EU condemns Google's privacy policy

One of Christchurch's greatest breakfast institutions has just hung its shingle in Wellington.

Hailing originally from Canterbury, I've long been a fan of Drexels' ability to deliver up a breakfast menu that would make a New York deli proud, but with premium local ingredients and crash-hot service that would embarrass many upmarket eateries. Drexels' signature eggs are something to behold: fluffy, lightly salted and well-scrambled.

Also well-scrambled was Work and Income New Zealand's much-publicised privacy blunder when a walk-in hacker managed to download 7000 pieces of confidential client information from a public-facing computer kiosk.

To be clear, it wasn't primarily a privacy blunder; it was a security loophole in the Work and Income network that allowed a computer-savvy blogger to access tens of thousands of documents from Social Development Ministry (MSD) servers, which were publicly available through kiosks at Work and Income offices around the country.

Many have rightly criticised Work and Income's lax system architecture, and clearly something is seriously wrong with a public kiosk system connecting to a globally accessible corporate network, but there's also a lot to observe in how it happened and the response. It's qualitatively different to what we saw at ACC earlier this year, where instead of reacting to being hacked, the corporation was actively sending out personal information.

First, Work and Income was being progressive in giving clients web access to research and apply for jobs.

In the digital world, this is an absolute necessity and Work and Income was a public sector pioneer.

Second, blogger Keith Ng is a great example of a good or "white hat" hacker.

Rather than creating mischief or benefiting, he's exposed the flaw and tabled the results with the Privacy Commissioner.

He sought no money and was motivated by public good.

Third, MSD chief executive Brendan Boyle took it on the chin. There was no shying away, just a straight-up admission that it was unacceptable, the immediate deactivation of the kiosk system and a promise to put it right. It was a clear example of the fact that there are no dress rehearsals in cyberspace.

At the same time as Work and Income was scrambling to fill the security hole, a much bigger privacy issue bubbled to the surface on the other side of the globe as the European Union gave Google an ultimatum over its reconstructed umbrella privacy policy.

This gave Google the explicit ability to track you across virtually all its products, from YouTube and Calendar to Gmail and search. Google said the new policy was driven by the "desire to create one beautifully simple and intuitive experience".

My take was slightly different, namely the ability to "get social" with their search results and advertisement targeting.

Last week the French Data Protection Agency issued a report saying Google's new policy failed to comply with EU data protection rules.

The report was endorsed by privacy regulators in 27 EU countries and a few others, including Canada.

It criticised Google for not providing enough information to users on how their data is processed and the vagueness about how long it retains personal information. It noted there was no reason for Google to combine information about people's use of more than one Google service, and that it was far too hard for a user to opt out. The condemning report comes after a rough couple of months for Google.

In August, the company agreed to pay a record $22.5 billion fine to the Federal Trade Commission for misleading users of Apple's Safari browser over privacy.

Then its stock tanked after earnings per share came in at $9.03 versus expectations of $10.65, resulting in its shares falling 10 per cent.

It also muffed the announcement with the disclosure going out without final authorisation. Not flash.

In September, global search figures went backwards for the first time ever. Macquarie Securities said total organic search in September declined 4 per cent year-on-year. People are increasingly using mobile apps, marketplaces and social media to find stuff, more than Google and Yahoo.

Not great news if you are in the search market.

All this means Google has more motivation than ever to further monetise its big money-making services - AdWords and the display network - both of which pivot on smart use of personal data.

If Google fails to convince the EU it is complying with privacy laws, the next step is expected to be a formal request to unwind the March changes.

In simple terms, this would be a bit like trying to unscramble an egg - and you don't need to be a Drexels' chef to know that would be pretty bloody hard to do.

Mike "MOD" O'Donnell is an e-commerce manager and professional director. He reckons Drexels' breakfast burrito is the best thing on the menu. Interest disclosure - MOD once picked up Keith Ng hitchhiking in Northland.