Rogue Programmers

Cross-posted from PrawfsBlawg

In early 2010, Google apologized for the way Google Buzz had revealed people’s Gmail contacts to the world. Later that year, the company announced that its Street View cars had been recording the data being transmitted over WiFi networks they drove by. And just this week, the Wall Street Journal and privacy researcher Jonathan Mayer revealed that Google had been using cookies in a way that directly contradicted what it had been telling users to do if they didn’t want cookies.

Once is an accident, and twice a coincidence, but three times is a sign of a company with a compliance problem. All three of these botches went down the same way. A Google programmer implemented a feature with obvious and serious privacy implications. The programmer’s goal in each case was relatively innocuous. But in each case he or she designed the feature in a way that had the predictable effect of handing people’s private information in a way that blatantly violated the company’s purported privacy principles. Then—and this is the scary part—Google let the feature ship without noticing the privacy time bomb it contained.

When it comes to privacy, this is a company out of control. Google’s management is literally not in control of the company. Especially given its past mistakes, Google’s legal team know that privacy compliance is critically important: witness the extensive effort lavished on its new forthcoming privacy policy. And yet they have been unable, time and time again, to keep privacy blunders affecting millions of users from getting out the door.

Google was founded and is run as an engineering-driven company, which has given it amazing vitality and energy and the ability to produce world-changing products. But even as the company has become a dominant powerhouse on which hundreds of millions of people depend, it continues to insist that it can run itself as a freewheeling scrum because, er, um, Google is special, Google’s values are better than the competition’s, and Google employees are smarter than your average bear. All of these may be true, but adult companies have adult responsibilities, and one of them is to train and supervise their employees. Google is stuck in a perpetual adolescence, and it’s getting old fast.

The only other firms I can think of with this kind of sustained inability to make their internal controls stick are on Wall Street. (See, e.g.) Google has already had to pay out a $500 million fine for running advertisements for illegal pharmaceutical imports. And the company is already operating under a stringent consent decree with the FTC from the Buzz debacle. If those weren’t sufficient to convince Larry Page to put his house in order, it’s hard to know what will be. Sooner or later, the company will unleash on the Internet a piece of software written by the programmer equivalent of a Jérôme Kerviel or a Kweku Adoboli and it won’t be pretty, for the public or for Google.

Well, what do we expect from a guy who plainly declared, on record, “Privacy is dead”. That was an echo of Larry Ellison, another Silicon Valley elite who knows what you need more than you do, just like other Nanny State advocates.

And this just when laws are passed requiring private corporations to become de facto evidence fisheries for any evidence fishing expedition some G-man might want to do, accumulating oceans of personal information to hand over to governments that might want to look at somebody, and that way they get denial for Fourth-Amendment and Fifth-Amendment lawsuits.

Umm, Trutherator, you’ve got your ideological talking points mixed up. If there’s a “Nanny State” position in this debate, it’s more privacy rights against companies, not fewer. The privacy rights that might have prevent this mess are restrictions on what companies can learn, do, and say; they’re enacted so people aren’t able to take actions they later regret.