Feeds

Vint Cerf: 'Google doesn't know who you are'

Identifiers don't identify

SANS - Survey on application security programs

Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

"It's...incorrect to say that we are able to disclose somebody's identity," Google told us. "We only have the information associated with the account, and federal law sets limits on what is discoverable." Never mind that when you sign up for Gmail, it asks for your name.

Google won't say whether the user's identity was divulged or not - and neither will the court. But for some reason, we expected a little, shall we say, openness from Vint Cerf.

The net's founding father went on argue that you don't have to be logged in to your Google account to use search. When Mossberg pointed out - once again - that his Gmail address appears at the top of his search page, Cerf said: "If you've logged in because you were using Gmail, the system tells you that you're logged in," he said. "You wouldn't want us to hide that?"

Sitting to Cerf's right, Adobe CTO Kevin Lynch piped up to say that users have the option of turning off Google's link between search and services like email. Then he pointed out that it's on by default.

The conference crowd chuckled. And Cerf hit Lynch in the head with something akin to a rolled newspaper.

It was a playful hit. But it was yet another way that Cerf - like his Google overlords - carefully steers clear of acknowledging exactly what personal data the company is collecting.

"We don't care who you are. We only care about the pattern of behavior you exhibit."

-Google's Vint Cerf

Yes, you can search Google without being logged into your Google account. But Lynch is correct when he says the two are linked by default. And at best, it's naive for Cerf to say that Google doesn't know who are when you're logged in. Vint Cerf may not know who you are. But Google's servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified.

You can be identified even if you search while logged out. Google still tracks your IP address. And as much as the company likes to say that an IP address is not personal information, we can safely say that's nonsense.

Just before Cerf landed his Chewbacca defense on conference attendees in San Francisco, Google unveiled a new "Dashboard" that ostensibly explains what Google knows about you. But this is merely the latest example of Google Privacy Theatre.

The new dashboard shows you an (apparently random) collection of data associated with your Google account. But as the consumer watchdog known as Consumer Watchdog points out, it doesn't tell you what data is associated with your IP address. And there's no way de-linking data from your IP.

"This was a PR gimmick," Consumer Watchdog's John Simpson tells The Reg. "All it does it put in one place the info you've consciously given them."

Plus, we all know that relatively few people will actually visit the thing - just as relatively few will actually log out of their Google accounts when they start searching its search engine.

If you do log out, Google insists, it will "anonymize" your data after nine months. But this is the most amusing act of Google Privacy Theatre.

After nine months, Google scrubs out only the last eight bits of your IP address - and it leaves your cookie data untouched. It does scrub cookie after 18 months, though it won't say how.

Which means that restoring your IP data after nine months is trivial. Google may erase eight bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries carry the same cookie info. Recovering the missing bits on older data is a one-step process.

Come to think of it: Restoring the missing bits is hardly beyond the realm of possibility after eighteen months. It's only eight bits.

The point here is that Google refuses to delete your IP outright - whether nine months have passed or 18. So-called efforts to protect your privacy don't go quite as far as Google would lead you to believe.

"We don't care who you are," Cerf told yesterday's conference. "We only care about the pattern of behavior you exhibit." Which is true. But that might be read in more ways than one. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.