Re: Google announces privacy changes, no opt out for users

[Tim Doty <tdoty () MST EDU>]

On Tue, 2012-01-31 at 09:11 -0600, Jesse Thompson wrote:
> Right.  Google is being intentionally vague.
>
> I'm not a lawyer, but my interpretation is that the new privacy policy 
> effectively allows Google to bypass the protections offered in the EDU 
> privacy policy for the core apps.  The only way around it is to disable 
> all of the non-core apps.  Again, I'm no lawyer.

so... today I got an email from google because we use Postini that looks
very like the one from google if you have gmail. It refers to the same
privacy policy, the one that says "we can do whatever we want with your
data". I'm no lawyer, but I'm concerned that this means they are in fact
considering *all* users, EDU or not, as being subjects of spying.

>  From http://www.google.com/policies/privacy/preview/
>
> "We may combine personal information from one service with information, 
> including personal information, from other Google services"

Take this in the light of google having access to all your email because
the institution uses Postini. I'm not liking where this is going.

> I understand this to mean that all apps are now able to interchange 
> personal data, which means that the new consumer apps privacy policy 
> would effectively minimize or eliminate (in some cases) the protections 
> within our core apps privacy policy.

I think it is worth double checking that you still have a core apps
privacy policy, or that it won't change come March 1st. Yes, they state
it doesn't include services that have a separate privacy policy, but the
whole point is that they are combining them and they *were* separate but
are now not only unified in terms, but permit sharing of information
between them. (That last distinction is one of my personal gripes with
how google is doing this. They are pretending that unifying to a single
privacy policy requires allowing them to share your PII between all of
them.)

> From http://www.google.com/policies/privacy/preview/

> Our Privacy Policy applies to all of the services offered by Google
> Inc. and its affiliates, including services offered on other sites
> (such as our advertising services), but excludes services that have
> separate privacy policies that do not incorporate this Privacy Policy.

The last phrase '...that do not incorporate this Privacy Policy'
indicates to me specific assurance is needed that your existing one
won't simply be merged in with this PII-should-be-free model.

Also from http://www.google.com/policies/privacy/preview/

> For external processing
>
> We provide personal information to our affiliates or other trusted
> businesses or persons to process it for us, based on our instructions
> and in compliance with our Privacy Policy and any other appropriate
> confidentiality and security measures.

So they are saying they will provide PII to other businesses or persons
for them to process it on Google's behalf. Of course, Google is looking
out for you and those folks will have to protect your PII just as well
as Google did -- by only providing it in exchange for a service,
apparently.

I am no lawyer, but that looks pretty meaningless to me. I mean, they
promise not to just publish it on the web or put it up on an anonymous
FTP server -- after all they expect to receive some benefit for sharing
it.

You might also be interested how Google defines "sensitive personal
information" which is the term they use rather than PII.

From
http://www.google.com/policies/privacy/preview/faq/#toc-terms-sensitive-info

> This is a particular category of personal information relating to
> confidential medical facts, racial or ethnic origins, political or
> religious beliefs or sexuality.

So medical facts, race/ethnicity, political/religious beliefs or
sexuality. But not, for example, financial/economic information. Or
personally identifying information.

Would searching for debt relief not be considered something they need to
protect? Not even necessary to invoke the 'business relationship' clause
for selling the geographic location and name of individuals performing
such searches?

Maybe I should take off my tin foil hat and quit hiding from the Sun,
but this new 'privacy' policy concerns me.

Tim Doty

> Jesse
>
> On 1/27/12 11:56 AM, Mike Porter wrote:
> > On Fri, 27 Jan 2012, H Morrow Long wrote:
> >
> > Without knowing what our contract states, and what portions of the
> > contracts refer to URLs whose contents may or may not have changed,
> > the below statement sort of means nothing. Well, it means Google is
> > not violating a legal contract, but the terms in that contract were
> > hardly static, if I recall correctly. Am I wrong for most of us?
> >
> > Mike
> >
> > Mike Porter
> > Systems Programmer V
> > IT/NSS
> > University of Delaware
> >
> > > Google's new privacy change will apparently not affect Education,
> > > Government nor Enterprise business customers (at least not right away
> > > anyway).
> > > As long as we have current contracts.
> > >
> > > [
> > > http://www.computerworld.com/s/article/9223753/Google_says_privacy_change_won_t_affect_government_users?source=CTWNLE_nlt_security_2012-01-27&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F84+%28Computerworld+Privacy+News%29
> > > ]
> > >
> > > Google says privacy change won't affect government users
> > >
> > > Company downplays privacy, security concerns from former federal IT
> > > official
> > >
> > > By Jaikumar Vijayan
> > > January 26, 2012 05:02 PM ET
> > > 1 Comment
> > >
> > > Computerworld - Google today dismissed concerns by a former senior
> > > federal IT official that the company's controversial new privacy
> > > policy would create problems for customers of Google Apps for
> > > Government (GAFG).
> > >
> > > In a statement, Google said the new policy will not change existing
> > > contracts that define how it handles and stores data belonging to
> > > government users of its cloud services. "Enterprise customers using
> > > Google Apps for Government, Business or Education have individual
> > > contracts that define how we handle and store their data," Amit Singh,
> > > vice president of Google Enterprise said in a statement.
> > >
> > > "As always, Google will maintain our enterprise customers' data in
> > > compliance with the confidentiality and security obligations provided
> > > to their domain," he said.
> > >
> > > According to Singh, Googles contractual agreements have always
> > > superseded its privacy policy for enterprise customers.
> > >
> > >
> > > On Jan 26, 2012, at 1:11 PM, H Morrow Long wrote:
> > >
> > > > I think we need to hear from Google.
> > > >
> > > > Part of the rationale for the current change is that Google wants to
> > > > reduce the # of different privacy policies they have (for different
> > > > products).
> > > >
> > > > Morrow
> > > >
> > > >
> > > > On Jan 26, 2012, at 12:56 PM, Jesse Thompson wrote:
> > > >
> > > > > I don't see any indication that the changes to the generic policy
> > > > > are trumped by the edu-apps policy. But, I'm no lawyer.
> > > > >
> > > > > http://www.google.com/apps/intl/en/edu/privacy.html
> > > > >
> > > > > Jesse
> > > > >
> > > > > On 1/26/12 11:08 AM, Joel Rosenblatt wrote:
> > > > > > I asked the question also and was told (not by google) that this only
> > > > > > applies to their consumer apps, not core Google Apps for Edu
> > > > > >
> > > > > > Have you contacted google to confirm this?
> > > > > >
> > > > > > Joel
> > > > > >
> > > > > > --On Wednesday, January 25, 2012 12:56 PM -0500 Morrow Long
> > > > > > <morrow.long () YALE EDU> wrote:
> > > > > >
> > > > > > > Read it & trying to determine what this means for Yale.
> > > > > > >
> > > > > > > We outsource many of our studen
> > > > > > >
> > > > > > > Sent from my iPhonet email accts to Google now (though our branded
> > > > > > > gmail does not have Google targeted ads shown alongside the
> > > > > > > messages).
> > > > > > >
> > > > > > > Morrow
> > > > > > >
> > > > > > > On Jan 25, 2012, at 10:44 AM, Nicole Kegler <nk278 () georgetown edu>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Has anyone read this article about the privacy changes being
> > > > > > > > implemented by Google starting March 1? What are your thoughts?
> > > > > > > >
> > > > > > > > http://www.washingtonpost.com/business/economy/google-tracks-consumers-across-products-users-cant-opt-out/2012/01/24/gIQArgJHOQ_story.html?hpid=z3
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Nicole Kegler
> > > > > > > > Communications Manager
> > > > > > > > University Information Security Office
> > > > > > > > Georgetown University
> > > > > > > > 202-687-5784
> > > > > > > >
> > > > > > > > Protecting data is a shared responsibility!
> > > > > > > >
> > > > > > > > INSTALL antivirus and antispyware software.
> > > > > > > > USE strong passwords.
> > > > > > > > KNOW who you are dealing with online.
> > > > > > > > STORE confidential and sensitive data on encrypted devices only.
> > > > > > > > SHUT DOWN computers or disconnect from the Internet when it's not in
> > > > > > > > use.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Joel Rosenblatt, Manager Network & Computer Security
> > > > > > Columbia Information Security Office (CISO)
> > > > > > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > > > > > http://www.columbia.edu/~joel
> > > > > > Public PGP key
> > > > > > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> >
> > -
> > Mike Porter
> > PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA 2F D2 37 F3 99 ED D1 C2