Access to user data

A week without Google

So I really and truly meant to go for a whole week without interacting with a Google product.  But it’s kind of like announcing that you’re quitting sugar.  You mean it at the time, but then you realize that not only is it nearly impossible but it turns you into some kind of weird social outcast if you try.  So, this turned into more of a thought experiment because I just couldn’t face a whole week without Google.  I wouldn’t actually advocate either a sugar-free or a Google-free lifestyle, but it’s sobering to realize just how reliant we are on one big corporation.

I’m strong out of the blocks because I don’t have any Google hardware.  If I had an Android phone or Chromebook, I’d be dead in the water.  As a smart home laggard, I also don’t have a Nest thermostat or Google Home Assistant. Things are looking strong until I think about checking my email.  And this is one of the biggest problems for me: my main email accounts go through either Gmail or Google business.  I know there are alternatives, but weaning myself entirely off Google email is a big task.  It’s just so darn convenient to use it, and so much effort to close down existing email accounts.  I’m also always surprised at how many sizeable startups and individuals use Google for their email, which means that my day is punctuated with Google Calendar events. This is where I start to realize that going Google-free has social consequences.

Using Firefox over Chrome is completely seamless, and skipping the Google search engine is tolerable, if a little janky.  In fact, it feels good not to be tracked all over the place and I get that smug, sugar-free feeling from DuckDuckGo.  Box, Dropbox and other cloud-based providers have me covered for document sharing, and it’s a simple switch-out from Google Hangouts to any of the other video chatting services (please don’t pretend like a week without Google+ is some kind of loss). As an old-school lawyer type, I use Office, so I’m also in the clear for document creation.  It’s Google Maps that’s going to create the withdrawal migraine for me.  It’s not just the road directions and public transport times that I have to forgo; it’s also any of the ride-hailing apps (since Uber and Lyft both rely on Google Maps).  This is bad.  Apple Maps bad, Gavin.

So an audit of my day proves that I can theoretically go without Google, but not without some pain.  Why does this even matter?  It matters because knowledge is power and we have unthinkingly given one company a huge amount of power.  Google indexes, interprets and stores vast amounts of data about our personal and professional lives, as well as information about our government and infrastructure, and our collective learning as a society.  What happens if they fail?  What happens if they make policies and decisions that we don’t agree with?  How bad would it have to be before we boycotted Google, and would we have any alternative provider? 

I don’t think we need to go Google-free.  As a company, they certainly make mistakes, but they also do great things.  The point is that we need to keep them honest.  We need to support competitors so that there is no complete concentration of power with any one company.  It is so tempting to go all-in with one tech ecosystem but we need to insist on cross-platform compatibility and genuine competition.

Creating accessible information for customers on international data privacy and government access

The past week has brought key decisions on the status of cell site location data, the validity of the NSA’s metadata collection under section 215 of the Patriot Act, and the little matter of the USA FREEDOM Act.  To say it’s like drinking from the fire hose is an understatement.  Companies and users are rightly concerned about how to interpret these decisions, and how best to respond.  But (to continue an overworked metaphor), when it comes to finding information that is clear, accessible, and actually applies to companies and customers, it’s a bit of a case of water all around but not a drop to drink. 

This is a real problem for cloud-based companies with an international customer base; it is important to be able to address customer questions and concerns with clear, concise information.  It is in this context that I created information sheets on international government access to user data in the cloud for cloud-based document management and email management company, NetDocuments.  The first of these sheets explains the legal framework in the United States, Australia, and the United Kingdom, and outlines NetDocuments’ policies and procedures to protect confidential client data.

Don’t get too comfortable – the need for tension between government and tech companies

As I’ve always said, “We don’t want the relationship between companies and government to be without tension; we want friction”.  Actually, Anupam Chander said this at Monday’s privacy lecture at Berkeley, but it’s the kind of statement that I wish I’d said.  This idea of an optimum level of friction is a good frame of reference at a time when law enforcement and companies trade words as to whether encryption will create the “phone of choice for the pedophile” or simply mean that “privacy doesn’t stop because of a government information request”.

At the same lecture, James Aquilina of Stroz Friedberg noted that a great travesty of the Snowden revelations was that they destroyed the relationship between government and companies.  He explained that the trust built after 9/11 has been completely eroded and the relationship destroyed.  The problem with this relationship breakdown is that the public still expects the government to be able to protect them.  While this might seem to be at odds with Chander's statement, I think that these statements can actually be seen as reflecting questions about how much tension there should be.

Much of our legal and political system is based on the idea that the best outcome is achieved when opponents representing different sides of a debate are able to battle it out; the separation of powers between executive, legislature, and judiciary; the adversarial court process; and the halls of Congress all rely on the tension between opposing views.  While I wouldn’t advocate for a relationship based on the level of tension within Congress, we also don’t want tech companies to be the government’s lapdogs.  It’s hard to know where the right line is on facilitating legitimate government investigations and ensuring individuals’ right to privacy. 

Twitter’s new legal fight to publish full transparency figures reminds us that the right level of tension can’t necessarily be quietly negotiated.  Instead, it may need to be lobbied and litigated.  This is particularly important when legislative change is glacially slow.  Where does this leave smaller companies, who don’t necessarily have the deep pockets to fight it out in court?  I’ve had conversations with a small, very pro-user tech company where the C-suite has agreed that if they get a national security letter, they’ll close their US operations rather than hand over the data.  But this isn’t an approach that many companies would be willing or able to take. 

As a baseline, companies of all sizes should insist on a search warrant (or the appropriate legal process under the Electronic Communications Privacy Act) before handing over user data and notify users (wherever permitted).  Companies should be proactive in their own privacy policies and procedures, paying attention to what personal information they’re collecting and storing, where they store it, and with whom they share it for commercial purposes.  Whereas the US Government has been happy to overlook the rights of non-US persons, companies that operate in the global marketplace should take a principled approach to all users (see my explanation of the glaring gaps in ECPA with respect to foreign government requests).  And if you happen to have deeper pockets and in-house legal support, consider having your day in court.

At the moment, we’re headed back into another round of the cryptowars between government and industry.  Hopefully we will soon be able to reach some kind of détente where we have a set of clearer, more appropriate boundaries for where privacy ends and legitimate government access begins.  In the meantime, let’s not shy away from a good fight.

TechCrunch article - If Microsoft wins do startups lose?

In all the commentaries on this important case about where you host your data, the voice of the startups seems to have been lost.  Somehow, there seems to be the assumption that if you're pro-business, you're pro-Microsoft.  I'm not so sure that assumption is true when you think about more innovative and early-stage companies.  In my commentary here in TechCrunch, I outline some of the reasons why supporting Microsoft's position in their current litigation could actually harm the business interests of US startups.