Posted by amy at April 1st, 2006

About 2 miles into my walk today, I was struck by the realization that I wasn’t wearing my wedding rings and watch. I also was 2 miles from home with no identification on me. What, goddess forbid, would happen if I fell down and knocked myself out, or if I was hit by a car and left unconscious? How would anyone know who I was? Would they have to take out my new dental crown and look for a serial number? Do crowns even come with manufacturer information? Before I got too far into my CSI daydreams, I looked down at my chartreuse i-pod with the words Marlboro College Graduate Center engraved on the back. Assuming the i-pod stayed attached to me, could an EMT find out who I was and notify my family?

According to FERPA (The Family Educational Rights Privacy Act) colleges are welcome to give out standard, directory type information without my consent, provided I haven’t submitted in writing a request for them to withhold it, which I haven’t and don’t plan on doing. Marlboro College Graduate Center isn’t so big that someone in the technology center wouldn’t be able to quickly scan the student database to find I was the only student within a 10-mile radius of the local hospital. And since I get my health insurance through Marlboro College as well, chances are the paper trail could begin before a doctor saw me.
With one phone call, Jane Doe turns into Amy Stevens. Even when I’m walking miles from home without recognizable ID, I have a limited presumption of privacy. As I kept walking, I tried to remember if there was ever a time when I presumed privacy, I remember my junior high school principal lecturing us that our school lockers were not considered private, that he could get out the bolt cutters at any time and open them up without a search warrant. He could because schools act in loco parentis — Latin for in the place of parents. We were reminded of that when we got to high school, and the dorm monitors reinforced the idea even in college. So even before I knew about e-privacy, I couldn’t identify a place where my privacy was guaranteed. When I went online in 1992, through Prodigy, I assumed that the technology existed – or would soon exist – to track my every keystroke – and that even though Prodigy wasn’t acting in loco parentis – there was no “confidentiality agreement” to protect my online actions as I would expect in my records at a doctor or a lawyer.

It is possible that I became exceptionally jaded while doing research for my book on 1960s anti-war activists. As I sat with boxes of files from the FBI, and saw they documented details about people that even their closest friends claimed not to know, I understood that there could never be an assumption/protection of privacy from the government.

More to the point, I don’t think there can be the expectation that the government will be prevented from collecting information that people freely disclose about themselves.

As we read codes and regulations, privacy policies and legal challenges to those this semester in my legal and ethics class, I followed Google’s struggles with privacy issues. The courts have long held that if a third party like Google already knows something about you, you generally have a very limited privacy right to keep the government from knowing the same thing. Further the government is only seeking from Google aggregated search information, in order to compile statistics which a judge has declared necessary in their attempt to suppress child pornography. I don’t think Google has a legal leg to stand on, especially if it is selling this type of aggregated — and even personal — data in the public marketplace.

Their privacy policy specifically states:

Information sharing Google only shares personal information with other companies or individuals outside of Gxoogle in the following limited circumstances: * We have your consent. We require opt-in consent for the sharing of any sensitive personal information. (Note your consent isn’t required, your non-consent is.) * We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures. (Schools and governments have this same clause, which essentially means that if the information is part of the work flow, it is fair game.) * We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law. (Emphasis added.)

We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually. (And here is the kicker – they are sharing the information already.)

And while they claim “limited circumstances”; the language is vague enough for anyone, at any time, to ask for such information from Google and be fairly assured of getting it, if they are willing to pay for it. I can’t help wondering if it wouldn’t it be far more advantageous for the Department of Justice lawyers to take out a few Google advertisements, then request the aggregate data, than to waste taxpayers’ money and burden the judicial system fighting over something Google is already providing to its advertisers. Whether it is Google’s aggregated search data, or directory information from MCGC, it seems that Scott McNealy — then CEO of Sun Microsystems — foreshadowed this in his famous 1999 declaration, “You have zero privacy anyway. Get over it.” I wonder if Google is looking for a new motto.