Slashdot Mirror


Questioning Google's Privacy Reform

JagsLive makes note of a story questioning whether Google's recent commitment to anonymize IP logs faster is really as good as it sounds. We discussed their announcement a few days ago. CNet's Chris Soghoian takes a closer look: "While the company hasn't said how it de-identifies the cookies, it has revealed in public statements that its IP anonymization technique consists of chopping off the last 8 bits of a user's IP address. As an example, an IP address of a home user could be 173.192.103.121. After 18 months, Google chops this down to 173.192.103.XXX. Since each octet (the numbers between each period of an IP) can contain values from 1-255, Google's anonymization technique allows a user, at most, to hide among 254 other computers. ... Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses. By itself, this is a laughable level of anonymity. However, it gets worse."

134 comments

  1. Well by mindstrm · · Score: 5, Insightful

    Do all those whining about this anonymize their own server logs? Because I sure don't.... they are doing this to keep the mob away, that's it.

    1. Re:Well by Dolda2000 · · Score: 1

      Well, I do let logrotate throw away old logs a lot faster than 18 months, though.

    2. Re:Well by rtfa-troll · · Score: 2, Insightful

      I'm shocked. Terrified in fact. If your site, with all the traffic you see, is keeping logs then we should just completely give up on trying to get Google to improve its privacy policy and make you priority numero uno. After all, what Google knows about the web and its users can probably be stored on one cylinder of one platter of the tiniest server in your data centre which extends to every horizon.

      sorry; which site?

      P.S. if you RTFA, you might find out that Google, whilst maybe not particularly well known to you, is actually quite a big search engine.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    3. Re:Well by TubeSteak · · Score: 4, Insightful

      Do all those whining about this anonymize their own server logs? Because I sure don't.... they are doing this to keep the mob away, that's it.

      What do our server logs have to do with Google's?

      The principle may be the same, but the scale is so vastly different that the practical consequences cannot be plausibly compared to one another.
      Subpoenaing logs for IP 123.456.789 from Google is not the same as getting logs from icanhascheezburger.

      --
      [Fuck Beta]
      o0t!
    4. Re:Well by lysergic.acid · · Score: 4, Insightful

      yea, also i don't think the author of this article understands statistics.

      if Google changes random bits in the IP address even before they remove the last byte at 18 months, that would already make guessing the original IP address near impossible since you don't know which bits were changed.

      if they only changed 1 bit in the entire address, then there would be 32 possibilities, but if they changed 1 bit in each octet, then there would be 4096 possibilities. if they changed 2 bits in each octet, there would be 614,656 possibilities. if they changed a random number of bits in each IP address, then the possibilities grow even larger. and this isn't a login password or encryption scheme. there's no way to brute-force the original IP address from the anonymized IP address even if only a single bit was changed.

      this is just more unwarranted alarmism. google has stated that they are working on developing a method of anonymization that would protect user privacy while retaining the useful characteristics of their log data. frankly, as long as they're not giving up user data to 3rd parties anonymization is a non-issue.

    5. Re:Well by figleaf · · Score: 3, Insightful

      I didn't see any mention of random bits being changed in the article.

    6. Re:Well by Silas+is+back · · Score: 5, Funny

      Subpoenaing logs for IP 123.456.789 from Google is not the same as getting logs from icanhascheezburger.

      I'm not sure whether you're qualified to talk about IPs given this example IP.

      --
      this sig is useless
    7. Re:Well by HeronBlademaster · · Score: 1

      If I were giving a random example IP, I'd certainly choose an obviously invalid one.

    8. Re:Well by Your.Master · · Score: 4, Insightful

      That's kind of the point. We want to make an informed decision about the costs here.

      Without hearing about "this bullshit", you cannot make an informed decision. Imperfect information damages capitalism; and the more imperfect the information, the more damage is done.

      There's also another aspect. Just about everybody wants everything to be better than it is now. This is a way this could be better. So we ask for it to be better. The argument can be paraphrased as:

      A: Good enough is good enough
      B: Yes, but better would be better.

    9. Re:Well by TubeSteak · · Score: 2, Insightful

      I didn't see any mention of random bits being changed in the article.

      Not to mention that, IMHO, 'anonymizing data' is not the same as 'making the data anonymous'.
      Anonymizing data = preventing it from being personally identifiable
      Anonymous data = scrubbed of all context

      http://www.answers.com/anonymous
      3. Having no distinctive character or recognition factor

      You can anonymize data and still retain geographic and/or demographic data.

      --
      [Fuck Beta]
      o0t!
    10. Re:Well by centuren · · Score: 2, Insightful

      +1 Insightful, cuts right to the heart of the matter.

      As Google's presence on the Internet becomes more and more significant, specific details on how their operations can affect us become more important.

    11. Re:Well by RedK · · Score: 1, Offtopic

      Except yours wasn't even a dotted decimal IP, having more than 8 bits in the 2nd and 3rd fields, and lacking a 4th field completely. A proper example would've simply used the reserved address space (anything over 240.0.0.0/4) in which there are no assignments at all. 242.242.242.242 would have been a proper example.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
    12. Re:Well by HeronBlademaster · · Score: 1

      Mine? I didn't give one :P But I see your point, and if the occasion arises I will use an IP in the reserved space as my example.

    13. Re:Well by dw604 · · Score: 2, Funny

      12.34.56.78

    14. Re:Well by Anonymous Coward · · Score: 0

      I don't think so, every online company does that. It's a way to protect users from online fraud. Google does a great job in storing IPs so that the user is protected and any account malpractices can be known by someone other than the original user.

    15. Re:Well by stephanruby · · Score: 1

      Do all those whining about this anonymize their own server logs? Because I sure don't.... they are doing this to keep the mob away, that's it.

      You must have very little traffic, or lots of storage space, I take it.

    16. Re:Well by Hal_Porter · · Score: 2, Funny

      That guy is a hacker and terrorist. DDOS him now.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  2. Who cares about the IP? by compumike · · Score: 4, Insightful

    Everyone makes it much easier than matching IP addresses... As the article discusses, many people use Google logins for e-mail and other services. This is a much more reliable way to track all of your information.

    What I'd like to see is some significant differentiation between logged-in and logged-out states and the level of anonymity that is provided in each case.

    But really, if you're voluntarily storing your stuff on someone else's server with the known understanding that they're parsing it for ad matching, what kind of privacy expectations do you really have?

    --
    Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation.

    1. Re:Who cares about the IP? by TubeSteak · · Score: 4, Informative

      What I'd like to see is some significant differentiation between logged-in and logged-out states and the level of anonymity that is provided in each case.

      There's no difference.
      Google sets a tracking cookie.
      That cookie gets tied to your current IP.
      If you log in, that gets tied to your login name.
      Logging out doesn't undo the log entry saying IP 127.0.0.1 = cookie 34kl5j2345 = compumike@gmail.com

      The spread of google-analytics makes avoiding their tracking cookie all the harder.

      --
      [Fuck Beta]
      o0t!
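The last-octet masking quoted in the story summary and the IP = cookie = login chain described in the comment above, as an added example that is not part of the original thread. The log layout, the sample records, and the assumption that the cookie value is left untouched when the IP is masked are constructed for illustration; the `scrub_cookie` option shows the corrected retention step beside the weak one.

```python
import ipaddress
from collections import defaultdict

FULL_MASK_AFTER_DAYS = 548  # roughly 18 months, the cut-off named in the story

# Constructed sample log: documentation address ranges, made-up cookies and accounts.
SAMPLE_LOG = [
    {"age_days": 600, "ip": "192.0.2.121", "cookie": "c-aaa", "account": None,
     "query": "old search 1"},
    {"age_days": 30, "ip": "192.0.2.121", "cookie": "c-aaa",
     "account": "alice@example.com", "query": "recent search"},
    {"age_days": 700, "ip": "198.51.100.7", "cookie": "c-bbb", "account": None,
     "query": "old search 2"},
    {"age_days": 10, "ip": "198.51.100.200", "cookie": "c-ccc", "account": None,
     "query": "recent search 2"},
]


def mask_ip(ip, bits=8):
    """Zero the low `bits` bits of an IPv4 address (bits=8 turns a.b.c.d into a.b.c.0)."""
    if not 0 <= bits <= 32:
        raise ValueError("bits must be between 0 and 32")
    keep = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & keep))


def candidates(masked_ip, bits=8):
    """How many addresses collapse onto the same masked value: 2**bits."""
    return ipaddress.ip_network(f"{masked_ip}/{32 - bits}").num_addresses


def anonymize(records, bits=8, after_days=FULL_MASK_AFTER_DAYS, scrub_cookie=False):
    """Mask the IP of records older than `after_days`; input records are not modified.

    scrub_cookie=False models masking the IP only (assumption: cookie kept as-is).
    scrub_cookie=True also drops the cookie from masked records.
    """
    out = []
    for rec in records:
        rec = dict(rec)
        rec["masked"] = rec["age_days"] >= after_days
        if rec["masked"]:
            rec["ip"] = mask_ip(rec["ip"], bits)
            if scrub_cookie:
                rec["cookie"] = None
        out.append(rec)
    return out


def audit_linkage(records):
    """Flag masked records whose cookie still ties them to a full IP or an account."""
    by_cookie = defaultdict(lambda: {"ips": set(), "accounts": set()})
    for rec in records:
        if rec["cookie"] is None:
            continue
        if not rec["masked"]:
            by_cookie[rec["cookie"]]["ips"].add(rec["ip"])
        if rec["account"]:
            by_cookie[rec["cookie"]]["accounts"].add(rec["account"])

    findings = []
    for rec in records:
        if not rec["masked"]:
            continue
        link = by_cookie.get(rec["cookie"])
        if link and (link["ips"] or link["accounts"]):
            findings.append({
                "query": rec["query"],
                "masked_ip": rec["ip"],
                "full_ips": sorted(link["ips"]),
                "accounts": sorted(link["accounts"]),
            })
    return findings


if __name__ == "__main__":
    for bits in (8, 7, 6):
        masked = mask_ip("173.192.103.121", bits)
        print(f"{bits} bits masked -> {masked}, {candidates(masked, bits)} candidates")
    print("IP masked, cookie kept:    ", audit_linkage(anonymize(SAMPLE_LOG)))
    print("IP masked, cookie scrubbed:",
          audit_linkage(anonymize(SAMPLE_LOG, scrub_cookie=True)))
```

With the cookie kept, the 600-day-old record is masked to 192.0.2.0 yet still resolves to one full address and one account through the newer record that shares its cookie; with the cookie scrubbed at the same retention point, the audit returns nothing.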
    2. Re:Who cares about the IP? by yoshi_mon · · Score: 1

      1. Open hosts file.
      2. Set all google-analytics to: 127.0.0.1
      3. Profit...er...hide.

      --

      Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
    3. Re:Who cares about the IP? by NeoSkandranon · · Score: 1

      The spread of google-analytics makes avoiding their tracking cookie all the harder.

      If it bothers you that much, learn to love NoScript.

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    4. Re:Who cares about the IP? by iyntsiannaistnyi · · Score: 1

      Step 1: Firefox + NoScript + "Mark google-analytics.com as Untrusted"
      Step 2: Delete cookies when browser exits
      Step 3 (optional): Stop using Google

      Yes, Step 2 will make some things more annoying. But the question is this: how much do you value your privacy? Enough to log in to Slashdot and your webmail every day, instead of just once?

    5. Re:Who cares about the IP? by arose · · Score: 1

      Or you could use one of the cookie equivalents of noscript.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    6. Re:Who cares about the IP? by kalirion · · Score: 1

      Firefox: Ctrl+Shift+Del

    7. Re:Who cares about the IP? by iyntsiannaistnyi · · Score: 1

      Examples, for those of us unaware?

    8. Re:Who cares about the IP? by arose · · Score: 1

      I use CS Lite myself.

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  3. Hide by Wowsers · · Score: 3, Interesting

    I'm on IPv6, so I hide behind ::1/128

    --
    Take Nobody's Word For It.
    1. Re:Hide by Anti_Climax · · Score: 5, Funny

      If you're using google services from IPv6, it's even easier to figure out who you are.

      I mean, it's either you or the other guy...

      --
      Even people that believe in pre-destiny look both ways before crossing the street.
    2. Re:Hide by paul248 · · Score: 1

      Your comment makes no sense at all. It's equivalent to saying "I'm on IPv4, so I hide behind 127.0.0.1/32"

    3. Re:Hide by ion.simon.c · · Score: 1

      OH SHIT!
      They're on to me!

  4. Question by TuaAmin13 · · Score: 1

    What benefit does Google have to semi-anonymize after 9 months, then "fully" anonymize after another 9 months? Does it really make any difference? I guess it does give you a bit more privacy after 9 months as opposed to waiting 18 months for the full anonymization process, but it makes no sense to me why they wouldn't just totally get rid of the IP information after that long. I mean, it's data; data must be stored. It's just sitting somewhere taking up space.

    1. Re:Question by DanZ23 · · Score: 1

      It's just sitting somewhere taking up space.

      Do you really think Google isn't doing anything internally with this data, and it's "just sitting someplace"? Because I sure don't....

    2. Re:Question by TuaAmin13 · · Score: 1

      Duh, I should have thought of that. Thanks for pointing out the obvious to me. Lazy Sundays...

    3. Re:Question by pbhj · · Score: 1

      What benefit does Google have to semi-anonymize after 9 months, then "fully" anonymize after another 9 months?

      They get 9 months longer to attempt to tie that data to a username on some other Google service.

      Once they have it hooked to a username, ie if you logged into any Google service during use of that IP then they can throw away the IP (once they've tied it to the ISP and location of course) - so they know your @gmail.com email address (and your profile data) and can link that to your usage pattern, location and ISP .. why do they still need to keep your IP address then?

  5. Uh huh, yeah, whatever. by Creepy+Crawler · · Score: 5, Informative

    Don't trust what anybody says about your "privacy".

    Install Firefox 3, AdBlock+, noscript, and torbutton.

    You want complete anonymity, click torbutton (you have to set up tor). You're now damned hidden. No cookie leaks and stuff.

    1. Re:Uh huh, yeah, whatever. by Anonymous Coward · · Score: 1, Insightful

      Yah, but it is unbearably slow.

    2. Re:Uh huh, yeah, whatever. by Apoorv+Khatreja · · Score: 3, Insightful

      If only we had more relays in the Tor network than the leeches. That's why Tor is really really slow these days. We need a restructure or major change in protocol for Tor to survive. A lot of people seem to be hopping onto the network these days, with companies becoming increasingly nosy.

      --
      RutSum.com
    3. Re:Uh huh, yeah, whatever. by Bragador · · Score: 1

      If more people set relays, no.

      Also, I2P is coming out eventually. They need more developers though so... heard that, Slashdot?

      I2P: http://66.111.51.110/

    4. Re:Uh huh, yeah, whatever. by aristofanes · · Score: 1

      How does Chrome compare in this regard to "ask.com" "AskEraser"?

    5. Re:Uh huh, yeah, whatever. by Bragador · · Score: 1

      What about a ratio system like they use on private torrent websites? One could have a ratio of upload and download and if you don't give back to the community, your IP is temporarily banned from using the network. That wouldn't pose a problem since knowing that an IP address wants to use the network doesn't mean they know where it is going when it connects. You are still anonymous.

    6. Re:Uh huh, yeah, whatever. by McGiraf · · Score: 1

      "Don't trust what anybody says about your "privacy".

      Install Firefox 3, AdBlock+, noscript, and torbutton.

      You want complete anonymity, click torbutton (you have to set up tor). You're now damned hidden. No cookie leaks and stuff.
      "

      I do not trust you. So I will not do this :)

    7. Re:Uh huh, yeah, whatever. by Creepy+Crawler · · Score: 1

      Whatever floats your boat.

      That's why the source is open. Make your own decision.

    8. Re:Uh huh, yeah, whatever. by SanityInAnarchy · · Score: 2, Informative

      And you linked to an IP address, why?

      http://www.i2p2.de/

      The picture sucks, though -- I think I know how it's supposed to work, but looking at that, I have no clue what it's trying to say.

      --
      Don't thank God, thank a doctor!
    9. Re:Uh huh, yeah, whatever. by DiLLeMaN · · Score: 0

      If more people set relays, no.

      In other words, at this moment it is unbearably slow.
      Some people do not live in some nebulous future where privacy is king, everything is free, and farts smell like roses. Some of us have to live in the now.

      But don't let that keep you from using Tor.

      --
      /var/run/twitter.sock is a twitter socket puppet.
    10. Re:Uh huh, yeah, whatever. by McGiraf · · Score: 1

      "Make your own decision."

      Shit! Now I can't make a decision! Damn you untrustworthy person!

    11. Re:Uh huh, yeah, whatever. by carlmenezes · · Score: 1

      Well, I've tried downloading I2P several times already in the past n months and I always encounter the same roadblock - the download link for the I2P installation from dev.i2p.net always takes too long to respond. Has anybody got around this?

      --
      Find a job you like and you will never work a day in your life.
    12. Re:Uh huh, yeah, whatever. by carlmenezes · · Score: 1

      Your link worked. Downloading I2P now. Cheers.

      --
      Find a job you like and you will never work a day in your life.
    13. Re:Uh huh, yeah, whatever. by msormune · · Score: 1

      You would get better anonymity if you wrote your own browser.

    14. Re:Uh huh, yeah, whatever. by Colz+Grigor · · Score: 1

      I noticed that, too. Maybe we could convince Google to create a TOR service?

      Just kidding.

    15. Re:Uh huh, yeah, whatever. by robthebob · · Score: 1

      Get a new sig.

    16. Re:Uh huh, yeah, whatever. by centuren · · Score: 1

      Tor gets a vote of confidence as it's endorsed by the EFF, which has an established reputation for privacy.

      I don't know anything about I2P. If it's a better-than-Tor network, I hope they have the good sense to get trusted organizations on board.

    17. Re:Uh huh, yeah, whatever. by centuren · · Score: 1

      I laughed (and then cried a little). Not really, but I do find it ironic that the only successful mainstream XMPP instant messenger client is done by Google.

      I was quite excited when it came out. Google was smaller than today, but still a big force, and I thought it might be a step towards not having to beg people to use Jabber so I wouldn't have an empty contact list.

      Now I have a few contacts that use Google Talk, primarily due to their Gmail integration and its easy way around corporate firewalls, and for each new one I have to wait until they're online, open up Gmail, open a conversation, and take that user off the record.

      Until realizing this, of course, all the chats were logged and saved. There is the option to delete, but that goes back to the core issue of knowing the specific details: how is my information deleted? Are backup archives kept?

    18. Re:Uh huh, yeah, whatever. by centuren · · Score: 1

      What about a ratio system like they use on private torrent websites? One could have a ratio of upload and download and if you don't give back to the community, your IP is temporarily banned from using the network. That wouldn't pose a problem since knowing that an IP address wants to use the network doesn't mean they know where it is going when it connects. You are still anonymous.

      Tor is for everyone to use, even those that don't meet Tor's bandwidth standards for a relay.

    19. Re:Uh huh, yeah, whatever. by Pathwalker · · Score: 1

      I've played with i2p a bit; the focus is different than that of TOR.

      Whereas TOR aims at anonymity in accessing the internet at large, i2p aims at a double blind internal network. You and a site can communicate, but neither of you knows the identity of the other; you only know each other's public keys.

      There are a few gateways between i2p and the internet (in both directions), but that doesn't appear to be the intended focus.

    20. Re:Uh huh, yeah, whatever. by Pathwalker · · Score: 1

      I've only played with i2p a bit, but I know you shouldn't try to download from dev.i2p.net.

      I think the box crashed locking everyone out, and no one knows who has access to it.

      Look at http://www.i2p2.de/download.html

  6. Why does Google risk customer relations? by wandm · · Score: 4, Insightful

    I don't get it. I'm sure I'm not the only one looking for a good Google substitute, and the number of skeptics will just grow, unless Google gets its privacy protection act together. It's just a matter of time that another AOL-type leak happens.

    In the internet age, companies' luck can change quite quickly. Please Google, just get rid of those logs quickly and completely..

    1. Re:Why does Google risk customer relations? by Anonymous Coward · · Score: 0

      money?

    2. Re:Why does Google risk customer relations? by Anonymous Coward · · Score: 0, Insightful

      See that is what geeks and nerds aren't able to understand. The 90's are gone. This is the digital age. Internet life is not restricted to the same pathetic mom's basement dwellers. Nowadays, it is much more important to the Big Corps to learn what the bully that used to beat your nerd arse at school wants, than what you want. The bully got 1000 expensive devices connected to the Internet and doesn't care about this privacy BS, he just wants access to Facebook and MySpace to call his million hoes to drop by his flat for some cuddling and party.
      So, privacy is a concern for you and your 3 nerd long life friends, and Google really doesn't care about your pathetic WoW virtual life or your Sarah Palin porn...

    3. Re:Why does Google risk customer relations? by tylerni7 · · Score: 3, Informative

      Well first, while I'm sure you aren't the only person looking for a Google substitute, that doesn't mean a significant amount of users are. With the percent of the market that Google already has, a few people going somewhere else won't even make a dent.
      That said, at least they are working on the issues rather than just ignoring them completely, as most companies do.

      And second, that AOL leak wasn't really a leak. Instead they purposefully released the data for research purposes, thinking that a random, unique ID number for each user would be enough to keep them anonymous. According to this article (well the summary), even if they released search data (which they aren't stupid enough to do) instead of a unique ID number it would be something like 64 or 128 people under one ID number, which makes it impossible to see who searched for what, even if you know what IP block someone has.

    4. Re:Why does Google risk customer relations? by Anonymous Coward · · Score: 0

      +1 HarshReality, anyone?

  7. Tor is not a solution either by speedtux · · Score: 5, Insightful

    except, of course, that with Tor, the egress routers can (and probably do) look at your unencrypted communications, which often can be traced back to you, too.

    If you want reasonable anonymity, you need to buy VPN access from a source using a non-traceable payment method. And, of course, they can still correlate your online activity on various sites. A single unencrypted Yahoo Mail or GMail session will unlock your entire usage history.

    1. Re:Tor is not a solution either by Bragador · · Score: 1

      This is only true if you give personal information out which is rarely the case. Also, Tor scrambles the relays each 10 minutes.

      Anyway, for managing your funds I wouldn't recommend Tor. Just directly go to the website.

    2. Re:Tor is not a solution either by Anonymous Coward · · Score: 0

      If you give personal information out... Yes, like a browser cookie... ;) So not exactly rare.

      Anyone running a tor exit node can, if they like, hijack your session cookies and impersonate you on any unencrypted site you visit..

    3. Re:Tor is not a solution either by moonbender · · Score: 1

      Soooo... a) don't visit sites with accounts you care about (may break the account) and b) particularly not with accounts tied to your real identity (breaks anonymity, which is the point of tor).

      Not every cookie can be considered personal information. I may leak a Google cookie during a Tor session, but since it's a "temporary" one which is generated for this one session and deleted at its end, I couldn't care less.

      --
      Switch back to Slashdot's D1 system.
    4. Re:Tor is not a solution either by tirnacopu · · Score: 1

      A nod to the parent poster. In any financial transaction, made with your own money, you do NOT want to be anonymous. If you are in a hotel in Las Vegas, or in a coffee shop in Amsterdam, that's OK. The company handling your purchase must have enough measures to monitor and repair eventual damages, and whether they do or not - when the police comes asking why you just bought a brand new limousine you would be off the hook simply by showing them a plane ticket and saying "hey, I was in Vegas, Mercedes - that's a car from France, right?"

  8. I'm appalled that anyone expects privacy at all by postbigbang · · Score: 2, Insightful

    Sure-- it's a great thing. But Google and Yahoo and myriads of other online sites live and die for your IP address, so that they may serve you better-- after running you through great behemoths of analyticals. Anonymizing after such a time serves no one's real privacy interest. Anonymizers have the ability to help you peruse privately, but even those are becoming easier to predict-- making anonymizing increasingly difficult. It's best to start your own botnet if you really want to be anonymous these days and this is just what a few good anonymizers do. Face it folks, Google's not trying at all and is financially compelled not to do so.

    --
    ---- Teach Peace. It's Cheaper Than War.
    1. Re:I'm appalled that anyone expects privacy at all by Adrian+Lopez · · Score: 1

      "Anonymizing after such a time serves no one's real privacy interest."

      Do we really want Google to become a one-stop shop for all of law-enforcement's "what did this person search for this year" needs?

      --
      "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    2. Re:I'm appalled that anyone expects privacy at all by Anonymous Coward · · Score: 0

      Then perhaps criminals should use other search engines? Perhaps that's the way Microsoft can advertise their Live Search? "Now with increased privacy for your criminal needs!"

      Nah, people will probably still use Google.

    3. Re:I'm appalled that anyone expects privacy at all by Teun · · Score: 0, Troll

      Yep, innocent perpetrators shouldn't use Google...

      As they say: "Do no evil".

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  9. What have you done with Slashdot? by bigtallmofo · · Score: 1, Funny

    OK, I thought it was strange that there was an "Apple is Evil" story about sneakers earlier today. But now there's a "Google may be evil" story! What's next? A story about how "SCO was right about Linux all along"?

    --
    I'm a big tall mofo.
    1. Re:What have you done with Slashdot? by CaptainPatent · · Score: 2, Funny

      Shhhh! don't make them hunt the 256 of you down!

      --
      Well, back to rejecting software patent applications.
    2. Re:What have you done with Slashdot? by bigtallmofo · · Score: 2, Funny

      Shhhh! don't make them hunt the 256 of you down!

      Oh crap! I'm screwed then because I own my entire Class-C netblock! Stupid sexy last octet....

      --
      I'm a big tall mofo.
    3. Re:What have you done with Slashdot? by Arimus · · Score: 2, Informative

      Err???

      255.255.255.0 doesn't give 256 host addresses ;)

      One for broadcast, one for network so 254 is the number you're looking for...

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
    4. Re:What have you done with Slashdot? by centuren · · Score: 1

      "Successful tech-company is evil" is always headlining on slashdot. What's strange about that?

    5. Re:What have you done with Slashdot? by phayes · · Score: 1

      Not unless the address is from a /24. Think smaller (sub/super)net masks...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    6. Re:What have you done with Slashdot? by Anonymous Coward · · Score: 1, Insightful

      Well... if you want to get technical about the number of possible anonymous addresses you need to keep in mind that Network Address Translation(NAT) and Protocol Address Translation (PAT) will multiply this number significantly. Assuming that Google only keeps the IP address and not the rest of the TCP header.

      If you're getting internet access from a major ISP and you didn't spend the extra $20 to get a 'static' or 'internet visible' IP address, you're likely behind PAT.

      I'm sure someone will correct me if I'm wrong.

      --Magus Sartori

  10. No. Its evil. by Apoorv+Khatreja · · Score: 1

    That is a harsh and forced way to get things done. A better way would be to ask for donations, and then buying dedicated (or non dedicated) machines in different parts of the world, using connections from different ISPs (therefore different IPs) and then using these machines solely towards serving as Tor relays.

    --
    RutSum.com
    1. Re:No. Its evil. by Bragador · · Score: 1

      Yes but will the leechers really give money? They are leechers you know...

      Also, I kind of understand most of them. I would have no problem with setting a relay for the Tor network if I used it but owning a relay that is also an exit point to the Internet would be a problem.

      I wouldn't want to be responsible for everything my own IP would do on the net...

    2. Re:No. Its evil. by Apoorv+Khatreja · · Score: 1

      Just like public trackers on BitTorrent, Tor is surviving on the good will of a few people who will fight for anonymity on the internet. It's just that it needs a little advertising, so that the load from the few relays can be distributed and make the Tor network faster. Doing what you said would make Tor fall.

      --
      RutSum.com
    3. Re:No. Its evil. by moonbender · · Score: 1

      Seems like a bad idea to have a single organisation providing a significant number of servers. Although placing them in several countries reduces the risk of bad guys (the gubment) to get hold of all of them.

      --
      Switch back to Slashdot's D1 system.
    4. Re:No. Its evil. by calmofthestorm · · Score: 1

      I'd be happy to send $20 to a good cause like that, but for legal reasons I can't run an exit node myself. I do run a relay though, for all the good that does.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  11. Minor correction by Duncan+Blackthorne · · Score: 1, Informative

    A class C subnet is 253 addresses, not 254. Zero and 255 are, last time I checked, reserved.

    1. Re:Minor correction by Anonymous Coward · · Score: 1, Funny

      Fail.

    2. Re:Minor correction by Anonymous Coward · · Score: 0

      And 256 - 2 was 254 unless arithmetic's changed recently :)

    3. Re:Minor correction by Anonymous Coward · · Score: 0

      2^8 - 2 = 254

    4. Re:Minor correction by perlchild · · Score: 1

      If you include zero, you're going 256 minus two, that's 254 usable, everyone says 253 usable because everyone's used to having the default gateway being "at the providers" and therefore unusable. But if you're delegating a /24 to internal use, you'll have 254 usable ips, counting the router you're using for that subnet.

    5. Re:Minor correction by Anonymous Coward · · Score: 0

      our website hosting provider gave our site an IP ending in .255
      I can confirm that that doesn't work well.

    6. Re:Minor correction by Anonymous Coward · · Score: 0

      Wrong:

      class C subnet is /24 -- leaving 8 bits for the host.

      8 bits = 2^^8 = 256

      there are 256 addresses available -- minus "0 and 255" leaves 254 addresses.

      Another way of putting it:

      0-255 = 256 values. Take 2 away:

      1-254 = 254 values.

    7. Re:Minor correction by Lennie · · Score: 2, Informative

      And if it's part of a bigger block the 0 and 255 are possibly usable, depending on where in the large block they are.

      --
      New things are always on the horizon
    8. Re:Minor correction by Duncan+Blackthorne · · Score: 2, Insightful

      Damnit.. I wish there was a way to edit comments here. That was a typo on my part, and I didn't notice it until I saw 6 people beating me in the head with it. :p

    9. Re:Minor correction by Duncan+Blackthorne · · Score: 1

      Gah.. actually I'm completely wrong from the start. My apologies..

    10. Re:Minor correction by kiddygrinder · · Score: 1

      Yah, if you're gonna correct someone you better re-read your post 18 times before you click submit. It won't help, (mistakes are invisible until they're irrevocable) but at least you can feel you tried.

      --
      This is a joke. I am joking. Joke joke joke.
    11. Re:Minor correction by Anonymous Coward · · Score: 0

      A class C subnet is 253 addresses, not 254. Zero and 255 are, last time I checked, reserved.

      ehm... 0 to 255 = 256 addresses.
      0 and 255 are 2 reserved addresses, so ...
      256-2 = 254 last time I checked

    12. Re:Minor correction by Anonymous Coward · · Score: 0

      A class C subnet is 253 addresses, not 254. Zero and 255 are, last time I checked, reserved.

      So, 1, 2, 3, 4, ... and 254 are allowed?

    13. Re:Minor correction by Fastolfe · · Score: 1

      "Classless" subnetting allows the use of 0 and 255. If you have a network 10.0.0.0/23 (not /24 aka class C), that means the network ranges from 10.0.0.0 to 10.0.1.255, with only 0.0 and 1.255 reserved. This means 0.255 and 1.0 are perfectly usable, legitimate addresses. The only time this should be problematic is if you've misconfigured your own network (saw 10.0.0.255 and assumed your subnet was 10.0.0.0/24), or if your network devices are horribly broken.

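The 253/254 argument and the classless case in the thread above, worked with Python's standard `ipaddress` module. This is an added example, not code from any of the posts; the function names are made up for illustration.

```python
import ipaddress


def role(addr: str, prefix: int) -> str:
    """Classify addr inside the enclosing IPv4 network of the given prefix length."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    ip = ipaddress.ip_address(addr)
    if prefix >= 31:
        # /31 point-to-point links (RFC 3021) and /32 host routes reserve nothing.
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_hosts(prefix: int) -> int:
    """Assignable addresses in an IPv4 network of this prefix length."""
    size = 2 ** (32 - prefix)
    return size if prefix >= 31 else size - 2


def usable_as_host(addr: str, prefixes=range(16, 31)) -> list:
    """Prefix lengths under which addr is an ordinary, assignable host address."""
    return [p for p in prefixes if role(addr, p) == "host"]


if __name__ == "__main__":
    print("/24 usable:", usable_hosts(24))            # 256 - 2
    print("/23 usable:", usable_hosts(23))            # 512 - 2
    for a in ("10.0.0.0", "10.0.0.255", "10.0.1.0", "10.0.1.255"):
        print(a, "in /23 ->", role(a, 23), "| in /24 ->", role(a, 24))
    # An address ending in .255 is only a broadcast address when the mask says so.
    print("10.0.0.255 is a host under:", usable_as_host("10.0.0.255"))
```
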
  12. Do no evil, unless you can fool the public? by TheNetAvenger · · Score: 1, Insightful

    Do no evil, unless you can fool the public?

    Google has been getting away with identity murder for years and years. Anyone that finds this whole thing 'new' or 'odd' needs to slap themselves and research the marketing company that is Google.

    They don't provide services or features, they sell identity information and ads.

    The services and online features are just the bait in the trap.

    "Google, making Microsoft look non-Evil for years."

    1. Re:Do no evil, unless you can fool the public? by Cyrcyr · · Score: 0

      I fail to see how this relates to being "evil". And how this is "insightful" is truly beyond me. Google uses logs to predict how their users want data presented. Please tell me how this is different from any serious online-based business in the world. It's like a dunkin donuts keeping tabs on which donuts are more popular in what state, and make sure their services meet that demand.

    2. Re:Do no evil, unless you can fool the public? by Anonymous Coward · · Score: 0

      Spout more googlehater nonsense please.

      Link to some credible reference that Google sells identity information to anyone, ever? According to them/their privacy agreement/news sources, they use it for their own research, and naturally must give it up to the government when they are subpoenaed.

      Google sells advertising services, and if you think that is "Evil" you need to reevaluate your system of morals/ethics.

    3. Re:Do no evil, unless you can fool the public? by nog_lorp · · Score: 1

      What? Reference for when they have sold identity information please.

      And if you think being an ad provider makes them Evil you need to take a serious look at your system of ethics.

    4. Re:Do no evil, unless you can fool the public? by TheNetAvenger · · Score: 1

      Sure data mining and collecting information on everyone is a 'good thing', just like the IBM punchcards Germany used in the 30s/40s...

      Consolidation of personal information without approval is not ethical, nor an 'ad provider'.

      When Windows XP started sending back crash information 'anonymously', people like you stepped up in numbers calling them evil and painting Microsoft as evil and looking over your shoulder, when all they wanted to do was fix the freaking crashes and identify bad drivers and software.

      So Microsoft is evil for anonymously collecting crash data and NEVER using it, but Google is good for collecting personal data and using it to sell their ad services?

      Google may not sell identities, but they are becoming a monopoly of identity information and they use that muscle and have more control over your life and what you see on the internet than you realize, and in the long run if left unruled, will make Microsoft look like Goodwill when the shape of everything you do is Google dominated.

      From movie popularity, to products, Google is already changing the markets of ALL industries, and people think this is ok?

      Even the press uses Google as a research source and based on data mining of the journalists, can shape the information they return, changing even the news stories you see on TV.

      If you are not alarmed, you are either stupid, or working for Google.

    5. Re:Do no evil, unless you can fool the public? by Anonymous Coward · · Score: 0

      I fail to see how this relates to being "evil".

      If you think that it's "reasonable" for Google to respond to privacy concerns by offering to change a few bits in the bottom byte of IP addresses in its logs, and that only at the end of a whole pile of months, then you "fail to see" a lot more than you realize.

    6. Re:Do no evil, unless you can fool the public? by nog_lorp · · Score: 1

      You give Google approval when you agree to their privacy agreement, which is extremely open and clear and not just a giant blob of legalese.

      I just want to make the point that something can "seem scary" or "put you off" without being evil or unethical. In MY system of ethics, there needs to be either (1) intent to do harm, or (2) actual harm done. With neither of these, I can declare your puppy is evil with just about as much credibility as someone claiming "being an ad provider is evil".

    7. Re:Do no evil, unless you can fool the public? by TheNetAvenger · · Score: 1

      You give Google approval when you agree to their privacy agreement, which is extremely open and clear and not just a giant blob of legalese.

      Not when viewing ads on a website. I have given no permission for the data they collect from my visit...

      Now run along and look up Google moving their data center to a freaking boat so they can avoid US regulations, taxes, and accountability to any governing body. (This means they can do whatever they want with the data and no court can touch them.)

      Do no evil my ass...

  13. Why do they keep them at all? by Sark666 · · Score: 1

    These issues concern me, but I admit I do not know much about this. How about I do a search and you keep nothing? Does any search engine provide that?

    1. Re:Why do they keep them at all? by Bender0x7D1 · · Score: 1

      Ask.com has AskEraser. Here's the description.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    2. Re:Why do they keep them at all? by Anonymous Coward · · Score: 0

      Supposedly www.scroogle.com proxies queries to google without any of the original client side cookies/IP info being sent.

    3. Re:Why do they keep them at all? by pbhj · · Score: 1

      These issues concern me, but I admit I do not know much about this. How about I do a search and you keep nothing? Does any search engine provide that?

      Basically you're asking does any search engine spend millions of pounds and not expect to extract any financial worth out of its relationship with you ...

      Maybe in Soviet Russia?

    4. Re:Why do they keep them at all? by Anonymous Coward · · Score: 0
    5. Re:Why do they keep them at all? by Sark666 · · Score: 1

      No they can still run ads, and they can even do target specific ads based on my current search. But don't build up a profile history on me. What other form of advertising does that?

      A tv show on say sports might run ads about other sports stuff, athletic gear etc. That's as far as I want an advertising relationship to go.

  14. Anonymizing IP info properly. by Animats · · Score: 3, Interesting

    I have something that actually does anonymize IP data. I need a roughly unique identifier for web sites for load balancing and queuing purposes, but don't need to identify the remote site. So I run the IP address through MD5, the cryptographic hash, then take the absolute value, then reduce mod 1,000,000. So the world of IP addresses is mapped into 0..999999. About 4000 IP addresses map to each number, but they're spread pseudorandomly across IP space.

    So there's no real problem doing this if you just need enough info to make your server farm run smoothly. Of course, Google wants more.

    1. Re:Anonymizing IP info properly. by supersat · · Score: 1

      How many of those 4000 IP addresses are valid and allocated?

    2. Re:Anonymizing IP info properly. by pbhj · · Score: 1

      Of course, Google wants more.

      What you mean of course is that Google's customers want more, they're serving the market. That's big business but it's also everyone else that uses Google's Analytics or PPC or AdWords programs.

      I'm director of a small business - we use Google Analytics/Webmaster Tools to help track SEO efforts and to establish good site stats. It's valuable to me to see things like (approx, guesstimated) geographic location of users and the like.

    3. Re:Anonymizing IP info properly. by AlXtreme · · Score: 1

      It's valuable to me to see things like (approx, guesstimated) geographic location of users and the like.

      Google could simply store the totals per region (they probably already do so). Anonymization is very much possible for Adwords/Analytics, as users simply get the big picture and not the unique IP addresses of every visitor anyway. I can't see proper anonymity after X months hurting Adwords in its current form.

      Perhaps Google wants to keep the whole IP address in order for Adwords-users to target specific groups of users unrelated to their current search queries, but instead take the user history into account (everyone who searched for "dishwasher discount" in the last 7 days, for instance). But even then anonymization wouldn't be a problem after any length of time for advertisers. Google simply doesn't want to throw away data, period.

      --
      This sig is intentionally left blank
    4. Re:Anonymizing IP info properly. by Fastolfe · · Score: 1

      Your MD5 hashing trick is just about useless at actually hiding anything. All you've done is replace the IP address with something derived directly from the IP address, while chopping off ~12 bits of precision (likely much less since many of those IP addresses won't be valid or active unicast addresses). It's trivial to build up a lookup table from IP address to identifier. MD5 is nice if you can't reverse it, but you don't have to reverse it here. If someone subpoenas your logs, and they know the IP address(es) they're looking for, you've handed them a complete record. If your site were high-traffic, with lots of active IP addresses sharing the same identifier, you might get a bit of anonymity out of that for your users, but I'm not convinced this approach is better than Google's.
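
The scheme and the objection in the thread above, side by side: an unkeyed MD5 bucket that anyone can recompute, and a keyed variant whose secret is rotated and destroyed with the log. This is an added example, not code from either poster; it assumes the hash is taken over the dotted-quad string, and the function names, sample addresses (TEST-NET-3) and the HMAC-SHA256 variant are illustrative choices.

```python
import hashlib
import hmac
import ipaddress
import secrets

BUCKETS = 1_000_000  # identifier space 0..999999, as in the comment


def md5_bucket(ip: str) -> int:
    """Unkeyed scheme: MD5(ip) read as an unsigned integer, mod 1,000,000."""
    digest = hashlib.md5(ip.encode("ascii")).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def keyed_bucket(ip: str, key: bytes) -> int:
    """Keyed variant: HMAC-SHA256 under a per-period secret held by the logger."""
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def lookup_table(network: str, bucket_fn) -> dict:
    """Map bucket id -> addresses in `network` that land on it."""
    table = {}
    for addr in ipaddress.ip_network(network):
        table.setdefault(bucket_fn(str(addr)), []).append(str(addr))
    return table


def records_for(ip: str, log: list, bucket_fn) -> list:
    """Rows of a pseudonymized log whose id matches a known address."""
    wanted = bucket_fn(ip)
    return [row for row in log if row[0] == wanted]


# Constructed sample data: (address, request path) before pseudonymization.
VISITS = [("203.0.113.7", "/a"), ("203.0.113.200", "/b"), ("203.0.113.7", "/c")]
MD5_LOG = [(md5_bucket(ip), path) for ip, path in VISITS]

if __name__ == "__main__":
    # The mapping is public, so a party that already knows an address
    # selects that address's rows without reversing MD5.
    print(records_for("203.0.113.7", MD5_LOG, md5_bucket))
    # Tabulating a /24 costs 256 hashes; all of IPv4 is only 2**32.
    table = lookup_table("203.0.113.0/24", md5_bucket)
    print(len(table), "ids cover 256 addresses")
    # With a secret key the ids stay stable for load balancing during the
    # period, but cannot be recomputed once the key is destroyed.
    key = secrets.token_bytes(32)
    print([(keyed_bucket(ip, key), path) for ip, path in VISITS])
```
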

  15. Privacy reform??? by iminplaya · · Score: 1

    HAHAHA... That's-a-funny...

    Maybe, possibly you might get some privacy if you can randomly change your public IP address a few thousand times a second in some "spread spectrum" type fashion. But for now, real privacy on the net is but a pipe dream.

    --
    What?
  16. It only gets worse by PingXao · · Score: 1, Interesting

    It only gets worse if you believed it was "good" in the first place. These revelations don't make it worse for me since I don't believe they're committed to my privacy at all. Never have been, never will be. Sheesh, I swear some of you people will believe anything! The "do no evil" myth has been one of the most pervasive and unfounded ones of the last decade. Watch what they do, not what they say.

    1. Re:It only gets worse by nog_lorp · · Score: 3, Funny

      How are these "revelations"? A massive web-app provider HAS LOGS? No way! They might even do analysis of them for RESEARCH PURPOSES? How dare they! And if they are legally required to disclose them, THEY DO? The evil of it!

  17. Cuil. by Anonymous Coward · · Score: 0

    But their search sucks... :/

  18. Here's how I would do it by Anonymous Coward · · Score: 0

    I would just delete all of the IP addresses. That would be a better example of anonymity.

    1. Re:Here's how I would do it by cleatsupkeep · · Score: 0

      I would just delete all of the IP addresses. That would be a better example of anonymity.

      And that's why Google is Google and you are sitting in your mother's basement posting to Slashdot.

  19. like when... by Anonymous Coward · · Score: 0

    I created a new email account (I have my own domain) and signed up for another gmail account. Soon afterward, to an email address I had never, ever used... I got spam! That's when I realized Google wasn't as non-evil as they claim to be.

  20. Oh sorry... by Bragador · · Score: 1

    I simply searched for I2p on Google to get the homepage and it gave me the IP link... But the IP link seems to be out of date so thank you for the correction.

    1. Re:Oh sorry... by SanityInAnarchy · · Score: 1

      Ah, yes, it showed up in my Google search, too, when I was looking to see if that was actually the right link.

      --
      Don't thank God, thank a doctor!
  21. I2P will never get out of beta. by Spy+der+Mann · · Score: 2, Insightful

    The problem is that to enter I2P you need an i2p gateway to connect to. It's like TOR but reversed: TOR nodes let you get from the anonymous net to the outside world... I2P gateways let you get from the outside world to the anonymous net. So what happens when these addresses get banned?

    No matter how you look at it, if it ever gets popular it will be declared illegal by governments for supporting "terrorism or other illegal activities" (such as p2p, doh) and they'll come out with "if you have nothing to hide...".

    My conclusion is that I2P will *ALWAYS* be in "beta" and therefore it will never be announced to the world. And because of that, not many people will cooperate and try to install their own i2p nodes. The result: A VERY VERY slow anonymized network.

    1. Re:I2P will never get out of beta. by SanityInAnarchy · · Score: 1

      TOR nodes let you get from the anonymous net to the outside world... I2P gateways let you get from the outside world to the anonymous net.

      So, if you combine the two, you'd get a poor-man's Freenet?

      --
      Don't thank God, thank a doctor!
  22. Umm...the author makes some big assumptions... by Gybrwe666 · · Score: 1

    First off, I was running ISPs back in the '90s, and even then my dynamic pools for Radius were bigger than a /24, unless the location was a tiny remote dial up. Nowadays, there probably is no large ISP assigning single /24's for dynamic IP addressing. Heck, /20, /19, and even /18 are being used by my ISP, a large cable provider. I haven't asked anyone there lately, but I'm betting they have bigger pools than that.

    Now, if you have a static block, that's different, but if we're talking about the masses in general, the number of possibilities are going to be larger than 1 in 253, and if you also consider DHCP timeouts, the possibilities become even larger.

    This sounds a bit like alarmism, and the author apparently doesn't bother to map any of this into actual real-world.

  23. Even if IP and cookies were scrambled by Anonymous Coward · · Score: 0

    Even if IP and cookies were scrambled, that would still leave search terms and google analytics. If your IP or cookies have at least short-term persistence, the pattern of associated web use seems likely sufficient to establish a chain of identity. Though one more computationally expensive to mine (but more expensive only if you never login to google services).

  24. Re:Minor correction - correction by Anonymous Coward · · Score: 0

    A class C subnet is 253 addresses, not 254. Zero and 255 are, last time I checked, reserved.

    Let's see, there are 256 possible numbers from 0 to 255 inclusive, and two of them are reserved. Your skill testing question was to calculate how many remain by subtracting 2 from 256, and you got it wrong...

  25. I don't understand this by schamarty · · Score: 1

    If all the people making such a big fuss of this would just tell users

    (1) don't stay logged in to gmail
    (1.1) if you have to stay logged in for IM, use Pidgin or something to do that
    (2) set your browser to clear cookies every time the browser is closed

    wouldn't that be a lot shorter and more useful. Google has to do what they have to do for their business model, and if you don't like it, you either stop using their servers or do what you can on your side to limit the damage.

  26. Just use Relakks by Anonymous Coward · · Score: 0

    Whatever you do, our governments be it US or UK under pretext of WarOnTerror, France under pretext of MusicAuthorsRightsProtection, China for... just because, and most others : they all pledge meaning no offence to your privacy but all pass laws to make Internet a better and more secure BigBrother world.
    If you're really serious about privacy protection, look in Sweden: real laws are there to protect privacy, real political movements protect it at the parliament, real solutions like Relakks are developed to help people from InternetTotalitarianCountries to keep their privacy.
    Use Relakks and discuss with your neighbours to enlighten them about Internet freedom!

  27. R e l a k k s posts filtered ? by Anonymous Coward · · Score: 0

    Looks like R e l a k k s related posts are filtered on Slashdot ?