back to article Yahoo! mocks Google Privacy Theatre

The privacy gap between Yahoo! and Google is greater than you think. It's not just that Yahoo! will anonymize user search data 6 months before Google anonymizes user search data. It's that Yahoo! anonymization is less nonsensical than Google anonymization. Today, as we dutifully reported, Yahoo! said it would anonymize user …

COMMENTS

This topic is closed for new posts.
  1. tim
    Paris Hilton

    google are scum

    well something like that...maybe...they're just too fucking big these days and are seemingly on a MS mission from god to take over the world... i don't even use search anymore i just randomly put addresses in to see if they have the answer for me.

    paris because she's as drunk as i am (probably)

  2. Anonymous Coward
    Anonymous Coward

    Cookies

    "Google may erase certain IP bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries will carry the same cookie info."

    I'm stunned by how many people allow cookies to fester indefinitely. Firefox can clear them every time it closes, and I've been doing that for years regardless. Why would anyone NOT be doing this as a matter of routine? I can only imagine it's a) most likely ignorance of the situation or b) less likely there are some session to session settings which are really required.

  3. Vincent Ballard
    Coat

    Hash functions

    "Run the user's Yahoo! ID through a one-way secret hash and delete the last 50 per cent of the hashed identifier"

    So run the ID through a one-way secret hash. Unless they actually specify how many bits the hash output has, saying that they're going to delete 50% of them is irrelevant.

  4. Anonymous Coward
    Anonymous Coward

    Yahoo!

    Great, they can see a Google Achilles heal. Now can we get rid of those Icahn parasites on the board please?

  5. Charles Manning

    Yahoo!'s ultimate privacy policy

    Go out of business so they won't be touching any more of your stuff anyway.

  6. Iain

    Freedom of choice

    Everyone who complains about Google's policy is a complete freetard for the following reason (IMHO):

    Google is providing a service free of charge

    There is no requirement to use said service

    They are a business - they will try to make money in any way possible which includes targeted advertising, use of user's data etc etc

    Ok, so Google build up an abstract based on my IP which details my surfing habits. So? I haven't told them my name, address, telephone no., bank details and so forth. All they have is a profile which is built on data I chose to share (by using their service) and my IP which, if it wasn't proxied, would only reveal my locality. As far as I know my customer info held by my provider is still subject to data protection laws so it's not as if Google is going to start raiding my bank account or sending me mailshots.

    You don't drive a car around without learning how it works, same principle for using the tubes, learn about security penis

  7. Elrond Hubbard
    Paris Hilton

    We have a comedian in the house

    "As far as I know my customer info held by my provider is still subject to data protection laws"

    Heh.

  8. Anonymous Coward
    Flame

    @Freedom of choice

    "Ok, so Google build up an abstract based on my IP which details my surfing habits. So? I haven't told them my name, address, telephone no., bank details and so forth."

    Unless you've used any of the other Google tentacles. Gmail will have some of those details; if you've used Google Checkout, well, they'll have the whole set. If you exist in the modern world, you'll have used at least one of their services (even if only search).

    When a company has a near-monopoly, there needs to be additional regulatory supervision to ensure it doesn't abuse that monopoly. Would you be happy if the government logged 70% of all search queries, or would you be up in arms and pointing at the Constitution / Human Rights Act?

    @Chris: your cookies get deleted every session? Fine, but your IP address stays pretty much the same if you're on a broadband connection, and your Google credentials remain the same. If you sign in to your gmail account just once per IP change, then they have your entire history, cookies or not. If you want to be secure, search through Tor. Otherwise, legislate against this kind of bull****.

  9. Frumious Bandersnatch
    Flame

    @Vincent Ballard

    You beat me to much the same comment I was going to make. This is meaningless on so many levels. I can "hash" the text "string" to "stringstring" (it's still a one-way function) and then delete half the bits resulting in zero information loss. Also I note the word "secret" used to describe this so-called "hash function". If we are to trust the hash function, there is nothing to lose by making it public, and everything to lose (trust-wise) in keeping it secret.

    Finally, what exactly is the point of putting things into a one-way hash function in the first place? If the data is meant to be unrecoverable, then it should simply be deleted. Otherwise, there's nothing stopping Yahoo! from searching for a specific text by passing that through the hash function before comparing it with the stored value. Which just happens to be the way that the Unix password function has been implemented for, oh, 25+ years.

    While it's good to hear that Yahoo is, at least on the surface, attempting to Do The Right Thing, I have serious doubts on the first three bullet points listed in the article.

  10. Tim J
    Boffin

    Firefox's anti-phishing and Google

    I use Firefox - I understand it has anti-phishing protection provided by Google. I also occasionally surf whilst logged in to Google.

    Simple question - are Google linking my account ID with what what sites I'm surfing? I understand it's technically possible - but do they actually do this, or is the relevant privacy policy robust enough to ensure these two things stay entirely separate?

  11. BioTube

    Yahoo! can do this

    Because they make money selling things besides personal information. If Google responds by taking real privacy measures, I think we can count on Yahoo! to go even further(again, they make money elsewhere).

  12. Kanhef
    Stop

    Possibly useless

    Most cookies have [alpha]numeric values. Changing that to a different number doesn't really make a difference. All occurrences of the cookie still have the same value, and so are associated with each other. If the original cookie is stored anywhere, it can be hashed to look up the data again. The hash will only really anonymize data if it generates a large number of collisions, but we know how likely that is, don't we? Most hash functions (as in hash tables) are designed to avoid collisions as much as possible. Similarly, unless there are collisions in the first half of the hashed ID, removing the second half won't do anything. The only way to be sure this "anonymization" is effective is to make the hashing algorithms public.

    Dropping the last octet of the IP address is somewhat better. But if records include search query, cookie, and IP, it doesn't matter since the cookie is still traceable. As for the fourth point, who the hell searches for a credit card number or SSN!? And "non-popular names" is a very loose term.

    If they do this the right way, they should get credit for at least making it hard to associate data with a particular user without deliberate effort. Or they could be making a big show of caring about users' privacy without making their data any less useful.

  13. Nick L

    cookies ?

    You mean there are some people who allow Google to set cookies ?

  14. David Wilkinson

    freedom of choice

    Yes you get to chose to use their service or not ... but you need to make informed decisions.

    Articles like this make people aware of issues and perhaps pressure the companies to make change.

    Of course that only works if people see this as a real problem.

    Personally I do. I just don't like companies collecting vast amount of information on me. But its not a big deal. So I will try yahoo search and if it works about the same us it instead of Google. If it doesn't meet my needs as well I'll probably switch back and just accept they are keeping too much information on me.

  15. Alex

    BTYahoo! By! Any! Means!

    they "give" with one hand

    and "knock your back doors in" with the (ph)other

    mines the one with a link to:

    http://www.scroogle.org/scraper.html

    no cookies | no search-term records | access log deleted within 48 hours

    on the back!

  16. Johnny G

    You! Forgot!

    The! Obligatory! Exclamation! Marks! In! The! Title!

  17. Anonymous Coward
    Thumb Down

    Gotta love Google....

    ...we won't touch cookies because the user can delete these.

    Translation:

    We won't touch them becuase 90% of users don't have a f'ing clue what a cookie is, so we can get away with it.

  18. ElFatbob

    @ Iain

    what's a 'security penis'?

    i'm slghtly puzzled...

  19. Jason Scrutton
    Thumb Up

    Use scroogle.org instead!

    Problem solved...

  20. Anonymous Coward
    Linux

    @Freedom of choice

    "There is no requirement to use said service"

    There is also no (or very little) chance of using the 'net without being exposed to said service. Every time you're served a google ad, along comes a little cookie to identify you to their ad network.

    Even if you were to choose to avoid visiting any website containing "google" in the URL, they're still tracking you.

    With google ads present everywhere you go, there is indeed a "requirement to use said service" and not very much freedom of choice at all.

    (all of which is not to say that I have a problem with using Google or their services -- I don't. But to state "you have a choice" is naíve at best)

  21. mr.K
    Coat

    cookie jar

    "Of course, most users don't even know what a cookie is."

    If my mum knows what it is, everybody does. So I asked her and she said that she knew what it was and that I couldn't have one. Then she asked who had been in the cookie jar. I said I saw my brother near it earlier today.

    Can I have my coat, please. My mum wants me to play outside for a while.

  22. Anonymous Coward
    Thumb Up

    Heh

    Firefox, NoScript, forbib google-synication, google-analytics, google.... (I guess there are similar measures available for Opera etc).

    Maybe not the entire answer, but certainly better than none.

    I pity the fools still using IE.

  23. Anonymous Coward
    Anonymous Coward

    @Iain

    "Free of charge"? At risk of feeding the troll: try turning your ad blocker off, there's nothing "free of charge" about Google.

  24. Steve
    Stop

    @Freedom of choice

    "Google is providing a service free of charge

    There is no requirement to use said service"

    Unless you go to one of the millions of sites running the google urchin system, which in nearly every case is used by an imbecile who has no idea what sort of security risks they're presenting their users and themselves by such action, but they do to see some pretty graphics (sorry, useful statistics) for free.

  25. Anonymous Coward
    Alert

    Ahem !!!

    What! happened! to! the! !!!'s!

  26. Anonymous Coward
    Thumb Down

    what a hash

    "Run the user's Yahoo! ID through a one-way secret hash and delete the last 50 per cent of the hashed identifier"

    On the grounds that this is then not reversible? Hm. Let's think. How long would it take to hash up a billion recorded Yahoo! IDs and compare them with the magic anonymized ones? No, not very long, really. And if its a cryptographic hash, then the likelihood of a collision even in 50% of the bits is pretty slim. So the de-anonymization sounds pretty trivial to me.

    I hope the Reg has missed something: otherwise, this approach is no better than the Google one they so enthusiastically slate.

  27. Luther Blissett

    Freedom of choice by another name

    www.scroogle.org

  28. Thought About IT

    I'd like to make a donation to scroogle ...

    ... but then they'd know who I am!

  29. Daniel Brandt

    Be sure to wash your hands after surfing

    Think about how many times a day you click to watch a YouTube video, no matter which site it's on. It might be Obama's weekly chat at change.gov, or even Consumer Watchdog's YouTube video on Chrome's privacy problems. Before you even click to watch the video, you collected several YouTube cookies. And after you click to watch, about ten seconds into the video, Google reads your universal google.com cookie. This is the one with the globally-unique ID. It used expire in 2038, but now it pretends to expire in two years. However, every time you visit any Google site, it gets pushed two years ahead, which means it expires when your hard disk is replaced.

    If you don't already have a Google cookie, you get a new one with a new ID. If you have one already, it reads the old cookie. Put your PC on a packet scanner and click on a YouTube video. The GET request to google.com, which apparently is done from the embedded Flash code from YouTube, includes the site you are on, as well as the video you are watching.

    This information is available to the U.S. government without a court order. It's called a "National Security Letter" and when Google gets one, it comes with a gag order. How many other governments around the world have similar laws?

    Delete your Google cookies and your YouTube cookies when you exit your browser. It's common-sense hygiene - the equivalent of washing your hands after you visit a dirty bathroom at a gas station.

  30. Jon Kale
    Boffin

    re: Firefox's anti-phishing and Google

    "are Google linking my account ID with what what sites I'm surfing?"

    You bet they are. Google's (stated) mission is to know everything about everything and their slightly-less stated rationale is to allow them to sell eyeballs to as many advertisers as is humanly possible for as high a price as they can get. As has been pointed out in these parts previously, when all's said and done, they're the world's biggest small-ads platform. Everything else is just gravy, allowing them to sell more, better-targetted ads.

    "I understand it's technically possible - but do they actually do this, or is the relevant privacy policy robust enough to ensure these two things stay entirely separate?"

    Ha! Hahah! ROTFLMAO...

    Lemme see: respect the users' privacy or -- ooh, a Big Sack O' Cash. Which way would *you* think they'd go? (not to mention that Google, as a publicly traded company, has a fiduciary responsibility to place the interests of the shareholders before those of the users).

This topic is closed for new posts.

Other stories you might like