[ insider_reports_insider ]
Google’s Having Fun With Numbers
SecurityProNews
Staff Writer
2008-09-12
 Insider Reports RSS Feed
Nobody's going to challenge Google's skill with math-its algorithm is currently on the path toward world domination-and the company's banking on those mad skills dizzy privacy and security experts and, more importantly, regulators to push their new anonymizing standards proffered to the EU. In addition to better ads and search results, Google justifies its need for such data by efforts to fight search worms.
 | | Google's Having Fun With Numbers |  |
European regulators went after the search giant over their anonymization policies, which included deleting data after 18 months. That was too long for regulator comfort and they countered that data should be held for no more than six months. As though negotiating a sale price, Google came back with the agreement to anonymize IP addresses after nine months, which regulators seemed pleased with.
They explained that IP addresses were a necessary part of how they make better search results and that the information also helped them target search worms and search poisoning. Search worms target searchers via specific queries indicating vulnerability. Search poisoning involves bots created to artificially boost websites in the search results and spread malware.
However, as a former Google intern writing for CNet explains, the new policy is more of a numbers game designed to look good enough to skate by regulators. Chris Soghoian pushed for clarification of exactly what kind of data was collected on searchers. Google gave him this response:
After nine months, we will change some of the bits in the IP address in the logs; after 18 months we remove the last eight bits in the IP address and change the cookie information. We're still developing the precise technical methods and approach to this, but we believe these changes will be a significant addition to protecting user privacy.... It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified.... We hope to be able to add the 9-month anonymization process to our existing 18-month process by early 2009, or even earlier.
Soghoian convincingly demonstrates how this is basically nothing. Removing the last octet of the IP address places the user in a field of just 254 others. Combined with keywords and cookies that are never anonymized, it would still be possible to identify someone in much the same manner users were identified during AOL's historic data leak a couple of years ago. The kicker is, though IP addresses would be anonymized after nine months, the other information is held for 18 months, which means a user with the same cookie at the same IP address would remain identifiable in perpetuity. Thus, it's only anonymity on the surface.
To Google's credit, no information has ever been leaked and Google has turned down the Dept. of Justice's requests for search information in the past. When forced to hand it over by the courts, the scope of information the government was allowed to have was significantly reduced.
Critics have noted also that Google competitors like Microsoft and Ask delete all records immediately. One might note that while it is true they anonymize immediately, it actually bolsters Google's argument that the data they collect leads to better search queries. With Google running 71 percent of the search market in US and 75 percent in the UK while all others fall, their better results seem self-evident. At the same time, market dominance also brings privacy and security concerns into a brighter spotlight.
About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
More insider_reports_insider Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
