Peter Fleischer, Google’s Global Privacy Counsel, has posted a short video to help explain basic search privacy concepts, such as what appears in a search query log entry, etc. This is really basic stuff, but a good step towards educating users.
The video follows the normal company line (paraphrasing): “we collect search query data to improve our services, protect against fraud, and maintain security.” The latter two of those reasons are never explained, but I suppose we just need to trust them (seems like a culture of fear they’re trying to harness, but that’s for a different post). The video also goes to some lengths to explain that one’s IP address isn’t personally identifiable, and that cookies don’t tell Google “personal stuff about you, like where you live or what your phone number is.”
Well, that’s true – just like my social security number doesn’t actually tell anyone my name, address, or credit history. My SSN itself doesn’t reveal that data – but my SSN can be (and is) associated with personally-identifiable and sensitive information. Given my SSN, a simple database search reveals a wealth of information about me. The same is true with the cookie Google issues for each of its searchers. While the cookie value itself reveals nothing, it can be associated with all of my searches (assuming, like most, I haven’t deleted or cloaked it). The video is misleading in this regard, and ignores the kind of sensitive searches that appear in the logs which are all associated — and easily accessible — with my cookie. The video also fails to mention how other personally-identifiable information might also be associated with my cookie, unrelated to search query logs.
A very simple example comes from Google’s own post about the video. They provide a link to a feedback page where you can fill out a nice web form and respond to the video. Upon visiting that page, Google gave me a tracking cookie (they actually sent about 6 different cookies) with the value “170426872f660800.” I then left my comment, which also required I give my name and e-mail address (something a concerned user might willingly provide if they’re hoping for a response).
When I submitted this comment, that same cookie was passed to Google along with my message. Now, it seems, Google can associate my name and e-mail address with my cookie. OK, perhaps no real harm there. But next I notice Google provides a search box on the page confirming receipt of my feedback, so I go ahead and run a search for some information I’ve been wanting to find:
Again, my cookie was passed to Google along with the search query keywords, allowing my name and e-mail address to be associated with that search topic via the cookie. And while Google says the cookie will expire after 24 months and that they will anonymize the search logs after 18 months, that means little if someone wants to access a record of searches from my IP address (or even those associated with my name or e-mail address) before those deadlines expire. Google is silent as well regarding any other databases that might exist with user data that aren’t covered by their new privacy procedures. Finally, all their efforts could be moot if law enforcement has back door access to query data, which is no longer entirely outside the realm of possibility.
So, the very act of submitting a comment about Google’s slick video on search privacy might allow them to have a log file associating your otherwise anonymous cookie ID to your name and e-mail — a threat to your privacy. (And I didn’t even get into what’s required to create a YouTube account if you wanted to comment there instead).
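To make the linkage concrete, here is an added illustration (my own example, not anything from Google) of how two separate logs, a feedback-form log carrying a name and e-mail and a search log carrying only queries, can be joined on the cookie ID. The log format, cookie IDs, names and queries are all constructed for the demonstration; the one searcher who has no feedback record stands in for a user who deleted or cloaked the cookie before searching.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines for illustration only; the format, cookie IDs,
# names, e-mail addresses and queries are invented and are not real Google logs.
FEEDBACK_LOG = """\
2007-08-09T14:02:11Z POST /feedback cookie=a1b2c3d4e5f60800 name=Jane+Doe email=jane%40example.com
2007-08-09T14:05:40Z POST /feedback cookie=99ff00aa11bb2200 name=A.+Reader email=reader%40example.net
"""
SEARCH_LOG = """\
2007-08-09T14:03:02Z GET /search?q=divorce+lawyer+boston cookie=a1b2c3d4e5f60800
2007-08-09T14:07:15Z GET /search?q=weather+forecast cookie=99ff00aa11bb2200
2007-08-10T09:12:00Z GET /search?q=hiv+test+results cookie=a1b2c3d4e5f60800
2007-08-10T10:00:00Z GET /search?q=cheap+flights cookie=deadbeefcafef00d
"""

FEEDBACK_RE = re.compile(r"cookie=(\w+) name=(\S+) email=(\S+)")
SEARCH_RE = re.compile(r"q=(\S+) cookie=(\w+)")

def parse_feedback(log):
    """Map cookie ID -> (name, e-mail) from feedback-form submissions."""
    identities = {}
    for line in log.splitlines():
        m = FEEDBACK_RE.search(line)
        if m:
            identities[m.group(1)] = (unquote_plus(m.group(2)), unquote_plus(m.group(3)))
    return identities

def parse_search(log):
    """Map cookie ID -> list of decoded search queries, in log order."""
    queries = {}
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            queries.setdefault(m.group(2), []).append(unquote_plus(m.group(1)))
    return queries

def link_identities(identities, queries):
    """Join the two logs on the cookie ID: every cookie present in both yields a
    name/e-mail -> search history record, the linkage described in the post."""
    return {c: {"name": identities[c][0], "email": identities[c][1], "queries": q}
            for c, q in queries.items() if c in identities}

def unlinked_cookies(identities, queries):
    """Cookies with a search history but no identifying submission: a searcher who
    cleared the cookie before searching lands here and cannot be joined."""
    return sorted(c for c in queries if c not in identities)

if __name__ == "__main__":
    linked = link_identities(parse_feedback(FEEDBACK_LOG), parse_search(SEARCH_LOG))
    for cookie, rec in linked.items():
        print(cookie, rec["name"], rec["email"], rec["queries"])
```

The join needs nothing beyond the cookie value itself, which is why the 18-month anonymization deadline offers no protection for records accessed before it; only the cookie that was never tied to a form submission stays unlinked.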
To be clear, I’m thrilled Google is taking these kinds of steps to educate the public about search privacy issues — I just wish they were much more clear as to the full capabilities of their infrastructure of dataveillance to capture users’ data trails from various activities, and link them together via cookies and Google Accounts.