Cenzic 232 Patent
Paid Advertising
web application security lab

Google Ranked Worst In Privacy

This is a non-technical post and completely my own opinion (as if you asked). I’m sure you all have seen this by now, in the news, on blogs, or even on Google’s employees’ sites but it’s time for me to discuss my view on Google’s recent ranking of the absolute worst privacy of the top 23 companies chosen for scrutiny by Privacy International in their latest report. They ranked lower than anyone else looked at, and the list included companies like Microsoft, eBay, Yahoo and MySpace. Here is a choice quote that should put to rest that this is simply some rogue company’s vendetta against Google as some people have conjectured:

This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet.

Again, Matt Cutts let me down when he responded to this by pointing to other people’s follies instead of focusing on Google’s privacy issues. Shame on you Matt - and didn’t Google buy a huge stake in AOL right before that privacy disclosure happened? It’s easy to point fingers but please do your homework first. I have to give Matt some leeway here - he may simply be ignorant of how the rest of the company operates.

Anyway, as a side note this was followed up by an interesting thread finding more places where a man in the middle could read usernames and passwords in Google. Google doesn’t have a great track record with security either. Tons of private information and very poor track record in keeping that information safe? Great combination.

I’ve had the dubious distinction of being tangentially part of some secret Google meetings (I am under no NDAs with them in any shape or form) and I have no doubt in my mind that every accusation made against them is true - and some I have actually seen myself. While Google plays the we’re not evil dance to the devil’s flute, the rest of the industry is actually trying to play by the rules. Even the FTC sided against Google in the Microsoft anti-trust case where Google claimed that Google’s Desktop wasn’t as useful on Vista as it was on XP. Microsoft’s answer? Google Desktop slows the computer down, it’s not Vista slowing Google’s Desktop down. Touché! I don’t blame the FTC for putting the advertising company in its place - especially an advertising company that intends on buying another advertising company that people have loathed for their privacy mis-deeds for nearly a decade (DoubleClick). I used to work for an advertising company - I personally have experienced how evil they are.

Google’s tools cannot be easily avoided, even by people who choose not to download their spyware. Adsense and Google Analytics also report home and can track users as they travel from domain to domain, as do the Google images that you see on search boxes that float all over the Internet. Unless consumers know how to avoid Google’s reach, they cannot simply avoid Google by not using their downloaded executables or their search engine. That to me constitutes a huge risk to privacy. That they delete or rather anonymize (and how good is that anonymization strategy, really?) after two years is irrelevant - that’s already too long when you combine it with all the other forms of information that they have access to and log. Yes, it is a requirement of the various governments they work with, but the governments don’t ask them to combine this information, they do that on their own.

The next most common thing I hear is that most of the tracked information is only used to tune the search engine. While that sounds like a noble task, what if I am uncomfortable with having personally identifiable information combined into custom or targeted search queries? Why is there no way to opt out of their reach (even DoubleClick had this)? Herein lies my biggest concern and why I recommend privacy concerned people seek alternatives. I’ve stopped using all things Google whenever possible, and am considering adding their entire netblock to my egress filters, except for testing purposes. While Google is an innovative company in some respects, I don’t trust the motives of an advertising company. Are they any better or worse than the others? There’s probably no way to know for sure, but at least the others are forthcoming.

23 Responses to “Google Ranked Worst In Privacy”

  1. David Says:

    I thoroughly agree. I’m pretty much convinced I’ll block them from my personal Internet activity entirely. They want me a lot more than I want them.

    Great post. A great deal to chew on - as always.

  2. olli Says:

    I think I’ll be stopping using Google. Only a few days ago I realized that when I logout from gmail.com I still end up being “logged in” google.com, in a domain where I never wanted to login in the first place!!! This made me disable cookies on google.com, although I’d rather find an alternative which doesn’t profile my personal information without a permission.

  3. Jeremiah Grossman Says:

    You punk! Now ya tell me. After you turned me into a blogger and using “blogger”! ahahah. :)

  4. Mephisto Says:

    LOL @ J.G…we’re all screwed now!

  5. eastwind Says:

    There’s no such thing as a free lunch. In this business model, end users are more of a livestock product than they are customers.

    The trend now is towards full scale factory farming. Trap animal like humans, hook them on the taste of their own vomit to make content creation cheaper. Keep them alive and milk regularly.

  6. TarraDog52 Says:

    Great post, but I don’t think any of this will stop me from using google products… Well I don’t have any google accounts and don’t use any of their applications, but I do use their search engine and their ads are everywhere. As you said, it’s hard to avoid google tools. I haven’t gone into the report in any great detail but I noticed that Yahoo received the second lowest privacy grade. Google may not be the best at protecting users data, but it also seems other companies aren’t doing a great deal more on the privacy front. Therefore it’s hard to protect your privacy anywhere you go on the Net.

    Don’t get me wrong, I’m not taking sides with Google but I also think that they are not the only company that needs to do a great deal more with security to protect it’s users.

    I like to think that I know more about security than the average user (who most likely doesn’t know that much), but along with them I think I’ll continue to take my chances…

  7. Anton Chuvakin Says:

    This looks to me like an opportunity to SCREAM: “You have no privacy, GET OVER IT”

    So they collect and analyze data on us - great. So? :-)

    Yes, one can create nightmarish “New 1984″ scenarios but then again you are much more likely to get something useful out of it.

    My conclusion on this: overoveroverblown concerns.

    It reminds me of the recent blooper by some guy who said “blogs are the evil guys’ tool” :-)

  8. Andrew Hay Says:

    For a company that prides itself on a “do no evil” motto they don’t understand the concept of protecting their user base.

  9. Juan Valdez Says:

    To play devil’s advocate, how long does this site keep its own web logs around and how are they protected? Based on the “1000 Cutts” post, you are keeping IP addresses and comprehensive logs for at least 6 months.

    From a security perspective, keeping this data is just showing due diligence. However, just because Google is a big company doesn’t mean that the same privacy standards shouldn’t universally apply to anyone logging personally identifiable information, which includes this site. Call it the categorical imperative of privacy.

    For the sake of discussion, what is your own data retention policy? Are your logs secured on a independent system? Are they anonymized? Can users request to have their IP address purged from them? Do you have a privacy policy that guarantees that you won’t sell log data to third parties?

  10. Bipin "3~" Upadhyay Says:

    “Do no Evil” is a motto of past, I guess.
    Today’s (somewhat apparent) motto would be: “Do no evil. If there is any, close your eyes”.
    I agree that they may not be the only one to “do a great deal on security”. But then how about the famous one liner, “…with every deal, Google is buying yet another piece of the internet.”

    And no!
    No security concern is ever overblown, IMHO.
    We should keep in mind that most people have their complete online-life (and sometimes offline-line) just ONE SINGLE password away (the issue of many-accounts-one-password, quite obviously).
    …and that’s where the issue gets critical because it’s not just any other company. It’s Google. It has it’s presence on almost every page (a li’ll exaggeration :) ).

  11. beNi Says:

    Haha, great post.

    Googles politics in handling with security issues really sucks:

    One day I found https://www.Google.com XSS issues (http://mybeni.rootzilla.de/mybeNi/mXsk1/wp-content/uploads/2007/02/google.png)
    and reported them to their team. No response on the “direct” way.
    Then I placed a comment at Matt’s Blog and a Google employee asked me to give them the information, I did - A huge fault as I have experienced:

    - They gave me NOTHING in return for this flaw. NOTHING! As you perhaps know, such a vulnerability is thousands of $$$ worth if sold in the underground. I wanted to help them and all I got is nada.. except of a “Thank You” by a lowlevel employee of the Google Search Quality team.

    - After the Disclosure of another GMail Vuln they banned my google Account

    That is enough for me to never help this company again, and IMO a lot of security researchers are thinking exactly the same way.

    Hard lesson though, but learned.

    -beni

  12. RSnake Says:

    Juan Valdez - that’s a terrible argument (and again, finger pointing rather than dealing with the real issue - you and Matt Cutts should hang out, if you want his number, just ask). However, since I am accused, I will deal with your questions directly, rather than more finger pointing. See how non-hypocritical I am? This is a hacking site. Of course I log everything about you and I post about doing that exact thing regularly - look at two blog posts before this one for an example of this. If you want to compare Google to ha.ckers.org (which is doing tons of real-time and after the fact forensics on all the people who visit the site to demonstrate malicious activity) that’s probably a good comparison in terms of what you shouldn’t be okay with. If that’s your thing, then you should have no reason for concern.

    I don’t anonymize anything, I keep data forever - except what gets accidentally deleted due to our rather shoddy backup strategy we have had and the frequent hard-drive failures we’ve had on these old machines. I’ve said a number of times that if you do something stupid on or with this site I’ll happily hand anything over to the police that they ask me for. I have no privacy policy nor will I ever instate one for this site. You cannot expect to have privacy on this site, given that the entire function of it is to protect itself, do forensics on the thousands of hack attempts we get per day and talk about the findings. It’s _supposed_ to be malicious - at least for demonstration purposes, and drawing a correlation between this site and Google is borderline insane, where if I do it, it’s okay for Google to. Seriously, you cannot think that’s a good idea. But if you do let me just say, if Google is a big version of ha.ckers.org they are _definitely_ evil (multiply my reach by millions).

    However, in terms of what I actively do to “find” people, it’s non-existent unless there is something harmful to the system in progress, or to prove a point (in your case, I found out some info about you, because I think you are being subversive in your anonymity, but we’ll get to that later). I don’t read private messages on Sla.ckers.org (yes, I know how, I just don’t). I don’t crack the passwords (again, it’s easy, it’s just not my MO), I don’t de-anonymize people, I don’t log information that comes out of MR T, I don’t do OS fingerprinting, or dump the HTTP headers to disk, or do history theft, etc, etc… So while I could be hugely nefarious, that’s not what this site is about. It’s a lab. It’s a lab that details how evil companies like Google can be when they want to. Making a direct correlation between this site and Google is making a very poor relationship to a hacking site with 20k users a day making about a few hundred a month and a publically traded company making billions of dollars off of it’s millions of consumers. One privacy flaw is understandable the other is un-excusable. I should hope you understand the difference.

    That said, I always encourage everyone to use as much caution as possible when visiting this site and indeed every site everywhere - use anonymous proxies, randomize information as much as possible, use unique passwords and secret answers and make the task of anyone who may be interested in those logs’s job incredibly difficult, etc… While I support the people on this site, I will not be able to protect them, I have neither the legal funds to fight the legal system nor the time. Also, something we’ve long known is that eventually this site will get hacked (it’s just a certainty despite the crazy precautions we have in place - and even more coming) and if you aren’t protecting yourself, any one of the tools/techniques I talk about could be made evil and be used against you. About selling information to other companies - trust me, if I wanted to make money illegitimately or by subverting my users, there are far FAR better ways to do it. I guess you simply have to trust that we aren’t idiots, but if you don’t you are welcome to stop reading this site, really. I couldn’t care less. We don’t make any sizable money with this site, so a decrease in user traffic is only a curiosity, it’s not impacting our livelihood.

    ——— FIN ———

    So, Juan Valdez, now that I’ve answered your questions honestly, it’s your turn. As the only post you referenced was about a Google employee, you are responding to a post about Google’s privacy failures, you use Google’s RSS reader, you used Google to find content on this site more than once, and you are coming from the Bay Area, in the spirit of full disclosure, I must ask, are you in the process of drinking the Kool-aid, sir?

  13. ChosenOne Says:

    Overreacting? @ RSnake.
    Exposing Juan like that, seems a little harsh to me.
    I’m also wondering, how one makes money with an ad-free web page :o

    Now regarding the blog entry:
    What’s the conclusion on Googles weak security measures? Not-using Google, sounds weird..now to be honest: Which alternatives are there, considering the weak reasults of other search engines?

    Regards,
    ChosenOne

  14. Torstein Says:

    I now request the “How to stop using Google”-tutorial.

    I’m at the point where not using Google seems umimaginable. Gmail, Google Docs, Analytics, Seach, Calender, Maps and the ones I forgot are used at least on a weekly basis.

    What to do?

  15. beNi Says:

    Suspend your GMail account and get another Email address.
    Believe me, GMail sucks

  16. RSnake Says:

    ChosenOne - I don’t think I’m over-reacting. If someone has something negative to say to me, I am willing to allow the comment so that everyone else can read it too. But I am well within my rights, and indeed compelled to respond to defend myself. I am in no way obligated to listen to Google’s employees defame the site, while they refuse to honestly answer the same questions they pose to me. I hardly posted his docs, but I also thought it relevant that he is at least affiliated with Google. To me that frames his argument. Maybe you don’t see it that way, but I think others would agree.

    To answer your other pointed question, “how one makes money with an ad-free web page” I’m not sure if you mean this page or some other page. This site makes nowhere near enough money to cover its own costs. But our business covers that cost, because I think the research done here is important enough to warrant the cost center. Ultimately it’s my money that I’m spending, so it’s up to me how that money is spent - besides it started as a fun hobby. If you are talking about some other page, I’m not sure I can answer that question without a specific example.

    Now onto the good part of your post - in my opinion (and take that opinion with a grain of salt) the Google search engine is less accurate and has less information than Overture which is owned now by Yahoo (esoteric information is 90% of what I’m after so Google is way less useful than Overture to me in that regard). At the time I switched from Altavista to Google’s search engine it was the best (I was one of the first people telling everyone to go use it). I am also one of the first people to notice that Overture’s search engine quickly surpassed Google’s in terms of information and search quality. So if that’s the only reason you are using Google go visit http://search.yahoo.com/ If you’re really interested in search engines as a whole go check out http://www.searchlores.org/ (warning, it may take days to get through this site and it’s a little out of date in parts so check the date of each article).

    Torstein - I don’t use any of that stuff on Google. There are tons of variants of almost everything you listed out on the web. I don’t know what to tell you other than if you want alternatives for any one of those they are out there.

  17. Mephisto Says:

    I agree with RSnake on this one. If you are going to come here and lay down accusations of hypocrisy, criticize and compare this site to google. Then lay it all out on the table, debate the issue openly. According to the information RSnake shared about “Mr. Coffee”, I don’t think he overreacted, and I don’t think he disclosed anything that couldn’t be discovered on any other site that tracked it’s users in the same manner. I suspect “Mr. Coffee” is only defending his company (Google), and he’s attempting to do it in a very poor manner…Pointing fingers is not a defense.

  18. Juan Valdez Says:

    You missed my point: Privacy standards should be universal. You can’t make the argument that “Oh, gee. This is a lowly hacker web site, so it doesn’t matter.” It does matter.

    Why does this matter? Let’s supposed you were subpoenaed. I’ll assume you lack the legal resources to fight a subpoena and that you wouldn’t stick your next out to destroy logs ex post facto. Because you’ve kept detailed, personally identifiable information in your logs and those logs are not secured, your users are at risk.

    This is not meant to pick on you or defend Google. I am not trying to paint you as a hypocrite — you are doing what everyone else does. The point is that when talking about privacy, we should apply the same standards across the board. We should be trying to improve privacy practices at Google, Yahoo, at ISPs, and yes, even on small sites like this.

    On a side note, there are plenty of privacy-enhancing technologies that can address some of the problems.

    As for your sleuthing skills, they are laughable. I gather coffee beans each morning with my trusty goat. But, I’ll admit I have friends who’ve drunk the kool-aid and who know more about the issue than you.

  19. RSnake Says:

    Juan Valdez - so you are concerned about my visibility into my user’s traffic, but Google’s (which is far more wide reaching than anything I could ever hope to have) is okay? I have to believe that’s not what you really think as that doesn’t even sound reasonable, logically. I never said it didn’t matter that I have these logs, it does matter - you and I agree there. I shouldn’t be able to do this, but if I am, think about what a major company can do. You should be outraged, but you and your “friends” seem to be pretty complacent about the whole thing. However, at least there was some admission of guilt by reducing the number from 18-24 months down to 18 for data retention. Yay. There’s a huge win for privacy. :-/

    Yes, I do lack the legal resources to fight a subpoena (as stated previously) and even if I didn’t I wouldn’t waste the time/effort and would *gladly* give it over to the police if they asked (I also said this as well above). I think you may have missed a paragraph or so of what I wrote above. Please re-read. Yes, my users are at risk. Huge risk. They should take appropriate precautions, I’ve told them this every time it comes up. I do not attempt to hide this fact in any shape or form. I talk about this fact regularly on sla.ckers.org and here as well in case anyone misses it. Perhaps I do need to write an anti-privacy policy just so people realize how dangerous this site could be. I was sort of hoping the wall of shame was clear enough, but maybe not. I’ll think about it.

    I’m not sure why you said “you are doing what everyone else does” and that’s somehow okay, though. It’s most certainly not. I shouldn’t be able to correlate any information about you at all, but yet, there you have it. I think your statement, “We should be trying to improve privacy practices at Google, Yahoo, at ISPs, and yes, even on small sites like this.” is where you and I agree completely and that’s what this post is about - waking people up to the privacy atrocities out there that they take part in mostly unknowingly every day by using Google products. In lieu of others taking up arms against how our data is being used, I personally boycott Google whenever possible. I have told their staff this much too - my stance towards them is not a secret to them and if more people voiced their outrage I think they would be forced to be more responsible. Given that they have been independently assessed as “the worst” I think we should start there and work our way up the list of offenders, don’t you?

    Let’s assume your friends know more about this than I do (and I would hope they would as they are the ones using all the data), why don’t they speak for themselves? I’m open for a debate. Let’s lift up our veils and do this publically instead of having everyone else conjecture about their ethics. I’d like to hear some answers directly from their mouths. You heard my honest answers, I want theirs.

    For instance, I’d like to get an answer to a question pertaining to this quote: “After considering the Working Party’s concerns, we are announcing a new policy: to anonymize our search server logs after 18 months, rather than the previously-established period of 18 to 24 months. We believe that we can still address our legitimate interests in security, innovation and anti-fraud efforts with this shorter period.” “We also firmly reject any suggestions that we could meet our legitimate interests in security, innovation and anti-fraud efforts with any retention period shorter than 18 months.”

    Firstly, I’d like to point out that not all innovation is welcome. Some innovation is purely unethical, so I personally don’t take innovation at face value, for as nice a word as it is. Unlike Google I could delete all my logs today and it wouldn’t have any effect on the “security” or “anti-fraud” (if those are different) tactics of this site whatsoever. In fact it would clean up some disc space so I might just do it anyway out of house-cleaning. Honestly, anything more than a week of data is pretty pointless for everything we do except in the off chance that I need to teach Matt Cutts how to surf the internet securely. ;) I do log robots indefinitely, as they have interesting long term traffic patterns, but I’m not too worried about breaching a spider’s privacy. I don’t think they’ll mind too much, what do you think? ;)

    So here is my one simple question for Google. Why 18 months and not 17? Clearly Google stated 17 months is “firmly” rejected. If someone _at Google_ can give me an honest and complete answer to that question, I’d acquiesce. Until then, I’m going to have to call foul on the do no evil propaganda as all of the evidence I have seen, and three other independent parties have gathered (Privacy International, EPIC and the FTC), points to contrary moral standing.

    P.S. I am sorry for “sleuthing” you - it was to a prove a point, and one I think was lost amongst a more interesting issue, regardless of who’s Kool-aid you may or may not be drinking. Frankly it’s not even relevant where you work. The questions are currently unanswered and no amount of finger pointing to this site, Google’s competitors or anywhere else changes that. Still, my apologies - I felt bad about it after reading your response.

  20. MustLive Says:

    Google not just have problems with privacy, but also have problems with security.

    As I wrote in Month of Search Engines Bugs project:

    MOSEB-15: Vulnerabilities at images.google.com
    http://websecurity.com.ua/1049/

    MOSEB-15 Bonus: Vulnerability in Google Custom Search Engine
    http://websecurity.com.ua/1050/

  21. Kenan Says:

    i dont like google its big thief in my opinion dont use any app from google …

  22. notme Says:

    Yeah, so, checkout froogle.org if you still want google search results.

    My vote is against Google. I’ve been saying this since they started big in the ad industry. I loathed gmail. Using Google docs is more embarrassing than walking to the train station naked.

    I don’t like ads. I don’t like salesmen. I don’t like marketing. I don’t need them. I don’t use them. I don’t listen to them. I don’t care about that bullshit. They are not providing me any service. I am getting nothing from them.

    When I walk into a store, I always ignore the salesman. He’s bound to know less than I do about what I want. My friends are free to ask my opinion. I give it freely. Contrast that to a salesman who is paid to.

    disclaimer: adverts, marketing, and salesmen, probably have their place. However, currently in certain countries where money is God and consumerism is Religion, it’s over the top.

  23. Nogo Ogle Says:

    After a visit to picasa at google, my formerly safe netbook turned into a piece of keylogging crap. I do ALL my banking and brokerage online, and fell victim to scum posting “make money on google” popups, search popups, browser redirection/hijacking to alien sites (including when I went to the FTC site or my own employer, the Department of Commerce)- all determined to f-up my own personal and professional business online. These goons deserve not only removal from China but hot pokers up the ass. Hey google a-holes- get out of my f-ing life and DIE! Make an honest living like even Microsoft compared to your stinking space consuming selves. Pay for fixing my gear, while you’re at it, jerks!