I’ve written about this week’s two TripAdvisor stories (Conor Pope’s piece on an Irish hotel group in the Irish Times and the ASA’s ruling on TripAdvisor’s marketing claims) over on the blog of the Centre for Competition Policy. I talk about the legal status of reviews posted by businesses who claim to be consumers (which I wrote about on Lex Ferenda – was it really five years ago?), and the reason why the ASA found against TripAdvisor for what was a statement on its own website.
This week’s English newspapers (including the Guardian and Independent, but there may be others) carried a number of full-page advertisements for Google, which formed part of its current ‘Good To Know’ campaign. The campaign is ‘in partnership with the Citizens Advice Bureau’.
Some parts of the campaign strike me as extremely sensible and useful information, and leave me very pleased that Google is putting its money and reputation behind them. For example, one ad (which I first saw in a Tube station) emphasised Google’s 2-step verification; another (which I saw in print, but can’t recall where) gave examples of good passwords. (You can see a collection of these ads on the Good To Know website). The most recent ads, though, raise some interesting questions around data and privacy. As readers of the growing literature on the development of Google will know (most recently Douglas Edwards’ I’m Feeling Lucky on his experiences as employee #59), it’s clear that these issues are thought about and debated a lot within Google; this however is my external take and some quite preliminary questions rather than conclusions.
One ad is about IP addresses – it doesn’t appear to be on the Google site, but I’ve scanned it (apologies for resolution) here. Explaining how a user in Brighton doesn’t need a plumber from New York when they use a search engine, the ad states that results based on where you are use your computer’s IP address. “It’s a number like 126.96.36.199 which acts a bit like the first part of a postcode to tell them the rough area your computer is in”. I think this isn’t the best definition of an IP address, particularly in the week where (in the Sabam decision regarding ISP filtering for copyright reasons) the Court of Justice of the EU found it to be common ground “that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified”. This confirms a direction in European Union practice, particularly the statements of the Article 29 Working Party (e.g. opinion 1/2008 on search engines, opinion 2/2010 on online behavioural advertising), that an IP address can be personal data, in a way, I’d suggest, that the first part of a postcode is less likely to be.
Another ad (with a quirky little graphic about extra-shot coffee, which is what I’m drinking as I type this) (scanned here) draws a link between the barista knowing your coffee order (but not your name) as you walk through the door, and how Google and other websites act:
Making a note of your preferences in case you visit them again. It’s how they are able to recommend a particular artist you might like, or if you prefer to fly from a certain airport, or if you like a specific printer ink.
(I think ‘preferences’ here is broader than a technical meaning of preferences as in settings, but am open to correction).
Again, I can see what they are getting at, but I think the anonymous coffee order may not be the best model here – as (a) there are plenty of ‘preferences’ that are more revealing (and yes, legally sensitive) than coffee choice, and (b) concerns about profiling include the cumulative impact of data collection rather than a single point – the barista doesn’t know what you prefer when you go to the clothes shop next door!
Google does some great work around data – and the Good To Know website highlights this, including work on Data Liberation, cookie deletion and more. But there’s something about the ads above that I’m not as sure about.
I mentioned this campaign to a fellow academic and s/he pointed out that the ultimate target here might not be users, but the forthcoming (and unpopular with large Internet companies) revision of the Data Protection Directive. If that’s the case, Google’s intervention isn’t unwelcome – we need to hear its voice – but it’s worth debating those points. If it’s just about consumers, I think it goes in the right direction (particularly the security stuff), but the wording could be a good bit tighter.
Finally, I think there are questions to be asked about the role of the Citizens Advice Bureau. It knows well that the interests of consumers are different to the interests of corporations – see for example its current struggle to publish the results of investigations and how libel law appears to prevent that. So should it be involved with (a) a particular company and (b) a particular view of the law of privacy? Indeed, the UK government proposes (consultation paper here) to take a whole range of consumer information and advocacy functions away from public bodies and transfer them to the (private, charitable and generally wonderful) CAB. Should it therefore be more careful about taking ‘sides’, appearing to endorse the views of Google and in having the ads presented as authoritative and neutral?