All posts tagged ‘Google’

File Under: privacy

Google’s New Privacy Policy: What Has Changed and What You Can Do About It

Today’s the day Google’s broad new privacy policy goes into effect. European regulators are claiming it violates data protection laws, but it’s here and it may be here to stay.

There are some not-completely-foolproof ways to hide from Google, but first let’s talk about what’s changed. Prior to today, Google had more than 70 privacy policies for its various products. But with the company trying to create a seamless experience across search, Gmail, Google+, Google Docs, Picasa, and much more, Google is consolidating the majority of its policies down into just one document covering most of its products. This will make it easier for Google to track users for the purpose of serving up personalized ads.

“The main change is for users with Google Accounts,” Google said at the time of its January announcement. “Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services. In short, we’ll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience.”

An example? Google search results can already bring up Google+ posts or photos that have been shared with the user. “But there’s so much more that Google can do to help you by sharing more of your information with … well, you,” Google said. “We can make search better—figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too. For example, it’s January, but maybe you’re not a gym person, so fitness ads aren’t that useful to you. We can provide reminders that you’re going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends’ names, are accurate because you’ve typed them before.”

Today, Google’s official blog reminded users of the change, saying it had been the subject of “a fair amount of chatter and confusion.” 

The updated policy can be read online. It describes how Google collects device information, search queries, cellphone-related data, and location information, and how it collects and stores information on users’ devices using HTML5 technology, browser storage, application data caches, and cookies and other “anonymous identifiers.”

Before the changes, Google was “restricted in our ability to combine your YouTube and Search histories with other information in your account,” Google Privacy Director Alma Whitten wrote in the company blog. Now Google can provide a simpler, easier-to-understand privacy policy to users, and improve its products “in ways that help our users get the most from the web,” Whitten wrote.

Google recently promised to follow Do Not Track guidelines in an agreement with the White House, but those changes won’t take effect until sometime later in the year. With Google’s expanded ability to serve up personalized ads, the company makes certain privacy promises. For example, “when showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.”

The policy does not affect most business customers, meaning those who have a signed contract with Google to use Google Apps for Government, Business, or Education. Those of us with free accounts will be affected, and while there are ways to anonymize your Google usage, they’re not universally effective. Google’s privacy policy notes that “You may also set your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us.” However, Google was recently found to be serving up advertising cookies to users of Safari and Internet Explorer using methods that circumvent the browsers’ default privacy settings.

So what else can you do? Most browsers today have private surfing modes that you can select. You can visit Google’s “Data Liberation Front” website for instructions on exporting data out of Google products. The Electronic Frontier Foundation also has instructions on removing your Google search history from your account. However, even this is not as simple as it sounds. Disabling Web History in your Google account “will not prevent Google from gathering and storing this information and using it for internal purposes,” the EFF notes.

Google does hand over user data in response to government requests on a regular basis, as noted in the company’s Transparency Report. The EFF notes that disabling Web History “does not change the fact that any information gathered and stored by Google could be sought by law enforcement.”

If your account has Web History enabled, Google will keep the records indefinitely. “With it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented,” the EFF states.

For those who are really willing to put some work into staying anonymous, downloading a Tor client may be the right step. Tor encrypts your web traffic and sends it through a randomly selected series of computers, preventing shadowy third parties from learning what sites you visit or where you’re located. The Tor Project even played a role in helping Iranians get back online after a recent government crackdown on Internet usage.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: Browsers, privacy

Google Tricks Internet Explorer into Accepting Tracking Cookies, Microsoft Claims

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled “Google bypassing user privacy settings” Microsoft’s IE Corporate Vice President Dean Hachamovitch states that “When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies.”

Hachamovitch explains that IE’s default configuration blocks third-party cookies unless presented with a “P3P (Platform for Privacy Preferences Project) Compact Policy Statement” indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won’t be used for tracking. “By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked,” Microsoft said.

The text allegedly sent by Google actually reads “This is not a P3P policy” and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol “was not designed with situations like these in mind.”

Microsoft said it has contacted Google to ask the company to “commit to honoring P3P privacy settings for users of all browsers.” Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we’ll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer’s privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. “Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it,” Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft’s reliance on P3P forces outdated practices onto modern websites, and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that examined 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

“Microsoft uses a ‘self-declaration’ protocol (known as ‘P3P’) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form,” Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. “It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality.”

Facebook’s “Like” button, the ability to sign into websites using your Google account “and hundreds more modern web services” would be broken by Microsoft’s P3P policy, Google says. “It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality,” Whetstone said. “Today the Microsoft policy is widely non-operational.”

That 2010 research even calls out Microsoft’s own and for providing invalid P3P policy statements. The research paper further states that “Microsoft’s support website recommends the use of invalid CPs as a work-around for a problem in IE.”

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: Browsers

Chrome 17 Released, Will Preload Autocompleted URLs as You Type

Google has just released Chrome version 17, which brings several minor enhancements to the company’s web browser — including a new web address preloading feature and improved protection against malicious downloads.

The new Chrome introduces a “preemptive rendering” feature that will automatically begin loading and rendering a page in the background while the user is typing the address in the omnibox (the combined address and search text entry field in Chrome’s navigation toolbar). The preloading will occur in cases when the top match generated by the omnibox’s autocompletion functionality is a site that the user visits frequently.

When the user hits the enter key and confirms the autocompletion result, the pre-rendered page will display almost instantly. The feature extends Chrome’s existing predictive page loading functionality to autocompletion results. Unlike Chrome’s instant search capability, however, the autocompletion preloading waits until the user hits the enter key before displaying the rendered page.

Google has also added some new security functionality to Chrome. Every time that the user downloads a file, the browser will compare it against a whitelist of known-good files and publishers. If the file isn’t in the whitelist, its URL will be transmitted to Google’s servers, which will perform an automatic analysis and attempt to guess if the file is malicious based on various factors like the trustworthiness of its source. If the file is deemed a potential risk, the user will receive a warning.

Google says that data collected by the browser for the malware detection feature is only used to flag malicious files and isn’t used for any other purpose. The company will retain the IP address of the user and other metadata for a period of two weeks, at which point all of the data except the URL of the file will be purged from Google’s databases.

Users who are concerned about the privacy implications of this functionality can prevent the browser from relaying this information to Google by disabling the phishing and malware protection features in the browser’s preferences. You can refer to the official Chromium blog for additional details about the malware detection feature.

Chrome 17 is available through the browser’s automatic updater and can also be downloaded from Google’s website. More information about the new release is available in the official Google Chrome blog.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.

File Under: Web Standards

Google Works on Internet Standards with TCP Proposals, SPDY Standardization

As part of Google’s continuing quest to dole out web pages ever more quickly, the search giant has proposed a number of changes to Transmission Control Protocol (TCP), the ubiquitous Internet protocol used to reliably deliver HTTP and HTTPS data (and much more besides) over the ‘net.

Google’s focus is on reducing latency between client machines and servers, and in particular, reducing the number of round trips (either client to server and back to client, or vice versa) required. When data is sent over a TCP connection, its receipt must be acknowledged by the receiving end. The sending end can only send a certain number of packets before it must wait for an acknowledgement. The time taken to receive an acknowledgement is governed by the round-trip time (RTT). With high-bandwidth, high-latency connections, clients and servers can end up spending most of their time waiting for acknowledgements, rather than sending packets.

When a new connection is made, a computer may initially send three packets before acknowledgement is required. Google wants to increase this to 10. With 10 packets, a browser can typically deliver an entire HTTP request to a server before it has to stop and wait for a reply.

TCP connections require a certain amount of negotiation between client and server, requiring a round trip, before data can be sent. Google is proposing to modify TCP so that some data can be sent during that negotiation, so that the server will have it on hand already, and can start processing it straight away.

TCP waits a predetermined time (the RTO or retransmission timeout) for acknowledgements to arrive. If the RTO expires, unacknowledged packets are assumed lost and retransmitted. This ensures that if data has been lost in transmission, the sender is never left waiting for an acknowledgement that will never arrive. This timeout value varies according to the network conditions and RTT, with a default of three seconds. Google wants to reduce this default to 1 second, so that if data has been lost, neither end needs to wait so long before it has another go.

Finally, Google wants to use a new algorithm to adjust how TCP connections react to packet loss. Packet loss can indicate networks that are congested, and TCP reacts by reducing the rate at which data is sent when this congestion is detected. The company claims that the algorithms currently used to respond to this packet loss can exact too great a penalty, making connections slow down too much and for too long, and that its new algorithm is better.

In addition to these proposed changes, Google is also suggesting other modifications, especially to make TCP recover better on mobile networks.

Changing TCP is not to be taken lightly. The protocol is already suffering due to buffer bloat undermining its built-in handling of network congestion. While Google’s proposed changes are well intentioned and might improve network performance, they come with the risk that an overlooked problem or a bad interaction with other traffic could cause widespread damage to the internet.

The proposed changes to TCP to reduce latencies and start sending data sooner are a continuation of previous work Google has done to try to make web serving, in particular, faster. The company has previously proposed other modifications to protocols such as SSL to similarly accelerate data transmission.

More far-reaching than these SSL tweaks is Google’s proposed alternative to the HTTP protocol that underpins the web: SPDY.

Initially, SPDY was a proprietary Google protocol implemented only in Google’s Chrome browser. That’s changing, however. Amazon’s Silk browser includes SPDY support, and Firefox 11 will include preliminary SPDY support. Partially motivated by SPDY’s uptake, the IETF’s HTTPbis Working Group — the team of industry experts tasked with maintaining and developing the HTTP specification — is considering the development of a new specification, HTTP/2.0, with the goal of improving the performance of HTTP connections. The working group will solicit suggestions from the industry, and with two, soon to be three implementations already, SPDY is likely to be well placed among those suggestions.

This article originally appeared on Ars Technica, Wired’s sister site for in-depth technology news.


File Under: search, Web Services

Hack Swaps Google’s Search Plus Your World Results for the Wider Social Web

Shortly after Google launched Search plus Your World earlier this month, critics accused the company of favoring its own nascent social network over the much richer results on others, like Twitter or Facebook. As Wired’s Steven Levy quipped, “there’s too much Plus and not enough of Our World, which has oodles of content on other social networks.”

Now developers at Twitter, Facebook and MySpace have put together a demonstration of just how much relevancy Google sacrifices in order to push Google+. The demo, which uses only Google’s own results, shows, among other questionable results, how Google routinely ignores more relevant Twitter pages to show off seldom-used Google+ profiles. To see it in action, head on over to the new Focus on the User website.

If you decide you prefer the often more relevant results from the Focus on the User experiment, there’s a bookmarklet available, cheekily entitled “don’t be evil.” Just drag the bookmarklet into your web browser’s bookmarks bar and then click it whenever you want to see more than just Google+ results in Google’s search results.

The developers behind Focus on the User do work for Google+ rivals, but that doesn’t change the results of the experiment, which speak for themselves. The developers also point out that their tool relies entirely on Google’s own data to rank social search results. Here’s their description of how the don’t be evil tool works:

the tool identifies the social profiles within the first ten pages of Google results (top 100 results). The ones Google ranks highest — whether they are from Flickr, Twitter, Facebook, LinkedIn, MySpace, Quora, Tumblr, Foursquare, Crunchbase, FriendFeed, Stack Overflow, Github or Google+ — replace the previous results that could only be from Google+.

In other words, the bookmarklet largely returns Google to its previous state, before the Search Plus Your World update. If you’d like to know more about how the bookmarklet works, or see some examples and situations in which the emphasis on Google+ social results actually degrades the quality of search results, be sure to check out the accompanying video.
