A still from a video posted on Google's public policy blog advocating for stronger privacy laws for the cloud.
On Tuesday, Google’s Mountain View neighbor Mozilla drew a line in the sand for Silicon Valley, stating that CISPA “has a broad and alarming reach” and “infringes on our privacy.” But Google, unlike practically every major tech company, remains balanced on top of that line, refusing to dip a toe in either direction.
“We think this is an important issue and we’re watching the process closely but we haven’t taken a formal position on any specific legislation,” reads the standard quote that Google has fed me and other reporters for weeks.
Meanwhile, Facebook, Microsoft, IBM, Intel, Oracle, AT&T and Verizon all continue to quietly support the bill, which in its current form allows companies to hand over any private user data they’d like to government agencies like the Department of Homeland Security and the National Security Agency on matters related not just to cybersecurity threats, but also to to computer “crime,” the exploitation of minors, and even “the protection of individuals from the danger of death or serious bodily harm.” Most controversially, it’s written in a way that allows it to trump all other privacy laws.
Here’s why Google should publicly state its opposition to CISPA now, in its own self-interest, while it still has a chance of fundamentally reworking the bill before debate begins in the Senate: No company has more to lose than Google from Web users believing their secrets in the cloud are being siphoned to government agencies.
Google’s tacit agreement with users has been that we store our information in their data centers, and they keep it private and use it only for advertising purposes. Aside from its core search business and the dozens or hundreds of private desires we type into its search box daily, its projects like Chrome OS and now Google Drive illustrate that Google wants private users and even businesses to someday store everything in the cloud.
When it’s possible–or when users even believe it’s possible–for Google to hand their data willy-nilly to any federal agency that fits a vague statute of CISPA, the necessary trust of Google’s business model entirely collapses.
Law enforcement agencies already poke holes in that trust with legally enforceable requests for Google’s data in criminal investigations–sometimes with and sometimes without a warrant. But Google has done more than most tech firms to both come clean about those violations of users’ privacy and also to resist them. It publishes a bi-annual transparency report that enumerates all its government data requests, a step that Facebook, Microsoft and others have yet to match.
More directly, it’s put its significant lobbying muscle behind the Digital Due Process coalition, a group dedicated to reform of the Electronic Communication and Privacy Act, (ECPA) which currently allows some types of information stored by a third party to be hoovered up by law enforcement without a warrant.
In its own written testimony to Congress on ECPA reform in May of 2010, Google’s senior counsel on law enforcement and information security Richard Salgado wrote that strengthening and modernizing the privacy assurances in ECPA
“will benefit everyone who uses cloud services including individual users, businesses small and large, and enterprise customers — all of whom depend on having their data available everywhere, safe, secure, and at low cost. It will also make users of cloud services confident that the privacy of what they store virtually in the cloud is respected no less than the privacy of information stored at home. As confidence grows and users put more of their data on the cloud, those benefits will be felt throughout the American economy as lower costs and higher productivity.
…Advances in technology rely not just on the smart engineers who create the new services, but also on smart laws that provide the critical legal underpinning for this new world. We look forward to working with Congress to strengthen the legal protections for individuals and businesses that rely on our services.“By saying nothing on CISPA, Google is undermining exactly the confidence it implored Congress to help shore up with ECPA reform.
Here’s a video about ECPA that Google posted to its public policy blog on the same topic.
So why is Google giving CISPA, a bill that in many ways would circumvent ECPA altogether, the benefit of its silence? The company may believe that legislation like CISPA is actually necessary to prevent the constant pillaging of American intellectual property by cyberspies–a problem that affected Google very publicly in January of 2009 when it revealed that Chinese hackers had penetrated its servers. And Google has admitted to working directly with the NSA to bolster its security in the wake of that breach.
But as the White House noted when it issued a threat to veto CISPA last month, “cybersecurity and privacy are not mutually exclusive.” Google has demonstrated with its aggressive approach to security–including now paying more to hackers who find and help fix bugs in its software than any other software company–that more surveillance isn’t the only approach to securing data.
Perhaps Google already opposes CISPA, and has been working behind closed doors to tactfully reshape the flawed bill. But in that case, why not bring its opposition out into the open and score the privacy points that Mozilla already gained with anti-CISPA statement earlier this week? For Mozilla, that stance merely buttressed its already-sterling image in the eyes of privacy and civil liberties advocates. As the top-rated comment on news of Mozilla’s CISPA statement Tuesday read, “Mozilla supports privacy – in other news, water is still wet.”
But for a company that trumpets its claim to not “be evil,” but which is currently under fire for knowingly collecting data with roving Streetview cars from unwitting users’ Wifi routers, double-crossing users in its decision to assemble complete profiles of their online activities, and hiding the details of its collaboration with America’s largest intelligence organization, opposing CISPA isn’t merely a nice gesture. It’s a reputational necessity.
0 comments:
Post a Comment