Googling Security: How Much Does Google Know about You?

In his review of this book Ben Rothke, author of Computer Security- 20 Things Every Employee Should Know (2nd ed), stated "It has been suggested that if one was somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval. In a report from the Manhattan Institute, they write that no modern drug development organization would touch it. Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues." Rothke may have been semi-prescient. Google Street Maps have been encountering increasing resistance and legal issues related to privacy concerns in countries from Japan, to Germany, to England, to Greece, and others. Granted, it is a decade or so too late to protect against most of the issues Conti analyzes in this book, but it illustrates that those concerns do exist as Google continues to expand the products and services it provides on the Web. Johnny Long has evangelized on the topic of data security on Google for years. His book, Google Hacking, is more about targeted techniques for extracting sensitive information that users should have protected better rather than an indictment of Google or its methods. But, it illustrates essentially the same point- there is a virtually endless amount of data catalogued and indexed on Google's servers and, either intentionally or unintentionally, it can have significant privacy and security ramifications. Greg Conti's take on the subject makes for an interesting and compelling read. It has tips, but is short on actual solutions. It is good to be aware of the security implications of resources such as Google though. Give it a read.

Disclaimer: I know the author personally and was given a review copy of the book. I haven't read many (non-religious) books that totally change my outlook about the world we live in. In 2008, Robert O'Harrow's "No Place to Hide" is one such book and Greg Conti's Googling Security is the second. The book begins with a simple question. "Have you ever searched for something you wouldn't want you grandmother to know about?" A simple but powerful question. Of course all of us have searched for topics we would rather our grandmother, friends, or spouse not know about. Would you ever consider posting the sum of your Google queries on your blog or website? Probably not, but just about all of us have given this information to Google in our dealings with them over the years. The book helps you take a look at how the sum of that information gathered through the use of the multitude of Google's "free" tools adds up to take a huge chunk of our privacy and very well could be giving Google a solid look into our personalities to include things most of us would prefer keep private. Breakdown of the chapters: Chapter 1: Googling 1 Chapter 2: Information Flows and Leakage 31 Chapter 3: Footprints, Fingerprints, and Connections 59 Chapter 4: Search 97 Chapter 5: Communications 139 Chapter 6: Mapping, Directions, and Imagery 177 Chapter 7: Advertising and Embedded Content 205 Chapter 8: Googlebot 239 Chapter 9: Countermeasures 259 Chapter 10: Conclusions and a Look to the Future 299 A common theme that the author found while conducting research for the book was "Google will collect personal information from you to provide you with a better experience." Right now we expect Google to "do no evil" and their current policies say they don't personally identify its users but as the author points out through the chapters in the book; Google gathers A LOT of data they DO tell us about and the ability to gather even more data is already built into its "free" services. Some other reviewers have said that its "preaching to the choir." While I agree that the normal person that would buy this book is in the IT field, I wouldnt be so quick to immediately say that the average system admin or evern security guy understands the magnitude of information gathering that could possibly be going on and the value and power of that information. While not specifically mentioned in the book I would encourage anyone interested in the topic to check out Conti's DEFCON 16 presentation on "Could Googling Take Down a President, a Prime Minister, or an Average Citizen?" When you think about the importance or value of that first page of results returned by Google and think about how events, commerce, or public opinion could be shaped by crafting the results that are returned you have a powerful tool(weapon?). What if the top results for a certain political candidate consistently only returned negative commentary? or if events were "buried" by Google never returning those results?

There's no question that Greg Conti writes excellent books. Last year's Security Data Visualization book earned 5 stars, and I put Googling Security in the same league. Conti takes a thorough and methodical look at the privacy consequences of Google's services, incorporating technical realities and thoughtful analysis. My only question is whether this book will matter to the intended audience. Ben Rothke's review does a nice job summarizing the book, so I won't do that here. Instead, I'd like to share this thought: do the millions of Google's users care about how Google collects and uses personal information? I argue the answer is largely "no," and I recognize that Conti's book is intended to try to change that point of view. However, I really doubt it will have that effect. I see three main consumers for Conti's book, meaning groups of people most likely to play close attention to the technical details while trying to implement privacy-preserving countermeasures. The first includes organized criminals. A certain component of organized crime is tech-savvy, motivated, and likely to adopt practices to shield their less technical colleagues. The second includes national intelligence services and related operatives. When reading Googling Security I thought to myself "This is a big OPSEC manual," similar to Johnny Long's great No Tech Hacking book. Google Security contains all the right material for an operative to construct a false identity, and then know how to act as safely as possible to not compromise that identity. In fact, the operative could move to the other extreme and use Google's services to construct what looks like a convincing false person, with a presence on a variety of sites. The third group (which receives some attention in the text) includes national governments and other regulatory agencies. Even without sustained popular pressure, we have seen regulatory bodies exert privacy measures on private companies. This is probably the best route to move Google in the direction Conti would like. One related note on nation states: Conti writes on p 4: "I view Google as the equivalent of a nation-state because of its top-tier intellectual talent, financial resources in the billions of dollars, and world-class information processing resources combined with ten years of interaction data." I reject that argument, just as I reject similar arguments regarding Bill Gates' wealth and so on. Neither Google nor Bill Gates nor any other similar actor can deny a person of life, liberty, or property. If any Google employee tried to imprison any person on behalf of "Google," he would suffer criminal charges. The tiniest nation-state on Earth has more legal power in this regard, especially when you add in other aspects of sovereignty like issuing passports, minting currency, imposing taxes, and the like. I also think Conti fails to appreciate the benefit of putting your data in the hands of a provider. At one point Conti ment

It has been suggested that if one was somehow able to change history so that aspirin had never been discovered until now, it would have died in the lab and stand no chance of FDA approval. In a report from the Manhattan Institute, they write that no modern drug development organization would touch it. Similarly, if we knew the power that Google would have in 2008 with its ability to aggregate and correlate personal data, it is arguable that various regulatory and privacy bodies would never allow it to exist given the extensive privacy issues. In a fascinating and eye-opening new book Googling Security: How Much Does Google Know About You?, author Greg Conti explores the many security risks around Google and other search engines. Part of the problem is that in the rush to get content onto the web, organizations often give short shrift to the security and privacy of their data. At the individual level, those who make use of the innumerable and ever expanding amount of Google free services can end up paying for those services with their personal information being compromised, or shared in ways they would not truly approve of; but implicitly do so via their acceptance of the Google Terms of Service. While the book focuses specifically on Google, the security issues detailed are just as relevant to Yahoo, MSN, AOL, Ask and the more than 50 other search engines. Until now, Google and security have often not been used together. As an example, my friend and SEO guru Shimon Sandler has a blog around search engine optimization (SEO). In the over three years that his blog has been around, my recent post on The Need for Security in SEO was the first on topic of SEO security. Similar SEO blogs also have a very low number (and often no) articles on SEO and security. Sandler notes that when he mentions privacy issues around search to his clients, it is often the first time they have thought of it. The book opens with the observation that Google's business model is built on the prospect of providing its services for free. From the individual user's perspective, this is a model that they can live with. But the inherent risk is that the services really are not completely free; they come at the cost of the loss of control of one's personal information that they share with Google. The book lists over 50 Google services and applications which collect personal information. From mail, alerts, blogging, news, desktop, images, maps, groups, video and more. People are placing a great deal of trust into Google as each time they use a Google service, they are trusting the organization to safeguard their personal information. In chapter 5, the book lists over 20 stated uses and advantages of Google Groups, and the possible information disclosure risks of each. In the books 10 chapters, the author provides a systematic overview of how Google gets your personal data and what it does with it. In chapter 3, the book details how disparate pieces of data can be