Law in the Internet Society
Ready for review. All comments are welcome.

Privacy Loopholes in Google Voice, and Why Users Won't Even Notice

-- By SethLindner - 06 Nov 2009

Recent Google Acquisitions

Two recent acquisitions indicate that Google may be getting serious about entering the VoIP telecommunications market. In 2007 Google bought a company called GrandCentral, which ran a web-based call forwarding system that provided users with a single "central" phone number from which calls could be routed to multiple other phone numbers based upon user-configurable preferences. In April of 2009 the service was launched as Google Voice. In addition to the call forwarding features of GrandCentral, Google Voice adds call screening, blocking of unwanted calls, and voice transcription to text of voicemail messages.

While Google Voice allowed users to consolidate all of their conventional phone numbers into one Google Voice number, it still required users to have a separate land line or cellular telephone to make or receive calls. It appears that this is about to change. Google recently announced that it had purchased a company called Gizmo5 for $30 million. Gizmo5 offers the missing piece to the VoIP puzzle for Google by providing an actual phone number and software to make and receive calls. Many people speculate that Google will integrate the Gizmo5 features into Google Voice, creating a no-cost centralized telephone system.

Currently Google claims to have more than 1.4 million users of Google Voice.

"A Higher Sense of Privacy" -- User Reactions to Google Voice

I was curious to see what the buzz on the internet was about privacy issues raised by Google Voice, so I did a search for "google voice privacy." One article discussed some of the advantages and disadvantages of Google Voice, noting that although the Google Voice site was currently ad-free, it could change this in the future. Then came a reader comment that really worried me:

"I don't see Google opening [Google Voice] up to ads, or at the very least, no targeted ads, as I feel that phone calls are a bit more sensitive than emails, and come with a higher sense of privacy. If they launched targeted ads, I think there would be a backlash, and a dropoff in usage."

This comment makes me nervous because I think this guy is almost completely correct. Most users probably don't want to see advertisements in Google Voice that appear to be targeted to the content of their phone calls. And most users believe that phone calls should be entitled to greater privacy protection than other forms of communication. But remember, Google already knows how to play this game. It knows that we do not want to feel like someone is standing over our shoulder. It knows that if we pick up the phone and hear nothing but measured breathing on the other end of the line, we're going to hang up pretty quickly. Google's response, then, will be to give users exactly what they are looking for -- a "higher sense of privacy."

The Loopholes in the Google/Google Voice Privacy Policies

A careful reading of Google's privacy policy reveals what privacy means to Google. I call this policy attractively deceptive, because once we look beyond the first line reminding us that Google believes that privacy is important, and the statement of compliance with the U.S. Department of Commerce's Safe Harbor Program (that sounds safe), we see some startling possibilities.

Let's first look at how Google handles "personal information," which Google defines as information that "personally identifies you." The first problem is that Google presumes to know what kind of information personally identifies its users. It identifies name, email address, and billing information as examples. Even if we leave sophisticated data mining techniques aside, doesn't it seem possible that something like a simple list of the ten people that you call most often might pretty easily identify you? Next, the Policy plainly allows Google to "process [personal information] on behalf of and according to the instructions of a third party." So, even if the information that Google didn't classify as "personal" wasn't enough for third parties to identify you, those same parties can get Google to process the personal information to fill in the gaps.
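The "top ten people you call" argument can be checked the way a privacy engineer checks any candidate quasi-identifier: count how many records in a dataset share each user's top-k contact set. The script below is an added illustration, not part of the original essay, and runs on a small constructed call log with pseudonymous user ids; it generalizes the essay's "ten" to any k, which shows that a longer list shrinks the crowd each user hides in.

```python
from collections import Counter, defaultdict

# Constructed sample call log: (pseudonymous user id, dialled number, call count).
# No names, emails or billing data, i.e. nothing Google's policy calls "personal".
CALL_LOG = [
    ("u1", "555-0101", 12), ("u1", "555-0102", 9), ("u1", "555-0103", 4),
    ("u2", "555-0101", 7),  ("u2", "555-0102", 6), ("u2", "555-0104", 3),
    ("u3", "555-0201", 15), ("u3", "555-0202", 2),
    ("u4", "555-0201", 8),  ("u4", "555-0202", 5),
    ("u5", "555-0301", 11), ("u5", "555-0101", 1),
]


def top_contacts(log, k):
    """Map each pseudonymous user to the set of their k most-called numbers."""
    per_user = defaultdict(Counter)
    for user, number, count in log:
        per_user[user][number] += count
    return {u: frozenset(n for n, _ in c.most_common(k)) for u, c in per_user.items()}


def anonymity_sets(top):
    """For each user, how many users share the same top-k set.

    A value of 1 means the 'non-personal' contact list singles that user out."""
    groups = Counter(top.values())
    return {u: groups[s] for u, s in top.items()}


def fraction_unique(log, k):
    """Share of users whose top-k contact set is unique in the dataset."""
    sizes = anonymity_sets(top_contacts(log, k))
    return sum(1 for n in sizes.values() if n == 1) / len(sizes)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k}: {fraction_unique(CALL_LOG, k):.0%} of users uniquely identifiable")
```

Run as-is, the output moves from 20% uniquely identifiable at k=2 to 60% at k=3, which is the point: a field a policy treats as non-personal can still act as an identifier once enough of it is retained.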

Google Voice has its own privacy policy and even more problems. Let's take a look at what happens when you delete a record from your Google Voice account. The first thing that happens is that the message immediately disappears from your view.

"Whew! Good thing I got rid of THAT message. I could be in big trouble if it got around."

Then, "up to 90 days" later, Google removes the information from its "active servers." Unfortunately, Google also has backups of everything. And those don't ever get deleted. In other words, it is there forever, permanently, and you've given Google permission to keep it. In effect, the only thing Google does when you delete the information is to keep you from being able to access it. The danger, of course, is that most users will simply forget that Google still has it, once it is removed from their view. This shows again why Google Voice is uniquely dangerous. People will use it without even knowing how much information they are really sharing with Google. And even if they realize that they've shared something they wish they hadn't, there isn't any way to get it back.

It is safe to assume that Google intends to make money from its users' conversations (the $30 million Google just spent in the Gizmo5 acquisition, combined with the vast number of companies with whom Google has had to work to make Google Voice, is evidence that Google's cost of providing the service is significant, even if it pays next to nothing for the bandwidth). Even if Google continues its current practice of not showing advertisements on the site, users need to think seriously about how their information is actually being used. It is a foolish (but I'm afraid all too common) mistake to believe that just because we can't tell exactly how our privacy is being violated and our autonomy curtailed, those things aren't actually happening on a massive scale.


Seth,

I follow Google closely, so this was a very interesting read for me. Two quick easy comments: there seems to be a "not" missing in "It knows that we do [___] want to feel like someone is standing over our shoulder." in the last paragraph of part 2, "A Higher Sense of Privacy." Also, you might consider hyperlinking to our data mining readings in the second paragraph of part 3, "The Loopholes," and adding some citation or link for the statement that Google has backups and that they never get deleted. Maybe just linking to the policy where you give permission to Google would cover the latter.

Substantively, your point about the top 10 most called bit as personally identifying is a good one. I also agree that the prospect of Google monetizing Google Voice via targeted ads based on phone calls is a formidable specter. I wonder if it really loses any punch, though, even if Google doesn't actually target ads in that way? I'm not sure it does (lose any punch, that is). And I think that it is important that it doesn't because Google seems to have a lot of projects that I don't believe it currently uses to tailor ad delivery (perhaps it does and I'm simply not remembering/aware), so there is some chance that it won't monetize Voice using ads based on call contents. Another idea, and one that perhaps seems more likely than Google actually using some sort of filter that grabs keywords from your phone calls and delivers ads relevant to them, is maybe Google would just look up (via automated software) the numbers you call. Oh, you call Pizza Joe's on Fridays? Guess we'll target ads to you that afternoon of other pizza places. You call a Laundromat 5000 on every other Sunday? Well look at that, free coupons hit your email box on Friday when you're about to drop it off. And so on. That seems like a more likely form of tailored ad than the Google-as-fulltime-listener one. That might be something good to note more if you can find space.

I have no other substantive comments. It looks good, reads well, and is an important and engaging topic. Nice work.

11-28-09 EDIT: Seth, I ran into this story on Google Voice/cell phones today and thought it might be useful for you.

-- BrianS - 24 Nov 2009

Seth, This is a really interesting paper and topic. You imply the relationship is important, but to what extent do you think it matters that Google Voice is run by Google and not some random small company? In other words, does it matter that with Google Voice, Google has access not only to a person's phone conversations, but also potentially to his email, calendar, Google Reader, Google Groups, etc. This is both a practical and theoretical question, as I couldn't tell from the privacy policies how information from the various Google products is used. Would it be less scary if some other company came out with a similar product with a similar privacy policy? It seems it would, but I wonder if we can know exactly why.

I don't really have any other comments - this paper looks good to me!

-- HeatherStevenson - 25 Nov 2009

My paper was on a similar topic. You went more in-depth into Google's Privacy Policy than I did, however.

It strikes me that a lot depends on how much teeth the Privacy Policy has. If Google (or another company doing similar privacy-sensitive things on the Internet) takes privacy seriously then they'll have people and measures to stop them from being too evil. It's their motto, after all! Strict internal controls would minimize the practical impact of data aggregation, even if there's still a philosophical problem with the data being there in the first place. But we all know how slimy and amoral marketing folks are. They want to sink their talons into any possible way to deliver ads. And if they have enough political pressure within Google then the Privacy Policy doesn't really end up meaning that much because the privacy advocates will get steamrolled.

Maybe the key is to use outside pressure and publicity to keep privacy in the spotlight. It seemed to work on Facebook. On the other hand, people don't seem to get riled up about minor privacy incursions, only really egregious ones. Which means that the marketing people will probably be able to chip away slowly and silently.

-- GavinSnyder - 29 Nov 2009

r12 - 29 Nov 2009 - 22:34:48 - GavinSnyder