Ex-Google Engineer: “I Think There’s Too Little Consumer Fear”

Last October, when Brian Kennish read that Facebook was transmitting personal IDs to Internet tracking and advertising companies through popular Facebook applications, the Google engineer went home and spent the next 2.5 hours writing a browser extension that blocked Facebook Connect functionality.

Kennish thought “50 people might use this thing,” but within two weeks, 50,000 people were using it. Sensing opportunity, and wanting to do more to combat privacy infringement, Kennish left a seven-year career at Google and struck out on his own.

Today, the native New Yorker is running Disconnect, a San Francisco-based startup whose software blocks third-party data collection from Facebook, Google, Yahoo, Twitter and other companies that are constantly gathering user information. He’s also in the process of raising roughly $1 million in seed funding to help market the software and expand Disconnect’s scope, including through a premium app now that’s “heavily privacy related and that will be downloadable some time in the next six months.” (He isn’t talking details just yet.)

Yesterday, I caught Kennish at his South of Market offices to learn more. Our conversation has been edited for length.

How many people are using Disconnect at this point, and using what browsers?

They’re [accessing our software through] Chrome and RockMelt — which is really Chrome underneath — and Firefox and Safari. The numbers are currently 170,000 weekly downloads on Chrome. Firefox is very early stage – we put it up a week ago and haven’t promoted it at all. And Safari doesn’t provide reporting [so we don’t know how many users have downloaded it].

You’ve done some research to support your case for downloading Disconnect. What are some of your findings?

Well, we know for example that when you go to Yahoo.com, your data is being shown to 75 different third parties. But you can’t tell what the sites are doing with your data unless you read through their ridiculously long privacy policies. We’re actually developing five icons to help describe what their policies are.

Like the kind of colored icons that we now associate with airport security?

Right. Green is relatively better than orange, which is relatively worse. The basic idea is that if these things become universal, it will be easier to distinguish what the sites are doing. So we’re laying a database on top of the top 10,000 sites that tells us how many third parties are involved in each site and where your data is going. And we’ll publicly released it [to work on] all the browsers, so the privacy icons will appear on the sites you’re visiting.

How are you compiling the information? You aren’t reading through all these companies’ privacy policies.

Actually, one person on our team is a former lawyer and he was our guinea pig for turning [some of these policies] into icons and he was like, ‘So many of these privacy policies, I don’t even understand.’ So we’re doing it through crowd-sourcing, via a Wikipedia-like platform, where users can go through a privacy policy and choose the icon that best corresponds with it.

Is this really a fight that consumers can win? You develop Disconnect, then someone develops a widget that gets around it. It seems like an endless arms race.

I think the advantage we have is the ability to be more agile technically than third parties, because we’re building these automated systems to detect what they’re doing. We can easily see where the underlying data is going, whereas third parties, in order to change what they’re doing, have to change their tagging structure, which is a manual process that takes a long time. So we have the ability to detect a lot quicker than they have the ability to change what they are doing.

How big a hardship is it for a user to be profiled? On the upside, we’re being served relevant ads finally.

I think there’s too little consumer fear. In the antivirus business, for example, there are more tangible consequences of getting a virus than getting your privacy somehow violated. It makes it hard to sell privacy protection tools as a result, which is why we’re about controlling your data instead. It’s more proactive, as opposed to asking people to reactively protect their privacy.

What are the consequences of people not protecting their privacy? What’s the worst case scenario?

I’ve been an engineer at DoubleClick and Google – two of the world’s biggest ad and data collection companies — and I personally have no idea what’s happening with our data. I know it’s being collected in tons of places and data exchanges, but ultimately, it’s being replicated in so many places, it’s completely unknown what’s going to happen with the data. I think stuff will get lost, hacked. People talk about your data exhaust. This stuff is going to leak out all over the place. I met with a group product manager from Google after I left the company, and he told me he thought that in 25 years, all the data that Google has right now will be public.

I’m not that pessimistic about it, but I do think what’s considered private data right now will eventually be public – through people forgetting to protect it, engineers forgetting about it–

Others eventually succeeding Larry Page, Sergey Brin, and Mark Zuckerberg…

It’s not even necessarily about a change in leadership. These guys will have market pressure in the future that they don’t now, and their most precious commodity is user data. Facebeook especially looks at it as: we’re collecting as much data as we can, even while we don’t know necessarily how we’ll use it all.

They may be build a new product that exposes what you thought was private data in public ways. It’s not even theoretical. We saw it with Google Buzz. We’ve seen it with Facebook, taking private feeds and making them public because of Twitter.

Is there a balance somewhere? We look at a lot of these sites and don’t pay anything for them, and they need advertising to survive in most cases.

I think the issue is that users are paying for these services, but they don’t necessarily know that they are paying for them and how. It’s unclear how your data is being used to monetize these services. If the services were more upfront about how they were collecting and using people’s data, it would be fine. But I think the vast majority of people don’t know how their data is being used, which makes it a not-quite-fair business exchange.

Which is why not many people turn on the do-not-track features built into their toolbars.

Less than 1 percent of users make the effort. But if you light up a button every time users’ data is being tracked, and you give them an option on their toolbars to opt out, I think you’d see 80 percent opt out, If you make it more prominent [as some legislators are suggesting we should], people will take action.

How has Facebook reacted to what you’re doing?

I got a job offer from Facebook after [creating] Facebook Disconnect.

Did you consider it?

Nope.