Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” – Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you log in to Google with, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc., which together make up a nice profile of your behavior online.

If you slip – once – and search for something which is personal – the name of someone you know, your home address in Google Maps, a nearby store, your email address – then that information is in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account, and if you look it up you’ll probably learn most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services – I like using Google’s services, and I know that one of the things that make them valuable to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy. They just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product), market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much even if you didn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. Add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are, to an extent, conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!” They are, as far as I can tell, a loud but small minority. Sometimes they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you had something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expiring their cookies or perhaps even cleaning their pages with Greasemonkey. Oh well. I say to Google – let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.

  • Ork

    … What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you use to login to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc….

    How do you know that? In fact, I’ve seen this in many texts every time I read about google privacy.

  • Beat the system

    One way to beat Google’s system is to clear your Google cache once you don’t need it, i.e. whenever you log out from Gmail use Firefox’s cleanup agent to clean the cookie and then surf the Internet; this will get rid of any pesky correlation between Gmail and your surfing.

    In any case it is a good idea to frequently clear your cookies, not just Google :) – I remember when it was a word of the day – using cookie cleaners – now it has become something people rarely do.

  • http://arik.baratz.org Arik

    Oh, Hello there, Mr. BTS,

    I can go into the technical discussion of exactly what out of what you’re saying is right and what is wrong.

    I won’t.

    I don’t want to offend you, but, based on your comment, BTS, you belong to group #2 in my categorization. You like your privacy to the extent that you at least know about the problem, and you have some sense of how this is done, technically.

    Does it solve the problem if you delete the cookies? Does it really increase your privacy? Well, it does, to an extent, even though there is more than one way to track you.

    But that’s not the question. The question is – what’s public and what’s private in your life? Do you need EVERY query you make to be private? Or just a very very small minority? I’d wager that the latter is right.

    So let’s assume that you’re interested in your privacy. Is your interest served by preventing Google from correlating your GMail account with your search queries? Well, that depends.

    Let me present a rather radical view of privacy here, which is probably worthy of a separate post. You want some of your private information out there. I know it sounds counter intuitive, but let me elaborate.

    The actual information is not the only measure by which information can be gleaned about you. The fact that you have no private information about you stored in Google is private information. Think of it as a traffic analysis attack on your privacy.

    Today most people have a lot of private information out there about them. If you are an internet user, it is expected of you to have mail that you wrote to newsgroups, posts to forums, comments to blogs etc. available online. It is expected of you to have a Google profile, a doubleclick profile (now part of Google), a browser history, cookies, etc. because that’s what the average user does.

    The lack of that information is also a piece of information, and a very significant one: The famous “you have something to hide so you’re guilty of something” logical fallacy. To put it more mildly, you lack the normal Internet fingerprint an average user has. You are no longer noise as far as traffic analysis goes, you’re data. Part of privacy is the ability to remain anonymous. If your traffic is anomalous, you are no longer anonymous. You’re visible.

    – Arik

  • http://www.BeyondSecurity.com Aviram

    Arik, in that case the solution might be to create a firefox plugin that runs random searches on both common and esoteric topics – kind of like the random “anti-echelon” signature that was popular a few years back. This will create enough random noise to drown your fingerprint.

    Come to think of it, I think I read something about it once. If only I could use google on my brain to find out where it is :-)

  • http://arik.baratz.org Arik

    Ork,

    Keeping all queries together is a no-brainer. If you have a single cookie for all the queries, they’re tied together.

    The links you click are a little more difficult. For this you have to look at the actual code a search result generates. If you examine the source and wade through the obfuscation, you’ll see that each link has an “onmousedown” action, like this:

    return rwt(this,'','','res','1','blahblahbase64_morebase64','&sig2=evenmorebase64')

    And if you look at the rwt function definition, you’ll see that it actually MODIFIES the target URL of the a tag it is in. All this happens when you’re logged in to your account. When you’re not logged in it does something else; I need a JavaScript expert to decode this one, it’s a little more involved and the function name is clk.

    In fact, here’s a test you can easily perform on your own, without performing any packet-capturing. It works great with Firefox 2.0.0.6 on a mac:

    1. Search google for something, get the result page (while you’re logged in)
    2. Disconnect from the internet
    3. Click on a result, watch your browser status bar.

    As for other services… I’ll leave it as an exercise to the reader. Wireshark is your friend.

    – Arik
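    The disconnect-and-watch-the-status-bar test above can be automated from the browser console. The following is an added example, not code from the original post or from Google: it snapshots every link’s href, fires a synthetic mousedown (which runs onmousedown handlers such as rwt without navigating), and reports the links whose href changed. Pass the real `document` in a browser; the fake results page below is constructed only so the same function runs offline in Node, and the tracker URL and `sig2` value in it are placeholders.

```javascript
// Added example (not from the original post or from Google): audit a page for
// "rewrite on mousedown" link tracking. In a browser console call
// findRewrittenLinks(document); the fake page below is a constructed stand-in.

function findRewrittenLinks(doc) {
  const rewritten = [];
  for (const a of doc.querySelectorAll('a[href]')) {
    const before = a.getAttribute('href');
    // A synthetic mousedown runs onmousedown handlers but does not navigate.
    a.dispatchEvent(new Event('mousedown', { bubbles: true, cancelable: true }));
    const after = a.getAttribute('href');
    if (after !== before) rewritten.push({ before, after });
  }
  return rewritten;
}

// --- Constructed stand-in for a results page (offline runs only) ---
class FakeAnchor extends EventTarget {
  constructor(href) { super(); this.attrs = { href }; }
  getAttribute(name) { return this.attrs[name]; }
  setAttribute(name, value) { this.attrs[name] = value; }
}

function buildFakeResultsPage() {
  const tracked = new FakeAnchor('https://example.org/article');
  // Hypothetical tracker: on mousedown, swap the target for a redirect URL that
  // logs the click, the way the comment describes rwt() modifying the <a> tag.
  tracked.addEventListener('mousedown', () => {
    const orig = tracked.getAttribute('href');
    tracked.setAttribute('href',
      'https://tracker.example/url?q=' + encodeURIComponent(orig) + '&sig2=PLACEHOLDER');
  });
  const plain = new FakeAnchor('https://example.net/plain'); // no handler, stays as-is
  return { querySelectorAll: () => [tracked, plain] };
}

console.log(findRewrittenLinks(buildFakeResultsPage()));
```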

  • http://arik.baratz.org Arik

    Hey Aviram, What’s up?

    Again, what is the result you want to achieve?

    1. Who’s your adversary?
    2. What do you want your adversary to see? What don’t you care that your adversary sees?

    My personal answer to question #1 is – currently no one, but I don’t want information about me that I consider very private to be stored in an archive for future retrieval, just because I’m paranoid.

    #2 is easier now:

    I don’t really care about my day to day interests. I don’t care that people know I’m interested in hacking, in security, in privacy, in flying, in python, in internet infrastructure, in TCP, in NLP, in encryption, etc, etc – and this list of subjects I brought up was extracted from my Google search history. This is a normal activity for a guy my age who is a computer professional with a couple of expensive habits. Hey, I write most of that in the resume. This is not ‘interesting’ data about me, it’s not really private. It’s part of the noise – because everyone has that.

    As for information I don’t want people to know – like my red shoe fetish Craigslist ads, my natural hemorrhoid cure search and ways to sneak my 500kg of platinum across the border – these I search, as I mentioned, with a different browser, coming off a different IP, no cookies, no login to my Google account, etc.

    Now this is not foolproof. If you have enough resources (like the government) you can still correlate that traffic to me too. But at least the guys who have access to the Google database don’t. And considering where I live, there is a distinct chance that one of those is my next door neighbor and that they don’t like my taste in music.

    I can see no advantage of a random query tool. In fact, running random queries is another interesting datum about a person. Had I been Google I would look for these and scrutinize them closely. This is not normal user behavior. You want to be anonymous, you want to remain below the noise level, so you have to behave like a regular user.

    Another advantage is that you don’t have to continually be in ‘privacy mode’. You can relax and live your life, and be careful only when you really want to make what you search for private. It’s a small portion of your life, so you don’t have to be in that state of mind a lot, which makes life easier.

    – Arik

  • http://www.BeyondSecurity.com Aviram

    You have a good point with “Who’s your adversary”. I guess a part of the problem is that information can be kept almost forever, and who knows what someone will be able to use it for 20 years from now.
    So maybe the key is to force google to delete the data after 6 months? It won’t solve the problem of staying below the noise level, but it will considerably lower the chance of abusing this information without you realizing what’s about to happen and taking measures to stop it.

    I’m not trying to be a “type 2” person, it’s just that I do want to play but I want to keep my privacy too.

  • http://arik.baratz.org Arik

    Aviram,

    Specifically, Google say that they delete all non-aggregate information after 18 months. The problem is that you can’t really trust anyone (see, see that paranoia taking over?), hence my group 3 definition: Either don’t play, or come to terms with the fact that once out there, the information is not under your control anymore, so you better make sure what you write is what you want to write.

    – Arik