Patriot Act Haunts Google Service

The Globe and Mail has an interesting piece taking a look at Google's latest headache, the US Government. Many people are suddenly deciding to spurn Google's services and applications because it opens up potential avenues of surveillance. "Some other organizations are banning Google's innovative tools outright to avoid the prospect of U.S. spooks combing through their data. Security experts say many firms are only just starting to realize the risks they assume by embracing Web-based collaborative tools hosted by a U.S. company, a problem even more acute in Canada where federal privacy rules are at odds with U.S. security measures."

Not just Canada...

[uid7306m]

Yup. In the UK, here, the Data Protection Act makes it legally dubious to put anyone else's data onto Google. Here, there's a responsibilty to protect personal data.

Unbelieveable!

[Flakeloaf]

You mean, if I enter personal information on a free web server run by some organization whose business model is the harvesting and sale of personal information, that my personal information might not be kept private?

Horror of horrors.

Re:Not just Canada...

[26199]

You could replace the word "Google" in that sentence with the name of any other company. You can't just randomly give out personal data to anyone if you're following UK law.

If it's part of doing business and done properly, you can do it. It's standard that when the recipient is an American company there is a "safe harbour" agreement that requires they follow the provisions of the Data Protection Act.

The question is, do crazy US laws make it impossible for US companies to respect the privacy of their customers?

Probably. Ho hum.

Re:VIRUS ALERT

[Anonymous Coward]

This has a spoofed link whose structure identical to this post http://science.slashdot.org/comments.pl?sid=496946&cid=22837250 [slashdot.org] which, when clicked on, downloads a virus, brings up dozens of pages in Firefox in seconds and tries to use mailto: BEWARE curious people.

In-Q-Tel

[triffidsting]

Surely it helps their cause that Google was originally partly funded by the venture capital investment arm of the CIA (In-Q-Tel)... Are people just now becoming wise to this, or did they just forget?

Re:Unbelieveable!

[Crypto Gnome]

Since when is Google an

organization whose business model is the harvesting and sale of personal information

?

I could accept the argument that "processing your private emails to better qualify my search engine results" could be considered "harvesting" but I wasn't aware that Google in any but the weirdest and most remote sense "sold" the information they collected.

Yes, they effectively "sell" the results of the analysis of what they collect, but that is not the same thing at all.

Otherwise I've got this "analysis" of 100tons of Pure Gold I'd like to sell you, bargain prices ;-)

Re:Don't keep logs

[vux984]

There's no reason why Google (et al) need keep logs of who's doing what.

Ok, how naive are you?

Websites keep logs largely to trace attacks, don't they?

That's one element of it, but for most sites its a minor element. Most sites keep logs to trace where users are going, how they are using the site, etc.

Most site-admins are interested in where users are going on the site, how they get their, where they leave, how they arrive, how long they spend on each page, etc. They want to know which pages are popular, they want to know at which stage people usually abandon their shopping cart, etc, etc.

They generally want to make the site more effective, and logs (and analysis of those logs) are a primary tool.

Google, of course, being an ADVERTISNG company first and foremost, is further interested in logs in order to generate profiles, to attach your surfing habits to demographics. They want to know how old your are, what your interests are, how much you make, your ethnicity, level of education, etc. Now, getting that from one site would be nearly impossible. But when you consider that every site that has 'ads by google' on it, is doing its best to track you, they actually CAN get a lot of that information with a high degree of accuracy.

These logs are valuable. If they develop a new algorithm to extract new information they can run it against their logs and pull out that additional information.

And with google its not just -logs-, its content. Google apps like gmail, groups, documents, maps, store your content. So now they have your content (your email messages, your text documents and spreadhseets + a good chunk of your browsing history, possibly including what you've bought online... or at least what you've added to shopping carts, etc.

Google isn't in business to provide you with free useful applications. The value to google of google docs and gmail is to be able to data mine the content to generate profile information.

Can't they have a standard EFF-approved `we keep logs for 24 hours` policy, after which time they're removed permanently?

Even if they -would- delete your logs after 24 hours (They won't without a huge fight.) that still doesn't address the issue of google hosting (and data mining) your content, not to mention the risk they might turn it over to the us government if they ask.

Re:Unbelieveable!

[JustinOpinion]

Just in case you're serious (or someone else suffers from the misconception embodied in your post):

The issue here is not with users voluntarily using Google services (search, gmail, etc.). Rather it is with companies who want to outsource their data needs to Google. In addition to the visible public products that Google has, it also offers corporate solutions: for instance if a company wants to outsource their email system, or have Google run search and collaborative software for use inside the company.

Google is trying hard to make these new kinds of products work. But unfortunately U.S. laws mean that any data that ends up on Google servers can be snooped by U.S. authorities. Many companies don't like the idea that the U.S. government will have such broad access to their data. In many countries where strong privacy laws exist (Canada, U.K., etc.), allowing the data to be managed by a U.S. company would then actually be illegal--since the company couldn't guarantee integrity or privacy of the data.

The end result of this is that Google is at disadvantage in the global marketplace because of the over-reaching U.S. laws. Google isn't the only one, of course: I'm sure U.S. companies have been losing lots of contracts because international businesses are wary of storing or moving data through U.S. systems since it is now well-known that such systems are not immune to U.S. government monitoring or interference.

Re:Don't keep logs

[AHuxley]

Its the NSA at the choke points of google's wonderful optical roll out that should have most of you thinking a bit harder.
Google wants to play nice in Asia, the NSA upgrades in Hawaii.

http://cryptome.org/google/kunia-us.htm [cryptome.org]

Re:Huh?!

[SwashbucklingCowboy]

If you don't care about your Constitutional rights that's fine, but some people do and we'd like to protect them if you don't mind.

Re:Not good enough

[CodeBuster]

It is sad, but that is precisely what used to happen in the old days of the Soviet Union except then it was the list of "enemies of the people". One might reasonably ask what the "wrong book" is doing in the library if checking it out gets one's name put onto the list of "enemies of the people" but such questions are invariably ignored in pursuit of "the enemies of the people". The punishment continued even after one had served time in the form of a wolf ticket [wikipedia.org] and being sent to the 101st kilometer [wikipedia.org]. It is scary to think that certain types of ex-criminals are effectively getting the same treatment today in the United States.

You sir... are correct.

[coren2000]

Thats actually a very good idea. I did a school project on Google Apps Education a few weeks ago and became familiar with Puk's disagreements to Google Apps Education at the time.

While Lakehead is not the only university (Arizona State is another education institution which uses Google AppsEd), it has the distinction of being a _Canadian_ university.

Arizona state already has its email server fall under the purview of the Patriot act, as it is in the US. Lakehead is in Ontario Canada and thus has troubles with the legality of following both Canadian Law, and US federal law. In the specific interest of privacy the two laws do not mix. Lakehead has a legal (and moral) obligation to protect the privacy of it's students, however by using the GoogAppsEd they knowingly violate this...

HOWEVER

Students and faculty _do not_ need to use GoogAppsEd. Gmail is a parallel service to their old email servers which are hosted in Canada.

So there is a choice... use the old shitty server OR relinquish your privacy (somewhat... its not like the FBI is selling your info to spammers, they just might treat you badly when trying to enter the US... which is their right when you think of it).

A better solution is for Google to start hosting Canadian email addresses in Canada so that Canadians do not have to submit to US Federal law... which many Canadians feel is unjust in many ways (we have our own laws that we bitch about... we dont need yours too).

BTW another solution is to encrypt your email... if the US border patrol picks you up for what you write in your encrypted email, well you can now alert major media that the US has methods of defeating modern accepted encryption techniques (do they really want to be outted?)

Anywho... my point is. You are correct, Google should move services to Canada.

Re:You sir... are correct.

[casuist99]

One point I'd like to make about encrypting your email: you have to trust the person on the receiving end not to pass your (now) decrypted email on to another party. If you're picked up by the Feds after sending an email detailing an illegal act, I'd look to your "friend", the recipient, before I jumped to the conclusion that the government defeated your encryption.

This could work

[fv]

I agree that exposing the extent of this could definitely help. When I received multiple FBI subpoenas in 2004 for Insecure.Org [insecure.org] web logs, I notified Nmap users [seclists.org] and it was posted to various web sites, including Slashdot [slashdot.org].

After all of that press four years ago, the subpoenas stopped and I haven't received another one since. Maybe it is just a coincidence, but I'm happy about it nonetheless.

In other Nmap news, version 4.60 was just released [seclists.org]. You might want to download it with Tor though, just to be on the safe side in case the subpoenas resume :).

-Fyodor

Re:Not good enough

[theonetruekeebler]

Qwest. And shortly afterwards the U.S. government started finding excuses to (a) cancel existing contracts with Qwest, (b) declare them ineligible to for future no-bid contracts, and (c) preventing them from bidding on other contracts. Qwest alleges that hundreds of millions of dollars were routed around them to telcos more willing to play along. Good summary here [washingtonpost.com].