Google: the case for hawkish regulation
Regulatory agencies have been nipping at Google’s heels, but they need to go straight for the throat.
Google reminds me of Adam, the cute, 100-foot-tall toddler in the 1992 Rick Moranis film, Honey I Blew Up the Kid. In case you missed it, Adam keeps stumbling over buildings, mistakes real cars for toys, and ultimately threatens the existence of Las Vegas. Adam is also the name of the errant father of the human race. And Google is the company named after an astronomically large number (1 with a hundred zeros after it) that controls access to most of the information on earth and that finds innovative new ways to get in trouble several times a year.
In 2010, Google’s Street View teams – the mobile crews that are systematically filming every street and building in the world, including your home – were accused of deliberately capturing people’s names, telephone numbers, emails, text messages, passwords, search histories, and even online dating information as they drove from neighbourhood to neighbourhood in the US and more than 30 other countries between 2006 and 2010. Google snatched the data from Wi-Fi networks. This is akin to what those nasty adults in the white van were doing when they drove around the neighborhood trying to find ET, but on a spectacular scale.
At first Google claimed, absurdly, that only one lone engineer at the company was aware of this activity, but a 2012 Federal Communications Commission investigation concluded that the knowledge was widespread. The FCC fined Google $25,000 for obstructing its probe, but was it. Extracting data from personal, unencrypted Wi-Fi networks does not violate current federal wiretapping laws. In 2011, the French government fined Google 100,000 euros for its Street View caper, and in the UK the investigation is ongoing. But that was it.
In February 2010, Google stunned privacy advocates by rolling out Buzz, a social networking service that automatically enrolled Google’s 175 million Gmail users, instantly creating a “circle of friends” for each user based on who they emailed most often. The problem was that Google never asked its Gmail users whether they wanted to enroll – and what was that again about who you emailed most often? Buzz was shut down after 18 months.
In 2011, Google reached a settlement with the Federal Trade Commission regarding revelations about how it handled user search information. Google tracks everything you search for, you see, as well as every website you visit, including those porn sites your friend visited when he borrowed your laptop. The company denied it was using this information improperly, but FTC officials were not persuaded. As a result, the company reluctantly agreed to undergo regular privacy audits for the next 20 years. As you may have noticed, however, those highly targeted ads Google sends you based on your email content and internet activities seem to be coming faster than ever.
In March 2012, in possible violation of the terms of its FTC settlement, Google announced a dramatic change in its privacy policy. Specifically, it began aggregating data obtained from more than 60 different Google products and services, including its Chrome browser and Android operating system. The manoeuvre allowed the company to create comprehensive profiles of the likes, dislikes, tastes, preferences, and activities of hundreds of millions of individuals worldwide, collecting, according to DailyTech.com, “sensitive information including … sexual orientation, sexual habits, relationship status, religion, political views, health concerns, employment status, and more.”
The Electronic Privacy Information Center has protested, as have at least eight US Congressmen and several foreign governments, but to no avail. Google defends itself by saying that it’s not breaking any laws, just managing data in a way that allows it to better serve customer needs.
In 2011, after a successful sting operation by the state of Rhode Island on behalf of the U.S. Department of Justice, Google agreed to pay a whopping $500 million fine to the Federal Government for illegally marketing Canadian prescription medication to US citizens through its AdWords program – a ubiquitous advertising system that allows Google ads to appear on just about any website, just about anywhere – even smack in the middle of an article on Mitt Romney or the Mars landing. Google had been on notice since 2003 that its advertising may be in violation of US law, but it continued to solicit and support its position aggressively until at least 2009, supposedly generating upwards of $500 million in revenues.
In early August 2012, the FTC levied a $22.5 million fine against Google for violating the privacy of people who used the Safari browser on Apple iPhones, iPads, and Macintosh computers. Google bypassed Safari’s privacy settings to track user activity and send users customised ads. Google’s actions not only violated its agreements with Apple, they also - yet again - violated the terms of Google’s settlement with the FTC. Google agreed to pay the fine but refused to admit that it had violated any laws. The company’s defence? It was “unaware” that the privacy violations were occurring.
In response to these and other challenges to its high-handed conduct, Google recently launched an aggressive advertising campaign to try to shore up its image. The basic message: Google is an awesome business that provides awesome services to the world, unmatched by any other company.
The message is not entirely wrong. And that’s the problem. No one wants to mess with something good – in this case a hip, helpful company that includes in its official and unofficial mission statements variations on the breathtaking assertion that you can make money “without doing evil”.
Even the word “google” itself is so gosh-darn cute. What harm could such an extraordinary and trailblazing company possibly do? But as good as the company is at providing information, it should not and must not be allowed to conduct business as it has until now. It must and will eventually be regulated, just as phone companies are regulated. Fundamental civil liberties issues are at stake.
A frustrating personal experience I had earlier this year with Google illustrates, in a narrow context, why we need to start looking at the company differently. The experience opened my eyes to the real threat that an unregulated Google poses – one so enormous that you can’t even see it. It’s like the curvature of the planet. Here’s what happened. I’ll try to keep the technicalities to a minimum, and I promise to summarize the key issues in plain language before I’m done.
* * *
On New Year’s Day, 2012, I awoke to nine emails from Google informing me that my professional website, DrRobertEpstein.com, had been hacked. My site had been hacked before, but this was different. Last time, a few obvious lines of code had been added to a key program. The bogus code, which took only seconds to remove, had added links to websites selling Viagra to my home page. In the grand scheme of things, this was not a big deal. Everyone gets hacked these days, even (as in October 2011) Google, Facebook, and Microsoft.
This time, however, the hack appeared to be deep and deadly, affecting not only my main website but the twenty or so websites at which I provide psychological tests, such as DoYouNeedTherapy.com and MySexualOrientation.com. For all practical purposes, this hack shut down all of my websites for more than a week. It turns out, though, that the bad-guy code was only part of the problem. The other culprit was Google itself.
Google has an awesome power, you see, that few people are aware of: the unfettered, unregulated power to effectively shut down any website in the world by adding that website’s URL to its blacklist. In my case, this power was abused.
Before I give you the details, I should point out how generally helpful I find Google’s products to be. Google’s search engine not only gets me where I want to go, it also allows people around the world to learn about my own scientific and scholarly work. As of January, 2012, when people searched for me on Google, the company pointed them to more than 450,000 web pages. Incredible. Flattering.
And powerful. Imagine if Google suddenly erased me from its database. Relatively speaking, I would almost cease to exist. (Will this happen, I wonder, when Larry Page, Google’s chief executive and co-founder, reads this article?) Information is power: more so in today’s world than ever before, and whoever provides or restricts access to large volumes of information has the ability to alter the attitudes and behaviour of billions of people.
Which brings me back to New Year’s Day. Google’s missives said that my websites were redirecting visitors to a malicious website in India. In other words, my sites were not themselves malicious; they simply redirected people to a bad place, like the traffic cop who sends you off on a long detour through a scary neighbourhood. Google’s emails also provided links to webmaster tools that allow users to see what Google’s automatic crawler program – a Googlebot – has found wrong with their websites.
At this point, Google was limiting access to my websites in two ways. Firstly, if you searched for me or most anything related to me using the Google search engine, every result was tagged with a terrifying warning: “This site may harm your computer.” If you were foolish enough to ignore the warning and click through, you got an even stronger warning, typically a page containing a blood-curdling red box declaring that “drrobertepstein.com has been reported as an attack page” (which it was, of course, obviously not) and featuring an irresistible button reading “Get me out of here!” Depending on your browser and security settings, you might then have been at a dead end, or you might still have been able to click through—which virtually no sane person would do.
Secondly, and this is important, if you didn’t use Google’s search engine and simply tried to go to any of my websites directly or through a link on another website, most computers and most browsers would also block your access, again displaying that intimidating red box. This would occur even if you were just trying to download articles without actually visiting the site.
Now think about that. It makes sense that Google’s search engine should, on its search list, warn people about a website that its crawler has found to be dangerous. But why does Google, a private company, have the power to block access to a website that you want to visit directly, and how, technically, is Google accomplishing the block? Is someone from Google looking over your shoulder as you type?
Working with local colleagues, my internet service provider, as well as with the programmer who had defeated my earlier hack, I soon learned some interesting things. First of all, Google’s own analytical tools indicated that my home page was clean, even while its crawler was reporting that the source of the redirect was a link to a non-existent page on my website. A non-existent page? How could a user ever get to a page that doesn’t even exist? Are they supposed to use ESP to figure out the URL?
We also learned that when it was possible to get past Google’s blocks, visiting my websites directly never resulted in a redirect to a malicious site.
On 3 January, still unable to find the hacked code and still getting contradictory information from the webmaster tools, I emailed “webmaster-central-help” at Google, asking Google to stop blocking my websites. In return, I received what appeared to be a computer-generated email referring me back to the webmaster tools. I replied with a more emphatic message, this time, in order to attract attention, with a copy to a New York Times reporter who had once interviewed me for a story on artificial intelligence.
The subsequent reply I received may have been written by a person, but it was still unsigned and contained no more information than we had found with the automated tools.
Calling Google was even more frustrating. The courteous woman who answered the phone was allowed to give me her ID number but no name, which seemed to frustrate her as much as it frustrated me. She said the department that could help me was the “web search department” – which was helpful – but that “they don’t take calls” – which wasn’t. Neither, she said, does Mr. Page’s office, nor her supervisor, nor even the public relations office. Why, I wondered to myself, does Google even have a phone? Just to tell you that they don’t take phone calls?
That evening I was contacted by Nicole Perlroth, a New York Times blogger who specialises in computer security issues. On 5 January, she posted a sympathetic article about my situation entitled, “One Man’s Fight With Google Over a Security Warning”. She also interviewed John Harrison, a project manager at Symantec, who acknowledged that my dilemma was becoming increasingly common, with 40 million attempted hacks every day and the websites of physicians, news organisations, and “even a Fortune 1,000 company” being successfully infected.
But comments on the article generally defended Google as a fatherly company that “protects us from the evil that lurks on websites” (that’s a direct quote). One writer accused me of “maligning” Google, which was “acting in the best interests of you and your clients.” A few writers were more sceptical, however, wondering, for example, why Google won’t put employees’ names on emails or help people over the phone.
Fortunately, the article also drew the attention of some highly-skilled security experts, including a systems analyst in Southern California who found the troublesome code: twenty crafty lines that had been added to a configuration file. We fixed the problem on 6 January, and Google finally removed the blocks about 30 hours later – except, that is, on DrEpstein.com, my primary URL. Even though it contains no content – it’s just a forward to DrRobertEpstein.com – it took an additional three days for Google to clear it. Empty links that do nothing but forward to other links are apparently too subtle, or unimportant, for Googlebots to understand.
Problem solved? Unfortunately not. Because this incident exposes a much larger problem, one that goes well beyond my own New Year’s headaches.
* * *
Those lines of troublesome code, presumably inserted after a program or person cracked one of my passwords, served a very narrow purpose: to redirect people who had reached my websites through Google or other search engines. And that’s all they did.
In other words, the code itself confirmed what we had already concluded: that no one visiting any of my websites directly or simply downloading material from my main website – more than 85 per cent of my traffic – was ever in danger. But Google had blocked thousands of people from reaching me who were not using the Google search engine. In other words, yes, my main website had been hacked, but Google’s bot had dealt with the hack in an absurdly simplistic way, driving people away from multiple websites I owned even though they were safe.
This can mean only one thing, and our tests confirmed it: You know those innocuous little Google boxes in the upper-right corner of your browser? Those now come built-in on many browsers, on hundreds of millions of computers. And when Google is built into your browser, before you access a website, your browser checks to see if that website is on Google’s blacklist. If so, you are blocked, even if that website is safe. In other words, yes, Google, Inc. is indeed looking over your shoulder as you type. You can defeat the block by changing your security settings, but most people won’t do so either because they don’t know how or because they assume the warnings they receive are valid.
So Google can not only track your activity when you’re not using its search engine, it can also restrict that activity through blacklisting, thus serving as a censor for internet content. In my own case, Google blocked my content unnecessarily for ten days for the vast majority of people who tried to access it. Google was correct in discouraging people from trying to link to my main website through its search engine, but it erred in adding more than a dozen of my URLs to its blacklist, because direct access to those sites never put users in danger.
If a company like Procter & Gamble or Johnson & Johnson mistakenly blacklisted a large number of your websites, you would be guaranteed an apologetic letter from a customer service representative, perhaps enclosing a coupon for free nappies. But Google remains silent. In fact, it doesn’t even have a customer service department.
And if you’re thinking that Google’s blacklist is probably small and inconsequential, think again. At any one time, there are about 800,000 URLs on the list, with more than 6,000 added every day. In July 2011, Google blocked an entire subdomain – co.cc – an action that effectively shut down more than 11 million URLs. That doesn’t sound like the sort of discerning and intelligent filtering you’d expect from one of the smartest corporations on the planet.
Most major browsers now accept Google’s blacklist as gospel, even though experts are aware that its lists are flawed. For example, a 2012 analysis by security firm Zscaler found that when a legitimate website is infected in a way that forwards users to a malicious site, Google typically blocks the legitimate site rather than the malicious one, a practice that makes no sense at all.
Who gave Google the authority to block websites, which can mean crippling livelihoods? No one. No website owners. No government agencies. Google, in its arrogance, just does it – and often it does it improperly.
* * *
In the early 1990s, I directed the Loebner Prize Competition in Artificial Intelligence, the search for the first computer that could fool people into thinking it was a person. One of our entrants was a junior professor named Michael Mauldin, known as Fuzzy to his friends. One day on the phone Mauldin surprised me with the following news: “Yesterday I was a poorly-paid assistant professor. Today, I’m a millionaire.” His financial status changed suddenly because a pet programming project of his – Lycos, one of the first internet search engines – had just been sold to a start-up company.
Although a game-changer for Mauldin, this was not a landmark event in the world at large. In those days, barely a thousand public websites existed, so search engines weren’t particularly helpful in solving everyday problems. Information was still obtained mainly from original sources or sources close to them: from experts, libraries, archives, books, newspapers, and so on. Information gathering was an art: a slow, awkward, and somewhat haphazard process, as it had been for hundreds, if not thousands, of years.
Early internet investors saw potential in Lycos and other search engines, but no one envisioned what began to happen just a decade ago: namely, that the search engine – with Google quickly emerging as the best of the lot – would become the primary gateway to virtually all information. Nor did people envision the existence of hundreds of millions of websites serving as interfaces to virtually every business and organisation on the planet. The search engine became the gateway to the entire digital universe.
Search engines have become the primary vehicle – and often the only vehicle – people use both to obtain information and to access products and services. That means the executives who control search engines now determine what information people will see or not see, which websites people will reach or not reach, and the order in which the information will be presented.
And who is overseeing the people who control the search engines? No one.
* * *
Google, which handles two-thirds of all Internet searches, is a private company in which key policy decisions are made by just one person: Larry Page. We can guess why he makes certain decisions – market share issues, personal values, political leanings, whims, a bad mood – but we can’t know for sure, because he has no obligation to tell us. And because he’s not an elected official, we can’t vote him out of office. We just have to trust that he has our best interests in mind, even though, legally, his first obligation is to his shareholders.
We also have no impact on Google’s other 56,000 employees, some of whom – such as Marius Milner, the engineer who equipped the Street View teams with the code that collected private information from millions of people – have the authority to blacklist your business, push you to the hundredth page of the search queue, or delete you entirely from Google’s database.
Speaking of which, you might recall that in January 2012, my scholarly work was mentioned on more than 450,000 Google pages. Sometime this spring, however, that number dropped to around 40,000. Was this due to a sweeping change Google made in its search algorithm? Or because Larry, Marius or someone else at Google was irritated by my vocal public criticism of the company? There’s no way to know. Remember, Google doesn’t even have phone support.
Let’s not forget: Google does – without anyone’s approval except probably Page’s – occasionally make dramatic changes in its search algorithms, arbitrarily helping or hurting millions of business and organisations that have no input into the process and no redress if they are harmed. In August 2012, for example, apparently giving in to pressure from the music and movie industries, Google announced that it was going to lower the search ranks of websites based on how many copyright violations had been reported about them.
How, exactly, would such a policy be implemented? Would it spare websites that don’t profit from their copyright violations? Would the new policy be applied with equal vigour to every offender? I doubt it. And who could tell, in any case. In fact, here is a straightforward prediction that I’d bet money on: YouTube, which hosts vastly more copyright violations than any other website on earth, will continue to enjoy top search rankings. Why? Well, because, as anyone with a passing acquaintance of the internet will know, Google owns YouTube.
* * *
And now for the quiz. Would it be unlawful for Google to give preferential treatment to its own websites in its search results?
Would it be unlawful for Google to alter its search algorithm in a way that helps or hurts businesses of a particular type – say, businesses accused of idealism, agnosticism, or the excessive use of plastic bags?
Would it be unlawful for Google to alter its search algorithm in a way that changes the rankings of one particular political party, news service, or type of news story?
Would it be unlawful for an individual Google employee to push his or her favorite business, rock band, or political candidate up or down in the search rankings?
Would it be unlawful for Google to completely eliminate a business or individual from its search engine?
Is it unlawful for Google to add websites to its worldwide blacklist without the permission of the owners of those websites, with or without cause?
Is it unlawful for Google to collect and organize vast volumes of information about you, your family, and your business and then to use that information to try to alter your behavior?
The answer to each of these questions, as you will likely have guessed by now, is: nope. The one question to which the answer is a resounding yes is this: is Google a threat to our civil liberties?
* * *
Google today is roughly where telephone companies were in the early 1900s: insinuating itself into every aspect of our lives, unaccountable to anyone but its shareholders, regularly riding roughshod over the liberties of individuals and organisations, and growing rapidly in power.
In the 1930s, the office and home phones of all of the members of US Supreme Court were wiretapped. Phone company personnel were colluding with both criminals and government officials on a regular basis. Over time, in an attempt to protect civil liberties, our elected officials subjected the phone companies to more regulation. Some of the regulations favored monopolistic practices, and eventually, all phone traffic in the US was in the hands of one highly regulated private company: AT&T.
In the 1970s, AT&T’s monopoly on telecommunications was successfully challenged in court by the U.S. Department of Justice, and the company was subsequently broken up into smaller ones: more innovative, but still highly regulated. People need to be protected, after all, from a private company that controls vast amounts of personal information.
If you’ve ever bought a house, or a car, you might have learned first hand about the importance of such protection. In the US, three private companies – Experian, TransUnion, and Equifax – collect information every day about most of your important financial transactions. They track how much credit you have with lenders and whether you make your credit card or mortgage payments on time, and the scores they compute for you determine what you can buy and how much interest you’ll be charged.
For more than 40 years now, these companies have been regulated under the federal Fair Credit Reporting Act, which gives consumers easy and often free access to their credit reports, as well as straightforward methods for correcting errors on the reports. These companies still make lots of money, but they are highly constrained in what they can do.
It’s still early in the game, but Google, too, is heading down the road to regulation, because it puts our civil liberties at risk – and it does so to a far greater extent than do the credit bureaus or phone companies. The extent to which Google currently misuses its power is not the point; the point is that it has the power, currently unfettered, to exercise malice on a grand, and even global, scale. Repeatedly, the company has proven itself unworthy of the level of trust required to allow this situation to continue unabated.
And even if we were all naive enough to give our absolute trust to the trendy techies at Google, Inc., ask yourself this: what if all the information Google has collected ended up in the hands of people who were not so worthy of our trust? What if Google were itself hacked? What if a high-ranking guru or executive at Google sold out to a foreign government, or to terrorists?
Google and the two other major technology companies – Microsoft and Yahoo! – that together handle more than 95 per cent of the world’s online searches must ultimately be regulated, because information is power, and search engines have become the primary way in which we access information online.
No private, unregulated company should have the kind of power Google has amassed. To leave power of this magnitude in the hands of corporate executives or, worse yet, inscrutable automated bots – no matter how benign, well-meaning and snoogly-googly they claim to be – is imprudent, if not insane.
Let’s face it. Google is a business, not a charity. It cares more about the information it’s collecting about you than it does about the information it provides for you. Except for its paid listings, the information Google provides costs the company money, whereas the information it collects is worth a fortune.
As Google executive James Whittaker said publicly after he quit the company, Google started out as a cool corporate anomaly but has quickly morphed into “an advertising company with a single, corporate-mandated focus”. That focus is the manipulation of consumer behaviour.
From a commercial point of view, the search engine’s main function is not to provide information, but to collect it. The more than one billion unique visitors who use Google’s search engine every month don’t see it that way, of course. As I’m sure Mr. Page would agree, that’s the beauty of it.
As for the Street View scandal, does the world really need an archive of images of every street and building in the world? Of course not. The main purpose of the Street View vehicles was probably – and probably still remains – to collect information from private wireless networks.
Why did Google develop its own browser, Chrome, and its own operating system, Android? And why has Google been buying websites like YouTube? Because they provide more information about consumer behaviour. Not as much as the search engine provides, but enough to justify the expenditures.
And now, increasingly, it’s personal. Google isn’t just collecting information in the abstract, as advertisers have always done; it’s collecting information about you, exactly as if it were listening in to all of your phone calls, peering though your windows to see which books and articles you read, watching you through hidden cameras to see which television shows you watch, following you from shop to shop to track your purchases, and then transcribing all of this information and indexing it for later use and resale.
That’s what Google is doing to you in the digital world you inhabit for so much of the day, and if a bot or a person at Google thinks that what you are doing in that world is unacceptable, they can make your digital self disappear.
Would we, as a society, tolerate a private company that routinely monitored our behaviour throughout our waking hours, collecting and cataloging information that it later used to influence our spending and that could, in principle, be used for even more nefarious purposes? No. But that’s exactly what we’re allowing Google to do. If you’re not afraid, you probably should be.
Nipping at Google’s heels. That’s what US federal agencies and some foreign governments have been doing. But the issues they’ve looked at are trivial. It’s time we all examined the larger ones.
Robert Epstein is Senior Research Psychologist at the American Institute for Behavioral Research and Technology and the founder and Director Emeritus of the Cambridge Center for Behavioral Studies in Massachusetts. The former editor-in-chief of Psychology Today, he has published fifteen books, including a 2008 book on artificial intelligence called Parsing the Turing Test: Philosophical and Methodological Issues in the Quest for the Thinking Computer