Feeds

Vint Cerf: 'Google doesn't know who you are'

Identifiers don't identify

Providing a secure and efficient Helpdesk

Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

"It's...incorrect to say that we are able to disclose somebody's identity," Google told us. "We only have the information associated with the account, and federal law sets limits on what is discoverable." Never mind that when you sign up for Gmail, it asks for your name.

Google won't say whether the user's identity was divulged or not - and neither will the court. But for some reason, we expected a little, shall we say, openness from Vint Cerf.

The net's founding father went on argue that you don't have to be logged in to your Google account to use search. When Mossberg pointed out - once again - that his Gmail address appears at the top of his search page, Cerf said: "If you've logged in because you were using Gmail, the system tells you that you're logged in," he said. "You wouldn't want us to hide that?"

Sitting to Cerf's right, Adobe CTO Kevin Lynch piped up to say that users have the option of turning off Google's link between search and services like email. Then he pointed out that it's on by default.

The conference crowd chuckled. And Cerf hit Lynch in the head with something akin to a rolled newspaper.

It was a playful hit. But it was yet another way that Cerf - like his Google overlords - carefully steers clear of acknowledging exactly what personal data the company is collecting.

"We don't care who you are. We only care about the pattern of behavior you exhibit."

-Google's Vint Cerf

Yes, you can search Google without being logged into your Google account. But Lynch is correct when he says the two are linked by default. And at best, it's naive for Cerf to say that Google doesn't know who are when you're logged in. Vint Cerf may not know who you are. But Google's servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified.

You can be identified even if you search while logged out. Google still tracks your IP address. And as much as the company likes to say that an IP address is not personal information, we can safely say that's nonsense.

Just before Cerf landed his Chewbacca defense on conference attendees in San Francisco, Google unveiled a new "Dashboard" that ostensibly explains what Google knows about you. But this is merely the latest example of Google Privacy Theatre.

The new dashboard shows you an (apparently random) collection of data associated with your Google account. But as the consumer watchdog known as Consumer Watchdog points out, it doesn't tell you what data is associated with your IP address. And there's no way de-linking data from your IP.

"This was a PR gimmick," Consumer Watchdog's John Simpson tells The Reg. "All it does it put in one place the info you've consciously given them."

Plus, we all know that relatively few people will actually visit the thing - just as relatively few will actually log out of their Google accounts when they start searching its search engine.

If you do log out, Google insists, it will "anonymize" your data after nine months. But this is the most amusing act of Google Privacy Theatre.

After nine months, Google scrubs out only the last eight bits of your IP address - and it leaves your cookie data untouched. It does scrub cookie after 18 months, though it won't say how.

Which means that restoring your IP data after nine months is trivial. Google may erase eight bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries carry the same cookie info. Recovering the missing bits on older data is a one-step process.

Come to think of it: Restoring the missing bits is hardly beyond the realm of possibility after eighteen months. It's only eight bits.

The point here is that Google refuses to delete your IP outright - whether nine months have passed or 18. So-called efforts to protect your privacy don't go quite as far as Google would lead you to believe.

"We don't care who you are," Cerf told yesterday's conference. "We only care about the pattern of behavior you exhibit." Which is true. But that might be read in more ways than one. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.