The Many Ways Google Harvests Data (wsj.com)
303 points by j32fun on April 23, 2018 | 185 comments



44 blocked scripts loading the article - nearly half of which was tracking related. Surely the irony of that isn't lost on people? Google's ability to track users is 99% entirely due to companies like the WSJ using them for tracking users. These companies are just as much to blame, if not more, than Google itself.

E: What I mean by that is Google provides the means, but Google couldn't track nearly half of all sites if nearly half of all sites weren't complicit in the tracking.


The whole tracking thing should be outlawed in my opinion.

It's like saying that because windows are transparent, it is ok to stare into people's living rooms. It's not - irrespective of transparency or lack of curtains.

In a world where that is clearly not ok, then why is it that this kind of thing (tracking) is deemed ok?

What we need is something that does to our online privacy, what curtains did for people's real privacy. And, although I fear that this is not technically possible, the absence of the possibility of such protections, still does not make tracking right.


> It's like saying that because windows are transparent, it is ok to stare into people's living rooms. It's not - irrespective of transparency or lack of curtains.

Nope. When you enter someone else’s place of business, you have no expectation of privacy. These websites belong to private entities. So it’s more like saying that because you voluntarily walked into my store, it’s ok for me to observe your behavior while you’re there. Which, of course, is completely logical and acceptable to most people.

Don’t want me to track your behavior while you’re in my store? There’s a very simple, 100% effective solution for that: don’t enter my store. Because if you do enter, you have no right to complain that I’m observing you.


> Nope. When you enter someone else’s place of business, you have no expectation of privacy.

That's not true at all. When I go to the hardware store to buy a box of nails, I don't have any expectation for the owner to begin following me around for the rest of the day (and in perpetuity thereafter). I also don't expect the hardware store owner to get on the phone with the grocery store owner and ask him what groceries and personal hygiene products I bought.

Also, the comment originally pertained to the Wall Street Journal, a newspaper. Are you suggesting that reading the newspaper at home grants the publisher the right to peer in through my window?

Expectations of privacy have long been enforced by social norms rather than laws. Since technology has granted corporations the means to do an end-run around social norms then we should expect the law to catch up and fill the gaps.

People may not have had a lot of privacy from their neighbours when living in small towns but they could generally count on their community to care about their well being. This is not the case with online businesses of any sort.


> Are you suggesting that reading the newspaper at home grants the publisher the right to peer in through my window?

No, nor did I even intimate that. That's your property, not mine. That suggestion is as ridiculous as the one I was trying to refute. But when you enter my property - be it virtual or physical - expect to be observed using whatever technologies and vendors I want that are legal (with a few obvious legal exceptions, such as bathroom surveillance). If, to continue with your newspaper example, you took your newspaper into my store and decided to read it there, I am fully within my rights to observe that you did that, watch you to see if you buy something while you're there, and see if others exhibit that same behavior. Depending on the results of that analysis, I might then decide to move the newspapers to the front of the store, near tables, where you can sit and read because I have determined that newspaper readers are profitable customers. There's nothing wrong with that - I've now used data obtained while you were in my store (where you have no expectation of privacy) to improve both your experience and my profitability.


People that want to move this discussion forward need to stop using analogies for things in the physical world, because the interactions between a website and a browser aren't similar enough to anything physical. Every single time someone resorts to analogy in one of these threads, it immediately and permanently devolves into an argument over the details of the analogy.

Browsers run code delivered by websites. It's generally considered impolite, at least, to provide code that mines cryptocurrency on visitors' machines. Most people wouldn't defend serving up malware, either. So there is well-established precedent for arguing that there are things a website shouldn't do to its visitors.

Extensive tracking scripts are now falling into the same category as crypto miners and malware.

The explosion of ad blockers on users' browsers is a direct result of websites pushing advertising tactics way too far and not putting enough effort into the safety of their visitors. Tracking scripts will be next. Firefox has a lot to gain from pushing browser features intended to make it look like a more privacy-conscious browser than Chrome; there are already extensions like Ghostery and Disconnect, and uBlock Origin blocks a number of other tracking scripts too.

If website developers don't accept some kind of middle ground in this discussion, they'll be relying on their access logs for all of their data before long.


> need to stop using analogies for things in the physical world

That sounds like HN to me. Nothing likes analogies like HN likes analogies.

Put it this way--analogies are like cars. When they're good, they're great, but when they're bad, they're really bad.


>Extensive tracking scripts are now falling into the same category as crypto miners and malware.

That's definitely your opinion, and it is one that is not widely held. How do I know this? Because Facebook's usage - despite a deluge of recent headlines that vastly overstated their privacy issues and made it the poster child for extensive tracking technologies - hasn't gone down. So, roughly 2 billion of the world's Internet users disagree with you.


It doesn't work that way, and I think you know it.

Only 26% of web users in 2016 had installed ad blockers [1]; that doesn't mean you get to say, "74% of web users don't mind advertising and malware".

Facebook announced its first net loss of North American users last quarter. They're expected to post a much larger loss during the Q1 review on Wednesday [2] as a direct result of the Cambridge Analytica scandal.

I guess you can stand steadfastly behind the position that "nobody cares because there are 2 billion users", and ignore the falling metrics for user engagement [3], and the protests (see the picture at the top of [2]), and the senate hearing, and the media coverage, and the millions of Ghostery and Disconnect users who've gone to the trouble of searching for and installing extensions specifically to block tracking, and Firefox's built-in tracking protection. Sure, aside from all that, nobody cares.

But this isn't an issue that's going away yet, no matter how much you want it to.

[1]: https://www.wired.com/story/google-chrome-ad-blocker-change-...

[2]: http://www.businessinsider.com/facebook-users-want-revenge-a...

[3]: http://money.cnn.com/2018/01/31/technology/facebook-earnings...


As for your argument that Facebook usage has dropped as a result of the recent privacy outrage, it has not - at least according to Mark Zuckerberg as of April 10, 2018 [1]. Remember that the outrage of journalists - driven by a desire for clicks - is not the same as public outrage. Other factors (such as people spending more time on Instagram, or life in general) may have contributed to a decline in engagement prior to the media-driven "scandal," but at least at this point the recent headlines have had no discernible impact.

We'll have to agree to disagree on the rest of your argument. Most of the 26% of users that have installed ad blockers (including myself) have done it not so much to thwart tracking, but to put an end to the poor user experience that many intrusive ads create on web pages. Visit any local newspaper site with your ad blocker disabled to view what I'm talking about. Many sites aren't even usable without an ad blocker these days. I am in the ad blocking-for-user-experience camp...I could care less about tracking. In fact, for the ads that I do see, I like them being highly targeted. I went for years without clicking on a single ad on the web. Only in the last year or two have I found them relevant enough to click every now and then. Since these advertisers aren't given any personally identifiable data by the ad networks, I don't feel any violation of my privacy either.

[1] https://www.cnbc.com/2018/04/10/zuckerberg-in-joint-senate-c...


>I like them being highly targeted ... Since these advertisers aren't given any personally identifiable data by the ad networks

The fact that the ads are highly targeted, and the fact that they are used by many companies, means that you are probably personally identifiable by correlation. They don't need your name. They probably have your locale (to a high degree of precision), your shopping habits, your sexual preference, your education level, your family size and many other details.


And what exactly is wrong with that? So some marketers know that someone in the world likes to do X, lives in a certain place, likes to buy things, etc. It's not tied to your specific identity - it's just a collection of data. There's nothing inherently wrong with that.


In the first place, your repeated assertion that you are anonymous in the data is wrong. A combination of zip code, date of birth, and gender will uniquely identify 87% of the people in the country [1], and I assure you advertisers have far more detailed information than that. In some cases, they have your DNA. [2]

Secondly, that information is used to influence you. Cambridge Analytica still proudly proclaims, on their home page, that they "[use] data to change audience behavior." Ads on Facebook are being used by different groups to inflame political tensions [3]. The tracking widgets used on nearly every site you visit now means that some company, somewhere, knows everything you're interested in. They are in the business of using that information against you, to their benefit, whether it's in crafting sensational stories with clickbait headlines to get more of your attention, or selling you products you don't need by preying on your insecurities, or just trading it for money to other companies who will use it in new and creative ways -- like CA, who specialize in tilting voting behavior. [4]

Thirdly, you're counting on advertising firms having perfect security and never accidentally giving your information away to people who shouldn't have it. Advertising companies just don't have a good history when it comes to data security [5] [6] [7].

People seem happy to ignore the ramifications of all of this, because it's not like they're feeling physical pain or discomfort or noticing any other immediate negative effect when more tracking data is collected or they see another ad. But this is a form of psychological warfare, and at least some of this stuff is designed to corrupt your thinking, to get more of your attention and change your opinions about things and convince you that it's all very harmless.

We've strayed away from tracking data and into advertising, but they are two sides of the same coin.

[1]: http://latanyasweeney.org/work/identifiability.html

[2]: https://freedom-to-tinker.com/2015/09/07/ancestry-com-can-us...

[3]: https://www.reuters.com/article/us-facebook-ads/majority-of-...

[4]: http://money.cnn.com/2018/03/20/technology/what-is-cambridge...

[5]: https://www.engadget.com/2016/01/08/you-say-advertising-i-sa...

[6]: https://pagefair.com/blog/2015/halloween-security-breach/

[7]: https://entertainment.slashdot.org/story/16/10/09/208249/a-s...
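The identifiability claim in the comment above can be measured on a dataset before it is released. The following is an added example, not part of the thread or of the cited study: the records are constructed, and the function and field names (`uniqueFraction`, `kAnonymity`, `suppressToK`, `zip`, `dob`, `gender`) are assumptions made for illustration. It shows that no single field singles anyone out while the combination does, and what coarsening and suppression buy back.

```javascript
// Constructed records (no real people). The fields are the three
// quasi-identifiers named in the comment: ZIP code, date of birth, gender.
const PEOPLE = [
  { zip: '02138', dob: '1961-07-31', gender: 'F' },
  { zip: '02138', dob: '1961-07-31', gender: 'M' },
  { zip: '02138', dob: '1974-02-11', gender: 'F' },
  { zip: '02139', dob: '1974-02-11', gender: 'F' },
  { zip: '02139', dob: '1988-11-02', gender: 'M' },
  { zip: '02139', dob: '1988-11-02', gender: 'M' },
  { zip: '02140', dob: '1988-03-15', gender: 'F' },
  { zip: '02140', dob: '1961-12-25', gender: 'M' },
];

// Each view is the part of a record that a released dataset would expose.
const VIEWS = {
  zip: (p) => p.zip,
  dob: (p) => p.dob,
  gender: (p) => p.gender,
  full: (p) => `${p.zip}|${p.dob}|${p.gender}`,
  // Generalised view: 3-digit ZIP prefix, birth year only.
  coarse: (p) => `${p.zip.slice(0, 3)}|${p.dob.slice(0, 4)}|${p.gender}`,
};

// Size of every equivalence class (records sharing the same key).
function classSizes(records, keyFn) {
  const sizes = new Map();
  for (const r of records) {
    const key = keyFn(r);
    sizes.set(key, (sizes.get(key) || 0) + 1);
  }
  return sizes;
}

// Fraction of records that are the only member of their class,
// i.e. singled out by the released fields alone.
function uniqueFraction(records, keyFn) {
  const sizes = classSizes(records, keyFn);
  const unique = records.filter((r) => sizes.get(keyFn(r)) === 1).length;
  return unique / records.length;
}

// k-anonymity of the release: the size of the smallest class.
function kAnonymity(records, keyFn) {
  return Math.min(...classSizes(records, keyFn).values());
}

// Drop records whose class is smaller than k, so the remainder is k-anonymous.
function suppressToK(records, keyFn, k) {
  const sizes = classSizes(records, keyFn);
  return records.filter((r) => sizes.get(keyFn(r)) >= k);
}

// Summary for every view, e.g. report(PEOPLE).full.unique
function report(records) {
  const out = {};
  for (const [name, keyFn] of Object.entries(VIEWS)) {
    out[name] = {
      unique: uniqueFraction(records, keyFn),
      k: kAnonymity(records, keyFn),
    };
  }
  return out;
}

console.log(report(PEOPLE));
console.log(suppressToK(PEOPLE, VIEWS.coarse, 2).length, 'records survive k=2');
```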


You obviously feel very passionate about this subject, so there is no point in attempting to convince you to change your opinion, other than to reiterate that it is not a commonly held opinion.

I did want to respond directly to one of your points that is dead wrong. With regard to this statement:

>Secondly, that information is used to influence you. Cambridge Analytica still proudly proclaims, on their home page, that they "[use] data to change audience behavior." Ads on Facebook are being used by different groups to inflame political tensions

There has been no scientific evidence that CA, the Russians, or anyone else was actually successful in their efforts to use Facebook to influence the election or "inflate political tensions". In fact, CA's own customers say that it didn't work [1]. This whole thing was a manufactured controversy.

[1] http://www.businessinsider.com/cambridge-analytica-facebook-...


You confused my statements regarding CA with a separate issue regarding political ads on Facebook, covered in the Reuters article I cited (which didn't mention CA at all).

If CA were a "manufactured controversy", I think HN would've cottoned on to that quite a while ago, rather than the various comments (among thousands on the topic now) expressing surprise that people are suddenly paying attention to this:

50M Facebook profiles harvested for Cambridge Analytica in major data breach: https://news.ycombinator.com/item?id=16606924

Zuckerberg on Cambridge Analytica situation: https://news.ycombinator.com/item?id=16641550

How Cambridge Analytica’s Facebook targeting model really worked: https://news.ycombinator.com/item?id=16719403

Leaked email shows how Cambridge Analytica and Facebook first responded in 2015: https://news.ycombinator.com/item?id=16667805

The Cambridge Analytica scandal isn’t a scandal: this is how Facebook works: https://news.ycombinator.com/item?id=16621885 (solid top comment on that thread)

Palantir worked with Cambridge Analytica on the Facebook data it acquired: https://news.ycombinator.com/item?id=16690721

Users Abandon Facebook After Cambridge Analytica Findings: https://news.ycombinator.com/item?id=16644067

I'm not, by the way, providing any of these links in my comments to try to change your mind. I realized several comments ago that you've got an entrenched and unmovable opinion that pervasive user tracking on the internet is no big deal. I've been providing these links for anyone else reading who might be interested in the topic.


The various analogies used in this thread lead to contradictory conclusions because they start from different places:

Should browsing the Sears website be more like reading a Sears catalog in your own home, or more like physically walking into a Sears store? It's clearly got some aspects of both.

You can't just assume one is the "right" view and then use that to argue your point, because once you boil it down that's precisely the thing you disagree about.

EDIT: I see thaumaturgy made essentially the same point in a sibling comment.


What is the name of your business or employee, @downandout? I wish to avoid it.


I don't think either of these analogies is accurate?

It's more like Home Depot slapping a GPS tracker on my person, which I take with me when I leave the store, isn't it?


Does HomeDepot.com get to see where else you go on the Internet because they have tracking code on their site? No, they do not. They cannot obtain this data from the major tracking vendors (Facebook, Google etc.) either. Granted, the vendors themselves can often see cross-site behavior, but the individual sites using these trackers cannot and aren't given access to this information.


I agree with the other comments that the analogies kind of hide the ball on the real issues here. But in this case, I think it's more like Home Depot putting up security cameras that send all the footage of you to the camera manufacturer. In turn, that camera manufacturer runs facial recognition to automatically combine your Home Depot activity with your activity from all other business that use their cameras (which is 1/2 to 3/4 of the business you visit [1]), including the pharmacy, gas station, grocery store, bank, etc. Oh, and the information at the registers integrates with the cameras as well. And then the camera manufacturer sells your aggregate, combined data to advertisers who then set up shop at kiosks in the stores (the kiosks are owned by the camera manufacturer by the way), so that they can sell you stuff while you're there. And if the kiosk in Home Depot can't get you to buy something, they'll just get the kiosk at the bank to continue where they left off.

[1] https://trends.builtwith.com/analytics/Google-Analytics


You're effectively suggesting people take all their business offline again.

When I walk into store (a) it's reasonable to assume that store (a) might be observing my behaviour, along with perhaps a sub-contracted security company etc. It's less reasonable to assume that walking into store (a) gets me observed by stores b-z and subcontractor 1-255 which is more like what happens on the web. They don't generally follow around town for the rest of the week either.

Go to web site or store and get observed by Google, Facebook, and dozens of assorted analytics companies who will then endeavour to track you wherever you go next, for as long as possible.

Now then, ignoring JS and adblocking for a moment, which mainstream ecommerce or news sites can one frequent in order to adopt the "100% effective solution" of not being tracked?


"Walking into a store can get you observed by stores b-z and subcontractior 1-255"

Well what about the new Amazon retail store, that records your every move?

Also what about stores or shopping malls that contract their security cameras out to other companies? Surely those security companies may be doing all kinds of stuff with people's facial recognition data.


Most of the new data landscape is only adopted reluctantly - no shopper was given a choice in this. The fact that consumers feel powerless, and every medium to large business feels they must grab all the data possible, doesn't make it right.

Amazon's high street store is an easy to avoid aside until a Tesco or Walmart tries it.

I hope that GDPR restricts the extent of "all kinds of stuff" that companies wish to do to cctv security footage. I suspect it won't be nearly enough. The trouble with cctv is the consumer/shopper has effectively no way of knowing thus should be quite strictly regulated.


Sounds like applying the web tracking to the real world could be the next evil business idea.

When I somehow get upgraded to business class while flying it is rather flattering to be greeted by the stewards by name while being offered a glass of decent champagne.

What if your store could do the same for people considered social influencers or "whale" spenders? As they enter the store, dispatch your Personal Shopper squad to gently welcome them, and nudge them towards purchases -- or if nothing else, a little social media moment worthy to share with their followers.

Perhaps their social posting history will reveal a hyper-personalized special offer that can make them buy that $2000 handbag.


> Sounds like applying the web tracking to the real world could be the next evil business idea.

At what point does this behavior run afoul of stalking laws?


Your opinion is not a "nope". It's your opinion. Others differ.

For example, stalking is illegal.

https://en.wikipedia.org/wiki/Stalking#Laws_on_harassment_an...

as is wiretapping

https://en.wikipedia.org/wiki/Telephone_recording_laws#Two-p...


You're right that both of those things are illegal. However, neither one has anything to do with this discussion. It isn't my opinion that a tracking cookie is in no way equivalent to peering into someone's window in their home. It's a fact based on knowledge about how each activity works.


That's ridiculous. If a normal shopper walked into a store and had surveillance on him/her (I don't mean the normal security cameras here - I'm talking about in depth surveillance, the in-person equivalent of a website tracker), I am sure the same stores would go out of business fast.

The point here is that they do it just because the snooping is invisible. And that irks me.


You do know that most big stores use automated video analysis nowadays to optimize inventory placement, analyze in-store traffic flow, detect shoplifting, detect slip and falls, etc right? Some have begun using license plate readers at parking lot entrances. Oh and...they are completely within their rights to do it.....being a private business and all.

The point is, don't come on my property - physical or virtual - unless you don't have a problem with your behavior being observed while you're there.


Just because it's on your property doesn't give you carte blanche to do anything you want to me. I don't see how this is a reasonable argument.

You can't track me in your bathroom or changing stalls. You can't listen to my phone calls or ask me intimate personal details about where I have been without explicitly asking me.


Are you arguing that Facebook is watching you in your bathroom or listening to phone calls? To my knowledge, nobody in the physical or virtual world is doing either of these things.


My point is that there is "observed" and there is "observed".


>Nope. When you enter someone else’s place of business, you have no expectation of privacy.

This is only somewhat true. At the spa for instance, you very much have an expectation of privacy. Practically speaking it is sort of contextual? Even at say a restaurant, I would be both surprised and disconcerted to discover the business had recorded the entire conversation that occurred at my table, even though I would be unsurprised by a bit of eavesdropping.


There are laws that specify that certain types of surveillance/tracking cannot take place. In most states, you cannot be recorded in the bathroom, for example. There are also federal laws against recording of audio in most public places - this is why casinos have incredibly sophisticated video surveillance and analysis software, but do not have microphones to listen in on conversations.

So the rules of the tracking and surveillance road are well defined, and most businesses adhere to those rules. All of the privacy complaints I have seen recently did not involve violations of the law. Rather, these complaints are essentially that people have a fundamental human right to use private services being run at the cost of private entities on the terms that users choose, which just isn't how the world works.


> So it’s more like saying that because you voluntarily walked into my store, it’s ok for me to observe your behavior while you’re there.

No, it's more like saying that if I phone your store to ask how much some item costs, you think it's OK to come over to my house and peer through all of my windows.


"When you enter someone else’s place of business, you have no expectation of privacy."

So you'd have no problem with a restaurant owner bugging all their tables and listening in on their customers' conversations?


I disagree here pretty strongly, because although I hate tracking, there are perfectly fine technical solutions.

Tracking on websites works like this:

* the site sends your computer content and code

* your computer runs the code, which causes it to send data about you to a whole bunch of third parties

* meanwhile, your computer displays the content to you

All you have to do is decide not to do step 2. It's your computer, it's under your control.


Yes, indeed.

But what's problematic is that most users are clueless. And that browsers by default send all that data. To prevent that, you must (at least somewhat) know what you're doing, tweak settings, install add-ons, etc.

It'd be cool if browsers protected users' privacy, by default.


> it is ok to stare into people's living rooms. It's not - irrespective of transparency or lack of curtains.

Legally, it is. You might advocate to change that law.


There are places in the world where that is often not legally okay.


Cyber stalking is only OK when big companies do it. Preventing it is not a technical problem as you succinctly stated in your first sentence.


> These companies are just as much to blame, if not more, than Google itself.

However, exact same thing applies for Facebook and all the likes. If a website is entirely self-contained, nobody other than your ISP or your browser/OS may track you over there as you directly type its name out to the address bar.

If Facebook is to blame more than the websites putting their like button on their websites, then so is Google.

On top of this, many people use Google as a gateway to the Internet. Even for the websites that they are pretty sure about their domain names, people rather search for it on the google.com, and follow the link from there. This allows Google to track them, even when they do not use Chrome. Yet, many even do use Chrome, very likely tracking you even when you do not visit a website through google.com.

So Google isn't even dependent so much on the other websites using their analytics, definitely not as much as you state with:

> Google's ability to track users is 99% entirely due to companies like [...]

It would be interesting to know the breakdown of contributions of Analytics, google.com, Chrome, etc. to Google's tracking capabilities.


You make an excellent and fair point about the use of Chrome, as well as YouTube and other popular Google-owned products. That certainly makes it far less than my pulled-out-of-my-ass 99% claim. :)

It would be interesting to actually see the breakdown between Google's 1st party tracking (direct-from-Google) vs Google's 3rd party tracking (Tracking thanks to 3rd parties)

>If Facebook is to blame more than the websites putting their like button on their websites

I think the problem here is how Facebook sold the user data and/or used the data to target - as it allowed much more narrow demographic targeting than I think even Google provides. (I could be wrong on this, I've never actually USED either for ads - although I work for a company that does so I really should probably know this...)


While that's certainly true, I'd rather have them report about it hypocritically than not at all. Because good luck finding mainstream media that's not in close quarters with Google, Facebook et al.



Sounds like a similar argument to "guns don't kill people, people kill people".

I'm not advocating that either side is wrong in that statement, but just drawing a similarity.


It's like illegal prostitution. If people didn't have sex with prostitutes, there wouldn't be prostitutes.


Just some of the ways Google collects data [1]:

Google Search, Google Fiber, Google Recaptcha, Google Translate, Google Adsense, Google Chrome (Safe Browsing checks etc.), Google DNS (8.8.4.4 etc.), Google Mail, Android Integrations, Google GSuite (Sheets, Docs, etc.), Google Drive, Google Analytics, Google AMP, YouTube

So on and so forth. Of course, Google keeps most of this data to themselves to improve products and sell ads, but it's scary how much they have especially since they broke down the firewall between services. [2]

[1] https://en.wikipedia.org/wiki/List_of_Google_products

[2] https://googleblog.blogspot.com/2012/01/updating-our-privacy...


The data collected for Google Public DNS is actually very reasonable. Have a look at https://developers.google.com/speed/public-dns/privacy.

I haven’t checked the other products, just wanted to point this out since people seem to assume worse than what’s actually happening (for Google Public DNS, at least).


It's not just what they collect with a single service. It's the amount of clarity that comes from a linkage with their other collected data sets.


On that same web page:

> We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.

Of course, all of that is meaningless if you want to think that Google is lying in its privacy policies.

(Disclaimer: I work at Google, but not on 8888).


Personally, if they can't prove it, it shouldn't be trusted. And I'm talking about proving it with the source code. The days of granting benefit of the doubt to these companies should be over. The onus of security should be on the providers proving it, not misplaced trust.


How does providing the source code help with proving trust? You don't know that the service is actually running the source code that was published.

If you're willing to believe that the service matches the published source code, why wouldn't you also be willing to believe that the service matches the published "specifications" (e.g. privacy policy)?


Do any providers you use meet this standard? A few bits of open source software have been subjected to credible public audits, but not most of those. For proprietary services, the detailed results of any audits are typically nonpublic.

This is nice in theory but would prevent you from sharing your data with any third-party services in practice beyond your personal circle of trusted acquaintances.


To be fair, that's also what they said for the other services before they changed their minds.


> We don't correlate or combine information from our temporary or permanent logs with any personal information

I'd say that depends on what definition of "personal" they're using.


https://policies.google.com/privacy/key-terms#toc-terms-pers...

"Personal information

This is information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google, such as information we associate with your Google account."


OK, but that just brings up "other data."


Plus all the data gathered from their discontinued Tools. Also even if you're not using gmail/Android/Gsuite, if you're working/communicating with someone who does, Google still get your information.


A more egregious way Google collects data on internet users is through their hosted libraries service. You visit some completely unaffiliated site which happens to use jquery or some other library and instead of hosting it themselves they have a script tag with a src=ajax.googleapis.com/...


For that, see https://developers.google.com/speed/libraries/terms

That stuff is kept separate from all account data (like with Google DNS[0] and fonts[1], too): no common cookies, "unauthenticated" (ie. no cross-referencing with Google accounts), logs retain no referrers

[0] https://developers.google.com/speed/public-dns/privacy [1] https://developers.google.com/fonts/faq#what_does_using_the_...


I don't read it as stating that the data is kept entirely separate. In fact it references the general privacy policy making it quite clear that whatever data is collected is governed by the same rules as everything else.


What data is collected?


What's the meaning of the data being kept separate when these databases could be linked with minimal effort (e.g. via IP addresses), for example at the request of law enforcement (US or other)?


They don't use this data currently. It's a hedge against the day when Firefox and Safari start including something like uBlock by default.


The solution to this is here:

https://decentraleyes.org


Pretty cool looking service. Since I've never heard of it, I wish the down voters would explain the problem with it (at the time of writing it's a dark gray, so only a little negative).

Is it simply that people don't see library CDNs as a source of privacy piercing data?


They generally aren't, as far as I can tell?

SRI (no changing content for a specific user) + crossorigin ('The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication'), no referrers via meta tag or header.

The other end gets your IP and browser UA, with nothing else. It is pretty low on the totem pole of worry.


I guess the problem is that one-liners that just drop a link without explanation are suspected to be spam and they often are.


That certainly wasn't spam, but unfortunately I was in the middle of something else at the time and didn't have time to post the explanation I probably should have included.


> Google Chrome (Safe Browsing checks etc.)

Probably more critical here is Chrome Sync. They can and do read your entire browsing history through that.

With Safe Browsing, they at least still promise (in a legally binding way) that they don't store the data.


> Google Drive

With the small drop of faith I have left in Google, I want to believe they don't read my files and use encryption. Is there any evidence to the contrary?


They use encryption in transit and at rest, but not in between.

So, your data is uploaded over TLS or similar, gets decrypted on the server and then is re-encrypted before it's stored on hard drives.

So yeah, this does mean that they have access to your data. Since the at-rest-encryption happens on the server, Google has the encryption key for that somewhere and can at any point decrypt your data.

Presumably not everyone at Google gets your data for reading at home, but that's about as much comfort as you should assume.

The NSA, CIA, FBI can also request Google to decrypt your data and hand it over. They could not do the same, if Google used proper end-to-end-encryption.

There is one point to be made for not using E2EE, which is that you can't offer a "Forgot Password?"-link. If the user forgets their password, you can't decrypt their data either. All you can do is wipe their data and let them start anew.

If you use your cloud only for syncing, that's probably not a problem (for example Firefox Sync does exactly that on a scale of millions), but if you use it as a backup or to preserve hard drive space, it can certainly be.

So, you'll have to decide for yourself, if you think being allowed to forget your password is worth the surveillance and lowered security.

If not, use a different service. Spideroak, SeaFile and Mega.nz are a few that do E2EE.

If you do think so, at least use a service that's not at home in a surveillance state and surveillance company...



Why not just link the article directly? [1] That KIA subreddit is notorious for being scummy [2]

1. https://motherboard.vice.com/en_us/article/9kgwnp/porn-on-go...

2. https://www.polygon.com/2017/11/2/16591508/reddit-content-po...


Was in the midst of doing some work and it was one of the first results I found on Google, I figured some of the commentary might provide more context, not fully familiar with that sub though.


And the Google Fonts CDN.


Correction: I see now that no cookies are sent with Google Fonts CDN requests:

https://developers.google.com/fonts/faq#what_does_using_the_...


You don't need Cookies. Your browser requests it from Google's server, which gives them your IP address. And your browser sends what webpage you're currently on as part of the HTTP referrer.

So, if every webpage you visit loads in its fonts from Google's CDN, they have your complete browsing history from that alone.

Other commonly used CDNs of Google: GStatic, JQuery, ajax.googleapis.com


I think Google is a lot less creepy than Facebook. Yes, they vacuum a lot of data, but I do get directly related benefits from it, as well as controls that I trust.

Example: Location history. It is turned off by default. I chose to turn it on, so I can know places I’ve been to previously (if I forget the name). It’s like a journal that writes itself.

Google has its privacy issues, but on a whole I voluntarily choose to give them permission to collect my data, because I get direct value from it.


> controls that I trust.

I think this trust might be misplaced.

> Example: Location history. It is turned off by default.

Displaying your location history to you is turned off by default. Google's own recording of your location, for their purposes, cannot be turned off.


> Google's own recording of your location, for their purposes, cannot be turned off.

Citation needed. Android even lets you turn off AGPS, which collects anonymous location data to update itself. As far as I know, this is not even possible on iOS.


I'll copy an earlier post of what I found:

On Android, I noted before that when I turned on and off location services, the GPS lock was near instantaneous (i.e. when I turned on location, Google Maps located me with GPS precision immediately). There could be other ways of how this happens, it was noted in another post of mine, but that still had me a bit suspicious. I replaced Google Play Services with microG recently (https://lineage.microg.org/). I then saw that it was MicroG, NOT the OS, that had control over my location, and MicroG still tracks my location when Location is off (https://github.com/microg/android_packages_apps_GmsCore/wiki...).

While none of this conclusively points to Google Play Services tracking me when it is off, the way that Android is set up makes me very strongly suspect that's what they did.


By tracking, do you mean the phone keeping track of its own location, or it sending location data back to Google?

Google maintains a database of wifi networks and their locations (I don't know the ways this data is acquired) to help triangulate the position: https://www.quora.com/How-does-android-use-WiFi-to-get-your-...


> I don't know the ways this data is acquired

It's been acquired from a range of sources. Most notably, Google Streetview cars collected a very large initial data set. Once you have that, it's quite easy to maintain an up-to-date dataset by verifying new routers picked up against nearby known routers (as well as verifying against GPS sensor data obviously).

This tech is not only in Android phones, but also every Chrome browser, so that's a lot of incoming data. The API used to be used by iOS and Safari (before Apple Maps) and Mozilla Firefox (before they launched their own WiFi and cell network database; theirs is released under CC0 though so I'm sure Google use their data too).

There are also other competitors to Google, Apple, Mozilla here with their own databases, like Skyhook, Navizon, AlterGeo.


By tracking, I mean MicroG/Google Play Services controls location services, not Android OS.


.. but does the location leave the device?


That's a great question. I cannot conclusively say that Google Play Services does that, but I cannot think of another reason for why Android would be set up that way.

I welcome any alternative conclusions though.


Quite possibly for sensor fusion. E.g., combine with WiFi triangulation, accelerometer deltas from last fix, etc.

Play Services has a lot of stuff in it because it's easy for Google to upgrade it without going through phone vendors or carriers. It was a way to counteract the effects of many phones being on old versions of Android.


Wait, microG does this stuff too? Or did you mean OpenGApps?


OpenGApps is Google Play Services, the only thing open about it is the script to get Google's Apps.

I meant MicroG, it is documented on their site (see the link).


You can just go to active services and check for yourself. Of course it is possible to end the google location service. It will be back in a few seconds. In case you try too hard random pop ups start on your home screen effectively making the phone unusable. Google's biggest trick is that it made people feel like everything is in their hands (including and especially developers which is really sad).


To get around this, ad networks can often buy location data directly from cell carriers themselves. While Google may not sell this, Sprint and others will for the right price and conditions.


They do track it and will prevent logins from unusual locations. Happened to me when using a VPN.


Yes, but not through GPS, or the location information compiled about my logins would be way more accurate than it is (often off by 100-200 km in any direction). Probably IP based geo location (that would naturally trigger with VPNs that give you an IP in $whereever).

That has nothing to do with the GPS setting of your phone.


That's picking a nit. GP or whatever said "GPS", but does it matter which technology is used to track your location? Clearly not. And many users say "GPS" to mean all location technologies too, so this doesn't seem like a useful nit to pick, honestly.


Every time you load a web page they can see your IP address, and IP addresses can be mapped back to rough locations. Sometimes people use "GPS" to also include things like your phone figuring out where it is based on what WiFi names it can see, but I don't think I've ever seen it for IP-based geolocation.

(Disclaimer: I'm an engineer at Google)


Right. There's the IP address, cell tower location, wifi name location, and GPS. People don't care which it is, except they want it (because then they want precision).


Stop communicating silently with your servers. Do it. Ask for each and every call to them unless the communication is already confirmed by users. Make all http* communication go through http proxy which logs all the traffic in clearly visible form and only then make https. Show the data sent, make google play and framework open source. Enable users to see your hidden syncs (oh yeah those with asterisks in front (you DO know about them, right?)) and disable them and keep their settings after updates instead of resetting them. Explain why with microg, the battery and network usage drops for 1/3. And I am not using any of your "services", no maps, no gmail, dns (oh yeah my rom is modified, a lot) nothing. Stop bubbling! Stop correlating order of pages visited to fingerprint users (and I know you are doing this), stop using cell towers to get location even if gps is turned off. Stop giving ISPs your boxes which makes spying on users local on ISP level.

Either you have no clue about what is going on in your company or you are here as a PR guy.

I really hope that GDPR will hit you hard, as far as I am concerned you are far worse than Facebook, more harmful than Monsanto, you have opened Pandora's box of user tracking and because of you now every single company is doing it. And just so you know, by writing this, my karma will fall for at least 10 points as your fanbase (which typically doesn't even understand what I have written) will downvote me a lot. I am telling you this just for you to understand how very pissed off on behaviour of your company some people are. The only thing that is in your favor was actually your biggest mistake - you have mistakenly made Android open source which makes it far more feasible to silence it down to the point where it no longer communicates with your domains. This was maybe when you were still having the "don't be evil" attitude, at least as form of PR.


The complaint above was about login screens "knowing" about people's locations.

When you log in to a service (eg. Google), the device doesn't "silently" communicate with the servers, you asked it to. It sends a request with credentials, as it should. That request naturally comes with an IP address, which can be mapped to a rough location with no further information by the client.


Yeah but the rant was in form: "so what, you are invading users privacy on so many levels that it doesn't matter if login screens know about your location". And I have barely started.


I don't think anyone mentioned anything about GPS until now. We're talking about Google recording your location, which can be inferred from a number of sources, including GPS, WiPS/WFPS, IP, and others. WiPS/WFPS is the most commonly used by Google.


The great-grand-poster:

"Android even lets you turn off AGPS, which collects anonymous location data to update itself. As far as I know, this is not even possible on iOS."

AGPS is GPS, assisted but still GPS.


I guess I was unclear: that could probably be reworded to say "I don't think anyone specified GPS"

That ggp prefixed that line on AGPS with "even"; they were asking for citation that Google persistently tracks location, and just used AGPS as one example.

The point being, saying Google allows you to disable GPS is a world away from saying Google allows you to disable location tracking. And I'm not talking about IP geolocation.

I don't even know if they do completely respect your choice to disable GPS (citation needed indeed here), but I do know that they persistently track you via WiPS/WFPS at the very least, if not other methods.


I assume OP is talking about geo information inferred from IP Address.


Or cell tower... or WiFi SSIDs... or NFC payments...


> Example: Location history. It is turned off by default.

Do you want to turn Location History on?

Are you suuuuure you don't want to turn location history on?

To use maps effectively you need location history on. Turn on?

Location history may affect ____ you wanna turn it on?

How about now, location history is a great thing to turn on....

EDIT: for those of you who downmodded this, the point was that if you have location history off, Google spams you constantly with requests to turn it on. You'll get this request for opening up maps, using Google Now, or a dozen other things generated from many apps. There is also no option to temporarily turn on for app.

Not so nice uses of LocHis: https://www.androidauthority.com/google-android-location-his...

Explains how LocHis tendrils are everywhere: https://qz.com/1183559/if-youre-using-an-android-phone-googl...


I couldn't set a fucking timer with the Assistant on my Pixel without being told I need location history.

Seemed like a low enough bar.


This. The repeated prompts almost seem intent on ensuring that one will click yes inadvertently at some point.


This is not true.


It is true.

Firstly, I was pointing out one small example of Google's privacy settings being non-obvious, which the GP mentioned in their post. There are many, many others one could go into, but we'll stick with just user location privacy for now.

Also, minor disclaimer: What Google does or doesn't collect varies over time (as their policies and regulation changes, and in response to various court-cases). What they might have done according to one source a certain number of weeks/months ago they might have since stopped doing. But my point is that they cannot be trusted to follow the implied behaviour of high-level settings.

However, since you've refuted my statement, some examples:

1. Google's own terms at [0]

> some information (such as the association of your Google Account to your Google Wifi network) is stored by Google even if all privacy controls are turned off.

This is bundled with Google's tracking of the geographic location of each Wifi network to feed their WiPS/WFPS services.

2. As @lern_to_spell has alluded to, "Location Reporting" and "Location History" are separate settings; the former does allow you to turn off some (though not quite all) location recording for your Android device at least, but the latter setting is still very misleading, and the former setting comes with a sacrifice (some apps become unusable). See [1]

3. Even with all of the above granular settings and admissions in terms, Google still have demonstrated in the past that they cannot be trusted to follow even their own loose promises w.r.t. respecting user privacy. e.g. [2] [3] [4] - note these articles are spread over 3 years, and are about events from 6 years previous; not exactly a promising sign of Google's policies being corrected by the court actions.

- [0] https://support.google.com/wifi/answer/6246642?hl=en

- [1] https://www.howtogeek.com/195647/googles-location-history-is...

- [2] https://www.theguardian.com/technology/2010/may/15/google-ad...

- [3] https://www.wired.com/2012/05/google-wifi-fcc-investigation/

- [4] http://www.bbc.com/news/technology-24047235


0 is about Google wifi it is not any wifi. What you claimed is still untrue, you are conflating irrelevant things.


Why doesn't such logic apply to Facebook?

> It’s like a journal that writes itself.

Yes it's good, ONLY IF the data is solely used for this purpose. Same thing goes to Facebook. How could you possibly know what they did with your data?

Google is actually creepier to me than Facebook just by comparing their market share in online advertising (Google is twice as much as Facebook), and how actively their officials engaged in political issues.


Yeah. Basically there are 2 issues: security, privacy. With any data based company privacy will always be a concern so they should try to assure users by giving them top notch security. Google does that. Their security is great. Facebook: a big NO. Just a question. Does Google listen through the microphone? Some people show demos on YouTube that they talk on phone about something or even say something out loud and then see ads about it.


Google's security is as good as they cover their own rear on it. For instance, Google Chrome is hailed as being incredible at security, but they allow extensions which can read and modify the contents of every website you visit with little to no scrutiny. Malware is rampant and distributed directly from Google's extension market, but Chrome is "secure", because by definition, Chrome permits the extensions to be malicious, so it isn't a break in Chrome's definition of security.

In this case, they just blame you for installing an extension that behaves badly.


Firefox extensions can be malicious too, but this has nothing at all to do with backend data security, a red herring.

If you create an open system that allows users to do anything to their systems, you create footguns. I don’t see you whining that this is universally true for desktop computers as well.


The issue is that Google fails to vet those extensions. At all. Google has decided it is better to serve malware and blame the user than invest a modicum of expense on scrutinizing code that has the capability to capture all of a user's personal data.

It's reckless and it's irresponsible. And it's unique to Google.

EDIT: Also, re: desktop computers, if you check out my Reddit comments, you'll find I've been actively advocating for developers to support UWP sandboxing on Windows, and mostly telling off their excuses why their apps need full system access.


I agree with you, though it should be noted that Mozilla does review the addons submitted to AMO, including - if this hasn't changed in the past few years - reviewing the code. I don't know how effective those are in preventing malware, though.


Human reviewers are not fabulous at detecting malware sight unseen. This is also wildly unscalable.


Extensions do not come in at the volume of YouTube videos. Not only is the scale orders of magnitude smaller: But there's little to gain from an endless supply of browser extensions.

Unreviewed browser extensions should not be permitted, full stop. Microsoft has (finally) figured this out: There's a few dozen Edge extensions which Microsoft has vetted, and that's it.

Additionally, scrutiny for extensions can be filtered by their capabilities. In my given example, the issue is the ability to read and modify content on all websites you view: This permission should only be granted after extreme scrutiny, whereas an extension which can only access a single domain and does a simple thing needs only a cursory glance.


> Extensions do not come in at the volume of YouTube videos.

Unfortunately, reviewers who can vet extensions for malicious code also come in lesser volume than reviewers who can watch YouTube videos.

> But there's little to gain from an endless supply of browser extensions.

Debatable. Every move by Mozilla and Google in the past to restrict add-ons has been met by criticism from developers. I doubt many here would share the love for the Windows Store.

> Microsoft has (finally) figured this out: There's a few dozen Edge extensions which Microsoft has vetted, and that's it.

I'm sure Microsoft's gatekeeping has kept many shoddy extensions out of the store, but the fact that Microsoft introduced support for Edge extensions only recently compared to Firefox and Chrome and that Edge has relatively low marketshare probably also factor into the low number of extensions available.

> In my given example, the issue is the ability to read and modify content on all websites you view: This permission should only be granted after extreme scrutiny, whereas an extension which can only access a single domain and does a simple thing needs only a cursory glance.

The add-ons I use that can be restricted to a limited number of domains already do so, but most of the add-ons I use must be able to access any given site in order to function: password managers, tab organizers, etc.

It's true the permission is powerful, but if you're going to ask for "extreme" vetting of extensions which use it you might as well ask for extreme vetting of all extensions since legitimate use cases are not exactly a small category.


That is misplaced. Android for instance is intentionally designed to leak like a sieve. The permission system is convoluted and designed to confuse lay users.

Google search itself creepily insists on telling you your location on every search when it has nothing to do with it and is completely irrelevant.

In this way it constantly seeks to legitimize creepy behavior and has gone all out to make stalking and hoovering up data look as if it is ok and harmless.

Combine Google's massive access to data across properties and their creepy behavior and the results are far more sinister.


Who says Google and Facebook don't share data?


Google is helping the Pentagon kill people with drones. How could they be “less creepy” than Facebook(who I otherwise agree is awful)?


Why is Apple given a pass?

They gave all their China user data to the China government so they could stay in China to make a buck. Is that not selling users data?

Versus Google chose to leave China instead of handing over the data.

https://www.amnesty.org/en/latest/news/2018/03/apple-privacy... Campaign targets Apple over privacy betrayal for Chinese iCloud ...


They make an effort to design their products and services with privacy and security in mind, and are much more transparent about what data is collected and how it's used.

The iCloud-China situation is unfortunate. The situation is very different from Google, both in the opportunity costs, and the fact Apple's products are dependent on China to be manufactured.

Additionally, if you forego iCloud services (namely iCloud backup), then the data that the CCP can access is actually quite limited. All of their phones since the 5s in 2013 have been leaders in security, and if you use a passphrase or 10-digit pin as a passcode then not even the most recent iPhone cracking tools could brute-force your phone (within a dozen years, within a century for 11-digits).

I'm miffed about China, but I still believe Apple is the best option because I don't think there's much that can be done in their position and the impact is limited. For me that would change the instant an actual iOS backdoor is made for any gov't.


Not following. There were billions to be made by Google in China and they decided giving up their user data was a bridge too far. So basically chose to not sell their user data.

Versus Apple handed over all their user data to make a buck. Plus this is actual data not a targeted ad.

Do I have this correct?


You're missing facts that change the whole picture.

Cloud services are required to use Google services & devices. G had to choose between giving China everything or withdrawing from the market.

Cloud services are an add-on to Apple's products. The iPhone is still useful without enabling anything from iCloud. Cloud services are optional with the iPhone.


Cloud is not required with Google. What are you talking about?


What are you talking about? 90+% of Google's services are online. Apple has a substantial hardware business, so I don't see how you are conflating the two.


You can buy an Android phone and never use the cloud if you want just like an iPhone.

The two are actually very similar.

Google services do not matter if you have an Android phone or an iPhone. Suspect there is actually more consumption of Google services on the iPhone than even Android but do not have numbers handy to support.


Huawei selling customized AOSP with WeChat doesn't represent Google's participation in the Chinese market. Chinese Android users aren't Google users.


... what Google products don't require the cloud? You know that pretty much all Google services are in the cloud yes?

As a third party observer, you have gone completely off the rails here.


> They make an effort to design their products and services with privacy and security in mind

This is certainly true, and given that under Cook Apple has clearly decided this is a strategic asset to invest in, will probably become more true over time

> and are much more transparent about what data is collected and how it's used

This is false - Google does just as good a job on transparency. It's trivially easy to see what data they have on you, and control it as you wish. Google's business model would be threatened if people used these facilities, but of course they don't.


Google has lots of data that they don't show you. In particular, Google won't show you the list of non-Google sites it knows you have visited, but they do track that via Analytics, Adsense, etc.


Possibly a fair point (I only write 'possibly' because it's not an area I know that much about).


Because Facebook sold to an entity with the wrong political affiliation and we still have not passed the stage of one group in denial for why they lost and until they exhaust things to point fingers at it is not coming to an end soon.

We all should be highly critical of Apple's stance in China and we should all fear the direction China is going because a great many Western politicians like that direction too and simply are working out how to sell it to us, from think of the children, stopping exploitation, stopping hate speech, and more.


> Because Facebook sold to an entity with the wrong political affiliation

Can you clarify what you mean by "sold" here?


He's referring to ads. They sold ad time to Trump during his political campaign.

Clinton and Obama also bought ads there, but the controversy is primarily about Trump.


I find it interesting that no one points out how much data AT&T and Verizon have collected ... they know the location of your phone, which cell tower you are connected to, which stores you've been in and when, who you've called, who has called you, all of which can be cross referenced ... and there is no reason to think they don't know where the IP they supplied you has been, to which websites you've visited, etc ... same with Comcast for broadband ... and the GOP last year repealed what privacy was in place on this ... if you combine that with the media properties they own, they also get a pretty good picture, across android, iOS and your desktop, of what a person does ... they also have payment data, a credit profile, possibly health info, possibly data on your kids, etc,

https://www.reuters.com/article/us-usa-internet-trump/trump-...


ISPs present a tiny footprint compared to the global tech behemoths (they're regional), and they already actually are significantly regulated even with the loosening of various restrictions over the past year or so. Contrary to popular belief, ISPs can't sell your browsing history legally, whereas tech companies generally can.


I guess it's cheaper to try and extend this whole facebook/cambridge analytica story than to do actual journalism. What's more you get to attack a business rival (doubly true for wsj v google).


Also when writing about facebook/cambridge analytica story, you can easily add a few lines about the election, which makes the story more shared, generating more clicks (~engagement), so the story is much more talked about.

If the cambridge analytica story was about selling cars or home appliance, it would have been forgotten in a few days.

Edit: And perhaps it's a good thing that it was about the elections? It would mean that it might force a change on first Facebook, then maybe other internet companies


On one hand, I'm glad to see popular concern for (or at least media coverage of) personal data privacy issues. On the other hand, I can't imagine this is news to anyone at HN, or anyone who's been following such issues for years.

Ok ok, maybe the mass public is finally becoming more aware of these issues, but they're also even more heavily invested in the services Google/FB provide than when these revelations were first known to a more niche online community.

I find it hard to believe that all this media attention is anything other than too little too late.


I'm of an opposite mind. The tech world has known about these issues for years and nothing has happened. When the Verge or Wired write about these privacy issues the outside world really is not of much concern. But when the NYT and WaPo write about it, and when there are Congressional hearings about it changes is much more likely to occur.


Because many of us are employed to take advantage of the current situation of data proliferation. I am. I take your information and I pass it along to our marketing partners. I am a professional spammer. Your data is worth a couple bucks to us. We provide no real value (working on fixing this, atm). I get to feed my kids and take vacations as a result. I guess I will continue to float the moral line until actual harm comes out of this. We take data security seriously. We've straight up refused to partner with people who don't, even if it meant passing a lucrative deal. I have hope that as long as there are people like me out there, it will be OK, but I think the worst thing we can do is not talk about it / shame those that do make a living on ad tech to flee the work.


> changes is much more likely to occur.

Be careful what you wish for. Weighing all of the possibilities I can imagine and the likeliness of their occurrence (regardless of intent), I'll take the status quo.


"Recent controversy over Facebook Inc.'s hunger for personal data has surfaced the notion that the online advertising industry could be hazardous to our privacy and well-being."

The NYT can publish stories centering on this notion despite being ??% reliant on said online advertising in order to stay in business.

Would Google (or Facebook) publish similar warnings against the annoyances and harms of online advertising despite being 98% reliant on said online advertising in order to stay in business?

How strong an argument is "Newspapers use trackers in their online editions therefore any news they publish about tracking has no educational value." (or is somehow compromised in some way)

Did newspapers have a choice in whether they chose to participate in the www as we see it today (overrun with advertising and fraudulent, insidious tactics)?

If yes, what was the choice?

What would happen to these newspapers if they failed to "cooperate" with Google?


They'd lose massive amounts of revenue and cease to exist. Even with digital advertising most newspapers are dead or barely staying afloat. They all struggled to convert to digital and tracking-based advertising was just one of many life boats they tried to save themselves with.


I don’t see Google getting the same kind of backlash as Facebook even though Google probably knows far more about me. For most people Google has real utility while Facebook is an indulgence.


Didn't read the article, but does anyone see some media narrative happening here? One part of me would like to think that they are just publishing what readers want. But another part says there is an underlying narrative. I can almost predict the news cycle wrt tech, data collection, privacy, etc. Does anyone stop to think, why now? I fear this is a rolling snowball started during the election and it won't end until those with pitchforks get the laws the rest who are quieter may not want. This media-built furor, while it may have legitimate roots, has me seeing deja vu. I fear the internet equivalent of the Patriot Act.

Just know when we get things like the CLOUD Act, the next SOPA, or the next government-over-tech bill, we asked for it by building this furor. Seems quite unbalanced to me. I wonder how I or others can stop feeding this growing furor.


> but does anyone see some media narrative happening here?

WSJ is owned by Murdoch's News Corp. He has been in an anti-Google crusade for a while.

2009: https://www.npr.org/sections/money/2009/11/murdoch_vs_google...

2014: https://www.theregister.co.uk/2014/08/18/rupert_murdoch_says...


I don't consider this specific to a single media outlet (or ownership group) and I don't consider this specific to a specific company. Media outlets will publish anything anti-tech they can now because it helps stoke this raging fire. Just be careful of what comes out of the ashes. When asking "why was this published" when reading an article, don't get stopped too early by finding some link on the specific article, who wrote it, or who it mentions by name. Instead, think about the broader approach and intended effect.


Why is it that no one ever suggests articles about Facebook's privacy violations are part of some anti-Facebook conspiracy?


Because there are very specific reasons to be suspicious of Fox or WSJ articles and if this anti-Google article had appeared in the NYT it would have been better and free of suspicion.

Anti-Tesla articles are another example of places to be suspicious of the source because a) day traders trying to short the stock have deliberately tried to spread damaging information and b) fossil fuel companies and regular car manufacturers have a vested interest.

That’s not to say all anti-Tesla articles are wrong, just one should be careful that you aren’t being a rube to propaganda.

Also, Facebook wasn’t dinged for collecting data, they were dinged for allowing a third party to scrape it.

The people using Facebook are quite aware of all of the stuff they’re telling FB: interests, likes, groups they join. What they don’t want is third parties who shouldn’t know, to know.

I don’t care that Facebook knows what articles I liked. But I don’t want Cambridge Analytica to know in an individually identifiable manner.


Haven't read the article because it is behind paywall, but it is not that hard to stay away from Google if you really care for it.

Search - Use DuckDuckGo or startpage.

Use Fastmail or any other email provider that is not Google.

Watch Youtube videos without creating an account and clear out cookies regularly.

Use Vimeo or some other service to host your videos for private use.

Use Google Translate without a Google Account, and make sure you're not logged into a Google account in another tab or even the same browser.

Use Firefox instead of Google Chrome.

Google Adsense - Block ads using adblocker, Ghostery, and if you're up for it, use Adnauseum. Again, make sure to not leave a trace of a Google account in that browser.

Google DNS - Use your carrier's DNS or even better something like Quad9 instead. Keep changing it among the open ones if you don't want a single DNS provider getting all your history.

Android Integrations - Use iPhone :-) But, if you have something against Apple or don't like it, use as plain an Android as possible. Check if you can live without the Play store. Rooting?

GSuite - Use local Office programs with files living in Nextcloud or something.

Google Drive - Use Nextcloud instead.

Google Analytics - Adblock/Ghostery it.

Google AMP - Not sure what you reveal if you can avoid a Google account. Clear out cookies frequently.

The point being, do NOT use a Google account in the browser, clear out cookies as often as reasonable.


You might be able to dislodge yourself from certain datasets, but good luck getting out of all of them. For example: https://www.inc.com/emily-canal/google-credit-card-purchases...


An easy way to bypass the wsj paywall is to use a facebook redirect.

http://facebook.com/l.php?u=https://www.wsj.com/articles/who...

works as usual. Putting "http://facebook.com/l.php?u=" before the url does the trick.

I picked up this technique from a fellow HN user, wanted to share.


To read past WSJ paywall, rename wsj.com to fullwsj.com, which redirects through Facebook and displays the full article.


I thought you said it was easy!


(Disclaimer: I work at Google, though on unrelated things. Opinions my own, yada, yada)

Worked at a privacy obsessed place before (Mozilla) where I worked on building privacy-preserving ad infrastructure.

I think we've more to fear about the other data brokers (so-called DMP's and their sources of data, e.g. your bank) than Google. At the very least, we have some assurance Google is competent with handling the data.

Google is a big well-known target and definitely poses a central point of failure for our data, but this piece could've been more than a dig at Google and rather, could have explored how private information is handled in the Ad industry in general.


And yet most ads I see on the internet are almost less targeted than TV ads. What are they doing with all this data, I wonder. To be fair though, I don't even know myself what I might be interested in.


Solution: Ban Lobbying?


This is disappointing from WSJ. Google's data collection is a good story but pulling Facebook in and then devolving into what-about-ism is not. This is toeing the what-about-Google/Twitter stance Facebook took in its release.

> Google gathers more personal data than Facebook does, by almost every measure—so why aren’t we talking about it?

Because one problem at a time. If we are going down this path, how about,

> Many people die of hunger every year more than Facebook, by almost every measure—so why aren’t we talking about it?


I think you're getting the "what-about-ism" argument backwards. This isn't avoiding talking about Google by saying "What about Facebook". This is comparing the two to highlight its point about Google, the subject of the article.


Maybe I have it wrong but what-about-ism isn't only about avoidance. It is also about drawing an equivalence saying - "Yes, X is bad but what about Y?" The idea being if everyone does it then X hasn't done anything wrong.


No one is saying Facebook hasn't done anything wrong. We just don't want Google to get away with it.

Whataboutism would be if we were to suggest Facebook isn't that bad because Google does it too. But articles like this are trying to point out that both companies are doing bad things: We should be going after both of them.


> Because one problem at a time

This is dealing with one problem at a time. The problem is unchecked commercialized mass surveillance, and any laws that come out of this should apply to Google, Facebook, and every other company that has been engaging in these practices.

Your attempt to spin these as unrelated with that last line doesn't even make sense.



The mail is only as secure as who you send it to. If you email a Yahoo or Gmail account the email may be secure on your Proton server but open to the others. The thing about security is everyone else has to do it or it breaks down. Gmail and other free email providers make it so easy people don't want to change.


Protonmail does have the ability to send emails in a secure fashion regardless of the receiver’s provider via a link.

Obviously it’s inconvenient and I wouldn’t use it for the lion’s share of my emails, but if I were sending something like a password or a code I certainly would.


You could send a link to a secure pastebin instead of the actual message.


One of these things is not like the other. DuckDuckGo and Proton were founded on the basis of protecting privacy and not sharing personal data. The other is part of the cabal.


Insofar as we have limited options on mobile phones: Currently between a company built around profiting from data collection and a company built around profiting from selling hardware, the latter is the best possible choice.

(Android is mostly a lost cause even if you try and strip Google out of it, and doing so in an even mildly secure fashion is beyond most people's competency. Most other OSes are more or less toys without even basic ability to replace a modern smartphone.)


Exactly. Apple is also one of the participants in the NSA's PRISM [1] domestic surveillance program. Their participation shows at least some disregard for the privacy of their customers in and of itself, but more tellingly it's also indicative of the NSA's appreciation for the amount and quality of unique and identifiable data that Apple has or can readily obtain on their users.

[1] - https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%...


What I hate about Apple is no transparency. Google has a dashboard with everything they collect in one place and can remove and even download.

Apple's terms let them collect tons but no dashboard. No transparency. No way to download.


> Their participation shows at least some disregard for the privacy of their customers in and of itself

Why? Apple is legally required to hand over the court ordered data whether or not they participate in the FBI's data integration program. By implementing a proper data integration system, Apple can standardize audits and alerts and make sure the FBI gets only what is required and not somebody else's data by accident as might happen if the data were sent by hand each time.


I'd recommend checking out the article and other reading on PRISM. PRISM is operated by the NSA and involves egregious breaches of personal privacy including bulk collection of loosely targeted data, warrantless data retrieval in some instances, the collection and use of "inadvertently collected data" and more. This entire period of extreme surveillance and secret courts, which are in effect kangaroo courts, will likely be looked at in the history books similar to how you look at things like the Stasi. Keep in mind that the Stasi was founded in 1950 and prosecutions only began once East Germany fell, some 40 years later.


> PRISM is operated by the NSA and involves egregious breaches of personal privacy including bulk collection of loosely targeted data, warrantless data retrieval in some instances, the collection and use of "inadvertently collected data" and more.

No, according to Snowden's documents, PRISM is a data processing system that consumes data sent to the FBI's Data Intercept Technology Unit following a Section 702 order for communications sent to or from a specific foreign user not in the US.

https://medium.com/@alecmuffett/how-to-talk-about-prism-and-...


I would avoid basing your knowledge on blogs.

The wiki page's synopses are contradictory as usual, but the original images as well as Snowden's comments are not ambiguous. The slides show real time access to video, voice, VOIP, etc.

Snowden's synopsis was, "In general, the reality is this: if an NSA, FBI, CIA, DIA, etc. analyst has access to query raw SIGINT [signals intelligence] databases, they can enter and get results for anything they want."

Quoting Greenwald who received the information and disclosure directly from Snowden: "...even low-level NSA analysts are allowed to search and listen to the communications of Americans and other people without court approval and supervision." Greenwald said low level Analysts can, via systems like PRISM, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."


> The slides show real time access to video, voice, VOIP, etc.

For the specific users whose data was requested in the Section 702 request.

> Quoting Greenwald who received the information and disclosure directly from Snowden: "...even low-level NSA analysts are allowed to search and listen to the communications of Americans and other people without court approval and supervision."

Funny how Snowden didn't have any evidence of this. All his documents match the description I gave you. The FBI's DITU is right there in the system diagram slide. This is just a misunderstanding of the documents by a low-level sysadmin who never actually saw the programs and a credulous reporter who didn't even try to check his facts.


What makes you believe Apple sells their customer’s data?


Facts? I mean we have.

https://www.amnesty.org/en/latest/news/2018/03/apple-privacy... Campaign targets Apple over privacy betrayal for Chinese iCloud ...

Apple gave up their user data in China so they could make a buck and Google instead chose to leave China instead of giving up the data to make a buck.

Apple it is more data and more money made and therefore believe the largest selling data example we have had in my lifetime? Do you know any examples that are bigger?

This is also actually giving the data instead of targeting an ad.


Closed source, with many anti-user mechanisms. It's extraordinarily hard to investigate what your mobile device is doing at any time. One would require a Stingray and networking analysis gear to determine whom the packets are meant for - and even that is defeated with Pinned certs.

Primarily, the onus is on them to show that they do not have contractual allowances to sell data to internal or 3rd parties.


Or is that more marketing? How do we really know what they are doing with our data?



