Patriot Act Haunts Google Service

The Globe and Mail has an interesting piece taking a look at Google's latest headache, the US Government. Many people are suddenly deciding to spurn Google's services and applications because it opens up potential avenues of surveillance. "Some other organizations are banning Google's innovative tools outright to avoid the prospect of U.S. spooks combing through their data. Security experts say many firms are only just starting to realize the risks they assume by embracing Web-based collaborative tools hosted by a U.S. company, a problem even more acute in Canada where federal privacy rules are at odds with U.S. security measures."

Time for google.ca?

[argent]

Time for Google to move to Vancouver?

Re:Time for google.ca?

[Ogive17]

I think the bigger issue is how much information google is actually storing. I don't care if Canada's government respects the individual's privacy more.. the temptation is there for future abuse.

I'm not one that usually gets paranoid and I hate conspiracy theories.. but google worries me. Even if they never do anything wrong as a company, it just takes one person with bad intentions to make all that information public.

There is something wrong with a company that wants to be everything to everyone. (look at Microsoft)

Re:Time for google.ca?

[iminplaya]

Or google.cx?

Only a small step away from goatse..

Re:Time for google.ca?

[Sancho]

Since the article is about collaboration tools (like Google Docs and mail), I certainly hope that Google is storing the relevant information!

As for other information (such as who is searching for what), well they're probably not storing significantly more than Yahoo or MSN. Google's just one of the more popular targets because they're pretty highly visible.

The Patriot act says that, under certain circumstances, a service provider may not notify its customers that they've released their records. That's one of the biggest issues here--companies want to know if their documents are being viewed.

Re:Time for google.ca?

[xmedar]

Cayman Islands would be better, make Google a bank there and users account holders (with a zero balance of course) and all the data would be covered by the Caymans banking laws, any snooping would get the perp extradited and charged with breaking the bank secrecy laws.

Re:Time for google.ca?

[osu-neko]

Yup. Last time we invaded Canada, they kicked out asses back across the border. Although we did manage to burn down the Parliament in York (now Toronto) before leaving. :)

It's interesting, what they do and don't teach you about the War of 1812 in American schools. Like the fact that, oh, you know, we lost? Sure, we won a few nifty battles, but overall we lost the war. They didn't stop impressing our sailors or interfering with our trade because we fought a war over it, they stopped because they'd only been doing it as part of their war against Napoleon, and that war ended. In the treaty that ended the war, we agreed to a return to status quo ante bellum -- basically a big undo button: things were to return to exactly the state they were in before the war. But the British had been fine with the state of things before the war, we're the ones that had a list of demands for things to change. In the end, we agreed to no change. We did that because the alternative being argued by the other side was for the US to make territorial concessions to Britain. We were lucky we managed to get everyone to agree to just forget the whole thing, and doubly-lucky that the changing circumstances of the world basically obsoleted our original demands.

Don't keep logs

[Threni]

There's no reason why Google (et al) need keep logs of who's doing what. Websites keep logs largely to trace attacks, don't they? Can't they have a standard EFF-approved `we keep logs for 24 hours` policy, after which time they're removed permanently?

Re:Don't keep logs

[vux984]

Of course, they could do quite a bit of this anonymously.

With enough 'anonymous' data you can unmask the identity. A few cases have already shown this.

While they can get some information from the IP address, it's not nearly as useful as information from the Google Cookie.

That's true in theory. In practice its very nearly as good in a great deal of cases. If you sign into gmail from home, they'll be able to link the ip address to the account. So even when you aren't logged in they can attach data to the profile, with a 'liklihood' of being the same, or at least an affiliated person. (affiliated people are likely in similiar demographics...)

Once they have a list of ip addresses you use your account from, you might as well be logged in. Sure it won't be 100% accurate, but the link is strong enough to be useful. And if your dynamic ip address changes, they'll pick you up again next time you log-in.

Proxy servers etc can also help, but even the proxy is useful... if your proxying in from webgate5.marketing.ibm.com that's useful information too. And they still have session cookies.

Even the combination of NAT address + browser + windows size + java version + etc can make a usable session variable. Its more than enough to track a session from page to page, especially on smaller sites, even if they are behind a proxy and have cookies disabled. If that session is at any pointed linked back to a 'authenticated' connection -- e.g. logging into a google app, all your 'supposedly' anonymous surfing can be linked.

Sure if you go to a web cafe and surf around they might not be able to make any useful inferences if you don't login to your gmail, but that's the exception not the rule.

Consider a scenario where two PCs are behind a NAT/Proxy - person X accesses gmail then continues along to a number of other sites: A, B, C, and D. Later on someone else, person Y, behind the same proxy accesses sites E,F,G,H and then logs into gmail. In both cases google can reliably link the history to the correct account.

Over time, someone from behind the proxy visits sites A,B,C on a regular basis. Google can with high probability link all that data to person X, even if its an isolated session that never visited gmail. If someone later visits E,F,H, that data can be linked to profile Y.

Sure it -might- be wrong, but odds are its not. And its right often enough to be worth making these inferences for the purposes of placing targeted ads.

PGP

[Rinisari]

Perfect time to consider PGP.

http://firegpg.tuxfamily.org/

Re:PGP

[26199]

That would be when nasty laws that allow law enforcement to demand cryptographic keys come into play.

These days encryption just makes you a target. Clearly the way forward is steganography :)

Re:PGP

[CRCulver]

It's sad that a decade ago the use of PGP--or at least the possession of a PGP key--was de rigeur among nerds, and now it seems that few nerds know much about encryption. Even if you don't want to harangue all your friends about using it with you, you could at least put a public key on your website and on keyserver so that people have the choice of sending you encrypted correspondence.

"Patriot" act

[iamacat]

What is so patriotic about passing laws that will eventually put US companies out of business in the era of hosted applications while terrorists will simply move their sites abroad?

Here is What is Coming :

This is the new future of Software. Everything will be online. Welcome back to the days of mainframe computing, and paying for services by the minute/email/etc.

Sure, there will be 'Free' services, but be prepared to pay for those in exchange for giving up marketing data.

Think about it, on-line services eliminate piracy, people pay for the services they use.

It works for cellphones, and people accept it.

It works for on-line games, and people accept it.

The Microsoft X-Box , and X-Box 360, and basically test-cases for super-locked down PC's.

Get ready to slowly relinquish control over your PC.

Corporate Espionage?

[SuperBanana]

Many people are suddenly deciding to spurn Google's services and applications because it opens up potential avenues of surveillance.

Um, how about corporate espionage? Nothing, absolutely nothing, stops Google from harvesting everything they can get their hands on- and they have the storage systems and human expertise to do it.

Case and point: I emailed a link to a wiki I had just set up to 3 people, two of whom had Gmail accounts. A spider from Google hit the page hours before anyone else did, hitting the wiki just after I emailed the link out. There were no public links to the site, and no referral URL.

So, let's see: processing your email to show you relevant ads? Check. Processing email to feed URLs to their spider? Check. What else does Google do with your email? Wouldn't it be the greatest tool in their quivver- the "God Google"? Sit down with HipWebShit.com, then an hour after the meeting and see a)How many people search/click on links for HipWebShit b)Who from HipWebShit.com has sent gmail users email (and what it says...), c)Who is talking about HipWebShit from/to a Gmail account period (ie general "valley buz"?

Hint: why do you think Google has so many PhDs? It starts getting creepy when you realize that Google seems to work very hard to keep their employees inside the google campus as much as possible, how secretive their operations are (seriously, nobody can compete with them anymore- it's not like they're guarding the henhouse for competition reasons) and how cult-like the atmosphere is...

Re:Corporate Espionage?

[PS3Penguin]

Or .. its how the gmail anit-smap system tries to find and filter out spam / virus links by tasting what links are sent to gmail recipients and looking for known exploits / spam / etc. Sorry if that was tin-foil-hatted enough :)

POP/SMTP Lets Anyone Read Your E-Mail

[da'+WINS+pimp]

From TFA:

"Mr. Puk says teachers want an in-house system that doesn't let third parties see their e-mails."

Then screw GMail, they better be using encryption anyway! I know most here know this, but someone needs to hit the author and this school's faculty with the clue stick. If you are just using a plain old POP/SMTP client without encryption anyone with access to a packet sniffer can read your email at any point along the route, whether it be in the US or Canada. Its is amazing (read: scary) the number of folks in IT and computer science who don't know this. While we are at it maybe the Canadians better stop using all other unencrypted protocols too...

Re:Don't be evil?

[mOdQuArK!]

Can you imagine what Google could really do if they were utterly unscrupulous about manipulating the political process in their favor?

Every politician who crossed them would have every possible scandal associated with them come up on the front search page whenever somebody was looking for info about them. Politicians who did what Google told them to would have all their scandals banished to the 300th page.

Muck-raking reporters would be mysteriously signed up for Google Alerts on Google-hostile politicians, and might "mysteriously" receive private documents from the hard drives of those politicians & their interns who happen to be running the "Google Desktop" toolbar.

Or some hacker might "discover" how to get the search histories of selected politicians, and suddenly the politician has to explain why he keeps searching for child porn photos.

Re:I Propose

[protolith]

I propose Google Subpoena Gpoena - A searchable database of all of the gov't data requests and all associated legal documents, especially what is being requested and why.

The snooping would be greatly curtailed if there was no anonymity for a snooping govt. If every request was made naked in front of the teeming millions only the most vital info requests would occur.

Request for serches from machine No 000.000.000.0000 in relation to ongoing criminal investigation associated with charges of ... ... ... ... would seem legit.

Request for all machines that searched for "TSA" , "Liquid" , and "explosive" for ongoing terrorist investigation would suddenly seem quite dubious without better specifics.

banninated

[troutsoup]

yep, i'm on a couple mailing lists that will not allow people with gmail accounts to sub to them for these kind of reasons.

Re:Are they just NOW figuring that out?

[m.ducharme]

If enough countries get sick of the US' bullying, they could basically tell the WTO to piss off. The WTO is just a bunch of agreements made by world leaders after all. If the EU, and China, and the rest of Asia decided to make the US irrelevant by restricting trade, who'd enforce the embargoes? Hell, China just has to cash in its greenbacks and you're all screwed. What exactly do you think is propping up the American economy right now, other than China, Japan, maybe a few other creditor nations? You don't think the EU would love to see the Middle East receiving payment for oil in Euros? The American gov't has two things going for it: the military, and the world's biggest consumer culture.

The Iraq war is showing everyone what the limits of the US military really are (they can't handle a geurilla war in a country that they'd previously bombed the snot out of for twelve years, despite the best-equipped military in the world), and China and India -- that's 2B potential consumers, kids -- are set to outpace American consumption levels, probably in the next decade or two, less if we're all really unlucky.

You know, it doesn't even matter what the rest of the world does, the US government is well on the way to making your country a backwater anyway. Too bad you're going to take us down with you.

Google - the Ultimate Trojan Horse ;)

'Mark you out?' The fact of the matter is, everything we transmit outside of the firewall is subject to surveillance these days. And most companies have no clue how much of their data is crossing the firewall every day.

Um, no. That's architecture 101, not sure what your experience is, but beg to differ. I mean, consider the headlines when a laptop is stolen or misplaced, or a web site is hacked. Trust me, you may not know the difference, but forward thinking organizations do, sometimes as in the case of this college, a little too late. Well, they can still ditch Google. It's not clear from the article, but what do they need? Google Office? Search capability? Spreadsheet? How hard is that - pick up a copy of OpenOffice for goodness sake. We're not talking Oracle/SAP here are we?

I don't know why people are getting their knickers in a knot over Google, when the main problem lies with the US backbone carriers, who - with only one known exception - have opened their networks to constant and widespread monitoring by US security agencies.

Yes, that's surely a concern also, but that shouldn't minimize this, which is close to providing the same capability, on a company's data that is inside the firewall (or so they thought).

Google at very least had the guts to fight a public legal battle with the Feds over release of even sanitised data.

See maybe it's just me, but handing over the reigns to Google, and depending on their "do no evil" is not a position most organizations want to be in. This strikes me as a Faustian bargain.

The story here may be the danger to companies when they bring these companies inside the firewall, but again, refusing to trust Google is a funny place to start enforcing data integrity. The plain and simple fact is that the greatest threat of corporate data leaks is from staff who, whether through sins of omission or commission, carry sensitive data on laptops, thumb drives, CDs without any protections whatsoever.

Excellent point, as I pointed out above. And I don't know about you, but I do know organizations are working very hard to minimize the impact of lost laptops, such as encryption, etc. But why do you want to compound the error?

I have to conclude, therefore that this is nothing more than a tiny kernel of truth wrapped in chocolatey FUD-ness that PHBs and corporate counsel love so much.

See that seems a bit naive to me. Like the folks that posted all their personal info on MySpace and then are shocked to find it's not that private at all. So I disagree, I think this is a big issue people are a bit clueless about - for now.