Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Google's new feature creates another user privacy problem

From: David Farber <dave () farber net>
Date: Sun, 12 Jun 2005 14:52:07 -0400


Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: June 12, 2005 1:06:48 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Google's new feature creates another user privacy problem



Dave,

Most Google users are probably unaware that a new Google "feature" is
not only distorting Web server statistics, but is creating a
potentially serious user privacy problem.

Apparently about a month ago, Google started triggering "prefetch"
page data for the top listings in search results.  This behavior is
reportedly currently limited to users on Mozilla-based browsers
(Mozilla, Netscape, Firefox, etc. -- Firefox is my browser of
choice).

The goal of this procedure is to allow users of those browsers to see
the top link results faster, since they'd already be cached locally.
But there are big downsides to this process.

One obvious problem is that it can distort Web server statistics, by
creating "hits" from users who never actually chose to visit the
sites in question, but were prefetched when their search listed those
sites at the top of results.  For some sites, this may be a mere
annoyance, for others it could be a significant problem that could
affect their revenue patterns.  This also has the side-effect of
creating a sudden artificial boost in Mozilla-based browser usage
statistics.

A much more serious issue is that the prefetching causes users to
actually access sites without ever having touched the associated
links -- and this includes the receiving of cookies.  You can see
this behavior yourself (if you use a Mozilla-based browser and have
cookie notification turned on) by simply doing a Google search for
the keyword "soundbite".  Note that even though you have not touched
the current top link ("www.soundbite.com") you will receive a cookie
attempt from their site when the search results are displayed.

This means that your IP address and other typical connection data
have *already* been dropped into that site's logs, even though you
never chose to access that site, and you may now already be holding
cookies from them as well.

Now, this isn't a big deal in the particular case of soundbite.com.
But imagine if an innocent search returned results where the
top-listed site contained information you'd never want to be
associated with nor access in any way (child porn, browser exploit
sucker-bait sites, illicit files -- you name it).  Keep in mind that
such sites will often use various techniques specifically to boost
their rankings in search results.

What to do?  If you use the affected browsers, adding the line:

   user_pref("network.prefetch-next",false);

to the:

   prefs.js

file in the browser profile directory should stop this behavior --
some Mozilla-based browsers may also have other ways to disable
prefetching.  Of course, since prefetching is turned on by default,
most users (who won't even be aware of this privacy problem) won't
know to turn it off.

Bottom line: Creating a situation where users are "automatically"
accessing search-result sites without their having taken explicit
actions to do so is very bad policy.  This problem is not the fault
of Google alone -- the prefetching mechanism has been present in
Mozilla-based browsers for quite some time.

However, when the planet's major search engine begins to routinely
use this technique in the manner that Google has done, it at the
very least suggests that they did not fully think through the
potentially serious anti-privacy ramifications of their actions, when
applied on the vast scale of their user base.  This unfortunately
has become typical of various Google features and policies.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
  - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: