ARC's 1st Law: As a "progressive" online discussion grows longer, the probability of a nefarious reference to Karl Rove approaches one

Sunday, January 22, 2006

A Techy View of the Google Bruhaha

Google Subpoena is the tip of the iceberg

Submitted by brad on Thu, 2006-01-19 21:52. Privacy


Google is currently fighting a subpoena from the DoJ for their search
logs.
The DoJ experts in the COPA online porn case want to mine Google’s
logs, not for
anybody’s data in particular, but because they are such a
great repository of
statistics on internet activity. Google is fighting hard
as they should. Apparently several Google competitors caved in.


These logs are a treasure trove of information, just as the DoJ experts
say they are. No wonder they want them. They are particularly valuable to
Google, of course, so much so that they have resisted all calls to wipe them or
anonymize them. In fact, Google has built a fancy system with its own custom
computer language to do massively parallel computing to let it gather statistics
from this giant pool of
data.

The DoJ and the companies that didn’t fight the order insist there is
no
personally identifiable information in these logs, but that’s certainly not
true of the source logs. Even if you remove the Google account cookie that
is
now sent with most people’s queries, the IP address is recorded. I have a
static
IP address myself on my DSL. It’s always the same, and so it would be
easy to
extract all my searches, which include some pretty confidential
stuff, things
like me entering the names of medicines I have been
prescribed. (It even
includes me searching for “Kiddie Porn” because I
wanted to see if any adwords
would be presented on such a search. (There
were not, in case you are wondering.)
Yahoo and MSN state the IP address and
other information was stripped from what
they handed over.


Static IPs are the norm for corporations and more savvy internet users,
but while most DSL and cable users have a dynamic IP, it isn’t really very
dynamic. If you have a home gateway box or computer that is on all the time, it
changes very infrequently, in some cases, never. All your activity can be linked
back to you through that address. Only dial-up users can expect any anonymity
from their dynamic IP, and even then ISPs keep logs for some period of time
which connect dynamic IPs and accounts.


But there is something far more frightening about this collection of
data. I hope Google wins its fight over this data, because the DoJ really has no
business forcing a private company to help them with their statistics
problems.
But what about when a subpoena comes about an individual? Imagine
you are under investigation for something, or just in a frivolous lawsuit or
even a messy divorce. You can bet lawyers are going to want to say, for those
with mostly-static IPs, “I want the search records for this IP, or this cookie.”
And it’s going to be a lot harder for search engines to turn down those
requests, because they will be specific and
will relate to the data the
search companies are holding on all of us.

One way to hold the lawyers back will be to make it expensive. But how long
will it
remain expensive? After a few requests, the software to pull the
records will
exist, and it will not be possible to claim it’s more expensive
than the data
mining Google already does for itself, to improve its own
business.
Now, before it seems like I am ragging on Google here, let’s not
forget that Google’s
competition — AOL, Yahoo and MSN — hasn’t been even so
good as to fight this
first salvo. Yahoo has a whole department to comply
with legal requests for
their records, and famously handed over the ID of a
journalist who sent an
E-mail that has landed him in a Chinese jail. When it
comes to intent, Google
has indeed been the “do the least evil” company
here.

But with court orders, intent matters not. This pool of data is an
“attractive nuisance.” In the end, I think Google will realize it has to start
anonymizing this data to the point that it can respond to requests with “we
don’t have that information.” Doing so will erase information that can be
valuable to Google’s business. It will come at a cost to them. Worse, the cost
can’t be predicted because they will lose the
ability to learn new things
they haven’t even realized they want to learn about
how people use their
tools. But in the end, it’s the only choice, both to keep
their subpoena
costs down, and to make users comfortable with
searching.


Perhaps these logs were handed over without IPs or user names. But
what if somebody browses them and sees queries on things like kiddie porn or
white house security or how to build a nuclear bomb? Could that be
sufficient
cause for a further order to get the identifying information
associated with
that query?


In the meantime, if you feel motivated to foolishly search for things
that could be misinterpreted, as I did, may I recommend you do so through Tor, the anonymizing proxy. (The EFF(o) provided significant
financial support to the development of Tor.) Tor bounces your web requests
through a series of randomly chosen servers, all encrypted, so nobody can trace
back your requests to you. Be sure not to login when using it, though!
» brad's blog




Your Co-Conspirator,
ARC: Monterey John

Comments (6)
Brian said...

Whats your point John?
Some items:

IP's are both identifying and non-identifying as pointed out in the post.

You have no expectation of privacy with respect to Google's records. They are Google's to own. I notice that you haven't said squat about Yahoo's records, and they willfully turned over the same information to the DOJ without argument.

There is no evidence that I have seen that the DOJ is using this subpeona to go after anybody's personal search records. Rather an aggregate so that they can use that information for reinstatement of COPA.

Should they be allowed to subpeona those records? Personally, I don't think so, but thats why there's a fight underway.

Monterey John said...

Geeze this is frustrating...

My point?

This is something the law enforcement people OUGHT not to be doing, not that the CAN not be doing it.

In this particular case they are performing a LEGISLATIVE function. Why? Out of the goodness of their hearts to help their pals over on The Hill?

Please!

Brian said...

It's easy to get frustrated when you just post the text of another post verbatim without any commentary. You lead your reader to make assumptions as to your point.

As to the case at hand, they're performing a judicial function. I.e. preparing arguments for the judicial branch.

Just like the president can ask for legislation to be written. Or judges can overturn the law.

So you are upset that they are asking for the aggregate results. Not that Google is keeping the information around.

Let me guess you think you have a constitutional right to Google. Another thought experiment, what if Congress passed a law saying any company providing search aggregation had to provide the records of said searches to a special task force of the FBI. Uncontitutional? It certainly falls under interstate commerce, more so than some of the gun laws that passed congressional muster.

Let me say I thought the COPA was a stupid law. Best way to keep porn out of kids hands is to filter. Not software filters, but parental filters. Computers in common areas, software logs and auditing, etc.

But I think people descend into silliness when they get upset that a company turns over information about them that they willingly gave to said company.

The issue isn't Google in this case, its Yahoo, who didn't even bother to fight the requests for info and willingly turned it over.

Should Google have to turn over the records? No. Does the government have the right to ask? Sure. Should they ask? I'm not upset if they keep it high-level (like they are here).

Monterey John said...

Brian,I hope this is the last thing I have to say on this subject for awhile ;)

Not sure what I did to deserve the "let me guess you think you have a constitutional right to Google" remark. I don't even think one has a "right" to privacy as pointed out in the series of posts. I guess it was an attempt at sarcasm or something, so I'll just let it go.

"Expectation of privacy" is criminal law speak steming in the 4th amendment and resulting case law blah, blah, blah. And that is exactly my point, criminal law. Why are we even engaged in criminal law and criminal law enforcement agencies here? Maybe because the Justice Department got involved? Ya think?

Brian, at the risk of being blunt, it is astoundingly nieve to think that Justice does not have ulterior motives here above and beyond Google and its competitors. They are testing the waters and using this as a vehicle. They want to see how far the courts will let them go.

This goes beyond legal questions to political and policy questions. I did not vote for this administration to see this sort of thing go on. It is stealth power expansion.

Brian, I've been around for awhile. Believe me, this is not the first time I have seen this sort of thing. It has has happened before. Even good men can do the wrong thing.

A few side items, I refer to this as the Google matter because that is the ball in play. The chickens at Yahoo, MSM etc are not at issue. I kind of admire Google for taking the position they have.

However, if you look at what they are contesting it is NOT on privacy grounds. It is based on the subpoena being overbroad and burdensome. Clearly they did not want to take on the core issue, privacy, probably because they knew they would lose.

I am going to let it go now. When the Feebs start sorting through your reading habits, let me know what you think about it when its too late to bring pressure to stop this sort of thing.

Brian said...

Sorry John, I didn't mean this to be contentious. Just throwing up some thought experiments, mostly. And as I said, I think we're in the same camp here really.

My attitude is probably shaped from a podcast I listen to every week called "Off the hook" which is basically 2600 magazine's audio program broadcast on WBAI in NYC weekly.

There was one host that was complaining that Google didn't respect his privacy rights and his attitude was more that he had a right to Google, and to privacy, despite the fact that everything he was getting from Google was essentially free. Sorry for attributing your arguments with theirs.

I agree that I don't want the Fibbies reading my email, or perusing my browsing habits, etc. Because without probably cause, its just none of their damn business. And even then they better have good damn reason.

That being said, unless you trust both endpoints of communication on the internet there is no sense of privacy, and everyone should be aware of that. At best there is a custom of privacy.

I agree that the DOJ is looking for this data to expand their powers. And as I said I hope the court strikes them down. As to Google using the overly broad and burdensome argument, I think thats the argument they decided on because its the best argument for winning. And if Google wins, whats it matter. If the DOJ wins, I'll join you in petitioning Congress to repeal the stupid law. As I made arguments similarly when COPA was passed in '98.

Desert Rat said...

John, I'd take the whole Google kerfuffle a lot more seriously had the Google folk resisted the Chinese attempt to stop open debate with anywhere near as much enthusiasm as they are fighting attempts here to stop child pornograpy.