Sillycon Valley Biz

Privacy & Sillycon Valley Biz 14 Jul 2005 07:31 am

In an interesting survey of Google’s difficulty balancing privacy and search ubiquity, CNet reporter Elinor Mills has done an excellent job in chronicling the tensions. I commend the article to your reading.

I do have one criticism, however: she didn’t mention Google’s lack of a Privacy Officer as an issue contributing to Google’s litany of privacy miscues. Frequent readers of this blog know that it’s one of my pet issues, and a critical component of why I believe Google still doesn’t “get it,” and why they will continue to have trouble.

I sent Elinor some feedback, which you can read below. Perhaps the next time Google stumbles on privacy — just a matter of when, not if — people will begin to focus on the underlying reasons for why Google stays on the cutting edge of privacy scandal.

Here’s the feedback I sent:

Subject: FEEDBACK: Google balances privacy, reach

I enjoyed your piece today about the mounting privacy concerns at Google. It’s something I’ve been concerned about for quite a while, and have written about extensively in my blog,

My only criticism of your piece was that I didn’t see you mention their lack of dedicated privacy personnel, such as a Privacy Officer. Most major companies have such a position, but Google doesn’t. They considered hiring a Privacy Officer back in 2001, but concluded that they didn’t need one — they thought the “do no evil” ethos would insulate them from privacy issues. As a result they have no one looking at privacy as a strategic issue, and the consequences show every time they’re surprised by user concerns over some new practice.

As the world’s first corporate Chief Privacy Officer, and one who has helped many of the nation’s major corporations hire and train their privacy personnel, I’m still appalled by Google’s myopia on this score. Contrary to the headline of your piece (which I know you probably didn’t write), privacy and reach shouldn’t need to be balanced if both are guiding principles and working objectives. It’s only a zero-sum game if you’re not applying creativity to the search for solutions. Unfortunately, when there’s no CPO, nobody is being assigned the task of finding those solutions every single day.

You might find a couple of my recent blog entries interesting if you care to explore these issues further:

Google’s CEO: ‘We Still Don’t Get It’
(In which I discuss the difference between “do no evil” and Doing Good.)

Google Launches New Privacy Controversy
(In which I analyze gaping holes in Google’s Privacy Policy.)

Privacy Wanes when Bloggers are Muzzled
(In which I analyze Google’s blogging policy.)

Best regards,

Update: 7/15 I stand corrected, thanks to these lovely new shoes Elinor Mills sent me… Seriously though, Elinor pointed out that I missed a couple of sentences where she discusses the privacy officer issue, and even asked Google about it. So bravo for raising the question!

Elinor quoted Google’s rep, saying that the company has several attorneys on staff who deal with privacy issues among other issues. For this reason I do still stand by my criticism of Google.

These problems are precisely why most companies have separated out the privacy issues into a separate position, the Privacy Officer, and sometimes into a separate department. When I created the world’s first corporate Chief Privacy Officer position, we specifically separated the duties from those of the in-house legal team, so that the position could be truly focused on privacy matters.

In-house counsel is a very important part of the equation, but counsel is searching for the minimum necessary for legal compliance, and as a result isn’t always looking for other red flags, such as those that will create PR issues. A specialized Privacy Officer often has the kind of hybrid skill set — including marketing, technology, public relations, and public policy — that prepares them for tackling issues that are more complex than mere regulatory compliance. There’s lots of stuff that a company can do that’s legal, but still dumb. Speaking as a lawyer, I know first-hand that most good lawyers can help you avoid legal problems, but fewer lawyers can help you avoid looking bad while you do it.

Malware & Sillycon Valley Biz 11 Jul 2005 06:43 am

A fascinating new survey conducted by the fine folks at the Pew Internet and American Life Project, and released late last week, found that 91 percent of Internet users have changed their online habits to avoid spyware.

This is quite a triumph for malware makers… You can’t get 91 percent of average people to come in out of the rain, so pissing off 91 percent of the public so much that they seek to avoid you is a real accomplishment!

There were a lot of other noteworthy findings. For example, 81 percent of users avoid opening e-mail attachments without knowing for sure that they are safe; 48 percent stopped visiting Web sites they considered to be potential sources of spyware; 25 percent don’t use music-swapping networks anymore; and 18 percent have switched Internet browsers.

The Pew report also showed that about 68% of users (approximately 93 million) have had computer trouble in the past year consistent with problems caused by spyware and viruses, although 60% of those who had problems were not sure where the problem originated. Some 25% of Internet users have seen new programs on their computers that they did not install or new icons on their desktop that seemed to come out of nowhere. One in five Internet users (18%) reported that their homepage had been inexplicably changed.

While covering the Pew survey, the St. Petersburg Times interviewed Claria’s Chief Privacy Officer Reed Freeman, asking him about the all-too-frequently obscure privacy disclosures that are the stock-in-trade of malware companies. To his great credit, my old friend Reed recognized that it’s up to the malware companies to be more transparent in their practices:

“Consumers shouldn’t have to go hunt for disclosure of that nature,” said Reed Freeman, chief privacy officer of Claria. “Adware companies that are interested in broad consumer acceptance ought to be putting their disclosures in the download process as they are getting the product so they can make an informed decision about what they’re getting.”

I couldn’t help but chuckle at this quote, given that the subject of Claria’s crappy disclosures was a substantial bone of contention during my deposition in the dozen consolidated lawsuits against Claria. I’m so gratified to see that they’ve taken my criticisms to heart! :-D

Malware & Sillycon Valley Biz 07 Jul 2005 12:37 pm

Anyone who owns cats knows the joy of waking up in the morning, stumbling towards the kitchen, and stepping barefooted in a cold, squishy pile of cat barf. As I read one of this morning’s news items in Good Morning Silicon Valley, I shuddered in exactly the same way that I do when feeling half-digested kibble ooze between my toes.

The GMSV posting in question discussed the fact that, on the heels of rumors that Microsoft is interested in buying malware company Claria, this week’s update of Microsoft’s anti-spyware utility downgrades the risk posed by Claria’s malware.

According to a posting by Eric Howes on Broadband Reports:

Several sources have now confirmed that Microsoft downgraded its detections of Claria’s adware products in the latest update (#5731) to Microsoft AntiSpyware released today. Where Microsoft AntiSpyware used to detect Claria’s products and present users with a “Recommended Action” of “Quarantine,” following today’s update Microsoft AntiSpyware now presents users with a “Recommended Action” of “Ignore” (see attached screenshot). Users can still change the action to “Quarantine” or “Remove.”

(Screenshot credit: Eric Howes @ Spywarewarrior)

This isn’t the first time an anti-spyware utility has downgraded the threat posed by Claria’s crap. But are the downgrades a sign that Claria is improving its practices? Hardly.

As I’ve noted before, Claria has managed to bully, threaten, or cajole several anti-virus and anti-spyware companies into changing their default settings for dealing with a Claria-ware infestation.

My recommendation? Do as GMSV’s headline suggests: “Antispyware untrustworthy? Recommended Action: Ignore.” Always read your anti-spyware reports carefully and override any soft-pedaling it offers for known threats.

Malware & Sillycon Valley Biz 30 Jun 2005 12:41 pm

According to CNet’s Stefanie Olsen, Microsoft is reportedly in discussions to buy Claria, the notorious firm responsible for many of the unwanted pop-up ads and malware infections that are battled by consumers the world over.

According to, this move “underscores just how eager Microsoft is to catch up with Google, the search and advertising giant.” Eager?!?! How about desperate? Picking up Claria for its advertising network is like buying a nuclear test site because the lack of anything standing affords a great view of the mountains. Just ignore the 3-headed rabbits populating the poisoned ground and you’ll be fine.

There are plenty of other ad networks out there, most of which got to be successful without engaging in deceptive, unfair, and tortious activities.

Claria is a long-standing pariah among consumers, and its advertising reach is directly tied to its years of distributing malware and encouraging abusers to take advantage of security holes in Microsoft’s operating system to install the software surreptitiously and without permission. Claria claims to be migrating its business model to one focused on more legitimate forms of business. But like the Gotti family and their garbage hauling business, it’s going to take them some time to stop living off their “other” gigs.

To get an idea about how brazen Claria is these days, you really need to check in with Ben Edelman, who is doing yeoman’s work tracking the malware industry. His analysis of gives you an excellent example of how Claria takes advantage of inexperienced users to get their malware installed on the computers of unwitting consumers.

Dan Gillmor has also done an excellent job of encapsulating the Valley’s thoughts on Claria in his posting this morning. As he notes, neither company would be enhanced by a union. Although, as I will explain, I think it may actually be a better match than you might think.

When I served as an expert witness for a group of a dozen companies suing Claria, I learned a lot about their business practices. Unfortunately, I can’t really talk about any of the juicy details that I learned. Suffice to say, there was ample evidence in the record to make it worth Claria’s while to settle those suits — which they did last year.

Over the last several years, I’ve also had the opportunity to work fairly closely with executives at Microsoft on a number of issues related to privacy, security, and spam. While I have known a few really wonderful people who have passed through the doors at Microsoft, I’ve also found that in far too many instances, seeing a lengthy stint at Microsoft on someone’s bio is an all-too-reliable warning sign of someone you shouldn’t turn your back on.

Too many of my experiences with those who have risen to executive positions at the Redmond giant, and those alumni who have since moved on to build their own ventures, have been marked by bald-faced dishonesty and an utter vacuum when it comes to issues of ethics and honor. And the infection doesn’t stop there. I’ve learned that when Microsoft inserts its tentacles into various “independent” organizations, it has had remarkable success in driving out anyone with principles and stacking the organization with bought-and-paid-for apologists.

Yes, yes, I freely admit that I’ve got a chip on my shoulder when it comes to the ways in which I’ve been screwed by Microsoft over the years. But I’ve also learned that there are two kinds of people in this community: those who have been screwed by Microsoft, and those who keep begging for it as long as the money keeps flowing.

The irony is that, putting together what I know about Claria with what I came away with from my experiences with Microsoft, I think Claria would be an excellent fit for the Redmond culture.

Privacy & Sillycon Valley Biz 17 Jun 2005 07:10 pm

According to a report by CNet, a contract between Google and the University of Michigan to make millions of books searchable online contains no provisions for protecting the privacy of people who use the service.

As I have previously noted, Google’s privacy policy is rather confusing on the issue of what data the company stores about your searches and how it may cross-link that with any personal information it might have about you. Indeed, a recent interview with Google’s VP of Engineering suggested he was more focused on whether law enforcement had adequate access to your private information.

Google’s blind spot on privacy issues is pretty well-known. But one expert was disappointed that U. of Mich. missed the boat too.

“I would have hoped that the University of Michigan would be sensitive to the fact that Google tracks everything that everyone searches,” said Daniel Brandt, founder of the Web site, which is highly critical of the search company’s policies.

I’ve said it before and I’ll say it again, Google will continue to step on its … um, … its message, yeah that’s it … the company will continue to step on its message of being a cool and customer-centric company until the day it finally gets somebody onboard to man the privacy watchtower.

Sillycon Valley Biz 09 Jun 2005 09:49 am

Red Herring magazine reports that PortAuthority (formerly Vidius) has raised another $13.4 million. Competitor Vontu has landed another $10 million. And PC Guardian, a crypto firm, closed a round for $6 million. Not too shabby! The message is pretty clear: there’s an increasing market for privacy and security technologies, and there’s plenty of room out there for real innovation. And where innovation goes, VCs throw money. :-)

Sillycon Valley Biz 01 Jun 2005 05:25 pm

My partner, Justin, learned today that his employer, Yahoo!, had issued blogging guidelines. So he blogged about it! Then, in his “Drunk with Freedom” posting, he proceeded to blog about all sorts of other dirty little secrets at the Big Y… like the gawd-awful purple potatoes that Yahoo! serves in their cafeteria.

Anyway, for those who are interested in reading the guidelines, which were written with the assistance of some of Yahoo!’s most prolific bloggers, I think they’re a model for any company who actually trusts that its employees are rational, mature, and reasonable people.

Unlike, say, Google… whose policy seems to be: “Don’t get caught or we’ll show you the door.”

To see why Yahoo! should rightly be proud of its bloggers, after you read Justin’s, you should check out Russ Beattie’s comments on the new blogging policy, which he helped to write. And while you’re there, bookmark both of their blogs because they’re both great reads!

Privacy & Sillycon Valley Biz 19 May 2005 03:30 pm

Google’s CEO Eric Schmidt defended the company’s privacy screw-ups at a Gartner Symposium on Wednesday. Reported by CNet, Schmidt responded to a question about Google’s privacy sensitivity, or lack thereof. According to Schmidt, they are guided by the company’s founding motto, “Don’t be evil.”

In response to a question about how Google treats consumer privacy, he tried to illustrate how the company’s don’t-be-evil philosophy trumps technology by recounting a meeting he attended with company co-founders Larry Page and Sergey Brin. In it, a business executive suggested a particular change at Google.

“One of the engineers says, ‘That’s evil.’ It was like setting off a bomb in the middle of the table,” Schmidt said. The concern was taken seriously: “You can pull the ripcord and stop the production line.”

He added that after a long debate, the engineer’s assessment prevailed over the business executive’s idea. “They concluded it was (evil), and this poor person was thrown out the room.”

Unfortunately, Schmidt’s story is indicative of a culture that doesn’t understand the dynamics of privacy problems. When some random engineer in a meeting decides that something poses a privacy problem, and raises the issue, it’s a happy event. But in my lengthy experience, it’s also a rare event.

It’s not the job of that engineer to raise obstacles to other people’s ideas. Indeed, the smart engineer will learn that after shooting down some big-wig’s idea, he’s a lot less likely to get invited to as many meetings. “Oh, no! That wouldn’t happen at a cool and funky place like Google,” I can hear someone say. Yeah, right.

As I’ve pointed out on numerous occasions, many of Google’s privacy blow-ups aren’t nearly as dire as some might make them out to be. But the sheer frequency of these privacy missteps has contributed to an image of a company that, at best, has a tin-ear when it comes to privacy matters, and at worst, is actually evil.

Touting a corporate motto of “Don’t be evil,” is cute. But “Don’t be evil,” is significantly different from, “Be good.” Google-up a definition of “amoral” and you’ll see what I mean.

“Don’t be evil,” is a passive statement. In a company guided by such a passive directive, it’s a tacit admission that, from time to time, the company is going to do something evil without realizing it. Sure the company can go back and fix stuff, and Google has shown its willingness to be reactive when their latest creation turns into Frankenstein’s monster. But by then the damage is done: trust is further frayed.

When it comes to privacy matters, reactive is bad. Being passive is a prescription for disaster. Privacy protection requires being proactive. In a business where it’s this easy to stumble into trouble, shouldn’t somebody have the job of watching out for the pitfalls in the first place, instead of mobilizing afterwards to dig yourself out of the hole?

To the best of my knowledge, Google still doesn’t have a Privacy Officer, or anyone else similarly situated whose job it is to be the curmudgeon, to look at everything askance, to not merely wait for somebody to discover a problem but to go looking for trouble and blow the time-out whistle.

Yes, it’s nice to think that everybody in an organization is going to be constantly vigilant, and will uncover the privacy risks associated with anything the company does. But with a new privacy-related problem arising on an almost weekly basis, clearly the “neighborhood watch” approach isn’t working. It’s time for Google to hire themselves a dedicated privacy cop.

Malware & Privacy & Sillycon Valley Biz 25 Apr 2005 10:15 pm

Leading adware manufacturer Claria (formerly known as Gator) announced today that computer security software maker McAfee has rescinded its January 2005 declaration that Claria’s GAIN adware/spyware was a “malicious threat.”

In yet another triumph of semantics over substance, McAfee appears to have succumbed to Claria’s Jedi Mind Trick, wherein company representatives get their targets to repeat the language of Claria’s privacy policies, hoping they fail to notice the surreptitious installation of software under people’s noses.

The reason why McAfee listed Claria’s GAIN software as malicious is no mystery: almost no one ever asks to have Claria’s software installed on their computer, yet it somehow finds its way on there, without the user’s explicit knowledge or consent, generating unwanted pop-up ads, hogging memory, and generally making the day-to-day lives of its hapless victims more miserable.

Claria insists that the installation of its software is clearly disclosed, and that people are always fully aware when, and why, the software is being installed. Claria’s representatives and PR flacks will dutifully point to page four, sub-section 27(a), of the End User License Agreement — those long screens of gobbledygook that nobody reads when they install software — in which the presence and functions of the GAIN software are generally disclosed.

Never mind, of course, the extensive evidence that thousands (maybe even millions) of consumers haven’t asked for Claria’s software to be installed on their computers. Never mind the evidence of malicious “drive-by” downloading by Claria’s paid “affiliates.” And never mind the fact that, for many hapless users, Claria’s software remains difficult to detect, identify, and remove.

So why did McAfee change its position? It could be that Claria threatened another lawsuit, such as the one it launched to censor PC Pitstop’s criticisms. Indeed, litigation is not new for Claria.

Some readers may be familiar with my work as an expert witness against Claria in a collection of nearly a dozen lawsuits that were consolidated into one massive multidistrict case. Claria managed to buy its way out of most of those suits, leaving unresolved the fundamental issues raised in the cases. Unfortunately, much of my work in that case is still covered by a court-imposed protective order, so I can’t write about all the juicy details I learned during that case. Suffice to say, I was not surprised that Claria went to great lengths to make those suits go away quietly.

But Claria has taken a recent turn away from litigation that suggests a new-found preference for pumping sweetness and light, instead of the usual brimstone and bullshit. Beginning with the hiring of my old acquaintance Reed Freeman as Chief Privacy Officer in April of 2004, Claria has continued to wage a masterful campaign to rehabilitate its reputation.

That reputation, which had been qualitatively equivalent to the foul-smelling muck in which its former swamp-dwelling namesake preferred to remain submerged, could only have improved. Thus, through the deft usage of political connections, and the liberal use of cold, hard cash, Claria is on its way to being even more highly regarded than MCI (nee Worldcom), Altria (nee Philip Morris), and even Mary Mallon (you’re on your own for that one… ;-) ).

As a measure of success, Reed Freeman was recently appointed to the U.S. Department of Homeland Security’s privacy advisory board. Claria also continues to get mileage out of its recent appointment of a self-styled “dream team” of “privacy, security, public policy and consumer protection law experts” to assist its PR white-washing efforts.

Claria’s not the only company buying a squeegee to scrape the crap off its reputation. Others in the same line of business — namely, the business of causing ads to pop-up on people’s computers whether they’re wanted or not — have followed similar courses and are successfully insinuating themselves into the corporate and public policy mainstream. Just recently, spyware maker 180 Solutions joined as Silver Sponsor of the International Association of Privacy Professionals.

Claria has earned a well-deserved negative perception in the minds of those consumers whose Internet experience has been made more problematic by Claria’s troublesome software. But through obfuscation and glad-handing, they will slowly continue to recast the company’s image. And now McAfee’s software will help, through the cunning usage of namby-pamby language that will make it more difficult for McAfee users to understand the problems that Claria’s pop-up ad software can pose.

But all the PR whitewashing cannot change the underlying facts: Claria’s software remains a scourge for too many unsuspecting users. As I continue to say: there are two kinds of people — those who hate adware and spyware, and those who will. It’s only a matter of time.

Privacy & Sillycon Valley Biz 21 Apr 2005 06:10 pm

An AP article on today’s heralds what will probably be Google’s next new privacy controversy: My Search History.

Yes, friends! Just when you thought you’d cleared your browser cache and disabled your browser’s history, Google helpfully offers up something for your wife’s divorce attorney to subpoena!

According to Forrester analyst (and apparent “Holy Grail of Search” enthusiast) Charlene Li, analysts are just the sort of people who might find it useful. The underlying idea is that by tracking what you’ve searched for previously, Google can tailor the results based on previous searches.

But then, of course, if you forget to log out, the results of your next search for “boring+work+research+topic” may be flavored with “Anna+Kournikova+upskirt”, “Jessica+Alba+accidental+breast+exposure”, and “painful+itching+rash+testicles”. Yes, the service apparently lets you go back and delete any queries that you might not have wanted tracked. But it’s always the trails of data that you forget about that are the ones that come back to bite you.

In the end, though, Google’s offering is neither unique nor ground-breaking. Many other services have provided this kind of customized searching for a while. And as even Charlene Li points out, not that many “average users” will use the service.

Maybe I’m one of the “privacy fearing loonies” noted by a commenter on John Battelle’s blog entry about My Search History — although it’s the lack of privacy I really fear. But my greater concern comes from implications of the not-terribly-clueful quotes from Google’s VP of Engineering, Alan Eustace:

With “My Search,” however, information stored internally with Google is no different than the search data gathered through its search engine, Eustace said. “This product itself does not have a significant impact on the information that is available to legitimate law enforcement agencies doing their job.”

These comments are the sort that make PR people fear putting engineering-types in front of reporters. Is he really saying that Google already captures and stores search data tied to unique users? Unfortunately, Google’s privacy policy is pretty vague on the issue. It discusses how cookies are used to understand how unspecified “people” interact with Google’s services, and elsewhere it discusses aggregated information except under those circumstances in which you’ve specifically signed up for a Google service.

Eustace may have misspoken… but really he didn’t. According to the “My Search History (Beta) – Privacy FAQ,” you may feel free to edit the logs, but Google is still keeping copies of the unedited searches. So there you have it: a comprehensive log of your searches tied to your identity, available to law enforcement bearing warrants and litigious people bearing civil subpoenas. Signing up for the service simply provides them an easier way to wrap the data into a tidy duces tecum package!

So, in other words, you are already using My Search History, and you didn’t even know it!

Once again, Google has stepped in a big pile of privacy crap without a plan.