Greg Conti : Googling Security – How Much Does Google Know About You?

I can’t remember where I saw Googling Security reviewed*, but the review made a strong impression. It exposed at least a couple of the provocative tidbits in the book, like that even if you personally refuse to use Google’s Gmail service on privacy grounds, as soon as a friend sends you a message with Gmail, Google knows that you and that friend are associated. It might have mentioned that as soon as some searches for, say, your full name and the word “plumber” (or something much less innocuous) Google “knows” in some sense that there’s an association between you and plumbing (or something much less innocuous).*

Conti is a computer scientist who researches things like security and information disclosure. As this job description requires, he’s both sharp and paranoid. I bookmarked a dozen or so passages that showcased one attribute or another. He starts out by saying that he considers Google “a sovereign entity equivalent to a nation . . . because of its top-tier intellectual talent, financial resources in the billions of dollars, and world-class information-processing resources,” a viewpoint which strikes me as patently absurd. Throughout there are asides like, “every time an old friend contacts you from a webmail account, a little piece of your privacy dies.” But in the chapter on maps, Conti offers this provocative scenario:

Let’s say [your company] has 1,200 employees located at 10 locations, some not publicly known. Imagine mapping activity form the IP address ranges used by our corporate headquarters, as well as the other locations, all seeking directions from Ministeri Pistarini International Airport in Buenos Aires to the street address of a meeting site at the outskirts of the city. Because this activity is out of the norm, you’ve just created a unique set of characteristics that ties together your various company offices with a potentially sensitive meeting. You’ve also disclosed with a high probability, the travel plans of the meeting participants, as well as given a clue to the strategic importance of Argentina to your company’s planning.

In the chapter on cross-site tracking via embedded content, after dissecting the roles of the (many) sites involved in serving up content for a typical page, he makes the trenchant point that, “your real privacy in terms of visiting a web site is the equivalent of the worst [privacy] policy of all the sites embedded there.”

Far from accepting Google’s famous “don’t be evil” precept at face value, Conti continually ascribes the worst possible motivations to Google. He makes insinuating comments like, “Note that these are the publicly acknowledged uses of machine processing of communications. It is a safe bet that many other uses will never be discussed overtly.” In discussing the Google Analytics javascript, which has been through a “minification” process that makes the code hard to read, he saves the admission that “the density of code could also be seen as an attempt to reduce the size of the file, to improve response time.” He fails to mention that minifying javascript for performance reasons is standard practice for high-performance, real-time websites. Conti assumes Google (ab)uses information in ways it has publicly states it does not; one could imagine that at least some of the data mining Conti describes might be technically challenging even for an organization like Google.

But Conti makes another interesting point: Google won’t endure forever, certainly not in its current form***. The individuals who defined Google’s culture and ethics won’t live forever, and there is no guarantee that their principles will be adhered to indefinitely. If Google doesn’t, or even can’t, exploit data in certain ways now, it’s impossible to say with absolute certainty that that will always be true. This sorts of threat isn’t even hypothetical to me — when I signed up for a Flickr account, I was comfortable with Flickr’s privacy policy. I was not at all comfortable with Yahoo!’s privacy policies, which are the ones that matter now.

I don’t plan to make many changes to my web browsing habits as a result of reading Conti’s book, mostly because I already aggressively filter tracking cookies and minimize my use of problematic sites like FaceBook. But I did find it interesting and thought provoking, if sometimes a little shrill.

* I also didn’t remember the author or the exact title. I made a game of trying to track down the book without using Google, pretending that showing interest in this book might set some blackmark flag in Google’s servers. I searched on Amazon, Yahoo!, and even Bing. But I couldn’t track it down without recourse to Google.

** Or at least that someone is trying to establish a connection, which may be interesting in an entirely different way.

*** If nothing else, the end of normal matter in the universe will eventually impose significant changes on Google’s technical infrastructure.

needs more demons? I wouldn’t want to wish more demons on Conti; he seems to have enough of his own.

Published by therealsummervillain

likes: equality, making things easier to use, biking, jangle, distortion, monogamy dislikes: bigotry, policies that jeopardize people, lack of transparency

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: