Dear Mr. Page:
We are writing to you as data protection authorities to raise questions from a privacy perspective about the development of Google Glass, a type of wearable computing in the form of glasses, which is currently in beta testing and not yet available to the general public.
As you have undoubtedly noticed, Google Glass has been the subject of many articles that have raised concerns about the obvious, and perhaps less obvious, privacy implications of a device that can be worn by an individual and used to film and record audio of other people. Fears of ubiquitous surveillance of individuals by other individuals, whether through such recordings or through other applications currently being developed, have been raised. Questions about Google’s collection of such data and what it means in terms of Google’s revamped privacy policy have also started to appear.
As you may recall, data protection authorities have long emphasized the need for organizations to build privacy into the development of products and services before they are launched. Many of us have also encouraged organizations to consult in a meaningful way with our respective offices.
To date, what information we have about Google Glass, how it operates, how it could be used, and how Google might make use of the data collected via Glass largely comes from media reports, which contain a great deal of speculation, as well as Google’s own publicizing of the device.
For example, our understanding is that during the beta testing of the product, Google has put in place extensive guidelines for software developers to follow in building applications for Glass. These limits appear to be largely related to advertising within Glass. If this is indeed the case, we think this is a positive first step in identifying privacy issues, but it is only a first step and the only one we are aware of.
We understand that other companies are developing similar products, but you are a leader in this area, the first to test your product ”in the wild” so to speak, and the first to confront the ethical issues that such a product entails. To date, however, most of the data protection authorities listed below have not been approached by your company to discuss any of these issues in detail.
For our part, we would strongly urge Google to engage in a real dialogue with data protection authorities about Glass.
The questions we would like to raise include:
- How does Google Glass comply with data protection laws?
- What are the privacy safeguards Google and application developers are putting in place?
- What information does Google collect via Glass and what information is shared with third parties, including application developers?
- How does Google intend to use this information?
- While we understand that Google has decided not to include facial recognition in Glass, how does Google intend to address the specific issues around facial recognition in the future?
- Is Google doing anything about the broader social and ethical issues raised by such a product, for example, the surreptitious collection of information about other individuals?
- Has Google undertaken any privacy risk assessment the outcomes of which it would be willing to share?
- Would Google be willing to demonstrate the device to our offices and allow any interested data protection authorities to test it?
We are aware that these questions relate to issues that fall squarely within our purview as data protection commissioners, as well as to other broader, ethical issues that arise from wearable computing. Nevertheless, we feel it is important for us to raise all of these concerns. We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world. We look forward to responses to these questions and to a meeting to discuss the privacy issues raised by Google Glass.
Sincerely,
Original signed by
Jennifer Stoddart, Privacy Commissioner, Canada; Jacob Kohnstamm, Chairman, Article 29 Working Party, on behalf of the members of the Article 29 Working Party; Timothy Pilgrim, Privacy Commissioner, Australia; Marie Shroff, Privacy Commissioner, New Zealand; Alfonso Orà±ate Laborde, Secretary, Data Protection, Federal Institute for Access to Information and Data Protection, Mexico; Rivki Dvash, Head, Israeli Law, Information and Technology Authority; Hanspeter Thà¼r, Swiss Federal Data Protection and Information Commissioner; Jill Clayton, Information and Privacy Commissioner, Alberta; Jean Chartier, President, Commission d’accès à l’information du Québec; Elizabeth Denham, Information and Privacy Commissioner, British Columbia.