Google's data mining bonanza and your privacy: an infographic

Do you use Google? These days the question sounds almost absurd. If you use the Internet, or an iPhone, or an Android phone, or a Kindle or an iPad, then of course you use Google in some shape or form. And if you take a keen interest in how your personal information is used, you probably know that on March 1, 2012, the world's largest collector of personal data, Google, changed the way it uses information about you. But how big of a deal is this? And what, if anything, should you be doing differently today to protect data that Google may be collecting about you?

Click for larger version of the Google Privacy InfographicLet's start answering those questions by picturing just how much data about its users Google has the potential to tap. The infographic on the right is titled: "Google Data Mining Bonanza." It shows some, but not all, of the different "pools" of data that Google could potentially access in order to build a picture of you and your interests as you use different Google services.

Just to be clear, I'm not saying that Google is actively mining all this data to create detailed profiles of people that are shared inappropriately with third parties. But I am saying that the changes Google made on March 1 have raised numerous questions to which I have not yet found answers, and I'm not exactly new to Internet privacy (I wrote a book about it 10 years ago).

The most visible sign of those March 1 changes is a "unified privacy policy" that combines over 60 separate privacy policies for different Google services into one. There is much to be said for the benefits of a unified privacy policy, but applying one retroactively is problematic. That's why the folks who first thought about privacy and computer-based information systems chose, as the first privacy principle: Notice/Consent.

To its credit, Google gave plenty of Notice of the March 1 changes, but when you first signed up for something like Gmail I'm guessing you did not give informed consent to what Google is doing with your data today. And millions of users of those scores of Google services have time and data invested in them which make withholding consent, where that is an option, problematic to say the least.

Take Google's Gmail for example, which I started using in 2005. (Google claims there are now 350 million active Gmail users.) Even though I don't use Gmail for all my email, there are currently more than 47,000 messages in my Gmail Inbox. You could draw a fairly detailed picture of the last 7 years of my life from that lot.

How about Google Search? A quick back-of-the-envelope calculation tells me it is quite possible that I've performed more than 47,000 searches via Google in the same time period. What a picture those search terms could paint! And if it's moving pictures you want, consider the YouTube videos that I have uploaded, commented on, searched for and watched.

Not that I think I am personally of great interest to Google or the world in general, the point is I am valuable to Google as a potential clicker of online advertisements; and Google has found that my value increases each time the company can pipe another source of data about me into the ad targeting mix. Like a lot of people, including many fans of Google, I am now wondering what could happen to my "pooled" Google data.

So what are my options if I want to cut back on Google's use of data about me? The place to start, a place you should visit even if you're not that bothered about what Google does with data about you, is the Dashboard.

The Google Dashboard

You need to be signed into Google to see your information on the Dashboard and you might be surprised at just how much information that is. I counted 32 different entries plus a note that says "15 additional products are not yet available in this dashboard." (It would be nice to know what those are so I will keep checking back.) Below you can see the top of my Google Dashboard, with some of my personal information blacked out.

The first thing on the Dashboard that caught my interest was the entry titled: "Websites authorized to access the account." When I clicked on this link, lo and behold there were some surprises, including connect.thedailyshow.com and socialize.cnet.com.

Google access revokeNo offense to Jon Stewart or The Daily Show or CNET but I don't recall giving them special access to my Google account, so I used the Revoke Access link to remove them, leaving just the Google Mail Notifier and Google Calendar.

While revoking access was easy, this page could do a lot better job of explaining what exactly access means, and what the implications of adding or revoking access might be. The same page does present a lot of information about "application-specific passwords" and "2-step verification" but again there is not enough context.

Me on the Web

The second item on my Google Dashboard is "Me on the Web" and it has three sections, although that is really over-selling the content Google has put together for this section:

  1. How to manage your online identity: Tips on searching for yourself to see what is out there; creating a Google profile as a way to control what people learn about you; removing unwanted content and search results, and; getting notified when information about you appears on the web.
  2. How to remove unwanted content: More about the same topic covered in section 1.
  3. About Me on the Web: More about the section you are looking at.

Despite the redundancy, this is good information, stuff that people who are heavily involved in social media probably know and do already (for example, I regularly Google myself to make sure nothing bad pops up and I have a Google Alert on myself for the same reason). What may come as a surprise to the more casual Google user is the amount of work it takes to manage your online identity.

Web History

What may also come as a surprise when you start to explore the Dashboard is the fact that the privacy item most people seem concerned about–Web History, the information that Google stores about what you search for–is way down at the bottom of the page. (I know that's because the page is alphabetically arranged, but to me that is weak user interface design.) When you do work your way down to Web History it can make interesting reading. Here's what I saw when I clicked the "Remove items or clear Web History" link:

Google Web History

When you check out this page for yourself, don't be surprised to find that it includes searches conducted on multiple devices. From my entries it was clear that Google was tracking my searches on my laptop, my iPhone, and my Kindle Fire. It is this kind of all-embracing, cross-platform tracking of what you do with Google that seems to bother some privacy-conscious people. Fortunately, Google makes it easy to put a stop to this: just click the Pause button. According to Google, the Pause button will "prevent your future web activity from being saved in Web History and from being used to personalize your search results." If you then click Remove all Web History all your past activity will be erased.

Private browsing on the iPhoneAnother way to avoid Google tracking your search activity is to use search without signing in. If you go to www.google.com in a web browser on a laptop or desktop and you see your name at the top of the page, that means you are signed in. You can click on your name to access the Sign out option.

If you are using Google as your search engine on your Apple iPhone and you are using iOS5 then you can go into the Safari settings and turn on Private Browsing to turn off tracking. (I'm pretty sure Private Browsing is off by default and I don't recall signing into Google on Safari on my iPhone, but I can assure you my searches from that phone were tracked by Google until I turned on Private Browsing.)

You may have noticed that Google is pretty persistent about signing you back in and keeping you signed in once you have logged in from a particular browser. One strategy to consider on your laptop or desktop is multiple browsers because Google login is browser specific. That means you can use the Chrome browser for your "logged in" Google activity but Firefox for activity where you don't log into Google. For good measure you can turn on the "Do not Track" option in Firefox.

How problematic is it that Google records your search history? The answer is largely subjective, based on how you feel about other people knowing what subjects interest you. Not that people at Google sit around reading your search history, but there are clearly issues of trust around what could happen to your history.

Consider the section of the Google Privacy Policy titled "For legal reasons." Basically, it says Google will indeed share your personal information with companies, organizations or individuals outside of Google if the company has "a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request." I'm no lawyer but I would say that's a pretty broad definition and there seems to be a lot of room for interpretation in phrases like "good-faith belief" and "reasonably necessary." The extent to which you feel you can rely on Google to screen and vet such requests is a matter of trust. And Google would clearly have no control over the way in which a third party would interpret my Google searches for subjects like "missile silos near me" and "where to buy arsenic."

Ads Preferences

One reason Google would like to track your searches is to improve the targeting of adverts. The company argues that such targeting is better for you. The stock market suggests it is also better for Google. But although Google allows you to exercise some control over the ads you see, those controls are strangely absent from the Dashboard. You have to go to a place called Ads Preferences to make changes. The preferences are broken out into "Ads on Search and Gmail" and "Ads on the Web."

You will find the latter very interesting if you have been allowing Google to use its cookie to track your activities. The page presents "a summary of the interests and inferred demographics that Google has associated with your cookie." Frankly, I was surprised at what I found because it was not a very well-rounded picture of my interests. This suggests that Google is not doing all the correlation of data that it could, at least not yet. (For example, the fact that my demographic age is listed as 45-54 has to be intentional flattery since my date of birth is in my Google Profile and it proves I'm older than that).

The Ads Preferences page allows you to opt out of seeing targeted ads and gives you access to the Remove and Edit features for ad preferences. These enable you to tailor ads by removing erroneous categories or adding fresh categories. As with many things Google, the details are quite complex. For example, a cookie is required to prevent tracking. So if you routinely erase your cookies you potentially remove your opt-out preference (we will have more to say about this in a future post).

More to be Said

Indeed, there is a lot more to be said about Google's privacy policy changes and the way they are being handled, starting with the fact that Google went ahead with them despite a chorus of objections from legislators and regulators in the U.S. and the E.U. There is also the question of corporate and government agency use of Google products and what the changes mean for them. Expect to see more blog posts on this topic in the coming weeks. (For further reading right now, the San Jose Mercury News offers a fairly balanced review of reaction to the recent Google privacy changes and there is an extended discussion here on NPR.)

During the financial crisis of '08 we all became familiar with the term "Too big to fail." I find it hard to escape the feeling that, given the vast size of Google's installed base and the broad range of its services, its privacy policy changes are: "Too big to understand." Certainly, getting a clear picture of where things now stand will take a lot of work on the part of Google users, even as Google continues to build out tools like the Dashboard, which is still a work in progress (for example, I got a "page not found" error when I checked out the link titled "About privacy and security in Google Voice").

We'd love to hear your thoughts about Google privacy and your experiences with the Dashboard.

Author Stephen Cobb, ESET

  • Ari Goldstein

    I love the ESET security blog, and I also am an avid reader of the posts. I think we need to tweak our thinking to generational mentalities when discussing what Google Privacy means.  While the readers of this blog may be concerned about the privacy of their companies or their personal information, there are few teens who will take interest in this. In fact it can be argued that there are few twenty-somethings who care about this.?I applaud Google for offering up a unified privacy policy and not playing the 'If you don't like it then leave' routine, we so often find with information sharing in credit card companies, and banking establishments, for example.?Information gathering and sharing is everywhere. Unless we go by the methods of JJ Luna, we are not going to escape being melded into this Sharing Fold. Yet we can make choices without moving to a plot of land in Costa Rica without water or electricity.?Sun Microsystems was one of the leading information technology companies to work directly with the US government and several (all?) security divisions and had a reunion presentation of their establishment and growth at the Computer Museum. This reunion interview in 2006 was with the four Sun founders. Toward the end, Scott McNealy actually said – reflecting on Sun's historical interaction and work with government – to simply forget about your privacy. This was in a different context than the same statement made by Google's CEO Erik Schmit a few years ago.?My point is privacy is probably nonexistent if you want to be online, or even a part of the US infrastructure (use a bank account, pay bills, have a car, have insurance policies, have a brokerage account, etc.). You have choices to make as to which online services you can be involved in, and you, the end-user, must pick and choose what services to be a part of and what you write and document.  No modern social media company has been more abusive in their policies than Facebook. At first they offer a service where you are firewalled or blocked away from other members who are not part of your school class or those people who you have no association. As of today, this premise has gone away, and now FB members have to actively go into privacy settings to alter their 'sharing' features several times a year, to try and remain semi-private. Most kids don't care that much. This is where the generational attitudes kick in. Jump down in five year brackets and see how people care less and less about their privacy.?I personally prefer to keep track of which service i use and what information I put into those services. This is not the mindset of younger generations. I prefer a unified privacy policy over a service that has different policies for different products they offer. It is simply too difficult to keep track of these things on more than one product each year, not to mention each week. This is real transparency and other services like Yahoo!, Facebook, web cookie advertising houses, and even Microsoft are too obscure in their policy guidelines and unavailable to make changes that suit me.  Google is a forerunner in helping the end user against their other industry partners.
    These 'discoveries' of how Google "REALLY" uses their tracking is a little strange to me because it singles out Google. It is simply business as usual and not a secret conspiracy as so often propertied.  Apple had one of these scandals regarding their iPhone  tracking people and supposedly sending geo location data back to Apple. NO ONE mentioned that these 'discoveries' were mostly quality of cell service, and not private information tracking for implied 'marketing purposes'. No one in the press mentioned that this was not clearly understood and tested to be sure of tracking. Even the two people who announced this Apple tracking discovery, later within their premier announcement claimed that they don't have proof of Apple transmitting data back to their data centers.  They finished their presentation with the conclusion that their findings were inconclusive. Amazingly the entire press corps never watched the entire boring video to realize that they contradicted their initial claim in the same video!?Everything you  and I use on the Microsoft platforms are probably tied to a different EULA and Privacy Terms contracts: Microsoft Operating Systems, Windows Live, Windows Messenger, Windows Live Messenger, Microsoft Media Player, Live Essentials, Microsoft Internet Explorer, XBox Live, etc. All carry unique and different privacy policies.  Yet no one mentions these services carry different privacy policies while criticizing Google's Privacy Policy changes. The same holds true with Yahoo Mail, Yahoo Search Toolbar, Yahoo Messenger, etc.?I honestly appreciate this blog post. It is very helpful. I don't necessarily agree that Google is doing something bad, as compared to other services online. The stark omission of mentioning other services makes these shocking Google Privacy reports kind of weak and one sided. 
     

  • Don

    what seems most obvious to me is why would anyone open a Google account or any other account using their real name and profile information, such as zip code, gender, etc., unless it is absolutely required FOR YOUR OWN BENEFIT.  I never;
    - use my real name
    - use my real zip code
    - use my real gender (actually I mix it up to confuse)
    - use my real age (same as gender; sometimes I'm 16, or 25 or 57, etc.)
    - input my annual salary (same as gender; sometimes I make $20,000/year, sometimes 0, sometimes $50,000/year)
     - and so on.
    My hope is that even my false self has information that is totally contradictory and inconsistent.   If I Google my real name nothing comes up.  Seems to be that simple.  Then again, I'm not into all of the social nonsense nor have a need to be connected all of the time sharing my life with the world.  I don't believe my life is any more or less interesting than that of others, I really just don't care if you had a great bowel movement this morning or not.  Further if I want to connect with friends, I can stiull do it using a false ID; I just need to tell my real, actual friends (not the 461 friends some have on Facebook) that my Facebook page is under the name of Stephen Cobb, in Waterloo, Montana, age 31, gender female, annual income $ 13,500/year.  Why do people feel the need to be honest on any of these social sites at all.  This also, screws up any empolyers or potential employers that want to look at a Facebook or Google+ page.
     

  • Janet Batchelor

    This is the first time I've seen one of these newsletters — read your article and went to Dashboard. Wow!!  Thanks so much for the education and information.

  • Carl

    When I look for the "Websites authorized to access the account" that link does not appear at all.  When I look for "Web History" I see "Disabled."  When I visit the Ads Preference page, it complains that I have cookies disabled. I take it this means I have already taken action and as private as is currently possible with Google?  It's not clear to me.

  • Marda

    Upon reading this page, I just opt out of two opt outs, I do not remember the names.  Google has been dealing me a fit the past three days.  When I search for a site, it sends me to a page of advertising for a particular item.  And then I have to close the google page down because it does not let me back up.
    Here is hoping that this works.

  • chris

    I must echo Janet. Have not seen such in-depth explaination of what is going on with little ol’ email.
    Thanks.
    Chris

  • John Roberts

    I have used Google's search engine quite a lot but I do not use Gmail.  I do not have a Google "account", at least as far as I know.  I have used Google Chrome, and the now discontinued Google Desktop in the past.  I have not been a user of Google's other services.  It woudl appear I have nothing to do with Google's privacy policy, am I correct or diluded.
    John 

    • Aryeh Goretsky

      John,

      Have you tried visiting the Google Dashboard page, just to see if anything is displayed?

      Regards,

      Aryeh Goretsky

  • Herve

    Excellent. As TEd says, the missing piece is location though this is not a displayed on the dashboard. Woudl probably freak people a lot.
    Interestingly though, I can not find the web history! It's Tasks, YouTuber and Others. Really looked up and down many times with no luck. Very weird. Wonder if this is because I am in the UK.

  • Just Me

    This was a great read.  I have a Google Ad Sense account that I signed up for using an anonymous user name.  I have also never given Google my legal name or mailing address at any time, on any product.  I am big into privacy and actually have never given my legal name or address to any web site with the exception of secure HTTPs connections with banks.
    Shorty after I signed up for Google Ad Sense, I started receiving $100 coupons in the mail.  They were addressed only to me (despite living in a house with multiple people).  I am very curious if it is legal for Google to be “somehow” linking my anonymous user ID to my legal name and address.  Especially when I never gave them that information, and they obtained it “somehow.”  Thoughts?

  • Fish Fry

    I recently bought an Android smartphone (regretably). What really bothers me is the ease and insistence with which Google helps you to connect your various contacts. If I connect an email address of a friend from my gmail contacts with their cell phone number from my SIM card address book, I have just given Google private information on my friend. So it is not only my own privacy I have to be worried about, but also that of my "real" social network. That is really too much!
     

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.