What kind of evil is Google: Accidental or intentional?

Company claims ignorance and 'mortification' that it grabbed passwords, emails while facing lawsuit for selling user data

If knowledge is power, Google is arguably one of the most powerful companies on the planet -- and potentially one of the most dangerous. Consider, for a moment, how many bits and bytes flow into the company's numerous data centers, both through its own collection processes and from users worldwide. The company eagerly reiterates its mantra -- "Don't be evil" -- but recent developments suggest the company is breaking that pledge, either intentionally or unwittingly.

In the most high-profile case, Google collected and stored payload data from unsecured wireless networks while compiling Street View images. The company has asserted it amassed that info by accident and downplayed the sensitivity of the data. However, recent investigations by the Canadian and Spanish governments reveal that Google has been holding on to a hoard of sensitive information, including passwords, URLs, and entire emails -- the sort of content that could be put to ill-advised use by cyber-ne'er-do-wells.

Since that time, Google senior VP of engineering and research Alan Eustace has declared the company "mortified" by the findings -- and surprised. Apparently, Google will have us believe it never looked at the data it gathered. "No one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained," he writes.

It doesn't end there. Just this week, Google was slapped with a federal lawsuit for allegedly illegally divulging user search terms to third parties. "Google has consistently and intentionally designed its services to ensure that user search queries, which often contain highly-sensitive and personally-identifiable information, are routinely transferred to marketers, data brokers, and sold and resold to countless other third parties," the suit states.

Per the lawsuit, Google is able combine search terms with data it acquired with its purchase of DoubleClick. The complaint also states that a user's IP address, combined with information from Google Analytics and services, enables third parties to connect anonymous data to specific individuals. Google hasn't commented on the legal matter.

Even if we give Google the benefit of the doubt and assume it gathered the data by accident while never looking at the information, there's still cause for concern: How do we know what other data the company is collecting, whether intentionally or otherwise, as users rely on Google Docs, Google Voice, and other services to conduct business and private affairs? And how do we know that we can trust Google to keep that data safe?

To put it another way, imagine a spectrum of evil. On one end is a company that is evil by intent; on the other end is an organization that's evil by carelessness. The evil-by-intent Google would collect data such as Street View payloads, passing along search terms to marketers and government bodies, and otherwise exploiting every search, email, document, video, voice call, and who knows what else its gets its hands on.

On the other terminus, the evil-by-carelessness Google embraces its "Don't be evil" philosophy, yet in the mishmash of experiments, technologies, and services, it's compiled fat stores of juicy data, ripe for the plucking. Said data could be a enticing target for insiders who have no qualms about being less than pure.

Granted, both scenarios are a bit far-fetched. Still, move a step or two in either direction on the spectrum and you've entered the realm of possibility: either a company run by a man with a seemingly cavalier attitude about privacy -- CEO Eric Schmidt recently said people who are worried about Street View should "just move" -- and that is more than willing to push the limits and bend the rules to make more money and garner more power; or one with so many data-sucking tubes that it can't keep track of what it's holding on to and, thus, may not be trustworthy to secure it all.

To Google's credit, the company is undergoing a security shake-up, according to Eustace. Google has appointed a new director of privacy named Alma Whitten, whose purview will extend over engineering and product management. Her focus will be "to ensure that we build effective privacy controls into our products and internal practices." Additionally, Eustace claims Google is stepping up training efforts to make employees more aware of information security practices.

Eustace also says Google is updating its internal compliance policies and adding a new process to its review system: "Every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team."

That's all well and good, and perhaps it's indicative of a Google that truly believes in doing no evil. Still, an evil-by-intent Google would say it's doing due diligence to prevent such mortifying incidents from happening again. An evil-by-carelessness Google would botch or miss a step when it rolls out its next great data-gathering service.

This article, "What kind of evil is Google: Accidental or intentional?," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.

How to choose a low-code development platform