Questioning Google's Privacy Reform
Posted by Soulskill on Sun Sep 14, 2008 12:35 PM
from the how-private-is-private? dept.
JagsLive makes note of a story questioning whether Google's recent commitment to anonymize IP logs faster is really as good as it sounds. We discussed their announcement a few days ago. CNet's Chris Soghoian takes a closer look:
"While the company hasn't said how it de-identifies the cookies, it has revealed in public statements that its IP anonymization technique consists of chopping off the last 8 bits of a user's IP address. As an example, an IP address of a home user could be 173.192.103.121. After 18 months, Google chops this down to 173.192.103.XXX. Since each octet (the numbers between each period of an IP) can contain values from 1-255, Google's anonymization technique allows a user, at most, to hide among 254 other computers. ... Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses. By itself, this is a laughable level of anonymity. However, it gets worse."
Related Stories
Your Rights Online: Google Will Anonymize IP Logs Faster 97 comments
An anonymous reader writes "The BBC reports on some changes to the data retention policy at Google in response to pressure from European authorities, but also included in the article is information about why Google claims they need to retain non-anonymised data for so long. Improving services, sure, but preventing fraud? Aiding 'valid legal orders'?"
Reader s0ckratees points to some commentary on the change at Google's official blog. The upshot: IP addresses in Google's logs will be anonymized after nine months, rather than 18 as previously.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Well (Score:5, Insightful)
Do all those whining about this anonymize their own server logs? Because I sure don't.... they are doing this to keep the mob away, that's it.
Re: (Score:2)
Re:Well (Score:5, Insightful)
That's kind of the point. We want to make an informed decision about the costs here.
Without hearing about "this bullshit", you cannot make an informed decision. Imperfect information damages capitalism; and the more imperfect the information, the more damage is done.
There's also another aspect. Just about everybody wants everything to be better than it is now. This is a way this could be better. So we ask for it to be better. The argument can be paraphrased as:
A: Good enough is good enough
B: Yes, but better would be better.
Re: (Score:3, Insightful)
+1 Insightful, cuts right to the heart of the matter.
As Google's presence on the Internet becomes more and more significant, specific details on how their operations can affect us become more important.
Re: (Score:2, Insightful)
I'm shocked. Terrified in fact. If your site, with all the traffic you see, is keeping logs then we should just completely give up on trying to get Google to improve its privacy policy and make you priority numero uno. After all, what Google knows about the web and its users can probably be stored on one cylinder of one platter of the tiniest server in your data centre which extends to every horizon.
sorry; which site?
P.S. if you RTFA, you might find out that Google, whilst maybe not particularly wel
Re:Well (Score:5, Insightful)
Do all those whining about this anonymize their own server logs? Because I sure don't.... they are doing this to keep the mob away, that's it.
What do our server logs have to do with Google's?
The principle may be the same, but the scale is so vastly different that the practical consequences cannot be plausibly compared to one another.
Subpoenaing logs for IP 123.456.789 from Google is not the same as getting logs from icanhascheezburger.
Re:Well (Score:5, Funny)
Subpoenaing logs for IP 123.456.789 from Google is not the same as getting logs from icanhascheezburger.
I'm not sure whether you're qualified to talk about IPs given this example IP.
Re:Well (Score:5, Insightful)
yea, also i don't think the author of this article understands statistics.
if Google changes random bits in the IP address even before they remove the last byte at 18 months, that would already make guessing the original IP address near impossible since you don't know which bits were changed.
if they only changed 1 bit in the entire address, then there would be 32 possibilities, but if they changed 1 bit in each octet, then there would be 4096 possibilities. if they changed 2 bits in each octet, there would be 614,656 possibilities. if they changed a random number of bits in each IP address, then the possibilities grow even larger. and this isn't a login password or encryption scheme. there's no way to brute-force the original IP address from the anonymized IP address even if only a single bit was changed.
this is just more unwarranted alarmism. google has stated that they are working on developing a method of anonymization that would protect user privacy while retaining the useful characteristics of their log data. frankly, as long as they're not giving up user data to 3rd parties anonymization is a non-issue.
Re:Well (Score:4, Insightful)
I didn't see any mention of random bits being changed in the article.
Re: (Score:3, Insightful)
I didn't see any mention of random bits being changed in the article.
Not to mention that, IMHO, 'anonymizing data' is not the same as 'making the data anonymous'.
Anonymizing data = preventing it from being personally identifiable
Anonymous data = scrubbed of all context
http://www.answers.com/anonymous [answers.com]
3. Having no distinctive character or recognition factor
You can anonymize data and still retain geographic and/or demographic data.
Who cares about the IP? (Score:5, Insightful)
Everyone makes it much easier than matching IP addresses... As the article discusses, many people use Google logins for e-mail and other services. This is a much more reliable way to track all of your information.
What I'd like to see is some significant differentiation between logged-in and logged-out states and the level of anonymity that is provided in each case.
But really, if you're voluntarily storing your stuff on someone else's server with the known understanding that they're parsing it for ad matching, what kind of privacy expectations do you really have?
--
Hey code monkey... learn electronics! Powerful microcontroller kits for the digital generation. [nerdkits.com]
Re:Who cares about the IP? (Score:5, Informative)
What I'd like to see is some significant differentiation between logged-in and logged-out states and the level of anonymity that is provided in each case.
There's no difference.
Google sets a tracking cookie.
That cookie gets tied to your current IP.
If you log in, that gets tied to your login name.
Logging out doesn't undo the log entry saying IP 127.0.0.1 = cookie 34kl5j2345 = compumike@gmail.com
The spread of google-analytics makes avoiding their tracking cookie all the harder.
Hide (Score:4, Interesting)
I'm on IPv6, so I hide behind ::1/128
Re:Hide (Score:5, Funny)
If you're using google services from IPv6, it's even easier to figure out who you are.
I mean, it's either you or the other guy...
Uh huh, yeah, whatever. (Score:5, Informative)
Don't trust anybody what they say about your "privacy".
Install Firefox 3, AdBlock+, noscript, and torbutton.
You want complete anonymity, click torbutton (you have to set up tor). You're now damned hidden. No cookie leaks and stuff.
Tor is not a solution either (Score:5, Insightful)
except, of course, that with Tor, the egress routers can (and probably do) look at your unencrypted communications, which often can be traced back to you, too.
If you want reasonable anonymity, you need to buy VPN access from a source using a non-traceable payment method. And, of course, they can still correlate your online activity on various sites. A single unencrypted Yahoo Mail or GMail session will unlock your entire usage history.
Re: (Score:2)
This is only true if you give personal information out which is rarely the case. Also, Tor scrambles the relays each 10 minutes.
Anyway, for managing your funds I wouldn't recommend Tor. Just directly go to the website.
Re: (Score:2)
Soooo... a) don't visit sites with accounts you care about (may break the account) and b) particularly not with accounts tied to your real identity (breaks anonymity, which is the point of tor).
Not every cookie can be considered personal information. I may leak a Google cookie during a Tor session, but since it's a "temporary" one which is generated for this one session and deleted at its end, I couldn't care less.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Yes but will the leechers really give money? They are leechers you know...
Also, I kind of understand most of them. I would have no problem with setting a relay for the Tor network if I used it but owning a relay that is also an exit point to the Internet would be a problem.
I wouldn't want to be responsible for everything my own IP would do on the net...
Re: (Score:2)
Seems like a bad idea to have a single organisation providing a significant number of servers. Although placing them in several countries reduces the risk of bad guys (the gubment) to get hold of all of them.
Re: (Score:2)
"Don't trust anybody what they say about your "privacy".
Install Firefox 3, AdBlock+, noscript, and torbutton.
You want complete anonymity, click torbutton (you have to set up tor). You're now damned hidden. No cookie leaks and stuff.
"
I do not trust you. So I will not do this :)
Re: (Score:2)
Whatever floats your boat.
That's why the source is open. Make your own decision.
Re: (Score:2)
"Make your own decision."
Shit! Now I can't make a decision! Damn you untrustworthy person!
Re: (Score:2)
Re: (Score:2)
If more people set relays, no.
Also, I2P is coming out eventually. They need more developers though so... heard that, Slashdot?
I2P: http://66.111.51.110/ [66.111.51.110]
Re: (Score:3, Informative)
And you linked to an IP address, why?
http://www.i2p2.de/ [i2p2.de]
The picture sucks, though -- I think I know how it's supposed to work, but looking at that, I have no clue what it's trying to say.
Re: (Score:2)
Your link worked. Downloading I2P now. Cheers.
I2P will never get out of beta. (Score:3, Insightful)
The problem is that to enter I2P you need an i2p gateway to connect to. It's like TOR but reversed: TOR nodes let you get from the anonymous net to the outside world... I2P gateways let you get from the outside world to the anonymous net. So what happens when these addresses get banned?
No matter how you look at it, if it ever gets popular it will be declared illegal by governments for supporting "terrorism or other illegal activities" (such as p2p, doh) and they'll come out with "if you have nothing to hide
Re: (Score:2)
Well, I've tried downloading I2P several times already in the past n months and I always encounter the same roadblock - the download link for the I2P installation from dev.i2p.net always takes too long to respond. Has anybody got around this?
Re: (Score:2)
I noticed that, too. Maybe we could convince Google to create a TOR service?
Just kidding.
Why does Google risk customer relations? (Score:4, Insightful)
In the internet age, companies' luck can change quite quickly. Please Google, just get rid of those logs quickly and completely..
Re: (Score:3, Informative)
That said, at least they are working on the issues rather than just ignoring them completely, as most companies do.
And second, that AOL leak wasn't really a leak. Instead they purposefully released the data for research purposes, thinking that a random,
I'm appalled that anyone expects privacy at all (Score:3, Insightful)
Sure-- it's a great thing. But Google and Yahoo and myriads of other online sites live and die for your IP address, so that they may serve you better-- after running you through great behemoths of analyticals. Anonymizing after such a time serves no one's real privacy interest. Anonymizers have the ability to help you peruse privately, but even those are becoming easier to predict-- making anonymizing increasingly difficult. It's best to start your own botnet if you really want to be anonymous these days and this is just what a few good anonymizers do. Face it folks, Google's not trying at all and is financially compelled not to do so.
Re: (Score:2)
"Anonymizing after such a time serves no one's real privacy interest."
Do we really want Google to become a one-stop shop for all of law-enforcement's "what did this person search for this year" needs?
What have you done with Slashdot? (Score:2, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Oh crap! I'm screwed then because I own my entire Class-C netblock! Stupid sexy last octet....
Re: (Score:3, Informative)
Err???
255.255.255.0 doesn't give 256 host addresses ;)
One for broadcast, one for network so 254 is the number you're looking for...
Why do they keep them at all? (Score:2)
These issues concern me, but I admit I do not know much about this. How about I do a search and you keep nothing? Does any search engine provide that?
Re: (Score:2)
Ask.com has AskEraser. Here's the description. [ask.com]
Re: (Score:2)
These issues concern me, but I admit I do not know much about this. How about I do a search and you keep nothing? Does any search engine provide that?
Basically you're asking does any search engine spend millions of pounds and not expect to extract any financial worth out of its relationship with you ...
Maybe in Soviet Russia?
Anonymizing IP info properly. (Score:4, Interesting)
I have something that actually does anonymize IP data. I need a roughly unique identifier for web sites for load balancing and queuing purposes, but don't need to identify the remote site. So I run the IP address through MD5, the cryptographic hash, then take the absolute value, then reduce mod 1,000,000. So the world of IP addresses is mapped into 0..999999. About 4000 IP addresses map to each number, but they're spread pseudorandomly across IP space.
So there's no real problem doing this if you just need enough info to make your server farm run smoothly. Of course, Google wants more.
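As an added illustration (not code from the poster above or from Google), this sketch compares the two labelling schemes discussed on this page: the low-bit truncation quoted in the story and the MD5-mod-1,000,000 bucket described in the comment above. The way the digest is turned into a signed integer is an assumption, since the comment does not specify it; the helper names are hypothetical.

```python
import hashlib
import ipaddress
import struct

def truncate(ip: str, bits: int = 8) -> str:
    """Zero the low `bits` bits of an IPv4 address, as in the quoted scheme."""
    mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

def truncation_candidates(bits: int) -> int:
    """Addresses sharing one truncated value (network/broadcast included)."""
    return 2 ** bits

def md5_bucket(ip: str, buckets: int = 1_000_000) -> int:
    """MD5 the dotted-quad text, read 8 digest bytes as a signed integer
    (assumed layout), take the absolute value, reduce mod `buckets`."""
    digest = hashlib.md5(ip.encode("ascii")).digest()
    (signed,) = struct.unpack(">q", digest[:8])
    return abs(signed) % buckets

def labels_in_subnet(cidr: str, label) -> int:
    """Count the distinct labels a scheme assigns across one subnet."""
    return len({label(str(a)) for a in ipaddress.IPv4Network(cidr)})

if __name__ == "__main__":
    ip = "173.192.103.121"  # example address used in the story
    for bits in (6, 7, 8):
        print(bits, truncate(ip, bits), truncation_candidates(bits))
    print("bucket:", md5_bucket(ip),
          "average addresses per bucket:", 2 ** 32 // 1_000_000)
    net = "173.192.103.0/24"
    # Truncation gives every neighbour the same label, so the subnet (and
    # with it ISP and rough location) survives; the hash scatters neighbours.
    print("truncated labels in /24:", labels_in_subnet(net, truncate))
    print("hashed labels in /24:   ", labels_in_subnet(net, md5_bucket))
```

The difference that matters is locality: a truncated address still names one specific subnet, while a hash bucket's candidates are spread across the whole address space.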
Re: (Score:2)
Re: (Score:2)
If you include zero, you're going 256 minus two, that's 254 usable, everyone says 253 usable because everyone's used to having the default gateway being "at the providers" and therefore unusable. But if you're delegating a /24 to internal use, you'll have 254 usable ips, counting the router you're using for that subnet.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
And if it's part of a bigger block the 0 and 255 are possibly usable, depending on where in the large block they are.
Re: (Score:2)
What benefit does Google have to semi-anonymize after 9 months, then "fully" anonymize after another 9 months?
They get 9 months longer to attempt to tie that data to a username on some other Google service.
Once they have it hooked to a username, ie if you logged into any Google service during use of that IP then they can throw away the IP (once they've tied it to the ISP and location of course) - so they know your @gmail.com email address (and your profile data) and can link that to your usage pattern, location and ISP .. why do they still need to keep your IP address then?
Re:It only gets worse (Score:4, Funny)
How are these "revelations"? A massive web-app provider HAS LOGS? No way! They might even do analysis of them for RESEARCH PURPOSES? How dare they! And if they are legally required to disclose them, THEY DO? The evil of it!