Googling Security 142
brothke writes "It has been suggested
that if one was somehow able to change history so that aspirin had never been
discovered until now, it would have died in the lab and stand no chance of FDA
approval. Similarly, if we knew the power that Google
would have in 2008 with its ability to aggregate and correlate personal data,
it is arguable that various regulatory and privacy bodies would never allow it
to exist given the extensive privacy issues." Read below for the rest of Ben's review.
In a fascinating and
eye-opening new book Googling Security: How Much Does Google Know
About You?, author Greg Conti explores the many security
risks around Google and other search engines. Part
of the problem is that in the rush to get content onto the web, organizations
often give short shrift to the security and privacy of their
data. At the individual level, those who make use of
the innumerable and ever expanding amount of Google free services can end up
paying for those services with their personal information being compromised,
or shared in ways they would not truly approve of; but implicitly do so via
their acceptance of the
Google
Terms of
Service.
| Googling Security: How Much Does Google Know About You? | |
| author | Greg Conti |
| pages | 360 |
| publisher | Addison-Wesley Professional |
| rating | 9 |
| reviewer | Ben Rothke |
| ISBN | 978-0321518668 |
| summary | Explores the many security risks around Google and other search engines |
While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines.
My friend and SEO guru Shimon Sandler has a blog around search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on the topic of SEO security. Similar SEO blogs have a very low number (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it.
The book opens with the observation that Google's business model is built on the prospect of providing its services for free. From the individual user's perspective, this is a model that they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of the loss of control of one's personal information that they share with Google.
The book lists over 50 Google services and applications which collect personal information. From mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust into Google as each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each.
In the books 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be aggregated and mined to create extremely detailed user profiles. These profiles are invaluable to advertisers who will pay Google dearly for such meticulous user data. This level of personal data aggregation was impossible to obtain just a few years ago, given the lack of computing power, combined with the single point of user data. The book notes that this level of personalization, while golden to advertisers, is a privacy anathema.
Chapter 6 is particularly interesting in that it details the risks of using Google Maps. Conti explains that the privacy issue via the use of Google Maps is that it combines disclosure risks of search and connects it to mapping. You are now sharing geographic locations and the associated interactions. By clicking on a link in a Google map, the user discloses and strengthens the link between the search they performed and what they deemed as important in the result. By aggregating source IP addresses and destinations searches, Google can easily ascertain confidential data.
After detailing over 250 pages of the risks of Google and related services, Chapter 9 is about countermeasures. Short of simply not using the services, the book notes that there is no clear solution for protecting yourself and company from web-based information disclosure. Nonetheless, the chapter lists a number of things that can be done to reduce the threat. Some are easier, some are harder; but they can ultimately add up to a significant layer of protection. Chapter 9 details 11 specific steps that help users appreciate the magnitude of their disclosures and make informed decisions about which search services to use.
Googling Security: How Much Does Google Know About You? is an important book given that far too many people do not realize how much personal information they are disclosing on a daily basis. An important point that the book makes is that small information disclosures are not truly small when they are aggregated over the course of years. Advances in data mining and artificial intelligence are magnifying the importance of the threat, all under the guise of improving the end-user experience. The book emphasizes the need to evaluate the short-term computing gains with the long-term privacy losses.
The final chapter notes that apathy is the enemy. As a user becomes aware of the magnitude of the threat, they will see it grow every day. But the next step is to take action. Be it with technical countermeasures, taking your business where privacy is better supported, or petitioning lawmakers.
As to the underlying question, "how much does Google know about you?", the answer is that it is a colossal amount, far more than most people realize. For anyone who uses the Internet, Googling Security should be on their list of required reading. The risks that Google and other search engines present are of great consequence and can't be overlooked. If not, privacy could slowly be a thing of the past.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Googling Security: How Much Does Google Know About You? from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
So many inventions (Score:5, Insightful)
Denial works well here. (Score:5, Insightful)
Google's reputation, however, is mighty squeaky clean, and until it is revealed just exactly what kind of information their computers can put together from your web habits (and what, exactly, they do with it), I have a feeling we'll be in denial about it for a very long time. I mean, they really, really have a couple billion metric fucktons of money.
I refuse to put any more information into Facebook than I already have because, unlike Google, Facebook doesn't have quite so evident of a business model.
Google away.
Comment removed (Score:5, Insightful)
Re:Why does nobody ask Google anything today? (Score:4, Insightful)
Regardless of why they're not doing it, I'm glad they are not. Collecting personal information which was willingly disclosed is not a crime and should not be.
Re:Aspirin? (Score:3, Insightful)
Aspirin is harmful in large doses, it will deteriorate the lining of your stomache, contributing to ulcers. At low enough doses, the stomache is able to repair the damage, and you gain the blood thinning benefits that help prevent heart attacks.
Isn't any drug dangerous in doses past the prescribed rate? Typically they say that overdosing on something will kill you, but the truth is that it will lead to something that will eventually kill you.
Isn't that the point of warning labels? "Do not take past X pills for every Y hours?"
Re:Aspirin? (Score:5, Insightful)
The more usual example given is penicillin.
Penicillin which has saved a million times more lives than even the most hyperactive cartoon hero.
Penicillin which has made so many nightmare deadly diseases into matters of a week feeling a bit off.
That same penicillin wouldn't have a chance of getting through drug trials.Penicillin allergy is one of the most common drug allergies and the way drug trials are run the moment the first test subjects went into anaphylactic shock the trials would stop and the drug would be thrown in the bin. Never mind it's potential. Never mind the value we now know it has, it would have gone in the bin if it had had to pass modern drug trials and countless lives would have been lost.
Funny side note. If you thought peanuts might cure cancer and you put them through trials as a drug they wouldn't even get to the stage of being given to actual cancer patients since someone would almost certainly have a severe reaction before that point.
Re:Aspirin? (Score:5, Insightful)
The aspirin thing is retarded. If aspirin were created today, it would cost $5 a pill and make billions for Bayer. Then a plaintiff's lawyer would sue Bayer for billion bucks after Reye's syndrome kills some flu-ridden kids who took aspirin, and then Bayer would be rocked with a scandal when the blood-thinning properties of aspirin causes deaths in the elderly who got ulcers using aspirin.
Re:About that asprin comment. (Score:2, Insightful)
Poorly?
Re:Aspirin? (Score:1, Insightful)
You think the stuff that's being approved today has no side effects? Give me a break.
Re:Denial works well here. (Score:4, Insightful)
Google's reputation, however, is mighty squeaky clean, and until it is revealed just exactly what kind of information their computers can put together from your web habits (and what, exactly, they do with it), I have a feeling we'll be in denial about it for a very long time.
It isn't denial, it's personal experience.
Google has been turning out very useful products that pretty much do what they're supposed to. They've been doing some philanthropic stuff too. They give back to the community with their Summer of Code and things like that. Overall, my personal experiences regarding Google are positive. Thus far I do not have reason to distrust them inordinately. This doesn't mean that I'll blindly go along with anything and everything they do, but I don't question their every decision either.
By contrast, I've got a long history of frustration with Microsoft. Product after product released late and in buggy condition. Patches that break more than they fix. Hours of frustration trying to troubleshoot issues and track down fixes. Constant press releases about how wonderful the new version will be, and then most of the new features don't show up. I'm talking about a good 10+ years of frustration with Microsoft. So, naturally, I'm a bit skeptical when they announce a new product.
Willingly disclosed? (Score:5, Insightful)
I'm not sure I agree. Do people "willingly disclose" the contents of their emails, their searches, their map queries, their photos, their videos, etc by using Google services? Personally, I'm trusting them not to compile all that information and sell it - but what if they did?
With data mining, the whole is much more than the sum of the parts. Your individual queries might not be worth protecting - "ooh, I can't have Google know that I want an office chair!" - but in aggregate, they might reveal where you live, your financial status, your relationship troubles, your medical problems, what products you like.... stuff that marketers would die for.
If people knew what their "willingly disclosed" info could be used for, maybe they'd be less willing.
Re:Why does nobody ask Google anything today? (Score:4, Insightful)
Which misses the point of the book - that you can be disclosing personal information without being aware of it.
Google's "Do no harm" PR smoke screen... (Score:3, Insightful)
Also from the main title page: "Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues"
That's basically saying the boiled frog principle. So implying people other than governments, would see the danger with Google and then seek to pressure governments to stop it. Well *some* people have seen the power of google and did see the danger it opens up years ago, but no where near enough people stood up and said something about Google, to even limit its ultimate goal to becoming effectively an advertising version of Big Brother. Problem is even now, most people still cannot see the full danger, so nothing will be done.
e.g.
http://slashdot.org/comments.pl?sid=465072&cid=22544268 [slashdot.org]
by invitation only (Score:1, Insightful)
the most obvious way I thought of Google as gathering data on your connections is that for Gmail they enforced a "by invitation only" registration system. Once you had been invited and signed for Google, one day, they gave you 5 or 10 or 50 invitations that you would *normally* send to your buddies so they can register too. Here's your perfect way to track who you know and who they know etc.
The point isn't to find your Bacon number, but to profile you even more accurately (birds of a feather, anyone?).
AC
Re:Why does nobody ask Google anything today? (Score:2, Insightful)
Information in this new digital world is a far cry from disclosing your information to marketing surveys that would simply end up with your address on multiple mailing lists. Now it can tie up what do actually do online and off, where you do it and who you do it with, and that's probably the tip of the iceberg.
My opinion is that if governments had this kind of insight, would you trust them not to abuse it? Would you trust a profit-driven company more, or less?
Re:Apathy has always been the enemy (Score:3, Insightful)
The problem is NOT that people ask for or give out SSNs. The problem is that banks and businesses stupidly use knowledge of SSNs as a means of authentication. Obsessing over the "privacy" of such non-private data is trying to fix the wrong problem.
Re:Why does nobody ask Google anything today? (Score:3, Insightful)
The point of the book is educational, it points out the obvious so that people realize the information they're giving away.
Re:Aspirin? (Score:3, Insightful)