Feeds

Vint Cerf: 'Google doesn't know who you are'

Identifiers don't identify

Security for virtualized datacentres

Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

"It's...incorrect to say that we are able to disclose somebody's identity," Google told us. "We only have the information associated with the account, and federal law sets limits on what is discoverable." Never mind that when you sign up for Gmail, it asks for your name.

Google won't say whether the user's identity was divulged or not - and neither will the court. But for some reason, we expected a little, shall we say, openness from Vint Cerf.

The net's founding father went on argue that you don't have to be logged in to your Google account to use search. When Mossberg pointed out - once again - that his Gmail address appears at the top of his search page, Cerf said: "If you've logged in because you were using Gmail, the system tells you that you're logged in," he said. "You wouldn't want us to hide that?"

Sitting to Cerf's right, Adobe CTO Kevin Lynch piped up to say that users have the option of turning off Google's link between search and services like email. Then he pointed out that it's on by default.

The conference crowd chuckled. And Cerf hit Lynch in the head with something akin to a rolled newspaper.

It was a playful hit. But it was yet another way that Cerf - like his Google overlords - carefully steers clear of acknowledging exactly what personal data the company is collecting.

"We don't care who you are. We only care about the pattern of behavior you exhibit."

-Google's Vint Cerf

Yes, you can search Google without being logged into your Google account. But Lynch is correct when he says the two are linked by default. And at best, it's naive for Cerf to say that Google doesn't know who are when you're logged in. Vint Cerf may not know who you are. But Google's servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified.

You can be identified even if you search while logged out. Google still tracks your IP address. And as much as the company likes to say that an IP address is not personal information, we can safely say that's nonsense.

Just before Cerf landed his Chewbacca defense on conference attendees in San Francisco, Google unveiled a new "Dashboard" that ostensibly explains what Google knows about you. But this is merely the latest example of Google Privacy Theatre.

The new dashboard shows you an (apparently random) collection of data associated with your Google account. But as the consumer watchdog known as Consumer Watchdog points out, it doesn't tell you what data is associated with your IP address. And there's no way de-linking data from your IP.

"This was a PR gimmick," Consumer Watchdog's John Simpson tells The Reg. "All it does it put in one place the info you've consciously given them."

Plus, we all know that relatively few people will actually visit the thing - just as relatively few will actually log out of their Google accounts when they start searching its search engine.

If you do log out, Google insists, it will "anonymize" your data after nine months. But this is the most amusing act of Google Privacy Theatre.

After nine months, Google scrubs out only the last eight bits of your IP address - and it leaves your cookie data untouched. It does scrub cookie after 18 months, though it won't say how.

Which means that restoring your IP data after nine months is trivial. Google may erase eight bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries carry the same cookie info. Recovering the missing bits on older data is a one-step process.

Come to think of it: Restoring the missing bits is hardly beyond the realm of possibility after eighteen months. It's only eight bits.

The point here is that Google refuses to delete your IP outright - whether nine months have passed or 18. So-called efforts to protect your privacy don't go quite as far as Google would lead you to believe.

"We don't care who you are," Cerf told yesterday's conference. "We only care about the pattern of behavior you exhibit." Which is true. But that might be read in more ways than one. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.