Feeds

Vint Cerf: 'Google doesn't know who you are'

Identifiers don't identify

Seven Steps to Software Security

Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

"It's...incorrect to say that we are able to disclose somebody's identity," Google told us. "We only have the information associated with the account, and federal law sets limits on what is discoverable." Never mind that when you sign up for Gmail, it asks for your name.

Google won't say whether the user's identity was divulged or not - and neither will the court. But for some reason, we expected a little, shall we say, openness from Vint Cerf.

The net's founding father went on argue that you don't have to be logged in to your Google account to use search. When Mossberg pointed out - once again - that his Gmail address appears at the top of his search page, Cerf said: "If you've logged in because you were using Gmail, the system tells you that you're logged in," he said. "You wouldn't want us to hide that?"

Sitting to Cerf's right, Adobe CTO Kevin Lynch piped up to say that users have the option of turning off Google's link between search and services like email. Then he pointed out that it's on by default.

The conference crowd chuckled. And Cerf hit Lynch in the head with something akin to a rolled newspaper.

It was a playful hit. But it was yet another way that Cerf - like his Google overlords - carefully steers clear of acknowledging exactly what personal data the company is collecting.

"We don't care who you are. We only care about the pattern of behavior you exhibit."

-Google's Vint Cerf

Yes, you can search Google without being logged into your Google account. But Lynch is correct when he says the two are linked by default. And at best, it's naive for Cerf to say that Google doesn't know who are when you're logged in. Vint Cerf may not know who you are. But Google's servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified.

You can be identified even if you search while logged out. Google still tracks your IP address. And as much as the company likes to say that an IP address is not personal information, we can safely say that's nonsense.

Just before Cerf landed his Chewbacca defense on conference attendees in San Francisco, Google unveiled a new "Dashboard" that ostensibly explains what Google knows about you. But this is merely the latest example of Google Privacy Theatre.

The new dashboard shows you an (apparently random) collection of data associated with your Google account. But as the consumer watchdog known as Consumer Watchdog points out, it doesn't tell you what data is associated with your IP address. And there's no way de-linking data from your IP.

"This was a PR gimmick," Consumer Watchdog's John Simpson tells The Reg. "All it does it put in one place the info you've consciously given them."

Plus, we all know that relatively few people will actually visit the thing - just as relatively few will actually log out of their Google accounts when they start searching its search engine.

If you do log out, Google insists, it will "anonymize" your data after nine months. But this is the most amusing act of Google Privacy Theatre.

After nine months, Google scrubs out only the last eight bits of your IP address - and it leaves your cookie data untouched. It does scrub cookie after 18 months, though it won't say how.

Which means that restoring your IP data after nine months is trivial. Google may erase eight bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries carry the same cookie info. Recovering the missing bits on older data is a one-step process.

Come to think of it: Restoring the missing bits is hardly beyond the realm of possibility after eighteen months. It's only eight bits.

The point here is that Google refuses to delete your IP outright - whether nine months have passed or 18. So-called efforts to protect your privacy don't go quite as far as Google would lead you to believe.

"We don't care who you are," Cerf told yesterday's conference. "We only care about the pattern of behavior you exhibit." Which is true. But that might be read in more ways than one. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.