Google Expands Its Reach Into Fitness, Health, and Finance, but Pinky Promises With a Cherry on Top That It Won’t Use This Data for Advertising ⇥ wsj.com

I present a remarkable triptych of stories from the past week or so, beginning with Peter Rudegeair and Liz Hoffman of the Wall Street Journal:¹

Google will soon offer checking accounts to consumers, becoming the latest Silicon Valley heavyweight to push into finance.

The project, code-named Cache, is expected to launch next year with accounts run by Citigroup Inc. and a credit union at Stanford University, a tiny lender in Google’s backyard.

[…]

[Google executive Caesar Sengupta] said Google wanted to bring value to consumers, banks and merchants, with services that could include loyalty programs, but it wouldn’t sell checking-account users’ financial data. The company said it doesn’t use Google Pay data for advertising purposes and doesn’t share that data with advertisers.

Beth Mole, Ars Technica:

Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.

The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.

Google issued a statement reassuring those concerned that patient data is encrypted, siloed, kept private in accordance with HIPAA rules, and won’t be combined with Google’s own user data.

Shirin Ghaffary and Rani Molla, Vox:

Google’s parent company Alphabet announced Friday that it is acquiring wearable smartwatch maker Fitbit for $2.1 billion, marking the search giant’s latest push into the health market.

Google’s acquisition raises concerns about data privacy for Fitbit users. Google says Fitbit health and wellness data will not be used for Google ads, but it did not specify where else in its empire it might use that data. The acquisition also gives more fodder to regulators who are already scrutinizing whether the company is too big and should be broken up.

There’s a common thread here: Google is acquiring massive amounts of deeply personal information, but it insists that you can trust it — the company promises that it won’t use this data for advertising purposes nor will it mix it with behavioural data it has collected about you.

And you know what? I believe Google when it says that it won’t do that right now — I really do. But will it uphold the same promise in five years, or ten? Will it keep the same promise if new legislation comes into effect that would make it harder to collect new behavioural data? Will Google maintain the same stance if it becomes financially stressed, or if a creepier person takes the CEO chair, or if it becomes otherwise compelled to strip mine users’ personal data on every level? I’m much less certain, particularly as less than eight years ago it consolidated all user information under a single privacy policy. Why wouldn’t Google do the same thing again? What’s stopping it?

Even if you believe that this collection of highly personal information is kept perpetually secret, why is it the case that companies that have a primary business of behavioural data mining are able to dabble in industries that necessarily require a privacy firewall? I think of this in much the same way that financial institutions in the United States were once prohibited from being in consumer businesses and investment banking under Glass–Steagall. As the housing market collapsed in 2007, the devastating loss to Americans was exacerbated by Glass–Steagall’s repeal just eight years prior.

Why risk a privacy catastrophe?