How a Grad Student Scooped the Government and Uncovered One of the Biggest Internet Privacy Scandals
Continued from previous page
Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism. Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It's the globalization of digital regulation: What happens in one country can affect all countries.
For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them — and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook's international headquarters are located in Dublin, so the firm had to comply. Last year it gave Schrems more than 1,200 pages of data that included just about every keystroke he had made while on the social network, including items he had deleted and location information he had never provided. Facebook had kept almost every poke and like, every friend and defriend, every invitation accepted or rejected. Schrems posted the information online and compared his Facebook dossier to the data that the East German secret police, the Stasi, had kept on millions of citizens.
In effect, Schrems exposed Facebook's data retention practices, and this led to a big change. In May, Facebook said its 900 million customers — not just the ones in Europe — would receive far more detail on its data collection, making it easier for them to know what information was being collected and what was being done with it. The company acknowledged that the change was the result of a harsh report issued by Irish authorities looking into the Schrems case. Ireland wasn't trying to protect the privacy rights of Americans, but its pressure on Facebook had precisely that effect.
The outsourcing of consumer data protection has been going on for a number of years. In 2008, European privacy officials asked Google, Microsoft and Yahoo! to delete, far quicker than they were doing, the data they were retaining about user searches. In short order, the search giants complied — not only for their European customers but for Americans, too. "The EU drives regulation worldwide," Mayer says. "While we make nods to self-regulation and cooperation, the reality is that the EU is getting all of this done."
The power of Europe's privacy regulators — and the weakness of America's — was demonstrated most vividly in the Street View dustup. While there was only modest protest against Google photographing American streets and homes, the company immediately ran into big trouble when its cars began to roam around Europe. The collection and abuse of personal information also was a hallmark of communist regimes that ruled Eastern Europe during the Cold War. Throughout Europe, local and national authorities expressed concerns about Street View, and the project quickly hit a number of walls.
Google promised its cars were only taking pictures — and the firm's word was enough for U.S. officials — but French authorities demanded to know for sure. They inspected one of the vehicles in 2010 and realized that Google was not telling the whole story: The hard drives in the cars were downloading data from Wi-Fi networks. Google downplayed the revelation by contending the downloads were innocuous — just technical data, not personal information.
In Germany, where popular opposition to Street View was strongest, the data commissioner of Hamburg, Johannes Caspar, demanded to inspect a Street View car, too. At first, Google reportedly told him it didn't know where the cars were. The firm eventually found one — but its hard drive was gone. At that point, Google said it was taking a new look at what the cars were downloading. Caspar insisted the company hand over a hard drive. After a few months, Google complied. Caspar discovered that Google had downloaded vast amounts of personal data.