When personally identifiable information (PII) that permits the identity of an individual to be directly or indirectly inferred is shared publicly online it poses a grave threat to fraud, financial security, and potentially even to personal safety. Google has recently released a feature that allows individuals to remove such sensitive information from their databases that power its search engine.
The amount of information available on the internet, for a wide swathe of topics has been a boon for the most part. The problems arising from the relatively permanent nature of this information and the inability to verify the authenticity of some information online increasingly becoming more prominent.
The perils of disinformation and misinformation, peddled by a wide range of actors with questionable motives, has now become part of the mainstream conversation. The challenges posed by the permanent nature of information posted online is only now gaining steam.
Is information published online really ‘permanent’?
The vast majority of content published online is publicly accessible, with just the web address. Search engines such as Google and social media platforms such as Facebook, Twitter etc. have become de-facto gatekeepers of the internet, as they help people discover content that is published online (or natively posted on a social media platform).
Depending on a website or social media platform’s configuration and user privacy preferences information published could be public or it can be restricted to only select individuals upon authentication or depending on whether the publisher is ‘connected’ to a reader on a given social media platform.
The permanency of information online arises out of 3 broad factors:
- Indexing by search engines: automated tools known as spiders ‘crawl’ the internet to follow links to discover and index all public content on the internet to help search engines direct traffic to relevant resources for any search query. These indexes contain a cached version of pages as they were when the spider crawled the page
- Indexing by online archives: Websites may be temporary and frequently updated, or never updated and allowed to lapse due to closure of businesses, but online archival tools provide a mostly valuable service by acting as the library of the web
- Screenshots by individual readers: In social media, personal messaging applications and sometimes on the web too, users can take screenshots for sharing updates that may be deleted by the poster. These serve as a dispersed form on saving information that could pose risks when not sufficiently protected or when published online
What are the risks of personally identifiable information published publicly online?
The seemingly virtual nature of information, especially personally identifiable information about individuals makes it likely if not certain that any information about you as an individual, that is published online is likely to be archived by tools such as the Wayback machine. ‘The Internet will always remember’, as the meme goes.
People who are conscious of their privacy or people in highly sensitive roles such as national security, or even public roles such as politicians and journalists have been burnt by the phenomenon of ‘doxxing’. Doxxing is a form of invasion of privacy by sharing information such as residential addresses and contact details of public / semi-public figures with the aim of intimidating them for their views. While public figures are always liable to a higher degree of exposure to scrutiny (as it should be), it could also pose a risk to the families of said people and the sensitive information could be used for social engineering attacks or for even in-person attacks.
Is the solution a right to be forgotten?
In some countries it is known as the right to be forgotten or the right to vanish, in some others it goes by much more technical names but the principle remains consistent – to hand back the power to individuals to control at least some elements of information about themselves that can be publicly accessed online.
As noted above, Google has recently launched a feature that allows individuals to request the takedown of personally identifiable or sensitive information from the Google search engine index. This is significantly different from Google’s other tool which allows website owners to de-list their websites from the Google index and therefore not be shown up as part of its search results.
This newly released tool allows the subjects of the information to be in control of the discovery of the information, without relying on the owners of websites to remove content that may be published online. It is important to note that the use of this Google feature does not necessarily make the sensitive data inaccessible online, it only reduces the likelihood of the discovery of such information.
What information does Google consider ‘PII’?
Tax identification numbers such as social security numbers across several jurisdictions, bank account numbers, credit card numbers, medical records, addresses and personal contact information are some of the details that Google has identified as details that can be removed using this new feature. Google has also mentioned that ‘doxxing’ would be considered as grounds for removal of information, in the presence of explicit or implicit threats.
How does the removal request feature work?
The removal process for PII from Google search needs to be initiated by the affected individual or an authorised representative. The process starts with the submission of URLs and Google searches where the PII is published, using this PII removal request form. The form can accept up to 1000 URLs that can be reported in a one go, and may require screenshots of the PII as displayed on the infringing websites.
Upon submission of the request, an automated confirmation email is sent, and Google will review the request and notify the complainant about any action that is taken. As noted earlier, a successful removal request only removes the information from appearing on Google search results, inhibiting its discovery, and the information may remain available to anyone who possesses the direct URL or a screenshot.
Will this make a difference?
There’s no silver bullet to tackling the problem of PII and doxxing to the broader risks of erosion of privacy online, but this feature is a small step in the right direction from Google. Individuals and companies now have one more tool to help protect themselves better but the deck is still stacked heavily against them, in the face of lax regulations, inaccessible tech giants with immense power and inadequate awareness and education in the general public.
We are also yet to see how quickly Google may act on reports using this tool, and that could make or break the utility of this feature. We at Webnames have always cared deeply about data privacy for our customers and small businesses, and this article is just one small step in helping improve the awareness about tools available to the public to shore up their data privacy on the internet.