Trust and Google’s Privacy Policy

Google, some have argued, knows more about you than your wife or husband. And now all the things they know about you from various locations (what maps you’ve used, what documents you’ve shared, what your certainly-not-private email contains, what porn you’ve surfed, for what you’ve searched) are conveniently gathered in one location, and all integrated into Google’s Digital You. Any time you are logged into or using any Google service, Google is watching you.

This is a lot to ask, in terms of the trust they want me to give them. I’m going to apply a very much simplified version of an ISECOM trust analysis to this situation, and try to arrive at some sort of trust decision.

The ten trust properties prescribed by ISECOM:

  • Size. How many people am I trusting with my Google Digital Doppelganger? The number is huge. Huge. Primarily people who want to sell me something. But not ordinary people, not yet, though that prospect makes me leery. All this makes risk large, and trust small. Minus one.
  • Symmetry. Is the trust two-way? If it’s not, then there is room for abuse. So is Google going to allow me to see personal information about the corporation? No. Is Google even going to allow me to see “what they’ve got on me”? No. Minus one.
  • Transparency. How open is Google in general? Not. Will they openly share their data about me, which is essentially MY stuff, like my car is my stuff? No. Minus one.
  • Control. Who, exactly, controls the data? Google. Can I get data about me erased or corrected? Essentially, no. So who is in (total) control? Google. Minus one.
  • Consistency. Does Google have a consistent record of protecting data privacy? Well, getting hacked by the Chinese so they could root out dissidents wasn’t exactly a stellar example. And Google has indeed bowed to the governments both here and overseas and surrendered data. So the answer is no, and the point is minus one.
  • Integrity. Is Google today what Google once was? Not so much. Is that cause for alarm? Good question. More accurately, does Google provide timely notice of changes, like their notice of this change of policy? Actually, they are relatively good at this. Plus one.
  • Offsets. Is Google going to pay when my data is compromised? Are they offering me any financial guarantees? Because they’re certainly bringing me risk. Minus one.
  • Value of Reward. Does Google offer me something valuable? Absolutely they do, in many areas. Plus one.
  • Components. What are the things that gather, store and update information about me? How many of them are there? Because the more, the riskier. Minus one.
  • Porosity. How far is my Digital Doppelganger, within Google, separated from the external Internet? Possibly, it’s well isolated. But how well is my Digital Doppelganger separated from paying clients of Google (not of mine)? It’s not: it is precisely to them it is available. Minus one.

Ultimately I arrive at a minus six, a low enough level that my willingness to trust Google is quite small. I’ll be reluctant to log into my cursory Google+ account again, and certainly I won’t do Gmail. I don’t mind using Google Maps, since I do so very rarely. But I darn sure won’t use Google Docs, nor would I suggest that a client do so. That is, however, their trust decision.

As for me, now it’s time to take a look at Facebook. And LinkedIn. And so forth. Because my Digital Doppelganger belongs to me, the same way my car belongs to me. Don’t ask to borrow it, then wreck it, please.