot to scrub the data collected by the Mountain View, Calif., firm's Street View cars of anything beyond a wireless network's name and hardware address.
That's a dumb mistake, and the company is right to pronounce itself "mortified" by its conduct. But if you think that your unsecured WiFi's privacy issues ended with Google's surrender, you are a fool. The people you need to worry about don't drive around neighborhoods in cars equipped with massive camera rigs on their roofs, and they won't apologize for eavesdropping because they'll be too busy logging into your accounts.
Don't get mad at Google in that scenario--save your anger for WiFi vendors who can't be bothered to make it easy and obvious to encrypt your network and for Web operators who don't encrypt your login by default.
I'm not saying that nobody has any privacy anymore or that I place unlimited trust in Facebook, Google and their ilk. I don't. But when Congress is considering possible legislation, we need to focus on actual problems.
A real privacy breach doesn't involve a remix or collection of data that's already out there for anybody to see. It exposes information that nobody else should know, in ways that lead to the loss of money or security or otherwise fairly earn the adjective "Orwellian." If you, like my wife, have ever received one of those letters from a credit bureau offering a year of free credit monitoring to make up for a leak of your financial data, you know what I'm talking about.
At the same time, information about ourselves is the currency we spend to get free services. We don't have to do that--you need not spend more than $50 a year to get an ad-free Web-mail service--but few of us bother, even if that earns us extra marketing attention later on. That's how things happen offline as well; we open credit-card accounts and join store membership programs and don't pretend to be surprised by the additional junk mail that shows up afterwards.
This is the business we have chosen, and we might as well get good at it.
There are decent odds that you just read a draft of Sunday's column. What arguments am I missing? Am I going too easy on the likes of Facebook and Google? Your chance to be my editor awaits in the comments.
(11/12/10, 5:04 p.m. Corrected Harman's job description.)
| November 11, 2010; 9:45 AM ET
Categories: Privacy, Security, The business we have chosen
Save & Share: Previous: CEA launches 'Tech Enthusiast' membership
Next: Newest Twitter annoyance: iTunes Ping updates?
Posted by: tojo45 | November 11, 2010 1:29 PM | Report abuse
Posted by: inojk | November 11, 2010 2:09 PM | Report abuse
Posted by: gannon_dick | November 11, 2010 2:42 PM | Report abuse
Posted by: 54Stratocaster | November 11, 2010 2:45 PM | Report abuse
Posted by: wiredog | November 12, 2010 8:04 AM | Report abuse
Posted by: Thomas25 | November 12, 2010 2:07 PM | Report abuse