Can Google hear you think? Independent computer security researcher Moxie Marlinspike seems to believe so. He used his stage time at this year's SOURCE conference in Boston to raise awareness of Big G's data harvesting practices, criticizing the search engine's ability to mine far more information than statistics say you're comfortable with.
Google, The Pentagon -- Same Thing
The Pentagon had this project called the Total Information Awareness (TIA) program back in 2002. Aimed at tracking threats to national security, the program proposed gathering and storing the personal information of everyone in the United States, including personal e-mails, social network analysis, credit card records, medical records, etc. without any requirement for a search warrant.
Google's habits, Marlinspike claims, are much like this program.
"They have an awful lot of data," he said. "They record everything. They have your IP address, your search requests, the contents of every e-mail you’ve ever sent or received. They know the news you read, the places you go. They’re even collecting real-time GPS location and DNS look-ups. They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about."
Google has soothed many a citizen concerned about privacy by offering what Marlinspike calls "fake anonymization." Utilizing Google's privacy settings, Marlinspike points out, “requires that you have an account, be logged in while using the services and maintain a persistent cookie. It’s a brilliant move on their part.”
Sure, you could always just discontinue using Google, but not, Marlinspike says, without removing yourself entirely from the social narrative.
Marlinspike's solution to this privacy pickle is a little tool he calls GoogleSharing. The anti-snooping solution scrambles user requests together, effectively making it impossible for Google to tell which data is coming from which person.
This achieves a handful of Marlinspike's specific goals:
- Provides a system that will prevent Google from collecting information about you from services which don't require a login
- Total transparency for the user. No special websites, no change to your work flow
- Leaves non-Google traffic completely untouched, unredirected, and unaffected
The GoogleSharing system consists of a custom proxy and a Firefox add-on. The proxy works by generating a pool of GoogleSharing 'identities,' each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox add-on watches for requests to Google services from your browser and, when enabled, transparently redirects all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information, which is replaced with the information from a GoogleSharing identity.
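The routing and identity swap described above, sketched as an added example (this is not GoogleSharing's own code). The host lists, the set of headers treated as identifying, the round-robin selection and all sample values are assumptions or constructed for illustration.

```python
import itertools

# Assumptions (not from the article): which hosts count as Google services,
# which are login-bound exceptions, and which headers are "identifying".
GOOGLE_SUFFIXES = ("google.com",)
LOGIN_BOUND_HOSTS = {"mail.google.com"}
IDENTIFYING_HEADERS = {"cookie", "user-agent", "referer", "authorization",
                       "x-forwarded-for"}

# Constructed identity pool: one cookie plus one User-Agent per identity.
IDENTITY_POOL = [
    {"cookie": "PREF=ID=constructed-aaaa", "user_agent": "ExampleBrowser/1.0"},
    {"cookie": "PREF=ID=constructed-bbbb", "user_agent": "ExampleBrowser/2.0"},
]


def should_redirect(host):
    """Add-on side: only Google hosts, minus login-bound ones, go to the proxy."""
    host = host.lower().rstrip(".")
    if host in LOGIN_BOUND_HOSTS:
        return False
    # Match on a label boundary so "notgoogle.com" and
    # "google.com.example.net" are left untouched.
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def swap_identity(headers, identity):
    """Proxy side: drop identifying headers, then attach the pooled identity."""
    clean = {k: v for k, v in headers.items()
             if k.lower() not in IDENTIFYING_HEADERS}
    clean["Cookie"] = identity["cookie"]
    clean["User-Agent"] = identity["user_agent"]
    return clean


class SharingProxy:
    """Hands out pooled identities round-robin (selection policy is assumed)."""

    def __init__(self, pool):
        self._next = itertools.cycle(pool)

    def forward(self, headers):
        return swap_identity(headers, next(self._next))


def route(proxy, host, headers):
    """Return the headers the destination would see for this request."""
    if should_redirect(host):
        return proxy.forward(headers)
    return dict(headers)  # non-Google and login-bound traffic is unchanged
```

Because identities are reused across callers, requests from different users leave the proxy carrying the same cookie, which is what prevents per-person attribution.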
Google is -- coincidentally -- also in the habit of releasing tools that expose just how much of our information is up for grabs. A recent solution called Government Requests reveals when government agencies around the world ask Google to provide them with user data, or to remove certain content.
Brazil tops both lists, with 291 requests to remove content and 3,663 requests for user data.
"We are releasing this tool because we believe that transparency will give people insight into these kinds of government actions," said Scott Rubin, head of planning, public policy and communications for Google EMEA. "Historically, information like this has not been broadly available. We hope this tool will be helpful in discussions about the appropriate scope and authority of government requests and that other companies will make similar disclosures."
David Drummond, Google's senior vice president for corporate development and chief legal officer, claims that many of these requests are entirely legit. This includes requests for the removal of child pornography, or accredited criminal investigations.
Furthermore, Google wishes to provide even more information about these requests, such as how many users have been affected by them. It's just not that easy. "The requests come from a variety of law enforcement agencies with different legal authorities and different forms of requests," explained Rubin. "They don't follow a standard format, or ask for the same kinds of information."
"Google should be commended for disclosing more information than most companies do," said Wendy Seltzer, a senior researcher with the Berkman Center for Internet and Society at Harvard University.
What To Do...
Some might consider Marlinspike's privacy paranoia a bit cheeky, or Google's efforts to expose requests a deviation from some crazy Google-governed conspiracy theory. In any case, privacy remains a discussion worth having. Where do you stand?