Google Earth has all of the user-friendly functionality that we could possibly use, and the price is right: free. However, I have been unable to confirm that Google does not or will not save metadata entered into Google Earth KML/KMZ files. And to complicate matters, members (in my stake, anyway) are already using the service with lds.org's CSV membership dump feature.
Here are the issues: Some members have a (reasonable) expectation that their contact information is held with fiduciary confidence, even when part or all of it may be available through other public or commercial sources. Some members have a legitimate need to keep their contact information private (such as those with restraining orders, or law enforcement, or minors). I don't think a single member would expect that by choosing to share their personal information with the Ward Clerk, that they run a risk that their information (or their children's information) could end up in the hands of a major data miner, such as Google. But this is the very risk members are now running.
How Google Earth Works
A user downloads the Google Earth client program onto their computer. A subscribing Google Earth customer may create Keyhole Markup Language (KML or KMZ) files (using Google's services, or other third-party services), which are XML data files that overlay onto Google maps to create placemarks and boundaries based upon address information. They may also include other metadata such as names, phone numbers, ID numbers, notes, etc. They can be created from comma-delimited (CSV) files, which are output by MLS and the lds.org ward/stake websites.
When you use Google Earth, the client computer reads the KML files, and requests the relevant maps from the Google Earth server.
Summary
Using Google Earth presents three potential threats to members' personally identifiable information: First, Google servers (or another third party) may store and capture the information when creating the KML/KMZ files. Second, Google servers may upload, capture, and store the information when the Google Earth client reads the KML data and requests the relevant maps from the Google Earth server. Third, since Google Earth is so powerful, user-friendly, and useful, it may encourage clerks/members to make and distribute larger numbers of KML/KMZ or CSV dumps.
Using the guidelines listed below, I think you can reduce or eliminate the risks. However, enforcing them is impossible, especially since members have access to their own CSV dumps.
Assumptions
- The Church of Jesus Christ of Latter-day Saints (and its agents), owe members of the Church sacred fiduciary duties of the highest order.
- One of these fiduciary duties is to not release potentially private or sensitive information to any third parties. This information may include names, addresses, and phone numbers.
- Church members have a reasonable expectation that agents of the church will not disclose personally identifiable information about them to third parties.
- Church policies dictate that member contact information be used only for church-related purposes.
Privacy Concern: Third Parties Harvesting Membership Data
It is manifestly inappropriate under any circumstances for the Church to become a donor of personally identifiable information to a major data miner, such as Google. If Google harvests information, it may theoretically occur at two times:
- When the user first creates a KML file from a CSV file, if a remote server creates the KML file.
- When the client computer uses the KML file to request maps from the Google Earth server.
Google and Google Earth's End User License Agreements (EULAs) and privacy policies are carefully silent about whether Google Earth reads or stores KML information on remote servers; they leave open the possibility that they may currently harvest the information, or may choose to do so in the future. I e-mailed Google Corporate several weeks ago, but have not yet received an answer to this question. However, I was able to find two online conversations between Google Earth users and engineers:

    [User]: Does the application send my placemarks and my travels… to the Google servers?

    [Google Engineer]: MyPlaces is stored in a local file called myplaces.kml and is not sent over the network. Only items explicitly shared with GEC or posted on the public internet will be visible to the Google search engine…. (http://bbs.keyhole.com/ubb/showflat.php ... ain/325243)

In the next conversation, a business owner with proprietary information was afraid that Google would retain it on their servers, and requested a confidentiality agreement. He got this answer from a Google engineer:

    ...as for the privacy concerns, as long as you don't post your [KML files online]… no one can see them.

    …Just because your data is viewed in Google Earth doesn't mean you're 'sharing' it with Google or anyone else on the Internet. Your data can stay safely behind your firewall, or your own laptop, etc. (http://bbs.keyhole.com/ubb/showflat.php ... ain/481105)
Though these statements are not in an official corporate document, I tend to believe them. Google has many business clients with sensitive and proprietary data, each of whom pays several hundred dollars for Google Earth Pro. If Google collected their proprietary data, and these businesses found out, they would instantly drop the service, causing Google to lose a lot of money.
In addition, Google includes this somewhat helpful hint in their official documentation:

    A KML file is processed by Google Earth in a similar way that HTML and XML files are processed by web browsers. Like HTML, KML has a tag-based structure with names and attributes used for specific display purposes. Thus, Google Earth acts as a browser of KML files.

    ...[The] benefit of this is that images are self-contained in the file and do not need to be hosted on a network server, as with KML 1.0. (http://earth.google.com/kml/kml_intro.html)
For these reasons, I believe that Google servers do NOT read or capture KML information, other than which map view you request.
Privacy Concern: Data Proliferation
The second privacy issue is increased data proliferation. Because computer files are so easy to share, copy, and lose, MLS strongly discourages creating CSV files, except by an administrator, and only for authorized church purposes. However, lds.org allows all members to create CSV membership data dumps, which are easily shared via e-mail. E-mail is more secure than posting information on a website, but less secure than many other forms of data transfer.
Summary & Guidelines
Despite my questions, our stake (and a few of our members) have wholeheartedly adopted Google Earth, without answering the questions about privacy. I submitted the following guidelines to my stake, which were largely rejected in practice, and are virtually impossible to enforce, anyway.
- Find out if Google harvests KML data.
  - If it is not doing so now, Google may choose to harvest KML data in the future. If this occurs, members and clerks must cease using Google Earth immediately.
- When converting CSV files to KML and KMZ files, the client computer should be disconnected from the internet. If this is impossible, members and clerks must create additional safeguards (such as splitting the name from the address).
  - This will ensure that the client is not communicating with a remote server, and that a remote server is not creating the KML/KMZ files.
  - It is impossible to enforce.
- Members and clerks should not use Google Earth on personal or work computers connected to the internet.
  - A good idea, but impossible to enforce.
- KMZ files should not be widely distributed.
  - A good idea, but impossible to enforce.
  - Members/clerks should do their best to delete sensitive files from thumb drives and inboxes.
- KMZ files should contain ONLY basic contact information.
  - Do not include additional information, such as Membership Number, Confirmation Date, etc.
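The two guidelines that a clerk can actually act on are converting the CSV to KML on the local machine and keeping only basic contact fields. The following is an added example (not code from the original post, and not a Google or lds.org tool) that does exactly that: it builds the KML with the standard library, no network involved, keeps an allow-list of columns, and then checks the output against the CSV's sensitive columns so a stray Membership Number or Confirmation Date cannot slip into the file. The CSV below is constructed sample data; the column names are assumptions about the dump format.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of a membership CSV dump (not real data). The last three
# columns are the kind of metadata the guideline says must NOT reach a KMZ.
SAMPLE_CSV = """Name,Address,Phone,Membership Number,Confirmation Date,Birth Date
Doe Family,123 Example St Springfield XX 00000,555-0100,000-0000-0001,1999-01-01,1970-01-01
Roe Family,456 Sample Ave Springfield XX 00000,555-0101,000-0000-0002,2001-05-05,1980-02-02
"""

# Allow-list: only basic contact information is copied into the KML.
ALLOWED_FIELDS = ("Name", "Address", "Phone")
# Columns we expect in the dump that must never appear in the output.
SENSITIVE_FIELDS = ("Membership Number", "Confirmation Date", "Birth Date")


def csv_to_kml(csv_text: str) -> str:
    """Build a KML document locally from CSV text, keeping only ALLOWED_FIELDS.

    Uses the KML <address> element so the client can place the point; nothing
    is sent anywhere by this function.
    """
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for row in csv.DictReader(io.StringIO(csv_text)):
        kept = {k: row[k] for k in ALLOWED_FIELDS if k in row}
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = kept.get("Name", "")
        ET.SubElement(pm, "address").text = kept.get("Address", "")
        if kept.get("Phone"):
            ET.SubElement(pm, "description").text = "Phone: " + kept["Phone"]
    return ET.tostring(kml, encoding="unicode")


def leaked_fields(kml_text: str, csv_text: str) -> list:
    """Return (column, value) pairs from SENSITIVE_FIELDS found verbatim in the KML."""
    leaks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in SENSITIVE_FIELDS:
            value = row.get(field, "")
            if value and value in kml_text:
                leaks.append((field, value))
    return leaks


if __name__ == "__main__":
    kml_out = csv_to_kml(SAMPLE_CSV)
    print(kml_out)
    print("leaked sensitive values:", leaked_fields(kml_out, SAMPLE_CSV))
```

Run it with the machine's network disabled, as the guideline asks, and save the printed document as a .kml file for the client to open.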
Here are a few stupid anti-privacy arguments that have been raised explicitly or implicitly, again and again.
Stupid Argument 1: "It's already out there..."
No, "it's" not. First, take the obvious examples I gave earlier: victims of domestic violence, law enforcement, or minors. Their personal information is NOT already out there.
Second, "it" is a whole lot more than an address. "It" includes religious affiliation, and may include metadata such as Full Name, Phone Number, Membership ID, Confirmation Date, Birth Date, Family Members, etc. Even if some or all of the information is "out there," it may not be connected to an individual. The Church should not be in a position to connect the dots for data miners.
Stupid Argument 2: "There is no such thing as Privacy, anyway..."
We live in a world where market forces have significantly eroded traditional notions of privacy, and individuals have much less control over how some personal data is shared. There are two ways to psychologically cope with decreasing control: some continue to try to exercise control, and others take an "if you can't beat them, join them" attitude, which is almost defeatist in nature. This argument simply identifies the speaker as a defeatist.
The point is, there is such a thing as privacy. There are such things as fiduciary duties. There must be, even in a connected and fluid world. Privacy and fiduciary relationships are the basis for institutional trust, which is arguably one of the church's most valuable assets.
Stupid Argument 3: "The Church condones it, because they provide the tools to allow it to occur..."
This is a reference to the CSV dump option on lds.org. I reject the notion that creating a tool condones abuse of it.
Stupid Argument 4: "Everyone can do it, so it doesn't matter if I do, too..."
This is a classic variation of "Everybody's doing it..." Really, this argument is a restatement of, "If my actions cause damage, you won't be able to trace the damage to me."
Stupid Argument 5: "It's no different than..."
Fill in the blank with "...e-mailing an Excel file," "...printing a Stake membership directory," "...mailing an announcement to the ward," etc.
If Google Earth does not harvest data, then I agree wholeheartedly that no harm is done. However, sharing membership information with a data miner is drastically different from any of these examples.
Anyway, I just wanted to put these thoughts out for comment and discussion. I'm certainly no technophobe, and I love Google Earth's functionality. I'm just concerned that we're making important privacy policy decisions without a discussion.
-Aaron Titus