
Google Search/Web history disable does nothing for privacy - jacquesm
http://jacquesmattheij.com/google-search-history-disable-does-nothing
======
Matt_Cutts
Just a quick point. The article says "there is no guarantee whatsoever that
google does anything except for changing what they display to you."

If you're on the page at
[https://history.google.com/history/](https://history.google.com/history/) and
click on the gear and then "Help" the page about deleting search history is at
[https://support.google.com/accounts/answer/465](https://support.google.com/accounts/answer/465)
and it says

"What happens to your history when it's deleted

When you delete items from your Web History, they are no longer associated
with your Google Account. However, Google may store searches in a separate
logs system to prevent spam and abuse and to improve our services."

The article claims that there's no guarantee that Google does anything other
than change the display. Google actually does quite a bit of work to
disassociate items from your Google account if/when you delete them.

~~~
jacquesm
Storing searches in a log to prevent spam sounds pretty disingenuous.

So, how about an unambiguous (as in, without weaselwords such as 'may') update
to the privacy policy detailing exactly what google stores in a user profile
and what it does not, and that what a user sees in the interface mirrors
exactly what google sees in its systems minus some small delta for propagation
across google's servers?

Because what you write above is technically quite possibly true as far as the
viewpoint of a user is concerned but leaves open a ton of possibilities for
clever/creative interpretation on what 'improve our services' means.

~~~
Matt_Cutts
Why disingenuous? An easy example of preventing spam would be to detect and
stop people trying to spam Google Suggest, which is based on queries that
users do.

Jacques, you wrote an article titled "Google Web/Search History Disable Does
Absolutely Nothing." I just wanted to point interested people to Google's
public documentation which points out what happens when people delete items
from their search history.

~~~
jacquesm
Right. And you conveniently avoid any discussion about the difference between
'your account' and 'your userprofile' (the data that google stores about a
user).

So you are essentially confirming the thrust of the article, that as far as
your privacy is concerned nothing changes.

~~~
res0nat0r
These posts are becoming so conspiratorial leaning, that nothing Matt says is
going to please you from the sounds of it.

~~~
jacquesm
What is so conspiratorial about it?

One day the google equivalent of Mark Klein will leak a bunch of userprofiles,
we'll all be shocked at what's inside and then you'll go 'Oh, I knew that all
along'.

~~~
res0nat0r
This is reinforcing my point. No matter what anyone at Google says is going to
be enough to make you happy.

~~~
jacquesm
So you're working for google now?

In that case maybe update your profile. And if you don't work for google then
how does it reinforce your point?

~~~
res0nat0r
What will make you believe they aren't part of some type of large NSA cover up
feeding your clicks to the government? A personal tour of every rack in every
datacenter to inspect logfiles?

Trying to discount official policies or responses as "weasel words" or any
type of other hand waving to every response they give sounds more like you are
set in your agenda vs. wanting to accept a reasonable response.

~~~
jacquesm
> What will make you believe they aren't part of some type of large NSA cover
> up feeding your clicks to the government?

Where did I say that? Or did you just make that up in a second attempt to make
me look like some tin-foil hat type?

> A personal tour of every rack in every datacenter to inspect logfiles?

Again, you're trying to pull this into the ridiculous.

An ironclad privacy policy would do me just fine.

If you're fine with ambiguous statements and finely crafted legalese then
that's your choice, for me that's not good enough for a company that has
presence on approximately 80% of the web.

My agenda doesn't come in to play, I don't really have one, I just noticed
that what google says unofficially and what google does according to its own
privacy policy are not necessarily one and the same. As I noted, I still use
google, I just would not trust them with anything that I consider to be
personal. So my email is not on google servers (even though likely a lot of my
email is because they have the other side of the conversation). My google
'docs' (or drive, or whatever) files can be published in the newspaper for all
I care.

Google, Facebook and just about every other large company that collects
endless realms of data on the users that visit them should be absolutely clear
in what is stored on their users, for how long they store it and what you can
do to opt out. By law they are required to do so but it seems to me (and
you're free to disagree) that google is just paying lipservice to these
requirements while leaving itself enormous leeway to do as they please with
data concerning their users.

I wasn't born in the 'privacy doesn't matter' age, and to me these sort of
things deserve scrutiny because power can easily be abused, and google has in
this sense enormous power.

Feel free to choose to be supportive of google and their noble goals, I'm
sceptical and don't see much to reassure in the words Matt Cutts used above,
if you do feel reassured then good for you.

Official responses are not done on blogs or in support forums, they are done
in the one place where it matters, the privacy policy, which is supposed to be
the document that governs the relationship between companies and their
customers in all matters that concern user data.

~~~
moultano
What would you want to see in this privacy policy?

Any policy is going to be in legalese because that's how legal documents work,
so if that's a deal breaker then I don't think western civilization as a whole
will work very well for you. It has to be broad enough that the company can
continue to do new things, but narrow enough to mean something. Google's
lawyers work really hard doing both, making the language both precise and
understandable. Do you have any specific feedback for what it should say
instead?

~~~
jacquesm
That's a serious question which deserves a serious answer. Let me think about
this and I'll get back to you (I see you have your email in your profile). I
like your definition and I think I see at least a few points where the current
privacy policy does not meet my standard for 'narrow enough to mean something'
so I'll concentrate on that.

Thanks!

------
zmmmmm
I'm curious how the author knows that it "does nothing". It seems that the
argument ends with "because they can" we can "rest assured" that it "is
exactly what they’ll be doing". In other words, if you already have a
certainty that Google is pure evil then you can extrapolate from that that
they will do the most evil possible thing in every circumstance, including
this one. That's not terribly profound. The entire rest of the post is a
litany of ways by which Google can see your cookies, which has little to do
with what they DO with that information, which is what the user account
setting purports to affect.

(to be clear, I have no evidence either whether they continue to track and
store web history or not, but it doesn't seem like the author does either, and
it's disappointing to see such a baseless trashy post from someone who I have
in rather high esteem in general).

~~~
jacquesm
Let's turn that around for a bit. The default assumption that I have is that
advertising companies that deal in user profiles (such as Google) will collect
everything they can about you because this benefits their ability to sell
advertising. Google's terms of service states what they capture, in other
words no matter what their user interface is telling you their _privacy
policy_ (which I consider to be the leading document in cases like these)
tells a totally different story and generalizes to all of google's
services, including search (they even use that as the example of what they
capture).

The fact that things like cookies are in those logs that they do make (again,
according to the privacy policy) makes it trivial to re-construct the data
that they ostensibly do not keep. If it is trivial, makes good business sense,
enhances the value of the profile and makes more money then you can bet
dollars to donuts that unless there are _strong_ statements to the contrary
from the company involved that they do not engage in such behaviour that they
do.

Privacy policies are generally written in favour of the company writing them
and it would be terribly naive to assume that if it could be written more
strict but wasn't that this is an accident or oversight. Note how long google
fought the EU commission to have any limits set on their permission to retain
user data, and how they tried to spin it as a user benefit when they
eventually caved in.

So if google re-writes their privacy policy to state explicitly that they do
not datamine their logs and that the data is used only in a statistical sense
and never in a personally identifiable sense then I would agree with you (and
I would even believe them), but until they do it is fairly safe to assume that
they in fact do use that information.

Of course 'only to enhance your user experience' and never to improve the
bottom line for google.

~~~
magicalist
That's really just begging the question again, though.

It's also not correct, as their privacy policy doesn't state that they always
collect a cookie per log entry, for instance, but that they _may_. This is an
important distinction, because in practice, at least things like doubleclick
and analytics requests do not transmit your google account cookie. In a quick
test, google fonts and google hosted libraries don't appear to send any
cookies at all, though I don't know if that's true under all circumstances.

There's much you could reconstruct from IP addresses and connection patterns
if you were sufficiently motivated, but that's a long way from extrapolating
from their privacy policy. Regardless, assuming "they can, therefore they
will" isn't nearly sufficient here.

~~~
jacquesm
At absolutely zero cost to themselves and good PR as a benefit google could
re-write their privacy policy _if_ that were the case. Note that they still
have not amended their privacy policy to the effect that they indeed anonymize
the log files after 9 months, even though they announced that they would do
that years ago.

So no, short of going to work for google or an insider coming up with hard
proof there is not much to be done there. But with a privacy policy that
details what they _do_ log and a strong financial motive I have little doubt
that this is an accurate representation of what's happening.

If it isn't then google is free to contradict it.

~~~
magicalist
> _At absolutely zero cost to themselves and good PR as a benefit google could
> re-write their privacy policy if that were the case_

I just gave you clear examples where that wasn't the case, examples you can
verify yourself by inspecting the requests.

> _Note that they still have not amended their privacy policy to the effect
> that they indeed anonymize the log files after 9 months, even though they
> announced that they would do that years ago._

here:
[https://support.google.com/accounts/answer/162743](https://support.google.com/accounts/answer/162743)

_"We anonymize this log data by removing part of the IP address (after 9
months) and cookie information (after 18 months). If you have Web History
enabled, this data may also be stored in your Google Account until you delete
the record of your search."_

> _But with a privacy policy that details what they do log..._

I don't understand why you're ignoring the very important distinction between
"do log" and logs "may include".

~~~
jacquesm
"may include" in a privacy policy is newspeak for "we will".

That 'may' is there so that if you read it you get a warm fuzzy feeling
because _no way_ would google ever do such a thing, and it allows them to
point at it when they're caught doing it saying 'we told you we were doing
this all along, see, we gave ourselves just enough leeway there to squeeze
through'. Call me jaded, cynical, old for all I care but I have yet to see a
big company that did not act in the way I just described when it came to
covering their asses while pulling the wool over the eyes of their end users.

> We anonymize this log data by removing part of the IP address (after 9
> months)

That's not exactly anonymization is it? You're making it _worse_.
Anonymization is removing _all_ user identifiable information. This is merely
stripping some unspecified number of bits of the IP, which more than likely
has changed by then so has lost most of its value, and retains the cookie
which has more resolution than an IP to begin with.

> and cookie information (after 18 months).

What's the normal lifespan of a google cookie?

More or less than on average 18 months.

------
TomaszZielinski
I disabled the history to make the attack surface smaller. Even if Google
retains that data forever, if someone gains access to my account she won't be
able to check my browsing history.

~~~
joesmo
Agreed. I think this is the biggest point missed by the article. Your privacy
as far as Google is concerned may not improve, but your overall privacy will.
It will be much harder for other parties to get to the data Google collected.
Considering that other parties are much more harmful and can lead to real-
world harm (death, imprisonment, etc.), I'd say turning off history absolutely
increases privacy.

~~~
greenyoda
_"Considering that other parties are much more harmful and can lead to real-
world harm (death, imprisonment, etc.), I'd say turning off history absolutely
increases privacy."_

Those guys who can imprison you can easily get your data directly from Google.
If Google doesn't hand it over to them for the asking, they'll get a warrant
(assuming there's probable cause to suspect you of a crime).

~~~
codesuela
I think blackmail/extortion would be a more realistic scenario. As you
correctly stated disabling the Web History is probably a futile defense
against law enforcement agencies of western countries but think about all the
dictatorships or otherwise strongly authoritarian regimes that are the norm
for most of the world. As Google pulled from the Chinese market AFAIK they are
probably not as receptive to warrants from there. Then there are also most of
the African countries and many Asian countries with a high degree of
corruption, low to no political freedom and/or freedom of speech. Not to
forget the Arab countries where staying logged in while a third party has
access to your PC and pulls up your long term search history and figures out
that you are gay and you're stoned to death because of that.

------
CurtMonash
I use several browsers.

1\. Most of what I do is on Firefox. NoScript is turned on, and disallows
Google Analytics. I'm not signed into Google, although as this article points
out, that changes little. I use CookieCuller aggressively. Ad/pop-up blocker
are in play. Etc.

The net effect is to make web browsing less noxious than it otherwise might be
-- few pop-ups, few ads, very few cases of some noisy video spontaneously
playing when I click a link in Firefox.

2\. My monash.com email has long gone through Google Apps. That's in Chrome. I
also open links I get through email in Chrome, but do little else there. In
that browser I'm usually signed into Google.

Chrome/Google consume a lot of resources, e.g. by insisting on opening Google
Talk whether I want it or not. But it's a manageable annoyance, as I keep my
open-tab count in Chrome fairly low.

3\. I use IE very selectively. If a page won't open in another browser, I try
it there. A few of my most-annoying and rarely used apps and sites are
relegated to IE -- Facebook, WebEx/GoToMeeting/etc., and perhaps a few others
I'm not thinking of now. Unlike the other two browsers, IE is outright closed
on my PC much more often than it's open.

~~~
r0h1n
I follow many of the practices you list, and then some. I wish there was an
easy way for people - especially lay users - to "subscribe" to a privacy-
enabled version of Firefox. For instance they could be offered pre-selected
choices: 1\. Block analytics [x] 2\. Destroy cookies after session [x] 3\.
Block scripts [x] 4\. Prevent search results tracking [x]

I say this because few non-tech users know or care about the entire gamut of
tracking-blocking services (beyond, say, AdBlock). But if they were presented
with an option like this:

Do you want to install Firefox "clean" -or- Do you want to install Firefox
"Shields Up"

~~~
Raphael
Privacy Badger is an attempt at a single extension with default configuration.
(It may even be possible to bundle with the browser.)

------
blauwbilgorgel
You can try to combat a part of this by installing Ghostery. It will block a
lot of these third-party requests. As a website owner you could link to the
share page, instead of loading the widgets, or load the widgets only after the
user requests them.

As for those server logs, I understand they record my movements, but I don't
think it is my right to stop them from doing that. The one who owns the
server/web property should be allowed to analyze requests to that server. This
can get icky though in the case of major CDN's.

You could choose not to keep server logs as a search engine (forgoing DOS
protection), but then what happens when a user clicks on an advertisement?
Privacy seems only as strong as the weakest chain.

~~~
ds9
Ghostery, the last time I checked it out was closed-source, subject to control
or influence by advertisers, and reporting to the vendor about users'
browsing. Clearly lots of people like it, but I would consider it gross breach
of my security policy.

My recommendation for anyone who's serious about controlling his/her online
footprint is Request Policy. It's open source and simply blocks requests
according to user directions - you can put it on a whitelist or blacklist
basis, and decide for yourself what servers to contact from each page. Of
course this is too inconvenient for most people, but it gets asymptotically
less troublesome as the list is perfected.

~~~
bryans
1\. Closed-source javascript is not a thing, and Ghostery's code is very
readable.

2\. Technically, anything is subject to influence by third parties, but I'm
quite certain you possess zero evidence that Ghostery is actually influenced
by advertisers. Implying that Ghostery might do something nefarious at the
behest of advertisers (based on nothing but personal paranoia) seems
maliciously disinformational.

3\. Ghostrank is opt-in by default. You have to intentionally check a box that
plainly says you agree to send "anonymous statistical data" to them.

~~~
fixanoid
The source is not just very readable, we make it publicly available for
review. Here are some links:

\- AMO: [https://addons.mozilla.org/en-US/firefox/files/browse/254748...](https://addons.mozilla.org/en-US/firefox/files/browse/254748/)

\- Chrome: [https://www.ghostery.com/ghosteries/chrome/](https://www.ghostery.com/ghosteries/chrome/)

We are most definitely not influenced by third parties, if anything, companies
now contact us directly to provide their registration information for
monitoring by Ghostery. Additionally, we keep the database changes public
here:
[https://www.ghostery.com/en/database/changelog](https://www.ghostery.com/en/database/changelog)

------
tonfa
There would still be an effect:

> [Google] would observe three specific types of data retention periods:
> deletion of the last byte of IP addresses in Google server logs (9 months);
> the validity of cookies placed in users’ browsers (2 years); anonymisation
> of the cookie number in the company’s server logs (18 months).

From
[http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_I...](http://www.cnil.fr/fileadmin/documents/en/D2013-420_Google_Inc_EN.pdf)
but it was stated publicly e.g. at
[https://www.eff.org/deeplinks/2008/09/google-cuts-server-log...](https://www.eff.org/deeplinks/2008/09/google-cuts-server-log-retention-nine-months)
or
[http://googleblog.blogspot.com/2008/09/another-step-to-prote...](http://googleblog.blogspot.com/2008/09/another-step-to-protect-user-privacy.html)
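
The retention schedule quoted above, applied to a constructed log as an added illustration (not part of the thread and not Google's code): it drops the last byte of the IP at 9 months and removes the cookie at 18 months, then groups entries by the strongest identifier still present. Field names, the cookie values and the modelling of cookie anonymisation as removal are assumptions.

```python
from datetime import datetime
import ipaddress

IP_TRUNCATE_MONTHS = 9    # "deletion of the last byte of IP addresses"
COOKIE_ANON_MONTHS = 18   # "anonymisation of the cookie number"

NOW = datetime(2014, 6, 15)  # constructed reference date

# Constructed log entries; IPs are from documentation ranges.
LOG = [
    {"ts": datetime(2014, 3, 10), "ip": "198.51.100.23", "cookie": "c-1111", "query": "q1"},
    {"ts": datetime(2013, 6, 1),  "ip": "198.51.100.77", "cookie": "c-1111", "query": "q2"},
    {"ts": datetime(2013, 6, 2),  "ip": "198.51.100.78", "cookie": "c-2222", "query": "q3"},
    {"ts": datetime(2012, 10, 5), "ip": "203.0.113.9",   "cookie": "c-1111", "query": "q4"},
]


def age_months(ts, now):
    """Whole months elapsed between ts and now."""
    months = (now.year - ts.year) * 12 + (now.month - ts.month)
    return months - 1 if now.day < ts.day else months


def apply_retention(entry, now):
    """Return a copy of the entry as it would look after the schedule has run."""
    out = dict(entry)
    age = age_months(entry["ts"], now)
    if age >= IP_TRUNCATE_MONTHS:
        ip = int(ipaddress.IPv4Address(entry["ip"]))
        out["ip"] = str(ipaddress.IPv4Address(ip & 0xFFFFFF00))  # zero the last byte
    if age >= COOKIE_ANON_MONTHS:
        out["cookie"] = None  # assumption: anonymisation modelled as removal
    return out


def linkable_groups(entries):
    """Group queries by the most precise identifier each entry still carries."""
    groups = {}
    for e in entries:
        key = ("cookie", e["cookie"]) if e["cookie"] else ("ip/24", e["ip"])
        groups.setdefault(key, []).append(e["query"])
    return groups


def retained_view(log=LOG, now=NOW):
    return [apply_retention(e, now) for e in log]


if __name__ == "__main__":
    view = retained_view()
    for e in view:
        print(e["ts"].date(), e["ip"], e["cookie"], e["query"])
    # Between 9 and 18 months the IP is coarsened but the cookie still ties
    # q2 to the recent q1; only the 20-month-old q4 falls back to a /24.
    print(linkable_groups(view))
```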

------
GUNHED_158
1\. Of course a certain level of logging and archiving of information is
necessary to maintain the security of a server, it is not always about “THE
USER”.

2\. Again, a certain level of logging and archiving information is mandatory
to offer some services based on artificial intelligence and to make people's
life easier. Just imagine asking your doctor to not have a file of your
information because it is a violation of your privacy! It does have a lot of
benefit in terms of saving time, to learn about user’s search patterns. Google
is able to offer better search results like this.

3\. It does not make sense to be particularly concerned about what Google when
you are actually sending that information out to the whole world. This is like
shouting out something and then complaining about people listening to it. If you
don’t want people to smell your kitchen, first you should think of closing the
window.

------
alok-g
I follow the practices listed in a few comments already [1] on PCs. But this
has proven to be painful with increasing number of websites depending on
Google via ajax.google.com, etc. As many as a third of the websites won't work
on my browser till I take specific actions to allow something.

What are the recommendations for Android along these lines? Is rooting
needed/recommended? I currently use Maxthon browser, have never signed into
Google Account on my phone ever (this gives a lot of trouble, but sounded
worth ever since I found my older Android phone won't let me remove Google
Account ever without a factory reset).

I use Amazon's Appstore, which could be bringing its own privacy issues. I
found that their Appstore app by default sends App usage data to them, though
this can be disabled.

[1] Private browsing mode, NoScript, Ghostery, Self-Destructing Cookies,
Blocked Google-Analytics, etc.

------
rogcg
Just use DuckDuckGo ([http://www.duckduckgo.com](http://www.duckduckgo.com)).

~~~
danieldk
The point here is that you are tracked on websites that you visit. No amount of
DuckDuckGo will change that.

------
thomasbachem
Don't forget: Google AdSense, DoubleClick, Google Hosted Libraries (jQuery
etc.), Google Maps Embeds, Google DNS servers, ...

I'd bet Google can track you on ~80% of all websites.

Does anybody know of studies that analyze the reach of these direct/indirect
tracking capabilities?

~~~
jacquesm
Hey Thomas!

Long time no see... what is it, 6 years or so? There's a blast from the
past...

I totally forgot about DoubleClick and DNS, I'll update the post.

~~~
thomasbachem
Hey Jacques, I think it's even more than 7 years :). Reading a lot of your
stuff, hope we'll meet again soon!

~~~
jacquesm
I should be in your hometown somewhere in the next few months, drop me a line
at jacques@mattheij.com with your cell number in it and I'll buy you dinner.

------
JohnDoe365
Not using Google's nameservers and DuckDuckGo helps.

------
sanxiyn
I have been blocking Google Analytics for a very long time now. It seemed a
no-brainer to me. You may want to do the same.

------
dzhiurgis
How about browser phishing protection? Isn't that calling some sort of server
to check the URL safety?

~~~
jacquesm
Technically it could be done using only a hash of the url, I'm not sure how it
works in practice.

~~~
Matt_Cutts
That's exactly how Google does it. Please see
[http://www.chromium.org/developers/design-documents/safebrow...](http://www.chromium.org/developers/design-documents/safebrowsing).

Periodically, Chrome will download a list of hashed URLs believed to be
dangerous. As you surf the web, Chrome checks client-side if the URL matches
anything in the hashed list. Only if the hash matches will Chrome initiate a
more in-depth check.
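
The two-stage lookup described in the comment above, as an added sketch that is not Chrome's code and not part of the thread: a local set of hash prefixes is consulted first, and only on a hit does anything leave the client, and then only the prefix. SHA-256 with 4-byte prefixes and the host-suffix/path-prefix expansion follow the public Safe Browsing design in simplified form (no full URL canonicalization, no expression limits); the listed entry, the URLs and all function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest held in the local list


def url_expressions(url):
    """Host-suffix/path-prefix combinations checked for one URL (simplified)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # The exact host, then parent domains down to the last two labels.
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    # Path with query, bare path, then "/" and every directory prefix.
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    paths.append(prefix)
    for segment in path.split("/")[1:-1]:
        prefix += segment + "/"
        paths.append(prefix)
    paths = list(dict.fromkeys(paths))  # de-duplicate, keep order
    return [h + p for h in hosts for p in paths]


def digest(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()


def build_local_list(listed_expressions):
    """The periodically downloaded list: prefixes only, not URLs."""
    return {digest(e)[:PREFIX_LEN] for e in listed_expressions}


def local_check(url, local_prefixes):
    """Stage one, entirely client-side. An empty result means no request is made."""
    return [e for e in url_expressions(url)
            if digest(e)[:PREFIX_LEN] in local_prefixes]


def prefixes_sent(hits):
    """What stage two transmits: hex hash prefixes, never the URL itself."""
    return sorted({digest(e)[:PREFIX_LEN].hex() for e in hits})


def check_url(url, local_prefixes, server_full_hashes):
    """Both stages; the 'server' is modelled as a set of full digests."""
    hits = local_check(url, local_prefixes)
    if not hits:
        return {"sent": [], "verdict": "clean"}
    confirmed = [e for e in hits if digest(e) in server_full_hashes]
    return {"sent": prefixes_sent(hits),
            "verdict": "listed" if confirmed else "clean"}


# Constructed sample data (.example is a reserved TLD).
LISTED = ["malware.example/dl/"]
LOCAL = build_local_list(LISTED)
SERVER = {digest(e) for e in LISTED}

if __name__ == "__main__":
    for u in ("https://news.example.org/story",
              "http://cdn.malware.example/dl/setup.exe"):
        print(u, check_url(u, LOCAL, SERVER))
    # A local hit that the server no longer confirms (stale local list).
    print(check_url("http://cdn.malware.example/dl/setup.exe", LOCAL, set()))
```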

~~~
dzhiurgis
Makes sense. How about other implementations?

------
Karunamon
I have to ask - was this truly a surprise for anyone?

Google's entire business is advertising. You'd be silly not to expect them to
log, of all things, what you type in the search box.

Search history is and always has been a convenience feature, and they do not
posture it as anything but this.

------
whyleyc
At what point will browsing via a VPN become the de-facto way of using the web?

~~~
sz4kerto
Never. People don't care about this level of privacy (except a very small
minority). And frankly, thanks to the sophisticated data mining/statistical
algorithms just using VPN only makes tracking/profiling harder, not
impossible.

~~~
dueprocess
This isn't an issue of privacy, it's an issue of deception. Privacy (or the
control of privacy) is being insinuated, but it's only smoke and mirrors. It's
a lie.

------
woopdy
Aww, mine was OFF the whole time...

------
hwell
That isn't true. Google anonymizes logs after 9 months:
[http://googleblog.blogspot.com/2008/09/another-step-to-prote...](http://googleblog.blogspot.com/2008/09/another-step-to-protect-user-privacy.html)

Active web history on the other hand will still be associated with an account
for as long as it's active (not solely to Google's benefit by the way).

I thought this stuff was already sorted years ago and is now common knowledge,
it's like those people only now realizing that Gmail does contextual ad
targeting, it's somehow disingenuous.

~~~
jacquesm
> That isn't remotely true.

Well, you just linked to a text that more or less proves that it _is_ true for
at least 9 months.

That gives google _9 whole months_ to mine those logs for all they're worth,
after which I'm sure they can be safely anonymized. 9 months is plenty.

Note that google does not say anywhere it won't store your web history derived
from those logs, it just says it anonymizes the logs.

Little details like these matter a lot when reading privacy policies.

~~~
hwell
Of course they mine those logs, there is a lot of knowledge to be gleaned
from them, mostly to improve their product. Also some places mandate some kind
of data retention.

Deriving "history" from those logs doesn't matter much as long as they
eventually get anonymized.

You should update your post to reflect the 9 month distinctions between search
history and server logs.

~~~
jacquesm
I'll update the post when someone from Google (rather than some anonymous
account created for the sole purpose of debating this point) steps forward and
_guarantees_ that no information mined and/or copied from those server logs
survives in user profiles after 9 months. You have definitely not made your
point, they only speak about the IP anyway but say nothing whatsoever about
the cookies, which are just as good (or even better) at identifying users.

 _Of course_ it matters that they derive history from those logs. That's what
this whole article is about.

I also note that even though that blog post is now 6 years old wording to that
effect still has not made it into the google privacy policy, which I assume to
be the binding document in cases like this.

~~~
hwell
That's not likely to happen. Nor will anyone else from any other company
volunteer to walk you through their policies and infrastructure.

If a "history" isn't associated with a user then there is no issue there, on
the other hand they can still run a mapreduce job on it and extrapolate
spelling corrections for example.

You ought to at least include Google's blog post for the sake of completeness.

~~~
jacquesm
> Nor will anyone else from any other company volunteer to walk you through
> their policies and infrastructure.

Funny how 'if you've got nothing to hide' seems to apply only to people.
Companies do in fact walk us through their policies, that's why they are
putting them on their websites for us to read.

> You ought to at least include Google's blog post for the sake of
> completeness.

Google should amend their privacy policy, for the sake of completeness.
Assuming of course that anything actually changed. Announcing something on a
blog versus actually doing it and updating the privacy policy to reflect the
change are two different things. It's the same as announcing your intention to
marry someone and actually following through with it.

