Privacy Wars in Cyberspace: Does Google Know Too Much?

By Chelsi Nakano (@chelkano) Apr 29, 2010

2 comments

Can Google hear you think? Independent computer security researcher Moxie Marlinspike seems to believe so. He used his stage time at this year's SOURCE conference in Boston to raise awareness around Big G's data harvesting practices, admonishing the search engine's ability to mine way more information than statistics say you're comfortable with.

Google, The Pentagon — Same Thing

The Pentagon had this project called the Total Information Awareness (TIA) program back in 2002. Aimed at tracking threats to national security, the program proposed gathering and storing the personal information of everyone in the United States, including personal e-mails, social network analysis, credit card records, medical records, etc. without any requirement for a search warrant.

Google's habits, Marlinspike claims, are much like this program.

"They have an awful lot of data," he said. "They record everything. They have your IP address, your search requests, the contents of every e-mail you’ve ever sent or received. They know the news you read, the places you go. They’re even collecting real-time GPS location and DNS look-ups. They know who you friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about,”

"Fake Anonymization"

Google's soothed many a citizen concerned about privacy by offering what Marlinspike calls "fake anonymization." Utilizing Google's privacy settings, Marlinspike points out, “requires that you have an account, be logged in while using the services and maintain a persistent cookie. It’s a brilliant move on their part.”

Sure, you could always just discontinue using Google, but not, Marlinspike says, without removing yourself entirely from the social narrative.

GoogleSharing

Marlinspike's solution to this privacy pickle is a little tool he calls GoogleSharing. The anti-snooping solution scrambles user requests together, effectively making it impossible for Google to tell which data is coming from which person.

This achieves a handful of Marlinspike's specific goals:

Provides a system that will prevent Google from collecting information about you from services which don't require a login
Total transparency for the user. No special websites, no change to your work flow
Leaves non-Google traffic completely untouched, unredirected, and unaffected

From the official GoogleSharing site:

The GoogleSharing system consists of a custom proxy and a Firefox add-on. The proxy works by generating a pool of GoogleSharing 'identities,' each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers. The Firefox Addon watches for requests to Google services from your browser, and when enabled will transparently redirect all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information and replaced with the information from a GoogleSharing identity.

GoogleSharing concept

Meanwhile…

Google is — coincidentally — also in the habit of releasing tools that expose just how much of our information is up for grabs. A recent solution called Government Requests reveals when government agencies around the world ask Google to provide them with user data, or to remove certain content: