Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Comments on Google's Privacy Announcement

From: David Farber <dave () farber net>
Date: Thu, 15 Mar 2007 08:38:43 -0400


Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: March 15, 2007 2:45:51 AM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Comments on Google's Privacy Announcement


             Comments on Google's Privacy Announcement

         ( http://lauren.vortex.com/archive/000217.html )


Dave,

Google has announced significant changes to their data retention
policy.  Since I'm already being asked for my opinion regarding
their announcement, I'm sending this out now rather selfishly to
avoid having to generate a large number of individual responses
(though I'll be glad to discuss this in more depth upon request).

First, the "raw" material:

Google's Press Release:
http://googleblog.blogspot.com/2007/03/taking-steps-to-further- improve-our.html 

Google's PDF with more details:
http://216.239.57.110/blog_resources/google_log_retention_policy_faq.pdf

Michael Liedtke's AP piece:
http://www.chippewa.com/articles/2007/03/15/ap/hitech/d8nsbf801.txt

The gist of the announcement is two changes: The obscuration of some
IP address bits (currently it appears that this would involve the
least-significant octet of IP addresses recorded in the Google user
activity logs), and changes to provide for some form of cookie
anonymization.

Such an IP address change would allow for identification of any one
computer out of a group of 256, rather than the existing ability to
identify each computer individually.  The actual impact of this
change from a privacy standpoint would vary greatly depending on the
type of addresses (dynamic vs. static) and the total range of those
IP addresses associated with any given organization.  Cookie
anonymization effectiveness is more difficult to analyze until more
information regarding the algorithms to be used become available.

Both of these changes would be applied to data after an 18-24 month
period -- during which time data would be retained intact -- unless
future government data retention mandates require longer periods.
This is in contrast to Google's policy up to this point of
maintaining all log data intact on an indefinite basis.

The AP piece referenced above notes that AOL apparently already goes
farther than Google plans to go in terms of IP address anonymization
and some other related issues.  In light of that, my many public
statements over time that have been critical of Google data retention
policies, and my "Open Letter to Google: Concepts for a Google
Privacy Initiative" from last year
( http://www.vortex.com/google-privacy-initiative ),
what is my take right now on this move by Google?

It's much simpler than you might expect.  I am not particularly
concerned at this point about the details of the policy.  I could
(and at some point no doubt will) critique the various aspects of
Google's changes in detail regarding both perceived strengths and
shortcomings, but not today.

For today, let's view Google's announcement with the broadest
possible scope -- not so much for what it says but for what it might
portend for the future.  For while these changes can be reasonably
viewed as only a first step on the road to the kinds of data
retention privacy enhancements ultimately needed, taking that first
step at all can be reasonably viewed as an immensely positive sea
change to Google's attitude toward this data.

Time will tell if the rest of that privacy road is traversed in due
course.  It will be a challenging path indeed, especially in a
political environment where the pressure to retain data for extremely
broad retroactive investigatory purposes is growing at an alarming
rate.  And as we've seen in the recent revelations regarding the
FBI's violations of the PATRIOT Act
( http://lauren.vortex.com/archive/000215.html ),
the issues are all interrelated, and Google of course
must obey these laws.

But those are issues for another day.  For now, I'll simply thank
Google for listening, and express the hope that we can move forward
together into a very uncertain future, where deeds will always speak
more strongly than words, and where the decisions we make now about
these matters are likely to have impacts for generations to come --
as we all ideally try to live by the "Don't be Evil" creed.

It won't be easy.  But we have no honorable choice but to try.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Founder, CIFIP
   - California Initiative For Internet Privacy - http://www.cifip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com



-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/@now
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: