IN PROGRESS...

Privacy Loopholes in Google Voice, and Why Users Won't Even Notice

-- By SethLindner - 06 Nov 2009

Recent Google Acquisitions

Two acquisitions over the past two years indicate that Google may be getting serious about significantly entering the VoIP telecommunications industry. In 2007 Google bought a company called GrandCentral, which ran a web-based call forwarding system that provided users with a single "central" phone number from which calls could be routed to multiple other phone numbers based upon user-configurable preferences. In April of 2009 the service was launched as Google Voice. In addition to the call forwarding features of GrandCentral, Google Voice adds call screening, blocking of unwanted calls, and voice transcription to text of voicemail messages.

While Google Voice allowed users to essentially consolidate all of their conventional phone numbers into one Google Voice number, it still required users to have a separate land line or cellular telephone to make or receive calls. It appears that this is about to change. Google recently announced that it had purchased a company called Gizmo5 for $30 million. Gizmo5 offers the missing piece to the VoIP? puzzle for Google by providing an actual phone number and software to make and receive calls. Many people speculate that Google will integrate the Gizmo5 features into Google Voice, creating a no-cost centralized telephone system that simultaneously threatens pay services like Skype and cellular telephone services like Verizon and AT&T.

Currently Google claims to have more than 1.4 million users of Google Voice, of which about 570,000 are active users.

"A Higher Sense of Privacy" -- User Reactions to Google Voice

I was curious to see what the buzz on the internet was about privacy issues raised by Google Voice, so I did a search for "google voice privacy." One article discussed some of the advantages and disadvantages of Google Voice, noting that the possibility of advertisements was a disadvantage, although Google hadn't yet included any ads on the Google Voice site (as it has for Gmail). Then came a reader comment that really scared me:

I'm worried by this statement because I think this user almost completely correct. Most users probably don't want to see advertisements in Google Voice that appear to be targeted to the content of their phone calls or voice messages. And I think most users believe that phone calls should be entitled to greater privacy protection than other forms of communication. The problem is that Google already knows how to play this game. It knows that we do want to feel like someone is standing over our shoulder. It knows that if we pick up the phone and hear nothing but measured breathing on the other end of the line, we're going to hang up pretty quickly. Google's response, then, will be to encourage us to believe that is offering a service that is both free and private.

A careful reading of Google's privacy policy reveals what are likely the real dangers. I call this policy attractively deceptive, because once we look beyond the first line reminding us that Google believes that privacy is important, and the statement of compliance with the U.S. Department of Commerce's Safe Harbor Program (that sounds safe), we see some startling possibilities.

Let's first look at how Google handles "personal information," which Google defines as information that "personally identifies you." The Policy plainly allows Google to "process [personal information] on behalf of and according to the instructions of a third party." I see at least two problems here. First of all, even though Google says that it won't directly "share" personal information with third parties without consent, Google still has a whole lot of personal information that it can use for its own purposes. Second, it seems that third parties (advertisers, banks, potential employers?) could learn quite a lot about you just by "processing" your personal information.

Google Voice has its own privacy policy and even more clever deception. For instance, if you delete something from your Google voice account, the deletion will take immediate effect in your account view.

Unfortunately, the information is not deleted from Google's offline backup systems. In other words, it is there forever, permanently, and you've given Google permission to keep it. In effect, the only thing Google does when you delete the information is to keep you from being able to access it anymore. The danger, of course, is that most users will simply forget that Google still has it, once it is removed from their view. This shows again why Google Voice is uniquely dangerous. People will use it without even knowing how much information they are really sharing with Google. And even if they realize that they've shared something they wish they hadn't, there isn't any way to get it back.

I think it is safe to assume that Google intends to make money from its users conversations (the $30 million Google just spent in the Gizmo5 acquisition combined with the vast number of companies with whom Google has had to work to make Google Voice a reality is strong evidence that Google's cost of providing the service is significant, even if it pays next to nothing for the bandwidth). If Google continues its current practice of not showing advertisements on the site, I think users need to think seriously about how their information is actually being used. There is no question that Google is making money off of its users, so it is a foolish (but I'm afraid all too common) mistake to believe that just because we can't tell exactly how our privacy is being violated and our autonomy being curtailed, those things aren't indeed happening on a massive scale.