Tuesday, July 10, 2012

Google's Privacy Breach: Abnormal Wrongdoing or Normal Wrongdoing?

Today there is news that Google is close to a settlement involving payment of $22.5 million related to its circumvention of the Apple Safari security settings, which let it monitor the web browsing of users who had blocked such monitoring. This very large payment was caused by a small piece of computer code that planted a "cookie" (a tracking file) on devices using Safari, including iPhones. The reason this computer code ended up involving the FTC (Federal Trade Commission) in the US is that privacy rights are regulated by law, so if a user sets the privacy settings on a browser to deny monitoring, it is illegal to ignore this and monitor anyway. (It ought to be difficult as well, but Safari was not programmed securely enough to stop Google.)

Google has stated that the monitoring has not harmed anyone and that it was not done intentionally. This statement will strike many as odd, because it sounds like the excuse of a driver caught speeding: "I didn’t look at my speedometer, and anyway nobody was harmed." Surely there must be a better (and more ominous, for the consumer) reason for the monitoring, because would they otherwise risk a fine of that size?

 A new book by Donald Palmer offers an interesting answer to this question. He looks at different theories of wrongdoing by organizations, and classifies them by whether the wrongdoing is seen as abnormal actions -- done for some benefit and facilitated by slack rules and organizational cultures -- or whether the wrongdoing is seen as an outcome of normal organizational functioning. Of those two types of theories, we are familiar with the theories of abnormal wrongdoing, because it fits our ideas of individuals and organizations calculating the potential costs and benefits of wrongdoing and (if they lack a moral compass) choosing wrongdoing when it benefits them. We are less familiar with theories of wrongdoing as a result of normal organizational functioning, but these theories are interesting because they are likely to explain many kinds of wrongdoing. The idea is that under certain conditions, organizations are likely to commit wrongdoing thoughtlessly and without consideration of benefits – just because their systems lead to such actions.

A number of theories on normal organizational wrongdoing exist, and it would be hard for me to do justice to his excellent book in a short post. I can give an example, however: In an earlier post on the Costa Concordia shipwreck, I asked whether there might be a larger problem of safety routines in Costa shipping. The answer was not clear then and still isn't, but Costa ships have been involved in mishaps later, raising new questions about how they are managed. This would be an example of wrongdoing through faulty administrative systems. Organizations are not always organized (!) well enough to handle the technologies and activities that they operate, and in some cases the gaps in organization lead to wrongdoing through organized carelessness. Google may indeed have broken privacy laws simply because no one thought of checking, most likely because those writing the programs were too separated from those who knew the law. In this case (Google says) nobody was harmed, but the same process can produce much more dangerous results in other kinds of organizations.

Angwin, Julia. Google, FTC Near Settlement on Privacy. Wall Street Journal Asia, July 9.
Palmer, Donald. Normal Organizational Wrongdoing: A Critical Analysis of Misconduct in and by Organizations. Oxford University Press.