How Does Google Work? - All About Privacy

[BobH]

My understanding of google, facebook, twitter, et al is that they make their bread by gathering data about you and selling that data to others. For example, google or Amazon or whomever, sees what I search for, buy, or whatever, and store that information. They sell the data (much like states sell drivers license lists) to people who are interested in selling me something or influencing the channel I use to purchase goods or get information - or whatever.

How 'm I doing so far? If I misunderstand the business model (admittedly from a very broad sweep), then the rest of this post probably makes no sense either.

What I've tried to figure out, is how the data accumulators identify me. Cookies? How does that work? They place a cookie on my machine and then retrieve it when I browse to their site? The cookie contains information that lets them get the storage keys that identify me? If that is the case, then it seems that I should be able to block cookies from being sent from my system and solve the problem, but doing so has its price in inconvenience because I have to re-establish my preferences each time I visit any particular page. Am I getting warmer? It seems to me that if cookies are the mechanism used to exploit my habits and choice then I should be able to control what is in the cookie and whether or not it is sent from my machine. Can I?

The other possibility is that an IP address is somehow involved. If I send out an IP address with every email and every url sent from my browser, and , if this IP address is a constant, then I can see how it could be used to identify me. If this is the case, then it should be possible to have one-time IP addresses that are much like one-time encoding pads - use it once and throw it away. The next time I send an e-mail or direct my browser, a new IP address would be used.

Finally, if an IP address or a cookie is required for my ISP to know me, that's OK; but why shouldn't the ISP randomize my identity forward to the network?

Obviously, I value my privacy. I don't like the idea of having to give it up or give up using the Internet. Seems to me that there should be other choices. Quite frankly, I believe the framers of the Bill of Rights missed a very important point when they failed to grant the right for individuals to choose to do business and conduct their affairs privately so long as no laws are broken. I don't mean to turn this off charter but I make those statements in support of my quest for information about how privacy is lost and how one might preserve it.

TIA

[Argus]

Bill of Rights are universal?

[StuartR]

Bob,

They use lots and lots of different information about you that is gleaned from many different sources. This could include cookies, flash player cookies, or IP address, or login details on sites where you login, or information about the size of your monitor (this can distinguish two otherwise similar PCs.) or ...

The full set of information that you can see at a site like this is a kind of fingerprint. If you log in to one web site and they get this fingerprint, then another site where you never log in may still be able to tell that it is you.

[DaveA]

StuartR,
The getyourip program needs to be up dated.
I am on a 64 bit machine it it says that I am on a 32 bit.

[PaulB]

I am on a 64 bit machine it it says that I am on a 32 bit.

Perhaps it is referring to your use of the 32 bit version of IE8 instead of the 64 bit version?

[DaveA]

No, just tried in the 64 bit version and I get the same message.

[ChrisGreaves]

... gathering data about you and selling that data to others.

Hi Bob.
See also #2 in Top 10 hacking tricks of 2010

[BobH]

Thanks for all the input, folks!

I wasn't really aware that the inter webs were quite so devious. Having developed and supported my first remote telecommunications network in 1970 (or thereabouts), I can appreciate all the protocol handling that must go on for the web to work; but I remain convinced that there is much that could and should be done to at least allow the user to choose privacy (if not to put the force of law behind its guaranty). I'm for an opt-out law that would do the same for the Internet that the do-not-call list does for telephones (though, IMO, even that doesn't go far enough).

For Argus: I'm sorry if I implied that the American Bill of Rights was universal (and even sorrier that it is not). Didn't mean to give offense. I would point out however that the framers of the US government seemed to believe that some things were universal when they stated (in the Declaration of Independence), "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness." They had to be a bit more explicit when the US Constitution was not fully understood and they found it necessary to amend it by adding the first 10 amendments, the Bill of Rights to which I referred. Although we have no intention of asking others to observe those sentiments, many stand in our belief that those rights are indeed universally deserved if not universally granted and that others ought to be. I would include privacy of person among those rights, for only if I trespass against the law or someone else's rights should my privacy be invaded and then only under warrant. (Hope that clarifies what I meant. Again, I meant no offense.)

[ChrisGreaves]

gathering data about you and selling that data to others.

Then there's Browser firms plan 'do not track' systems

[BobH]

That is encouraging news, Chris.

Thanks for the link.

[Argus]

I'm sorry if I implied that the American Bill of Rights was universal (and even sorrier that it is not). Didn't mean to give offense.

Bob, I was just trying to joke a bit there; I think you all have a lot of things to be proud of. So, absolutely no offense taken; and I hope you didn’t, no offense was intended with my comment.

By the way, straying off topic, our Instrument of Government, one of the fundamental laws here, is clear when it comes to the beliefs about inalienable rights. As is UN's Universal Declaration of Human Rights. Then as you said, some have different constructions; there are amendments or other laws. As for privacy and UN's declaration, see Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

But it's much more difficult than fundamental laws, basic laws, or declarations, since they only give us the framework. True for any subject I believe, not only privacy.

Back to the topic:
Your subject - all about privacy - is quite broad, it involves many topics, I think. But looking at some of the questions you have mentioned; some thoughts from me:

Cookies aren’t much of a threat to privacy. We can clean them, but if we don't, they can read some old choices we have made, as you mentioned. That is because we need them (many times, but far from always), since browsing (using a protocol such as HTTP) is stateless. (There are some alternatives to cookies, if needed, some use some sort of "session IDs" in the links to keep track.)

Then we have other issues: such as what sites do with the information we give them. Not much have changed there from the “old world”, only the speed (since on the net) and how companies interact with other companies. If I become a customer at company A, it can happen that they share some information with an affiliated, company B. How that is dealt with; how and if I can opt-out is a different matter than general Internet privacy, I think, more part of customer-company relations, but there definitely is an "Internet-twist" to this, since I think people deal with lots of more companies nowadays. Perhaps we will see some changes there; the net is still quite young.

As for the IP address and your question “if an IP address or a cookie is required for my ISP to know me, that's OK; but why shouldn't the ISP randomize my identity forward to the network?”

They don’t use cookies, those are for browsers, as per above. They use IP addresses, since they are the ones who assign the IP address to you. But before that, they often use the MAC address (of your card or router) to recognise you as a kind of auto-login when you start your router or computer. Previously they used user names and passwords.

Most people have dynamic addresses. They can change over time, but it might also take a very long time, so they appear to be static. And they have to be the same at least during a session otherwise the whole client-server thing gets confused. But apart from that, one can use some kind of proxy, anonymizer. So, one answer could be that there isn’t much demand for that. And the whole “net-thing” is still quite new.

As for online shopping; a quite new thing is using some sort of virtual post office box; not so much for being able to shop in another country, as for using it when doing online transactions and you don't want to tell them your real address.

[BobH]

Hello Argus!

My old brain is not as nimble as it used to be. I was afraid that by speaking of the governmental/political conditions in my country that I had given offense for being off charter when I was really trying to use that history to leverage my argument. Not good rhetoric, I know. I was taught better but have drifted into slack habits with age.

Thank you for not being offended and thank you again for reassuring me!

I would be interested in reading about Swedish legal constructs for government and what rights are granted under them; however, I know no Swedish (a few very nice Swedes, but no Swedish) and would not be able to understand them without translation to English. It has been far too many years since I struggled to learn first Latin, then German, then Spanish (without much retained of any of them - and certainly no mastery) to take up a new tongue at this point in life. Perhaps if I had the good fortune to spend some extended period of time there I might pick up a bit, but I've come to struggle remembering English words some days.

Returning to topic, my op was an attempt to provoke others with far more knowledge than I to expose some of the mysteries for me. My speculation about protocols (TCP/IP or any others that might be in use involved in the Internet) are only that - speculations. I have no real training in them, only enough acquaintance to know of their existence and role. (Do they still speak of the functional layers of a network these days?)

I was thinking, for example, if, instead of binding sessions between ISP and user for all user connections to all hosts and nearly all sessions, could the protocol not define a bind outward from the ISP which could then be used by the ISP to route responses back to the user? Wouldn't anonymity be achieved for the user? Perhaps this is what you meant by the Internet being "stateless" (meaning, I think, that all parties do not have to achieve the same state of communications simultaneously - not that it functions without regard to political subdivision). I was wondering if placing the burden for session management at the ISP wouldn't provide anonymity yet preserve traceability. No host could possibly know of anything that the user didn't choose to pass forward by meeting the host's usage requirements in such a construct. It would even be possible for the user/host session to exist independently of the user/ISP session with appropriate protocols, no? This would require ISP's to have hyper-dynamic IP addresses (or something like them) only on the outer connection. Authentication for access shouldn't necessarily carry an identification of users throughout all possible network connections or even across different sessions, I wouldn't think, if the protocols accounted for it. Let the user and host manage their own session ID independently and by volition, not by protocol enforcement. There's always overhead in any network. The trick is in not making it congestive, I guess.

Finally, online shopping ultimately requires that goods be delivered which means that the seller must know where to send them. Absent a PayPal-like function for physical addresses, this can't be achieved. Perhaps UPS and FedEx could be asked to provide that functionality ???? I very much believe that the credit card marques should be required to provide a PayPal-like means of preventing credit card number and magnetic stripe (or smart card) data exposure. I spent 30 years in that industry starting before they had electronic authorization systems. There is no longer a valid reason (other than grandfathering functionality) for the credit card marques to identify cardholders to sellers; yet the practice continues and it costs the industry billions of dollars in fraud every year. Merchants have little incentive to guard cardholder data being allowed to store it at will along with any other data they choose - and without consumer rights given a care. There have been dozens (if not hundreds) of incidents where merchant records have been compromised and cardholder information taken en masse. It is one of the bases for identity theft which burdens markets and economies with horrendous costs which could be avoided. If there were laws giving consumers rights to privacy, incentives would be added to the mechanism for merchants to eschew having the data.

Sorry for rambling on. So far you are the only one to take the bait and engage in the discussion. Thank you, yet again.

[Argus]

Hope you didn't learn German via Latin.

Have to think about it for some time; maybe I'll return to the topic. I have read somewhere the last months (but finding that now ... see Searchers' Laws) that there is some new thing with virtual post office boxes, sort of, as I mentioned earlier, but not the usual mail forwarding; or perhaps it wasn't new, just some variant.

There are "virtual" prepaid cards out there that can be used as an alternative in different situations.

As for real credit cards and similar cards, straying off topic; we have moved on to using chips here (and I know that they are not completely secure either, whatever “completely secure” means, but better than using the old magnetic stripe). However, I understand that not all use it all the time, even though many countries do. And one argument, over here, why they can't completely abandon the old magnetic stripe is that being in universal use it's not possible at the moment. So, we, and all other countries using it, are waiting for the guys dragging their feet on this matter.

[StuartR]

I think that the biggest privacy issue is caused by people who combine all the data from many different sources. Knowing that I made a particular purchase on a specific day is not too bad, but if you combine this with a log of every web site I have ever visited and every other purchase I have made it becomes very intrusive. That is why the tracking cookies and browser fingerprints are such a big issue.

I did like the link Chris provided above, which led me to http://www.networkadvertising.org/managing/opt_out.asp

[StuartR]

Coincidentally, I just restarted Firefox and it installed an update to NoScript. When I reviewed the content of the update I noticed that it contains this do not track feature.

[DaveA]

Check this out
http://www.komonews.com/news/problemsol ... 60348.html" onclick="window.open(this.href);return false;?

Make sure you view the video, by clicking the tab.

also check out http://codebutler.com/firesheep" onclick="window.open(this.href);return false;

[BobH]

Thanks for joining in this discussion. If knowledge is power then privacy might just be the antidote to the abuse of power. (I won't go into the philosophical dialectic by which I arrived at that hypothesis here, if you don't mind.)

I followed the link to NoScript and enabled it on my browser. I had disabled it when I installed Fx V4.09b some weeks ago. After enabling NoScript, I followed the link to KOMONews to read about Firesheep. The add-on intrigued me. I want to see it at work. I was able to read the KOMO web page but I could not run the video to see the interview with Butler. NoScript prevents it; and, despite having watched the NoScript video on how to use it, I can't figure out how to give temporary permission to scripts in order to see the video. I gave temporary permission to KOMONews but there seem to be others that I don't recognize, or trust, for whom permissions are required.

I then used the Fx Tools/Add-ons process to try and discover Firesheep. Either it does not exist in the lists that Mozilla allow to be checked, or they have blocked it. So, I turned to my friend Androogle (thanks, Andy) and entered "Firesheep" and got no response. I don't know what's up with that, but entering the argument in the google search panel returned hits. I was even able to download the .xti file, but I don't know how to install it in Fx.

I guess I'm not allowed to see what others see with Firesheep. I only wanted to see it to discover how I might react to the information . . . to see if it might make me even more paranoid. I think that the fact that I've had difficulty getting Firesheep to work makes me, indeed, far more paranoid than I would be if they let me see its results.

But, on the bright side . . . no make that the Orwellian 1984 side . . . I discovered that I couldn't add a smiley because NoScript was blocking Eileen's Lounge. At least, I couldn't until I temporarily allowed it. (Where's the whisper conspiratorially smiley when you need it?) Looks 'round furtively. Holds hand over mouth. Whispers secretively, "They're watching! And they're EVERYWHERE!"

[DaveA]

Try the link using IE and then you might be able to view the full video.

On the linked page, there is two tabs withing the page, and one is marked Video.