AFTER GOOGLE announced Monday that it would begin removing Internet addresses from web search records after only nine months instead of its former 18-month retention period, it drew praise for that reform from European Commission privacy regulators and the press.
The only problem is that Google's announcement was just a ploy to deflect criticism and its web search archives will still contain data identifying individuals' online search activity for at least 18 months.
Because Google's initial announcement was rather vague and tentative as well as very light on implementation details, a Cnet reporter contacted Google requesting more information. As he put it, Google's reply was "extremely interesting." In an email response, Google said:
"After nine months, we will change some of the bits in the IP address in the logs; after 18 months we remove the last eight bits in the IP address and change the cookie information.
"It is difficult to guarantee complete anonymisation, but we believe these changes will make it very unlikely users could be identified."
Doesn't sound positively reassuring, does it?
Looking into how Google "anonymises" users' web search records reveals that its claims are nothing more than a sham, and that it retains enough data to track users for years.
When a wibbler uses Google to search the web, Google stores their unique Internet Protocol (IP) network address, the search words they entered, and their unique "cookie" identifier. (A "cookie" is a record sent by a website and stored by the user's web browser. The cookie identifies the browser and may retain additional information between a user's visits to that website.)
Google's current policy is that it "anonymises" users' IP addresses and cookies within its archived logfiles after 18 months have elapsed.
However, Google's method for supposedly "anonymising" users' IP addresses is simply to clear the last eight bits of each address, according to information it has revealed publicly.
Since an IPv4 network address consists of only four bytes (32 bits), deleting the low-order (rightmost) eight bits doesn't remove much information. The address block belonging to the user's Internet Service Provider (ISP) is certainly still identified by the data retained.
Google has never said how it supposedly "anonymises" the cookie identifiers it retains, so it's at least possible that Google merely says it scrubs cookie identifiers, but really doesn't.
Now, Google's clarification of its recent announcement states that it will change "some" -- but by implication fewer than eight -- IP address bits that it retains after only nine months. It says that it will still strip the last eight bits off the IP addresses it retains after 18 months.
But Google has not said anything about anonymising the cookie identifiers it retains in its logs after nine months have elapsed.
Changing a few bits in users' IP addresses means nothing if Google doesn't also clear or non-reversibly encrypt its users' cookie identifiers at the same time to render their search records truly anonymous.
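The argument above can be checked on a toy log. The following Python sketch is an added example, not code from Google or from the original article; the record layout, the cookie IDs and the addresses (taken from documentation ranges) are constructed for illustration. It clears the last eight bits of each IP address and then compares what can still be grouped when the cookie identifier is kept and when it is scrubbed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (ip, cookie_id, query); addresses are from
# documentation ranges and the cookie IDs are made up for this example.
LOG = [
    ("198.51.100.23",  "c-7f3a", "cheap flights"),
    ("198.51.100.23",  "c-7f3a", "hotel lisbon"),
    ("203.0.113.77",   "c-7f3a", "symptoms rash"),    # same browser, other network
    ("198.51.100.201", "c-19be", "football scores"),  # different user, same /24
    ("203.0.113.5",    "c-e002", "tax forms"),
]

def clear_last_octet(ip):
    """Zero the low-order eight bits of an IPv4 address, keeping the other 24."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & 0xFFFFFF00))

def anonymise(records, scrub_cookie):
    """Mask every IP; drop the cookie ID only when scrub_cookie is True."""
    return [(clear_last_octet(ip), None if scrub_cookie else cookie, query)
            for ip, cookie, query in records]

def group_queries(records, field):
    """Group queries by one surviving field (0 = masked IP, 1 = cookie ID)."""
    groups = defaultdict(list)
    for rec in records:
        if rec[field] is not None:
            groups[rec[field]].append(rec[2])
    return dict(groups)

if __name__ == "__main__":
    kept = anonymise(LOG, scrub_cookie=False)
    scrubbed = anonymise(LOG, scrub_cookie=True)
    print("cookie kept, per-cookie histories:", group_queries(kept, 1))
    print("cookie scrubbed, per-cookie histories:", group_queries(scrubbed, 1))
    print("cookie scrubbed, per-/24 groups:", group_queries(scrubbed, 0))
```

With the cookie kept, the three searches made by one browser stay joined into a single history even though they came from two networks. With the cookie scrubbed, the only remaining grouping is the /24 block, which mixes searches from different users.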
The cookies Google presents to web browsers reportedly persist for two years, and their expiration dates are reportedly updated every time a user visits a website run by Google.
What Google plans on doing means that it will still be able to track its users' web search histories longer than nine months. And if, as one might be forgiven for suspecting, Google never clears users' cookie identifiers, then it can track them forever.
Without clearing its users' cookie identifiers, Google's widely praised, supposed "reform" of its individually identifying data retention practices is meaningless, and no true reform.
The European Commission, other citizen privacy advocates and the traditional press that applauded Google's so-called "reform" of its data retention and privacy policies ought to withdraw their praise as premature and unwarranted, and haul Google in for questions.
"Don't be evil," indeed. µ
How to remake cookies from scratch:
8 bits = 1 byte of a number 0-9
Place in an uncovered Google and re-bake to recover.
Google supposes that Joe Average European Commissioned public is a great un-scrubbed naivete.

a little leaven cakes!

I guess this is why they make the big bucks.
There are two meanings to "last 8 bits". One would be the only 8 bits that remain. The other would be the 8 bits that appear last in the decimal form of the IP address.

It seems that what Google is saying is that even after 18 months, all they will remove is the last 8 bits. After 9 months, they'll modify some of those 8 bits (perhaps, say, randomly flipping 3 of them, perhaps obscuring the last 2, we don't know).

All said, this is very, very little from Google.

Now, you can configure your browser not to keep cookies across sessions. You can use proxies. You can do all kinds of things to obscure your private information. But the problem is that these things have a cost and you often don't know that you need privacy until something happens.

Your searches on poisons and chemistry may have been for only your own personal interest. But if you later find out someone's trying to frame you for murder, you may suddenly care very much whether they can be traced to you.
I imagine they also save your computer processor number if it's there, your screen resolution, O/S, etc, etc - quite a bit of extra data to help make the connection if they feel like it.
Just think of Google as a continual, effortless consumer survey. All they want to know is what it will take to trigger your purchase response for more goods and services, so they can keep increasing their ad rates.

It would also help if you'd use both Google Search and Gmail for a little cross-referencing, but so far some of you haven't been playing along.
Excuse me, but since the cookies are on YOUR computer and are manageable by YOU, it's not them retaining it if it's still there after 9 months but you. Simply set the Google domains (make sure you got all of them) to only allow session cookies and they are gone each time you close your browser.
But yeah it's interesting, but the article is a bit confusing, to quote:
"after 18 months we remove the last eight bits in the IP address and change the cookie information."
Now aren't the last 8 bits the ones you claim are deleted first? They are in my definition of last, if you have an IP 111.222.333.444 I'd call 444 the last bits/byte, in which case they delete others first.
Anyone want to bet the NSA and its equivalents have a daily full backup of all worldwide traffic in detail just waiting to be searched on demand, backed up forever....?

This is redundant for a Google power user; all this info is available if you have the storage space or the inclination, which the NSA, CIA, Interpol etc. certainly do.

The moral of this story: stop thinking big brother is not watching your every move and behave :P
All your user websurfing data are belong to us
Ok.... so how can anyone keep privacy being online? It's almost impossible. And anyway if you use Google, what prevents him from saving your data? It keep on every site you visit a privacy policy, has anyone ever read it? And EVEN if you read, what if they simply throw it thru the window out and keep on milking your data for eternity? What will prevent that? Privacy is an UTOPIA.
"The address-block belonging to the user's Internet Service Provider (ISP) is certainly still identified by the data retained."

Thousands of people are connected to same ISP, so it doesn't quite matter.