Privacy watchdog barks for federal Gmail probe

An influential net watchdog has urged the US Federal Trade Commission to shut down Google's so-called cloud computing services, including Gmail and Google Docs, if the web giant can't ensure the safety of user data stored by these online apps. With a petition (PDF) filed yesterday, the Electronic Privacy Information Center ( …

COMMENTS

This topic is closed for new posts.
  1. Mark Dowling

    oh, and give us and our mates $5m

    58. Compel Google to contribute $5,000,0000 to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy.

  2. Bug
    Paris Hilton

    Even Paris Hilton knows this...

    There is no 'expectation of privacy' when posting your documents online, into a free web service hosted by a search engine company, whose terms of service state that they have all rights to any content you upload into their system.

    This is a complete non issue. T BONEHEADS, DO NOT STORE YOUR CONFIDENTIAL DOCUMENTS ON A PUBLIC WEB SERVER PLZ K THX

  3. some
    Stop

    And that would be

    the privacy group swarming with Microsoft employees. Epic fail.

  4. Will
    Pirate

    well at least it's only Americans

    you go for it Epic and fuck it up for your countrymen, but leave me and my decisions about how I use cloud computing to me.

  5. Ian Bradshaw

    The cloud ... safe ... you having a laugh?

    The Google Cloud - Is it safe?

    Nothing is secure ... security is merely the fact that a bug hasn't been found yet in the weakest link in the chain.

    The complexities of anything useful mean that everything will be vulnerable ... they're just not all found ... Google docs ... Adobe Flash as recent examples.

    Sticking stuff into a cloud can never be secure.

    Is it more secure than storing it at home? Possibly.

    Security should be defined along the lines of ... 'data is unavailable to unauthorised users based upon the highest technical abilities of the best technical user with access to that system or any link in getting to the end system'.

    This obviously dictates that the bar for online data being secure is greater than one at home or in a general office / corporation.

    It's worth remembering that, for example, with the DNS hijacking of recent times, it's not necessarily the respective cloud that may be the problem; it could equally be the router you go through to get there, over which 99% of users have no control.

    How long before someone presses the wrong button or a disgruntled employee presses the 'stick into search engine results' button?

    The cloud ... safe ... you having a laugh?

  6. Paul Framhein
    Alert

    Privacy?

    RANT:

    Didn't we learn anything from the Sarah Palin incident? Don't put your private, confidential information into a (free) online web service! There is no such thing as security for human stupidity, and no way that google can combat things like some idiot giving away their account information.

    /RANT

    On the technical side, doesn't google mail still have the "beta" tag? What genius would take production, sensitive data over a BETA system? Oh, wait... I live in the US.... I'll be getting my coat

    -.-

  7. Chronos
    Thumb Down

    Um, priorities?

    I would have thought that they would be more interested in (in order of importance):

    * Google's new behavioural advertising data mining of people's browsing habits. AdBlock users, don't be naive: Your web surfing habits still get collected even when you don't see the ads. This one is way above the top of the list - it's so important it's written on the desk in Sharpie;

    * Urchin.js, Google-analytics and web beacons all over the web give them an almost omniscient view of what people are browsing. Don't bother reminding me that El Reg use analytics: It's blocked on the firewall and gets an ICMP unreach response to speed up client handling of the failure to reach Google's server;

    * Excessive cookie validity at two years, renewing with every use; a moderate search user will never get rid of that cookie short of deleting it manually and thus her unique ID will be associated with every search and encounter with a Google script or web beacon. This seems to be the reason they prefer webmasters to let the Goog host urchin; if it's not on a Google host, they can't retrieve the Google cookie. It's not quite as bad as cookies with an expiry date of 2038 but it has made very little difference to the end result;

    * Even with safe-everything turned off, the associated Google URLs removed from the config and the Google search plugin removed completely, Firefox still periodically attempts to connect to www.l.google.com for no reason when sitting idle. The reason this is at the bottom of my list is because I have yet to dismantle the source and outgoing packets to find out for what purpose it does this. It'll be happening soon. $DEITY only knows what Chrome does but, since I won't let anyone use it, I guess we'll never find out.

    These are things that happen in the background that normal people ignore. People using [G|Google]mail and their other "cloud" offerings do so voluntarily and, while not exactly deserving everything they get, are certainly more to blame than a web-surfing MOTP. Those of us that want nothing whatsoever to do with this outfit have a far harder time keeping our web footprint away from the prying eyes of their data mining servers. I think that falls within the interests of a self-appointed "privacy" group, don't you?

    I suppose the bottom line to all of this is "What do Google get out of this?" If you think about that for long enough, the motives behind all of these "innovations" become clear.

  8. Chris Simmons

    EPIC

    ...can bleat on all they like and I do agree with some of their campaigns, however in this case they can just go screw themselves - I have made a decision to use gmail for most of my mail and it has served me well since February 2005.

    I have no problems with this fantastic service.

  9. Anonymous Coward
    Anonymous Coward

    all well and good

    However, some people neither know nor want to know about computers (a bit like some other people with banks) and will take assurances from a respected multinational corporation at face value.

    In order that normal uncynical people (not like me I hasten to add) can have happy and unperturbed lives, laws have been passed to punish people who tell lies or engage in reckless acts. It's called consumer protection and, by and large, it's a good thing.

    Carry on having fun mocking people who don't know what you know, and hope that you don't need _their_ expertise one day.

  10. Anonymous Coward
    Coat

    extensive policies?

    <rant>

    Translation: We have terms and conditions that indemnify us from any damages that our lazy ass programmers and cheapskate management may cause, by bone head decisions or cut corners. Since YOU were in such a rush to get to the 'perceived' goodies, you didn't bother to read the legal-ese that strips you of any leg to stand on, should our freely offered products do anything naughty to your property. Oh, and if you are still stupid enough to sue us, even though we have a legal and binding contract, we will seek counter damages. So, that last leg you thought you were standing on, well... Nothing personal, but in order to show consumers that we are very protective of our products, intellectual property and branding, in the astronomically remote chance you actually win the law suit, we will appeal and keep it tied up in the court system for decades. Otherwise, that leg are belong to us.

  11. Alex
    Alien

    safer than storing on your own hdd???

    whahahahahah ha hah ahha hah ah hah ahhhhah ahah ah hah hah ah

    oh and Chronos, I think "Firefox still periodically attempts to connect to www.l.google.com for no reason when sitting idle." may be that nice little browser search box?

    I'd be interested to learn more about your methods of hobbling the googlebeast, it drives me bananas!

  12. Neil Bauers

    Leave your cloud on a train.

    I wonder if uk.gov will find a way to do this?

  13. Edward Miles
    Flame

    Gmail? Security?

    If you have sensitive information in an email, then YOU'RE DOING IT WRONG (tm)

  14. BlueGreen

    @Alex @Chronos

    I'm pretty sure it's the well documented stuff about the tickboxes you find in Tools|Options|Security tab for "tell me if the site I'm visiting is a suspected forgery/attack site"

    FF downloads blacklists from google as I understand it, that's all. De-tick these two and see if that shuts it up.

    Just intercepting the http (you can even do this with squid logging) would probably be enough to tell you what's up - no packet sniffing or disassembling required. Even scroogling for

    firefox connects google regularly

    would have come up with answers on the first few links.

    Talk about making an easy job hard, Chronos.

  15. Anonymous Coward
    Coat

    EPIC

    As in EPIC FAIL

  16. Chronos

    @Alex

    No, I've removed it from the installation (rm /usr/local/lib/firefox3/searchplugins/*) and replaced it with Scroogle SSL, changed the default Firefox/Google co-branded homepage (actually, my Fx starts with a blank page) and removed all Goog associated URLs from about:config. The search plugin code isn't even present, nor did it come back sneakily with the 3.0.7 update as I have to update manually on this OS as Moz don't produce a binary for it. I'm going to have to set up a dummy server, use a next-hop redirect on the firewall and try to fool Fx into thinking I'm Google to see what it is doing.

    Hobbling the Google beast? Ideally you need a decent firewall and Squid to do it properly. There is this way http://4crito.com/linux/tips/block_google.html but it's a little out of date. The Goog now also have a pair of IPv6 allocations, a /32 and a /48.

    A quick rundown of my methodology starts with ipfw2 and tables. Outgoing traffic from internal clients to Google netblocks on the table get an ICMP filter-prohib response. This is fatal as far as the client's IP stack is concerned, so the client stops trying to connect immediately unless the host has round-robin DNS, in which case it tries the next record and gets the same again until all records are exhausted. Typically, this takes very little time and is rarely noticed by the user unless Google/Doubleclick/Picasa et al is where they want to go. Incoming traffic from the WAN interface is blackholed. Similarly, the IP6 blocks return an ICMP6 admin-prohib packet which works in a similar way to IP4. Also I have a transparent Squid-with-SquidGuard setup, replacing any blacklisted URLs (much more scope to block ads and malware here) with a single-pixel transparent GIF that takes an awful lot of work away from the firewall. The advantages are clear and the only drawback is educating people to use Scroogle SSL instead of Google, which also has the added advantage of being encrypted to confound the likes of Phorm. Since I control the browsers, this isn't difficult to enforce. That, and personal [G|Google]mail accounts don't work, but we can live with that, can't we? ;o)

  17. Jimmy

    @ BlueGreen

    IIRC In previous versions of Firefox these two tick-boxes allowed you the option to download the database or connect directly to the Google server each time you visit a new site. What happens now with the options being changed to

    1) Tell me if I'm visiting a suspected attack site.

    2) Tell me if I'm visiting a suspected forgery.

    is ambiguous to say the least. Fellow paranoiacs may consider this lack of clarity and the fact that Mozilla is awash with Google cash to be good enough reasons to take evasive action.

    Click the search box drop down menu and select Manage Search Engines. Delete the Google search engine and select Get more Search Engines. Search for and install Scroogle SSL.

    But hey, maybe that's just boring old me, with nothing to hide, nowhere to go and fuck all to spend.

  18. Jimmy

    And, obviously.......

    ......leave those two tick-boxes unchecked.

  19. Chronos

    @BlueGreen

    Safe-EVERYTHING is disabled in about:config and options and the Google URLs pertaining to it removed as I said in the first post. No reason for it to be doing what it's doing, so I need to find out what data it is trying to transmit and what it would send if it did succeed in getting a TCP connection to Google. And no, Squid logging won't work since Goog's many netblocks are blocked for security reasons and I already know which host it's trying to contact, so I need tcpdump output and access to the web server it thinks is Google. It may be innocuous but I need to be sure, so just let me do my research my way, mmkay?

    Anyway, we're veering way off topic here. That the last item on the list, which I can actually do something about, got more attention than the other three, especially Google targeted advertising, just shows how complacent we really are about our privacy online. And if you think it's harmless, just ask Thelma Arnold, AOL search user #4417749 just how anonymous this kind of data mining is.

    @Jimmy: Spot on.

  20. Chronos
    Black Helicopters

    @Me

    OK, sussed the Fx thing: It's a favourite site of mine with a Google search embedded into it that I left idling while I was AFK. It auto-refreshes, which is why it seemed to me that it was Fx doing things in the background. Mystery over, nothing to see here, please move along and my sincere apologies to Mozilla for casting doubt. /me grabs a heaping helping of crow.

    The referrer string in the dummy web server log told me what was going on. I'll have to document that method of diagnosing odd connects from web browsers. It may come in handy again.
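
The diagnosis described in the last comment (reading the Referer field in a dummy web server's log to see which page is triggering the connections), as an added example that is not part of the original thread. The log lines, hosts and paths are constructed, and the server is assumed to write Apache-style "combined" access logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: client - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample from the dummy server that receives the redirected traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [18/Mar/2009:14:00:05 +0000] "GET /embedded-search.js HTTP/1.1" 200 43 "http://forum.example.org/index.html" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:02:11 +0000] "GET / HTTP/1.1" 200 43 "-" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:05:05 +0000] "GET /embedded-search.js HTTP/1.1" 200 43 "http://forum.example.org/index.html" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:07:40 +0000] "GET /beacon.gif HTTP/1.1" 200 43 "http://news.example.net/story" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:10:06 +0000] "GET /embedded-search.js HTTP/1.1" 200 43 "http://forum.example.org/index.html" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:15:05 +0000] "GET /embedded-search.js HTTP/1.1" 200 43 "http://forum.example.org/index.html" "Mozilla/5.0 Firefox/3.0.7"
192.168.1.20 - - [18/Mar/2009:14:31:02 +0000] "GET /beacon.gif HTTP/1.1" 200 43 "http://news.example.net/story" "Mozilla/5.0 Firefox/3.0.7"
"""

def group_by_referer(log_text):
    """Map each Referer value to the sorted request times logged for it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["referer"] or "-"].append(ts)
    return {ref: sorted(times) for ref, times in hits.items()}

def periodic_referers(log_text, min_hits=3, jitter=2.0):
    """Return {referer: interval_seconds} for pages whose requests recur at a
    steady interval, the signature of an auto-refreshing page left open."""
    result = {}
    for ref, times in group_by_referer(log_text).items():
        if ref == "-" or len(times) < min_hits:
            continue  # no Referer, or too few hits to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            result[ref] = round(sum(gaps) / len(gaps))
    return result

if __name__ == "__main__":
    for ref, secs in periodic_referers(SAMPLE_LOG).items():
        print(f"{ref} re-requests every ~{secs}s")
```

A request logged with a Referer of "-" is the case worth a closer look, since it was not triggered by a page the user had open.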
