This raises a question. By adopting the various policy changes mentioned, does Google now have an ability to evaluate the veracity of user information associated with accounts?
This possibility arises from the well-known ability to re-identify individuals by linking disparate data sets. E.g., Sweeney (2000) examined de-identified health records and voter lists and showed that, by cross referencing three user attributes (i.e. DoB, gender, and postal code), 87% of the U.S. population could be uniquely identified. That basic method was repeated as recently as 2010, when Koot, Noordende, & de Laat showed that 99.4% of the Dutch population could be unambiguously identified in the same manner.
As illustrated, by combining certain attributes about its users with other available data sources, Google can likely determine with a high level of certainty whether the user attributes associated with an account match attributes in other authoritative data sets. For example, Google can likely verify whether the “real” name a user associated with an account is actually a name (as represented in some authoritative data set) or just another pseudonym.
To be clear, Google is not requiring a user to enter personally identifiable information to register an account. One can still submit fictitious data and ostensibly maintain an anonymous Google account. The point is they probably know its fictitious. Given Google’s known interest in becoming an identity provider and that it is one of a handful of IdPs certified for providing access to certain low-level U.S.G. agency services online, Google has likely designed a pretty good way to determine the veracity of information provided by users. This should not be a surprise. Being able to scale this capability to the size of Google’s user base is fundamental to growing its identity and other lines of business (e.g., advertising). Nonetheless, it should also raise flags for privacy advocates about the need to govern online identity and attribute providers and the information they handle.