

Google ToS rated: “keeps your searches and logs for an undefined period of time” - hugoroy
http://tosdr.org/#google

======
magicalist
I'm not sure about this site...it would be nice if someone like the EFF ran it
and got actual lawyers to look at these. In this case:

> _Google can share your personal information with other parties: Google will
> share your personal information with other parties. For sensitive
> information (medical, racial, ethnic, political, religious or sexuality)
> Google requires “opt-in”. Google can also share or publish aggregated data
> that does not identify a person_

links to this discussion:
[https://groups.google.com/d/topic/tosdr/QZgR8faRWDU/discussi...](https://groups.google.com/d/topic/tosdr/QZgR8faRWDU/discussion)

which quotes this part of google's privacy policy:

> _We do not share personal information with companies, organizations and
> individuals outside of Google unless one of the following circumstances
> apply:_

> _With your consent: We will share personal information with companies,
> organizations or individuals outside of Google when we have your consent to
> do so. We require opt-in consent for the sharing of any sensitive personal
> information._

and then he proceeds to conclude that because google separates the notion of
"personal information" and "sensitive personal information", and the latter is
covered by the "opt-in consent" clause above, that must mean that the former
(plain "personal information") must be sharable because consent is assumed.

Logically that doesn't follow at all, since the base assumption would be that
they don't share personal information unless it falls under one of the listed
exceptions, and just because one "consent" has "opt-in" in front of it, does
not mean that any other "consent" means some kind of assumed consent. If the
words "opt-in" had never appeared, there would be no reason to guess
otherwise.

What's worse, that line appears to be the sole source of information for him
(and no one else came in to discuss it), so that becomes the authoritative
line, without a caveat about how he arrived at that conclusion (though,
luckily, a link to the "discussion" of that line). The site also says Hugo Roy
is an "Economic Law student" in Paris, but his reading of those terms doesn't
sound legal in the EU even if that was the correct conclusion.

One great thing about this project is that it's something no old media company
would have ever attempted, through worries about liabilities, or fear of
offending corporate partners, or just a perceived lack of interest from their
viewers. It will hopefully be a great way for the actual users of the internet
to keep companies accountable. On the other hand, if somehow an old media
company _had_ written about this, many would have consulted an expert (and
possibly google themselves) before making that kind of sweeping conclusion.
The EFF would have too. Hopefully participation can increase in this project
so it's not just one guy's reading of a bunch of ToSs. I can consult random HN
comments for that sort of thing :)

~~~
rurounijones
> I'm not sure about this site...it would be nice if someone like the EFF ran
> it and got actual lawyers to look at these. In this case:

I agree with everything you said but isn't it pathetic that we require a
trained lawyer to be able to interpret something that affects a staggering
amount of people?

A ToS shouldn't have to require the above, I also kind of like the idea of a
layman having a stab at it, I would love to have a site that lists ToSes and
allows wiki style discussions on certain points (Think Github pull request
commenting). If only to highlight how bloody stupid it is that no one can
understand or can agree on them.

------
GuiA
For most services, I agree to a ToS when I sign up. If I don't agree with the
ToS, I can't create an account. (e.g.: dropbox, spotify, twitter, etc.)

But for Google, anyone can perform a search without agreeing to any ToS at
all. What are the legal groundings and implications with regards to this?

~~~
sev
I believe they can only connect your searches if you are logged in while
searching. Otherwise, of course they can collect data on anonymous searches
but not ones that would be specific to you.

I hope I'm wrong.

~~~
asperous
I can see from a clean request to google.com that they set two cookies on
your browser that are set to expire 6 months from the last request to
google.com.

So assuming you use google more than once every 6 months they can keep a
running log of your searches, and as soon as you log in to any google service
with that cookie they will associate it with your account (I'm guessing).

If you clear your cookies regularly or use incognito it's not an issue.

~~~
dustcoin
Even without cookies, Google stores IP addresses and can use those to
correlate searches.

~~~
bchar
IP address seems incredibly unreliable in this regard. What exactly is to be
gained by associating it with an IP? If a company uses one external IP, are
all my searches altered/bubbled by what everybody else in the company is
querying?

~~~
zwegner
There's a lot more information than just IP address they can use to
distinguish you: <https://panopticlick.eff.org/>

------
eksith
GitHub's one clause is rather alarming.

    Your account can be suspended and your data deleted any time for any reason.


The addition:

    ...forfeiture and relinquishment of all Content in your Account


I'd like to think they go to suspension first and deletion as a very last
resort well _after_ you're notified of a reason. This rather draconian
provision feels unnecessary when you could similarly go with just a "if you
store illegal/libelous/infringing stuff here, we'll delete it" clause.

They're not unique in this regard, but I'm curious as to why companies that
genuinely care about the integrity of the data and the trust you place in them
to store it will include such a statement in the first place.

That conflicts with the next one quite badly.

    Transparent security practices


How is an opaque deletion policy considered transparent?

~~~
hugoroy
We don't consider their opaque deletion policy transparent. We only consider
that they are transparent about some of their security (compared to most
equivalents I'd say). See the whole thing (click "Expand"):

> + Transparent security practices Discussion

> GitHub gives a detailed overview of their own security practices and their
> service providers' practices and obligations.

[https://groups.google.com/d/topic/tosdr/2vIh4l7sTnk/discussi...](https://groups.google.com/d/topic/tosdr/2vIh4l7sTnk/discussion)

------
deno
Some background on the 18 months they’re referring to:

[http://www.europeanpublicaffairs.eu/eu-enforcement-action-ag...](http://www.europeanpublicaffairs.eu/eu-enforcement-action-against-google/)

------
a1a
"[thumb_down] Spotify doesn't guarantee data security" I do not really agree
on that being a "thumb down" - rather the opposite.

Also the "You cannot delete your account" is present under some sites, but not
on facebook. Last time I checked it wasn't possible to remove all data on
facebook(?).

~~~
kyrias
Is it a good thing that Spotify doesn't guarantee that they won't leak your
data? So you're saying that it would be a good thing for them to make it easy
for people to steal your payment information?

You can't be sure that they actually delete your data but you /can/ delete
your account.

~~~
a1a
My point being that to guarantee that would obviously be irresponsible - since
there is no such thing as 100% data security. It's way better, in my opinion:
"you probably shouldn't put anything too sensitive here - we have been hacked
and will get hacked again". Obviously they will try their best to secure their
systems either way, this because the biggest cost is the "user reaction"
(users leaving the service or alike) when getting hacked.

------
Samuel_Michon
That’s quite a contrast with DuckDuckGo: <http://tosdr.org/#duckduckgo>

~~~
StuffMaster
Also <http://startpage.com>. I'm getting more wary of google as time goes
on...

------
nnnnni
undefined != unlimited

Just sayin'.

~~~
jrajav
Pretty sure they're equivalent in this case, as long as you're taking
unlimited literally and not as "infinite."

------
recoiledsnake
Looks like Bing is better in this aspect.

From its policy:

We store search terms (and the cookie IDs associated with search terms)
separately from any account information that directly identifies the user,
such as name, e-mail address, or phone numbers. We have technological
safeguards in place designed to prevent the unauthorized correlation of this
data and we remove the entirety of the IP address after 6 months, cookies and
other cross session identifiers, after 18 months.

~~~
magicalist
OTOH: [http://arstechnica.com/tech-policy/2012/06/how-microsoft-and...](http://arstechnica.com/tech-policy/2012/06/how-microsoft-and-yahoo-are-selling-politicians-access-to-you/)

------
OGinparadise
It's amazing how many people are willing to let Google (or anyone for that
matter) see and keep their most private information for ever. Your online
searches and emails can truly show what's on your mind, there's no way I am
going to let an advertising company connect them to my real name and address
and/or catalog them forever.

Nope, not even if you show me what movie is playing when I pass near a
theater. I'll manage to do without that or associated advertising that will
almost certainly come.

~~~
yuhong
Can you respond to this: <https://news.ycombinator.com/item?id=5654301>

~~~
OGinparadise
you a stalker now? But here's the answer
<https://news.ycombinator.com/item?id=5654301>

------
nijk
They are anonymized after 18 months, unless you have Web History enabled.

[https://www.eff.org/deeplinks/2012/02/how-remove-your-google...](https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect)

