Thursday, 24 May 2007

Google – "Don’t be Evil" - My Arse!

I continue to worry about Google and where they are going; for a company that has an informal motto of “Don't be evil”, they potentially are doing some evil things. Don’t get me wrong, I think Google is by far the best search engine there is; I have been using it as my default search engine since the late 90s, just after they went live. One of the reasons I preferred them over the dominant “Yahoo” search engine in the early days was that Google was just a simple search engine; the search engine page didn’t have loads of crappy media bits and adverts around it, a huge plus in those low bandwidth modem days. These days Google are offering many extra services, and to be fair most are free to the user, but don’t worry, they make plenty of money from advertisements. Some of these extra services are going to give Microsoft some decent competition for once, which is a big plus in my book.

So what are my concerns?

Well, first of all, just in case you didn’t know, Google record every single search you type in. They know your IP address and whether you are on a specific computer. Why do they do this? Well, Google say they record this information for “research purposes”. It’s a bit too 1984 for me.

For example if I search for “IT Security Expert” on Google, the following is created and stored on the Google servers. - 24/May/2007 13:24:34 -

As you can see, my IP address (not my real IP address of course), the date and time of the search, what I searched for and a unique id for my computer are all taken. It's easily possible to trace the IP addresses back to geographic areas, or even to specific users through ISPs, and they could go on to identify you by your specific PC.

The US Government have already tried to make Google hand over this data without success, but who knows if that will change in the future; it’s pretty scary to consider what the US government might do with this info. Who knows what behind-the-scenes deals have been done between Google and the US Security services. I suppose if it stopped terrorism it could be a good thing. I am not saying whether this is right or not, too many ethical issues for me; my beef is the fact this record keeping by Google doesn’t appear to be common knowledge with the masses.

Google say the collected search data is anonymised after 18 to 24 months, they delete the IP address and the computer id part. For me a statement of “18 to 24 months” sounds a bit wishy-washy and I can’t help but wonder if it actually happens, who’s there to make it or prove it, and what about data backup, do they wipe that as well?

Another aspect to Google is their increased use of censorship. The other day they censored essay writing websites. I certainly don’t believe in the practice of plagiarism, but should Google have the authority to ban any web site they see fit? It sets a dangerous precedent in my mind, as the Google China site blocks plenty of western and human rights content at the request of the Chinese government. I wonder how many hits a search for the “Dalai Lama” would get on Google China, for example. Sure, there’s the Great Firewall of China that fits around Chinese Internet access, but for me the practice with the China Google site represents an interesting examination of Google’s ethics as a company. Speaking of questioning Google's ethics, Google has bought a genetics company. And incidentally the owner of the genetics company just got married to a Google co-founder.

Google are now going into the area of offering online “office” applications, leading to users storing their personal data files online. Web applications in general are full of security vulnerabilities, and they probably always will be, while storing your personal data online does not sound like good practice to me; I certainly wouldn't trust it to keep my files secure. Take Google’s online mail application (GMail), which is basically an online version of Microsoft’s Outlook: it has calendar functionality, and like the Outlook calendar, you can share a calendar and make it public. Guess what, you can easily search all public calendars held by Google, and it’s astonishing what information you can find. Searching for “passcode”, for example, returns loads of company conference call details, with the conference call number, subject, the passcode, date & time, company name and conference topics; there is nothing to stop you sneakily joining the call! While checking this out, I even found one conference call for a major “Network level” change for a well known large organisation. Hardly a good track record on protecting your personal data online by Google, is it?

To finish on a positive note for Google, I really like that Google search results are now flagging up websites which have potential malware embedded in them, warning the user before clicking through; it probably won’t be long before they start censoring those too. There’s a question: why don’t they just ban them? Arguably they are just as harmful as exam writing websites…


Dave Whitelegg CISSP said...

And would you believe it, Google's privacy policy was questioned again today. The following is courtesy of the BBC News website...

Google queried on privacy policy

Google has been told that it may be breaking European privacy laws by keeping people's search information on its servers for up to two years.
A data protection group that advises the European Union has written to the search giant to express concerns.

The Article 29 group, made up of data protection commissioners around the EU, has asked Google to clarify its policy.

Peter Fleischer, Google's global privacy counsel, said the firm was committed to dialogue with the group.

"We believe it's an important part of our commitment to respect user privacy while balancing a number of important factors, such as maintaining security and preventing fraud and abuse," Mr Fleischer said.

"This group has addressed a letter to Google raising a number of questions," EU spokesman Pietro Petrucci said, adding that the Union's Justice Commissioner Franco Frattini was backing the investigation.

"He considers those questions raised by the letter to be appropriate and legitimate," Mr Petrucci said.

A spokeswoman for Google said the firm would answer the EU's privacy concerns before the panel's next meeting at the end of June.

"The concern is about keeping information about people's search for a definite period of time ranging from 18 to 24 months," she said.

"They (the working party) believe it is too long."

Data retention

Earlier this year Google said it would anonymise personal data it receives from users' web search after 18 to 24 months.

At the time, the firm said it was taking the step partly to match data retention laws being rolled out across Europe.

European Internet Service Providers (ISPs) and phone companies are in the process of implementing an EU directive that forces them to retain a variety of communication data for up to two years.

Google collects and stores data from each query. It holds information such as the search term itself, the unique address of the PC being used, known as the IP address, and details of how a user makes searches, such as the browser used and previous queries to Google.

That information can contain private data about a user, and could be used to build a detailed picture of the user's habits or lifestyle.

Google has said it was using this information to help improve its different services and to monitor how its search engine was functioning.

Privacy groups are concerned about how the data collected by Google, and other web firms, could be used to monitor people's online habits.

Anonymous said...

I certainly have no trust in Google. You said it correctly, that they are just too 1984ish. They keep all info - forever - for no purpose? How believable!!!

For the good it does, I use Devilfinder or other similar services when searching. They at least state that they don't keep your records.