Tuesday, November 17, 2009

Revised Google Book Search Court Settlement Fails to Address Core Privacy Concerns

I'm guessing everyone is aware of one of Google's latest ventures that, as one might have guessed, poses a threat to privacy rights: A dramatic expansion of its Google Book Search service. I've written about this in the past here, particularly the court battle that has been underway over the service pitting the Electronic Frontier Foundation, the ACLU, and the Samuelson Clinic (from the Berkeley Center for Law & Technology) against the technological Juggernaut, and privacy allergic Google.

As I have noted in the past, the good news is that millions of books will be available for browsing and reading online. The befuddling question remains however as to why Google continues to refuse to bring privacy protections into the 21st Century along with its innovative products. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins."

Thus, without strong privacy protections, as the ACLU has outlined so well, all of our browsing and reading history could be collected, analyzed, and turned over to the government or third parties without our knowledge or consent.

But before I go deeper into the privacy implications of the service and ways to address them, let's discuss the revised court settlement regarding Google Book Search that was just released this past Friday (hint: its done little to assuage concerns of privacy advocates).

The University of California, Berkeley's, Pamela Samuelson, a law professor and director of the Berkeley Center for Law & Technology, noted:

I also raise questions about user privacy. There are dozens of provisions in the settlement agreement that call for monitoring of what users do with books and essentially no privacy protections built into the settlement agreement. While I think that there were some substantial changes that were made to it, it more had to do with getting foreign rights holders out of the settlement and trying to respond at least in part to issues that the Department of Justice raised. So I think there are dozens and dozens of issues that were raised by objectors to the settlement agreement that are, in fact, not addressed in this revision.

Here's more on the ruling from Wendy Davis of mediapost:

Civil liberties organizations have pointed out that the agreement leaves Google in a position to amass at least as much in-depth information about users' reading habits as libraries. For that reason, groups like the Electronic Frontier Foundation have said the settlement should have terms obligating Google to protect users' privacy -- such as provisions requiring the deletion of loggin information. Instead, the amended pact merely says that Google won't share private information with the registry without "valid legal process."

This promise doesn't go nearly far enough to solve the privacy problems posed by a digital book registry. First, requiring "valid legal process" doesn't set the bar all that high considering that any judge can rubber-stamp a subpoena requiring Google to disclose information about readers. Sure, Google can challenge subpoenas in court, but nothing in this agreement appears to require the company to do so.


The reality is, as long as Google plans to collect and retain information tying users -- or even IP addresses -- to reading material, users' privacy is vulnerable...If Google doesn't want that to happen, the company should agree to some new limits on its ability to collect and retain data about the books that people read online.

Click here to read more.

I don't think its too much to ask, as the ACLU has advocated, that Google promise it will protect reader records by responding only to properly-issued warrants from law enforcement and court orders from third parties. It also must promise that it will tell readers if anyone demands access to information about them, before that information is disclosed if possible.

If none of this takes place, and no additional protections are afforded users, EFF and the ACLU warn that Google Books could "become a one-stop shop for government surveillance into the reading habits of millions of Americans."

As I wrote a month back, we're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act. The concerns of privacy advocates are not hypothetical - nor should they be discarded as paranoia.

Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans? For these reasons and more, it is essential that Google Book Search incorporate strong privacy protections.

The ACLU lays out how users privacy should and could be better protected:

Limited Tracking: Just as readers can anonymously browse books in a library or bookstore, they should be able to anonymously browse, search, and preview books using Google Book Search. Google must allow users to browse, search, and preview books without being forced to register or provide any personal information. Google must not keep logging information for any of its Google Book Search services longer than 30 days. In addition, Google must not link any information about a reader's use of Google Book Search with any information about that reader's use of other Google services without specific, informed consent.

User Control: Readers should have complete control of their purchases and purchasing data. Readers must be able to review and delete their records and have extensive permissions controls for their "bookshelves" or any other reading displays. Readers also must be able to “give” books to anyone, including to themselves, without tracking. Google also must not reveal any information about Google Book Search use to credit card processors or any other third parties.

User Transparency: Readers should know what information is being collected and maintained about them and when and why reader information has been disclosed. Google must develop a robust privacy policy and publish annually the number and type of demands for reader information that are received. Google needs to know that readers will not pay with digital books with their privacy. The time is now to make sure that Google doesn't close the book on reader privacy.

You can join the ACLU and EFF's effort here.

No comments: