[IP] EFFector 17.13: Google's Gmail: A Rough Guide to Protecting Your Privacy
For more information on EFF activities & alerts:
<http://www.eff.org/>
To join EFF or make an additional donation:
<https://secure.eff.org/>
EFF is a member-supported nonprofit. Please sign up as a member today!
* Google's Gmail: A Rough Guide to Protecting Your Privacy
As we noted in last week's EFFector, Google has introduced a new
beta email service called "Gmail" that raises a number of privacy
concerns.
While the media has largely focused on the fact that Gmail will
scan the contents of your email messages in order to target ads,
the more serious problem from a privacy perspective is Google's
ability to link your Gmail account information with your Google
web searches. By linking your complete Google search history -
tagged with your name and personal details - to your email records,
Google can create a highly nuanced picture of you as a reader
and as a person. Such pictures present irresistible targets for
government investigators, civil lawsuit plaintiffs, and even
identity thieves. A single attack or disclosure could release
deeply sensitive details about your life to the world without
your knowledge or consent.
Below, we explain how personal information from your Gmail
account can be linked to your Google searches, provide a
technical "how-to" for (temporarily) keeping the two separate, and
offer our recommendations for a longer-term solution to the
problem. Although we focus here on Google, these recommendations
apply to any business - Yahoo, Hotmail/MSN - that offers both
search and email services and can link the two.
~ The Problem
Google uses cookies - bits of identifying data that automatically
allow a website to "recognize" you - to link every Google search
you conduct on the same computer and browser. This could be used
to help Google to refine your search results or their display to
match your preferences more closely. Even though Google keeps
this search information stored on its servers, without your name
and other personalized information it has no way explicitly to
link searches to your other activities and correspondence on
the Internet.
The problem is that the Gmail service may change this. All of a
sudden, Google can know exactly who you are every time you search
the Internet using its service. And not only that, its databases
know who is sending you email, to whom you respond, and even what
you write about. With innumerable search results and up to 1 gigabyte
of email messages per Gmail account at its disposal, Google could
pull together an extremely detailed dossier on each of the
millions of people who use its services every day. Such a vast
assemblage of nuanced personal information could become a bigger
privacy nightmare than government projects such as Total
Information Awareness (TIA).
As we note above, Google isn't the only threat. Yahoo and Hotmail,
although they're not (yet) offering to archive a full gigabyte
of your personal email messages, can also link your email account
to your search history - and to your instant messaging as well.
Amazon is getting in on the game, too, announcing this week its
new "A9" search service, which will allow the company to correlate
your book browsing and purchases with your search and click
history via cookies.
~ The Fix
Contrary to what we suggested last week, merely deleting cookies
"often" is not enough to prevent this from happening. You would
have to delete cookies both before and after you use Gmail - each
and every time. There's a better way.
Delete Past Linkability
For current and prospective Gmail users, we suggest that you start
by deleting your existing Google cookies before you use Gmail
(and before you enter your real name or existing email address in
any Google form). This will help prevent your pre-existing search
history from becoming associated with your identity in the future.
(Note that it will also cause you to lose any Google preferences
you have entered, such as language or adult content preferences.)
Prevent Future Linkability
In addition, we suggest that you use one of the two following
schemes to prevent a link between your Gmail account and your
Google searches:
(1) If you don't already have two or more web browser programs
installed on your computer, obtain a second browser. Use the
second browser only to access Gmail, and never use it for Google
searches. To serve as a reminder for which browser to use, you
could configure your second browser to load Gmail automatically
when it starts.
(2) Use an "anonymizing" or cookie-controlling proxy service such
as Anonymizer.com whenever you use Google search. For example, if
you are an Anonymizer.com subscriber, you can create a web browser
bookmark to the URL <https://anon.ssl.anonymizer.com/http://www.google.com/>
Use this bookmark whenever you want to make a Google search. You
can then feel free to log on to the Gmail service using your
ordinary web browser.
~ Our Recommendations to Google
Google doesn't have to make us jump through these kinds of technical
hoops in order to protect our search privacy. In fact, Google could
easily reassure its users about linking email to search with one
simple step. Because each cookie is associated with a particular
domain, Google could move the Gmail service from gmail.google.com to
www.gmail.com - thereby keeping the gmail.com cookie separate from the
google.com cookie. While using separate domains may not be as
convenient for some users as a single sign-on at a single domain,
single sign-on could easily be offered as an opt-in feature, giving
people a fair opportunity to assess the privacy/convenience
trade-off before Google starts collecting their data.
Finally, Google has said that it will not use Gmail to determine
who is using the Google search engine for particular searches.
This is a good policy, but it needs to be spelled out clearly on
the Gmail privacy policy page: www.google.com/gmail/help/privacy.html
~ What's Next?
EFF is pleased that Google has so far been forthcoming about many
of the features and issues raised by Gmail. We plan to continue
our talks with the company, and we hope that Google will adopt our
recommendations. When the final version of the Gmail service is
released, we'll take a fresh look and let you know whether or not
the service makes the grade for protecting your privacy.
~ The Big Picture
What we've offered here is a short-term fix for current/prospective
Gmail users and a few brief recommendations for Google, barely
scratching the surface of the privacy issues surrounding Web mail.
A temporary work-around is just that - temporary. In the longer term,
we are exploring bigger picture issues including:
* Concern over the growing trend to move large portions of people's
lives online via 3rd party providers, abandoning hard-won legal
protections.
* Risks of potential correlation of large swaths of private online
activity beyond mail and searching at all the major providers:
MSN, Yahoo, AOL and now potentially Google.
* Different legal rules that may apply to mail that is indexed,
searched or keyword matched by a third party - even when all these
tasks are entirely automated.
* What risks users should be aware of, what technical measures they
can take to protect their privacy, and what legal and contractual
measures they should demand to protect their rights.
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/