Go Ogle Big brother
national |
miscellaneous |
news report
Friday April 18, 2003 23:05
by magog
Go*gle hires spooks
Matt Cutts, a key Google engineer, used to work for the National Security Agency. Google wants to hire more people with security clearances, so that they can peddle their corporate assets to the spooks in Washington.
That's why we nominated Google for a Big Brother award in 2003. The nine points we raised in connection with this nomination necessarily focused on privacy issues. By the time the 2004 nominations are open, we hope that this list will be shorter rather than longer. But don't count on it.
1. Google's immortal cookie:
Google was the first search engine to use a cookie that expires in 2038. This was at a time when federal websites were prohibited from using persistent cookies altogether. Now it's years later, and immortal cookies are commonplace among search engines; Google set the standard because no one bothered to challenge them. This cookie places a unique ID number on your hard disk. Anytime you land on a Google page, you get a Google cookie if you don't already have one. If you have one, they read and record your unique ID number.
2. Google records everything they can:
For all searches they record the cookie ID, your Internet IP address, the time and date, your search terms, and your browser configuration. Increasingly, Google is customizing results based on your IP number. This is referred to in the industry as "IP delivery based on geolocation."
3. Google retains all data indefinitely:
Google has no data retention policies. There is evidence that they are able to easily access all the user information they collect and save.
4. Google won't say why they need this data:
Inquiries to Google about their privacy policies are ignored. When the New York Times (2002-11-28) asked Sergey Brin about whether Google ever gets subpoenaed for this information, he had no comment.
5. Google hires spooks:
Matt Cutts, a key Google engineer, used to work for the National Security Agency. Google wants to hire more people with security clearances, so that they can peddle their corporate assets to the spooks in Washington.
6. Google's toolbar is spyware:
With the advanced features enabled, Google's free toolbar for Explorer phones home with every page you surf. Yes, it reads your cookie too, and sends along the last search terms you used in the toolbar. Their privacy policy confesses this, but that's only because Alexa lost a class-action lawsuit when their toolbar did the same thing, and their privacy policy failed to explain this. Worse yet, Google's toolbar updates to new versions quietly, and without asking. This means that if you have the toolbar installed, Google essentially has complete access to your hard disk every time you phone home. Most software vendors, and even Microsoft, ask if you'd like an updated version. But not Google.
7. Google's cache copy is illegal:
Judging from Ninth Circuit precedent on the application of U.S. copyright laws to the Internet, Google's cache copy appears to be illegal. The only way a webmaster can avoid having his site cached on Google is to put a "noarchive" meta in the header of every page on his site. Surfers like the cache, but webmasters don't. Many webmasters have deleted questionable material from their sites, only to discover later that the problem pages live merrily on in Google's cache. The cache copy should be "opt-in" for webmasters, not "opt-out."
8. Google is not your friend:
Young, stupid script kiddies and many bloggers still think Google is "way kool," so by now Google enjoys a 75 percent monopoly for all external referrals to most websites. No webmaster can avoid seeking Google's approval these days, assuming he wants to increase traffic to his site. If he tries to take advantage of some of the known weaknesses in Google's semi-secret algorithms, he may find himself penalized by Google, and his traffic disappears. There are no detailed, published standards issued by Google, and there is no appeal process for penalized sites. Google is completely unaccountable. Most of the time they don't even answer email from webmasters.
9. Google is a privacy time bomb:
With 150 million searches per day, most from outside the U.S., Google amounts to a privacy disaster waiting to happen. Those newly-commissioned data-mining bureaucrats in Washington can only dream about the sort of slick efficiency that Google has already achieved.
printable version
Digg this
del.icio.us
Furl
Reddit
Technorati
Facebook
Gab
Twitter
View Comments Titles Only
save preference
Comments (8 of 8)
Jump To Comment: 1 2 3 4 5 6 7 8You shouldn't really be using a computer at all should you now. At least you shouldn't be using google or infact 99% of the worlds websites that by default collect some if not all the information you are talking about.
Like anything electronic computers leave a signature. Do you know what interesting software tidbits are in your cellphone? PDA?
If you don't want to be traced or recorded:
1. Try using a public computer at your library or internet cafe.
2. Use encryption software like PGP Freeware.
3. Use a spyware blocker like this one:http://security.kolla.de
Google are here to make money. Don't underestimates peoples acknowledgement of that fact.
Lastly, you can collect all the data in the world you want, but without knowing what you want to extract from it before you start, its really not that useful, just ask doubleclick about their cookie fiasco.
With reference to "1. Try using a public computer at your library or internet cafe.", public libraries where I live keep a log of users and the machines they used. The http requests are mechanically logged, mostly, I suspect, for fear of naked ladies. For all we know, they could have installed a key logger as well.
The thing about cookies which people tend to forget is that while they establish a persistent user identity, they don't connect that identity with anything extrinsic to the web transactions themselves. So, for example, unless you key in your name in a web form on the cookified site, the cookie won't know your name.
One way around this, so far as I can tell, is for the site to use the ip address together with Internet Service Provider ip logs to determine the ISP customer details of the web visitor. This assumes a level of co-operation from the ISP which private companies would be unlikely to obtain. Despite recent legislation to force ISPs to store ip logs for inspection by select government agences, so long as the private and public sectors remain separate, there will be no way of connecting persistent state data with other more personal data.
Inevitably however, with increasing partnership between the private and public spheres, it seems inevitable that that will change. The war on terrorism creates the perfect pretext for such a move. Already we see the beginnings of such a move in the form of a Corporate Security Officer Conference in the US.
"In February, 2003, CSIS brought together Chief Security Officers (CSOs) from major corporations across the United States for a one-day conference to discuss how the private sector can interact more effectively with the federal government on terrorism risks and to compare perceptions and current strategies to reduce threat vulnerabilities."
http://www.csis.org/hs/
http://www.google-watch.org/cgi-bin/proxy.htm
No cookies, no search-term records, access log deleted after 7 days... Trouble is, how do we know that Google-watch isn't being watched by the NSA?
Also, it's always within the user's control to simply delete cookies and even, in the case of google at least, refuse to accept them. More worrying is the storing of server transaction logs which usually include visitor ip addresses. Quite independently of cookies, if used in conjunction with ISP access logs, these can tie an account holder identity to a web transaction history.
Who's to say google-watch isn't a smart piece of COINTELPRO?
I'd be far more worried about things like Carnivore:
http://www.fbi.gov/hq/lab/carnivore/carnivore.htm
than google. And dont think for a second that every single govt. spy / police agency in the world hasn't got something like this up and running.
Why not simply turn off the cookies on your browser?
I was asked about this in an email by a friend. I thought I'd post my comments here aswell. Excuse the length.
1: Google's immortal cookie
Cookies reside on the client computer. If you don't like google's cookie, there are several steps you can take to block it (don't allow
cookies from .google.ie, .google.com etc., frequently delete cookies on your computer etc. etc.). Nearly every site you visit these days will
put a cookie on your computer. Consider, even if these cookies don't live as long as googles, if you visit a site regularly that has a cookie
on your computer, then the site can just replace that cookie with another one after reading the last one. This point is shite -- if users
don't like the idea of google being able to record what they search for etc., then block the cookies. It's up to the user.
2: Google records everything they can:
Google are out to make money. The more they can refine a search for users, the better their service gets. Anyway, there are ways around this
aswell -- delete the cookies (or block them), use a proxy server (that way the IP of the proxy is recorded, and not your IP). That way, the data they collect cannot be traced back to you at all. Again, something that can be combatted on the client side easily enough.
3: Google retains all data indefinitely:
Again, this is related to refining searches to make the engine more efficient for end users. A good point made at the bottom of the page is
that this data is useless to anyone unless they know what they're looking for. What good is this data to (eg.) "the spooks in Washington"? All it can contain is a bunch of cookie id's, ip addresses and search terms. I'm sure they could bullshit and say something like they can find
people who want to build chemical weapons by what they search for, but they still have to find the people after that. And, I'd say terrorists would have more brains than to leave themselves open like that -- as I've already said, most of this information can be obfuscated at the client side by deleting cookies and using proxy servers.
4: Google won't say why they need this data:
Do you really care why google need it? It really can't possibly cause anyone any damage.
5: Google hires spooks:
Once again, I see no problem with who google hire. They're a company -- they'll hire the best person for the job. Where that person worked before google really has no bearing on it does it? Even so, it still comes back to the whole argument of obfuscating the data from the client end.
6: Google's toolbar is spyware:
Unless the toolbar sends lists of files on the computer, sniffs for passwords etc. I can't see how it can be classified as spyware. If all
it does is report back on what pages you've searched using the toolbar (with cookie ID etc.) then it does the same as the search engine. Unless
it follows what you browse, and sends that back -- that would be spying. But, of course, if you use the search engine to find the pages and
navigate to them from there, then it's the same thing really! The only worry I have about it is with it "phoning home" with every page you surf
-- but this is documented and only happens with the Advanced Features turned on. As with the automatic update -- Microsoft do it all the time,
and to a greater extent. This point is just scaremongering.
7: Google's cache copy is illegal:
If it was, then someone would've challenged them on it by now. I do agree it should be "opt-in" for webmasters and not "opt-out", but again, this can be controlled by webmasters with meta tags and robots.txt files (they disallow access to directories in the web directory to web crawling bots that collect terms for search engines).
8: Google is not your friend:
Again, I don't agree with this. I think this is nothing but scaremongering. The only valid point I see here is about webmasters trying to take advantage of "known weaknesses in Google's semi-secret algorithms", but then, I'm of the opinion that only sly underhanded webmasters would look to do this. I don't see why any valid company or website would try this -- the only thing it would do is increase traffic to the website, probably so the webmaster(s) get advertising revenue.
9: Google is a privacy time bomb:
Bullshit -- unless the data can be tracked back to someone, it's useless to anyone other than the search engine itself. Plus, it depends on
cookie ID's to record your tracks -- these can easily be countered by steps I've stated above. I've never given google any personal data, and
it has never asked for any. The only way it could possibly identify me is by cookie ID, which I have deleted several times -- not purposely,
but for testing of websites I was developing (I just deleted all cookies instead of the ones I wanted to test).
So, overall, I think this is just scaremongering. Unless someone can show me how google can identify me without doubt and show me everything I've browsed, I'm in no way worried by this. All the measures google take are to improve their site for end users, and most of these can be blocked by those users if they like (or, by webmasters if they wish also).