Googling Security
brothke writes "It has been suggested that if one was somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval. Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues." Read below for the rest of Ben's review.
Googling Security: How Much Does Google Know About You?
author: Greg Conti
pages: 360
publisher: Addison-Wesley Professional
rating: 9
reviewer: Ben Rothke
ISBN: 978-0321518668
summary: Explores the many security risks around Google and other search engines
In a fascinating and eye-opening new book Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever expanding amount of Google free services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of; but implicitly do so via their acceptance of the Google Terms of Service.
While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines.
My friend and SEO guru Shimon Sandler has a blog around search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on the topic of SEO security. Similar SEO blogs have a very low number (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it.
The book opens with the observation that Google's business model is built on the prospect of providing its services for free. From the individual user's perspective, this is a model that they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of the loss of control of one's personal information that they share with Google.
The book lists over 50 Google services and applications which collect personal information: mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust in Google as each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each.
In the book's 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be aggregated and mined to create extremely detailed user profiles. These profiles are invaluable to advertisers who will pay Google dearly for such meticulous user data. This level of personal data aggregation was impossible to obtain just a few years ago, given the lack of computing power, combined with the single point of user data. The book notes that this level of personalization, while golden to advertisers, is a privacy anathema.
Chapter 6 is particularly interesting in that it details the risks of using Google Maps. Conti explains that the privacy issue via the use of Google Maps is that it combines disclosure risks of search and connects it to mapping. You are now sharing geographic locations and the associated interactions. By clicking on a link in a Google map, the user discloses and strengthens the link between the search they performed and what they deemed as important in the result. By aggregating source IP addresses and destination searches, Google can easily ascertain confidential data.
After detailing over 250 pages of the risks of Google and related services, Chapter 9 is about countermeasures. Short of simply not using the services, the book notes that there is no clear solution for protecting yourself and company from web-based information disclosure. Nonetheless, the chapter lists a number of things that can be done to reduce the threat. Some are easier, some are harder; but they can ultimately add up to a significant layer of protection. Chapter 9 details 11 specific steps that help users appreciate the magnitude of their disclosures and make informed decisions about which search services to use.
Googling Security: How Much Does Google Know About You? is an important book given that far too many people do not realize how much personal information they are disclosing on a daily basis. An important point that the book makes is that small information disclosures are not truly small when they are aggregated over the course of years. Advances in data mining and artificial intelligence are magnifying the importance of the threat, all under the guise of improving the end-user experience. The book emphasizes the need to evaluate the short-term computing gains with the long-term privacy losses.
The final chapter notes that apathy is the enemy. As a user becomes aware of the magnitude of the threat, they will see it grow every day. But the next step is to take action. Be it with technical countermeasures, taking your business where privacy is better supported, or petitioning lawmakers.
As to the underlying question, "how much does Google know about you?", the answer is that it is a colossal amount, far more than most people realize. For anyone who uses the Internet, Googling Security should be on their list of required reading. The risks that Google and other search engines present are of great consequence and can't be overlooked. If not, privacy could slowly be a thing of the past.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Googling Security: How Much Does Google Know About You? from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Googling Security
About 830,000,000 results returned.
Are they saying that aspirin is so simple and helpful that Big Pharma never would have allowed it on the market or would have it tied up in all sorts of patents? But the comparison makes it sound like aspirin is harmful, seeing as Google is portrayed as more powerful than we would have let happen if we knew the future in advance.
And who would have stopped Google from doing what they did? That's like saying "If people knew what Microsoft would become, they would have stopped it." Huh? If people knew who John Wayne Gacy would become they would have stopped him except they couldn't because they didn't know.
Kwisatz Haderach
Sell the spice to CHOAM
This Mahdi took Shaddam's Throne
Similarly, cell phone cameras would have been banned from ever being marketed. It's way too easy to film government officials and law enforcement agencies committing abuses of power, when before that it used to be your word against theirs, with their word always winning.
Forget the what-if-we-knew-x-years-ago supposition : why does nobody - no regulatory body that is - demand that Google explain exactly what data they collect and what the heck they do with it?
Really, it seems that, since they started out saying "do no evil", everybody took their word for it and let it go at that. Google is worth billions, reaches millions worldwide, provides dozens of services people have come to rely on, and yet no-one knows what they do exactly, aside from banalities such as "their business model is selling ads". Heck, even Microsoft is under 100x more intense scrutiny than Google...
I like and use Google services as much as the next guy, but their ultra-secretive habits make me very wary of them.
My grandparents refused, I remember, a long time ago to give out their Social Security Number to anyone.
I remember when you put your credit card onto the manual machine and then made sure to get the carbons.
For the luxury of convenience we have given up our security, our anonymity, in not just the digital world but the world at large.
And for this price we get one-click shopping and online bill paying and such. But when the waiter swipes your card # it all comes back to you.
And am I any better than anyone else in this regard ? No. Not really.
ACK
For all we know, Google could have an extensive psych profile on each of us, know the names of everyone in our family, and probably even determine our level of education or our professions based simply on our search queries.
:P
Google's reputation, however, is mighty squeaky clean, and until it is revealed just exactly what kind of information their computers can put together from your web habits (and what, exactly, they do with it), I have a feeling we'll be in denial about it for a very long time. I mean, they really, really have a couple billion metric fucktons of money.
I refuse to put any more information into Facebook than I already have because, unlike Google, Facebook doesn't have quite so evident of a business model.
Google away.
Boot Windows, Linux, and ESX over the network for free.
Google knows what my favorite cheese is! Now advertisers can purchase information about who likes what kind of cheese in what region. Good thing that they can't trace the Swiss addiction back to me.
I'm predicting that Google's flu tracker is going to end up being used as an argument in favor of a federal data retention mandate if it turns out to be successful for the CDC. While DHS may have recently shown that datamining doesn't work on terrorists, I'll bet that it would certainly work on certain classes of other criminals like sex offenders. How long before the DoJ starts down this path by saying, "hey Google, why don't you keep an eye on suspicious searches for us, and let us know if someone reaches a threshold of $X searches/month so we can see if they're bad dudes banging little kids." The road to hell is paved with good intentions.
Think I'm paranoid? Then explain why the USA PATRIOT Act was ready to go so soon after 9-11. It's not like they were just waiting for a justification to present it to Congress...
The premise here is "if only we had known ahead of time, we would have done things differently". In the cases where we did know ahead of time, or enough people did, we still went ahead and did it anyway. *After* the Grand Banks fishery collapsed ... we continued to fish it. A few short years later ... we shut down the entire fishery due to lack of foresight and cooperation.
For some reason, I've never viewed Google as a particularly large threat. They seem to be using the data mining to sell a well targeted audience. Is there a Google service where I can pay to get dirt on my neighbors? There's two guys living out front I'd like to get rid of.
Like a bank, there is a business model to make a lot of money in a hurry by whisking all the deposits off to an island paradise. However, the business model where they maintaining the trust relationship with the fools who deposited in the first place pays better in the long run. When you get down to it, banks sell trust, and not much else.
Do we think our banks don't know a lot about us? If only we had known, we'd have never allowed banks to exist in the first place.
What's happening here is that with mass storage plummeting into the $/TB range, one way or another we were going to have to rethink our entire privacy and public information models rather dramatically.
If only we had known, we'd have never allowed Shugart to spin that first platter.
aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval
This argument is such a fallacy. If it was discovered today it would be considered an herbal supplement and they are not regulated by the FDA. If it was considered a drug patent trolls would sue for it and it would still get marketed since it does work with little side effects. They would see the potential to make a lot of money.
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
I have never heard that said of aspirin, but I have heard it said of caffeine. Specifically, that caffeine would be regulated like cocaine.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Epine had a divine epiphany and opined about optional nature of our banking industry, which now appears to be controlled by alpine aphids addicted to aspirin.
Disclaimer: I blame the above on the wine. Now if you'll excuse me I need to visit the latrine, and then I'm going to get supine.
I'm not sure I agree. Do people "willingly disclose" the contents of their emails, their searches, their map queries, their photos, their videos, etc by using Google services? Personally, I'm trusting them not to compile all that information and sell it - but what if they did?
With data mining, the whole is much more than the sum of the parts. Your individual queries might not be worth protecting - "ooh, I can't have Google know that I want an office chair!" - but in aggregate, they might reveal where you live, your financial status, your relationship troubles, your medical problems, what products you like.... stuff that marketers would die for.
If people knew what their "willingly disclosed" info could be used for, maybe they'd be less willing.
There is actually a great short story about the idea of Google using its collected information for Homeland Security. The story is called "Scroogled". Good read. I'd link to it but I thought it more appropriate to have you Google the title.
That's strange, because I remember doing a report (10 years ago maybe) on Aspirin in high school, and I distinctly remember reading in several books on the subject that if aspirin were discovered today, it would be hailed as an amazing wonder drug instead of its current image as a ho-hum headache remedy.
We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
Google provide what governments want, i.e. "Information", and as information is power, no government would want to stop Google. (Unless that information gathering power was directed at them).
Also from the main title page: "Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues"
That's basically saying the boiled frog principle. So implying people other than governments, would see the danger with Google and then seek to pressure governments to stop it. Well *some* people have seen the power of google and did see the danger it opens up years ago, but nowhere near enough people stood up and said something about Google, to even limit its ultimate goal to becoming effectively an advertising version of Big Brother. Problem is even now, most people still cannot see the full danger, so nothing will be done.
e.g.
http://slashdot.org/comments.pl?sid=465072&cid=22544268
There are 10 kinds of people in the world... those who understand binary and those who don't.
The most obvious way I thought of Google as gathering data on your connections is that for Gmail they enforced a "by invitation only" registration system. Once you had been invited and signed for Google, one day, they gave you 5 or 10 or 50 invitations that you would *normally* send to your buddies so they can register too. Here's your perfect way to track who you know and who they know etc.
The point isn't to find your Bacon number, but to profile you even more accurately (birds of a feather, anyone?).
AC
The book lists over 50 Google services and applications which collect personal information. From mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust into Google as each time they use a Google service, they are trusting the organization to safeguard their personal information.
Oh, you mean they're aggregating my fake personal information. I don't care what they do with that.
I've never given out my real personal info to sign up for any online service, and I have no intention of starting now.
The only thing a search for my real name returns is an interview in a newspaper from a charity event several years ago.
And several other people who share my less-than-common name.
---
"I can't complain, but sometimes still do..." Joe Walsh
The lack of respect for the personal privacy of individuals displayed by Google is jaw dropping.
It is amazing that we have reached a point where a company can get away with the type of stuff Google gets away with.
It is one thing to be forced into submitting your personal info for purposes of data acquisition and quite another for you to do it because you want the entire world to know just how important it is that YOU CAN HAS CHEESEBURGER! Sigh...
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
I was on jury duty recently, and in some recorded testimony they had the person give their full name, SSN, etc. This testimony is then transcribed to text. I couldn't help wondering if these documents ever go public, and if search engines like Google would get access to them.
3 main ways for Google to get info about you:
- You publish that information on your site (i.e. you give it to everyone, Google included)
- You give that information to Google (i.e. you store your mail/documents/etc. in Google, or interact with Google sites using your Google account, like in maps, search history, etc.)
- You interact with Google sites not with your account, but interact anyway. That could include Google ads, or the search engine itself (even if it is embedded in your browser), or visiting sites using Google Analytics.
In the first two it is your choice to give them your information. And if the last one worries you, using alternative search engines or using extensions like NoScript will solve that problem.
The problem with Google is that it gives you too many ways, most of them very handy, to store your information, and it is in a very good position to combine all those sources. You can pick all Yahoo services and be in more or less the same situation, but in Yahoo. Or, to a lesser degree, you can fall into the same with Microsoft, Facebook, your mail provider, etc. (even Slashdot could fit in that category eventually)
So you are responsible for doing that to poor old goatse's asshole?
Is not a big privacy problem per se, not more than a census, but could be the start of a trend. Would hate to read it as "If you have no privacy, we can help you"
it ain't over 'til it's over baby....
I'm still paranoid enough to wonder if the current white house occupants might still pull something that is almost but not quite a coup
every day http://en.wikipedia.org/wiki/Special:Random
"Water, taken in moderation, cannot hurt anybody" --Mark Twain
As to the underlying question, "how much does Google care about you?", the answer is that it is an infinitesimal amount.
What did Google know and when did Google know it!
Tip #1: Get your blog linked to in a story at Slashdot....
As I can see from the comments and replies, it seems all people are worried about their privacy. Well, I don't consider myself in any way special from any other internet user. But I really do not mind Google or any other organisation to know my every detailed private information.
The point is I have nothing to hide. Good citizen overall. And if Google is using its database to track me down and display relevant ads...Hell I would rather see ads that might be relevant to my interests!!! The rest is up to me, buy or not buy!
Why are you all so worried about your privacy? I just do not understand. Anyway one should know at this age of technology that once you use internet you can as well put the concept of "Privacy" in the bin.
Take a look at the links; ultimately the Google's capabilities could be used in that direction in near future.
http://www.wikinomics.com/blog/index.php/2008/08/14/2018-a-vision-of-the-future/
http://www.wikinomics.com/blog/index.php/2008/09/23/government-20-and-beyond-harnessing-collective-intelligence/
My friend finally, finally convinced me to get a Facebook account; even though the info on my yahoo! e-mail account was completely false, and the information I entered into Facebook was also false, it took my fake name and info, and matched me up with my highschool buddies.
Nowadays, most people just click through the ToS before even bothering to skim through it. I play Goonzu rather regularly, and every time the developers take something from the gamers, the gamers freak out. However, the ToS tells them they own nothing, and that the developers can take anything away at any time for any reason (or no reason at all); and they all signed and agreed to this!
As society gets lazier (and therefore, dumber), we lose interest in protecting our own rights. We don't have a single problem with putting our credit card information up on the internet, even though our virus scanners and anti spyware programs pop up with varying infections, some minor tracking cookies, others major. After that, we have to maneuver around to find college sites that aren't fake so we don't end up plastering our SSN onto an evil site.
Not that it surprises me; we're at a point where we claim moral superiority over other countries, yet the mere idea of same sex marriage tears us apart. We're so close to turning into Pikmin that I don't even -want- to see what the next step is in removing rights and stripping us of our unique identity.
I just don't get all of the handwringing over the data Google and others collect from your online activities. Suppose Google knew everything I had ever researched online, every link I had ever clicked, everything I ever bought, the names and addresses of every person and business I've ever been associated with, even my credit and medical histories and my political beliefs. So what? How exactly am I harmed by anyone knowing these things? Do I *want* my entire life to be subject to public scrutiny? Not really. Do I care if some bozo knows what brand of laundry detergent I buy? Not in the least.
I don't ever worry about the waiter stealing my card number. Why? Because the few times I HAVE had invalid purchases all it took was one call to the credit card company, and I never had to worry about it again. I have always instantly had the amount put back on my card, and once I had to sign a letter they sent with a self-addressed envelope saying that the charges listed were not mine. After my wife had surgery and was on heavy duty painkillers, she was duped into giving her card number to someone by phone. We immediately told the credit card company and they took care of it. I would FAR rather have my credit card stolen than cash, and I've heard many stories from friends about problems getting banks to fix errors in checking accounts. All around, I love getting 5% cash back on groceries, gas, and drug store purchases with the security of knowing that money CANNOT be stolen from me. I do hate the habit of the entire financial industry of using identifiers as secret tokens, but then I've chosen a bank that doesn't and check all my accounts every few days. The modern day convenience really isn't costing me anything but my privacy.
Atanamis
Really how much would it cost to make a cohesive form of data? Sure if they wanted info on a specific Google account you're nailed but otherwise it's just WAY too much info to really organize. I think Hitler would have been a more fitting point than Aspirin though.
... as it is today.
Privacy can't really be protected, it's an illusion. If my neighborhood has webcams pointing out their window at my house or apartment can I stop them? If someone is dedicated enough or well funded enough, they can find out much about you simply since by existing and interacting with society you leave 'breadcrumb' traces of yourself everywhere you go. Anytime you make any kind of economic transaction via electronic means that is recorded, even if you use money, cameras inside the store are recording your habits.
Why does no one complain about being recorded inside a supermarket for instance? Why is it acceptable, when over the years people can study it and research it and deduce things about you? Google just makes the process convenient and slightly easier, the lack of privacy has always been there whenever you enter into stores, shops and malls. If google needs to have data requested, why don't all corporations who record and monitor people over a long time also not need to be queried about their data?
As you can see the scope and financial undertaking of being consistent would be fairly large, and I doubt you'd get much out of it.
Not always your choice...
* You post to Usenet, using your newsreader, but Google still archives your post in Google Groups (and X-No-Archive is not always foolproof since someone else quoting that post in whole or in part still gets it archived).
* You apply for a job through an online job board and are they serving Doubleclick or Google ads? If so, then more than likely the job application was parsed for relevant information to send to advertisers to at least some extent. (Unlike other sites, most job boards are expecting real name, real e-mail address, and want some sort of resume that would contain your real name and some sort of skillset, work history, etc.)
* Someone you know sends you a message using G-mail. Even if you have G-mail blocked, Google still gets your info via the e-mail message that was sent to you so the privacy damage is already done even before you receive or block the message with your e-mail client.
So that's only a small number of examples, but others can make the choice for you too.
and would myself regulate them given a chance.
Do Less Evil, Google!
Now is not the time to worry. You need to worry when Google teams up with or takes over Microsoft. Those 2 combined will take over the planet and there will be nothing that we can do to stop them.
http://www.dhmo.org/
I know tobacco is bad for you, so I smoke weed with crack.
That is what I think Google is up to; the ability to see the future, they probably have a day on everyone else at the moment, but if they release a beta time machine it will be a week by the end of :)
There is so much data flowing through, and they have access to so much activity, that to make those correlations is just going to be too tempting.
When they open a bookies you know they have perfected the formula, GoogleBets.