> The data Google has on you can fill millions of Word documents.
> Google offers an option to download all of the data it stores about you. I’ve requested to download it and the file is 5.5GB big, which is roughly 3m Word documents.
This link [Google Takeout] includes your bookmarks, emails, contacts, your Google Drive files, all of the above information, your YouTube videos, the photos you’ve taken on your phone, the businesses you’ve bought from, the products you’ve bought through Google …
Well duh, Google stores your gmail emails and Youtube videos and Drive documents and so on! This is the service they're providing you! Google Takeout doesn't give you a 5GB archive of advertising profile or covertly gathered info, it gives you a 5GB archive of the documents you deliberately uploaded to Google services - emails, docs, pics, videos, calendar appointments. The list of Android apps installed on your devices is there so that when you link a new device to your Google account, these apps will be automatically installed on it. And so on.
There's a single link on that list related to surveillance - namely, your Google Ads profile, which only shows very basic data, I'm sure they have vastly more complicated data stored on me.
There's enough genuine reasons to be upset with Google's surveillance, let's not promote this kind of silliness. Google knows which Google Groups you're subscribed to, really? 5GB could fill 3m Word docs - how many is that in Libraries of Congress?
This is typical. As a techie, you're triggered by technical detail because you understand the technical details of that example that is intended to illustrate the size of the data collected.
Rest assured that this happens all the time and when people read news about a topic that they are an expert on, they cringe all the time. For example, a paraglider pilot will get triggered if the reporter uses the word "Jumped" in a story about a paraglider pilot who crash-landed and injured two more people. This is because paragliders don't jump but take off from hills etc.
Usually reporting on technical topics is very hard because you need to reach the non-technical audience so you will HAVE TO use illustrative examples and not exactly accurate descriptions so that can be absorbed by the non-technical readers. Unfortunately, this will put you in a position where can be called on by technical readers who are triggered by the "implementation details" of your story.
I do believe that calling out the 5GB illustrative example is missing the point of the article. It's just a way to portray size of the data collected on you, it doesn't have any meaning even if this data was 3Mb or 100Gb. For example, if it was 3Mb Google might have used it to convey how little data they collect on you as if the size that this data takes has any correlation about the impact, then why even bother with such an irrelevant point of the "article implementation"?
> I do believe that calling out the 5GB illustrative example is missing the point of the article.
Please see my reply to bhauer's sibling comment, I think it applies here too. The problem isn't with the 5GB size or how they compare it to 3 million Word docs. The problem is with measuring the size of something completely irrelevant. The problem is with saying "Google collects data on you for advertising, they have data you wouldn't expect them to have" and then linking to data you explicitly, deliberately uploaded to Google yourself. The problem is with linking to Google Takeout and pretending it's something that it's not.
The difference between an incorrect description of a paraglider launch and a nonsensical comparison regarding the amount of data Google stores is that the latter is intentionally being presented as a proxy for the potential impact of that data.
To be able to interpret the article in a useful way, it is important to be aware that a single long, high-res youtube video could be 5.5 Gb and therefore that figure doesn't imply anything about what google knows about you. Of course, it would be easy for a non-expert to mischaracterize an aircraft accident in a way that matters to a layperson's understanding of why the accident happened and who is responsible.
“Briefly stated, the Gell-Mann Amnesia effect is as follows. You open the newspaper to an article on some subject you know well. In Murray's case, physics. In mine, show business. You read the article and see the journalist has absolutely no understanding of either the facts or the issues. Often, the article is so wrong it actually presents the story backward—reversing cause and effect. I call these the "wet streets cause rain" stories. Paper's full of them.
In any case, you read with exasperation or amusement the multiple errors in a story, and then turn the page to national or international affairs, and read as if the rest of the newspaper was somehow more accurate about Palestine than the baloney you just read. You turn the page, and forget what you know.”
Some of us do not subscribe to the "ends justify the means" theory. And with that, I'd consider this example a form of failed journalism. Regardless of whether or not there is actually an underlying point, this particular piece of pseudo-journalism didn't capture it. I chuckled when I read the author's description of himself/herself: "... who does extensive research into spreading technical awareness ...". One might think with the extensive research they have done so far, some of that technical awareness should have had reached the author, themselves.
> Some of us do not subscribe to the "ends justify the means" theory
I don't think that this is the case here. To be an "end justifies means" the writer would have to give a false information on an information that is relevant to the core of the story. Does it really matter what's the size of some digital data? Would it be O.K. if Google collected 100Mb of data but totally unacceptable if that was 5Gb?
The size of the data is an irrelevant implementation detail of the story. Even assuming that this is all the data about you is silly in the first place but the articla is not about that - even if the title says so.
When you start your article with, "I’m going to show just how much of your information the likes of Facebook and Google store about you without you even realising it", then include the user uploaded data in your proof, it's a bit disingenuous and reeks of FUD.
Is it really the responsibility of a journalist to hold the hand of people not well versed in the topic at the expense of technical correctness? I don't think so, I'd prefer we hold a standard of being correct and put the onus of education on the readers. They can Google what they don't understand. We can educate the public better to not be afraid of technical details. I agree with danarmak, this piece like so many others is just a bunch of sensationalized details. You should know what you're signing up for, nobody should be surprised by anything in there.
>Is it really the responsibility of a journalist to hold the hand of people not well versed in the topic at the expense of technical correctness
I think they don't have a choice but to do it this way. A typical news outlet will report on hundreds of topics a day and probably covering the entire spectrum of topics out there.
How likely it is that all of the readers will be well versed in all the areas of expertise that human race was able to achieve in the last few thousands of years of recorded history?
Also, these journalists[not necessarily this one but in general] are usually not experts on the topic that they write on and the better ones usually would consult with someone who is well versed on that topic. There's no way that the expert that the journalist is consulting with, will be able to educate the journalist, so he/she will dumb it down and then the reporter will dumb it down further and re-shape it in a form that the news outlet can sell it to its audience(right wing, left wing, alt-right, communist, highly educated ... whatever, they too are making a product for their customers).
In this case the author is not (yet? apparently he is hoping to do this kind of thing full-time) a professional journalist but someone who made a viral Twitter thread, which was picked up by the media and of which the article is a lightly edited version.
The word "triggered" should really be reserved for military vets and those who have experienced traumatic events in their past that would cause severe distress, not as a synonym for "annoyed."
A veteran who relives the horrors of war when fireworks go off is not nearly in the same space as a developer who is annoyed that someone misused technical jargon.
> The word "triggered" should really be reserved for military vets
Certainly not. While many military personal certainly have faced mind-altering situations, they are far from the only ones who have ever suffered from traumatic events.
Children and Women are the subjects of the most twisted and abusive stories I've ever been able to fathom.
> The word "triggered" should really be reserved for military vets AND those who have experienced traumatic events in their past that would cause severe distress
(emphasis mine)
You can't just cut a sentence in half and then try to form an argument against it. That's not fair.
Words shift in meaning over time. They're defined by the active usage, not the ideal usage. Resisting that change is like trying to fence in water, however righteous it feels.
As with most things, the choice is more difficult than either giving up and accepting a new, more lax definition, or "righteously" rejecting it. That process requires an application of judgment. In this case, my judgment says that it's an unnecessary cheapening of a psychological term, and that pointing out its origins might help people understand why.
Simply giving up on definitions means always ceding power.
It's not giving up so much as accepting that there's theater in chastising linguistic drift. Telling strangers they shouldn't use a newer, ironic form of a word is as hopeless as The Very Smart Guy raging at people over "literally" not being literal.
The entire world is participating in shaping English and we have no Académie Française equivalent. Sometimes the changes are unflattering.
That said, I do appreciate your points and see your intention with empathy about this word in particular.
I don't think that the fact that there _is_ theater renders the underlying struggle worthless, though. Words have meanings, and in the case of law, quite serious repercussions - eg. corporate personhood.
It's not so much "you shouldn't use that word in that manner because of some linguistic pedantry" but "you shouldn't use that word because the externalities of doing so have outsized effects on certain people," or for the self-centered and machiavellian, "you make yourself look bad when you use it such."
As you say, it is a matter of empathy. The N-word has been around for a while - it's still not acceptable for certain people to say it[0]. As for why, that's a matter of education, and it begins with pointing it out.
Google has tons of data on you that isn't available in Takeout as well. (So does Facebook.) Bear in mind, these companies know which ads they've shown you and when, for example, and at least in one case, buys your credit card transaction history to compare your purchases with the ads you've seen.
Which is why it would be reasonable to write an article about those things (with evidence). The article linked here is pointing to completely normal and desirable behavior and seems to hope readers won't notice.
> Bear in mind, these companies know which ads they've shown you and when, for example, and at least in one case, buys your credit card transaction history to compare your purchases with the ads you've seen.
Correct me if I am wrong but are you saying one of these two companies buys people's credit card transaction history and then compares people's ad history against the transaction history? If yes, that sounds really incredible.
"And even if your business doesn’t have a large loyalty program, you can still measure store sales by taking advantage of Google’s third-party partnerships, which capture approximately 70% of credit and debit card transactions in the United States."
IIRC, this was announced as part of a program that uses double-blinded crypto that allows google to perform matching against this data in aggregate (Set intersection knowledge), but not individually identity of what a given user purchased, at the same time preventing the merchants from learning the identities of individuals either.
According to what they presented at a crypto conference, they went to great pains to avoid capturing personally identifiable transactions. The overall strategy is that Google Knows = Set A = (all ads shown for user X at Merchant Y) Merchant/Credit Card Proccessor Knows = Set B =
(all $$$ paid by User X at Merchant Y), and that it is possible to cryptographically compute sum($$$ of A intersect B) without either side learning Set(User X).
Now whether you believe in the security of the algorithm and whether there are side channel leaks or attacks is another issue.
Very much this. I downloaded my data from Facebook last week, and as you say, it's just stuff I have shared and not any of the tracking/profile stuff. Can't say I was surprised at all.
Right before deleting my account, I also downloaded my data. The most illuminating thing I discovered that there were several advertisers that 'had my contact info' that I had never dealt with in any way (as far as I know), including lots of political groups from all over the country, even though I made a point to never engage in or post anything even remotely political when I had an active account.
There's a ton of it. This should be beyond obvious. The purpose of Takeout is to let you retrieve all the data that you have uploaded to G. You can take this data and then, perhaps, move to a competitor or even good your search engine. None of this includes or precludes the sophisticated analytics and surveillance that G performs to enrich and value-add this data. That is proprietary secret sauce stuff.
This article is just dumb clickbait. It's too bad the conversation is now being driven by rank nonsense. G, Jolie Facebook, does not sell data or profiles of you to third parties. That is what people should be focused on as a first step, the buying and selling of data.
I provided an example in the comment already, and in a child comment, I've now linked to a Google source where they state the data they are getting. And of course, to connect the credit card data they are buying with the Google accounts they are showing ads to, they have to be able to associate a given credit card transaction with a given Google user account.
The Activity one is a bit scary though. How many Android users are aware that Android tracks their app use and whatnot in this fashion?
I think that's a point to take home. Users know that Google looks at their "location information". In their minds, it's to provide relevant weather info and whatnot. Seeing it aggregated in this way makes you realise that you actually are sending your entire life to Google servers.
Every time I've shown people stuff like that, they shrugged: "so what ?". They. Don't. Care.
That's the problem, right here.
Not that entities are selling people's privacy. Bad guys have always been there, and will always be. But usually people want to act against them.
In this situation people don't want to. We got a very sudden outrage out of sheer media amplification effect. It will fade. And they will go back to trading what's important to what's convenient.
> Every time I've shown people stuff like that, they shrugged: "so what ?"
Some of this is genuine indifference to the problem, yes. But I think some of it is a lack of perspective.
After years of sweating tech privacy issues, it's very easy for me to say "oh, they track app usage, which means they track app opening times, which means they can probably tell when you go to bed every night based on the last time you open Twitter." Or construct a hundred other scary (and accurate) stories about how this sort of data can be used to build whole-life profiles of people.
Outside of tech, it's not so obvious. "They track which apps I open when, and said it's to help improve battery usage. What's the big deal?" And of course that's also true, this is useful data for innocent purposes like "predicting what you'll reopen next to expire that from memory last".
But my concern is that there's an enormous gulf between showing people what's been collected, and how it's used. This article makes a bit of an effort, but it's still far short of the sort of example narrative that actually catches people's attention.
Back during the Snowden stuff, there was a lot of talk about three-hop collection. And I think basically no one cared, because it's such an arcane description. But somebody made a tool (which, damn it all, I can no longer find) showing how location + call data at three hops could create a false-but-convincing narrative that someone was a terrorist. I showed that to a couple of family members, and suddenly they were way more concerned with the topic.
It's not easy, I think this is a losing battle and I'm not sure how to change that, but I think people do care when they have useful context to work with.
Most of these people don't even know how the technology works. Enabling firewall makes them feel secure because it shows them a Green tick mark in a green circle. A file shred application is good to them (if they even care) because it shows an animation that feeds a file to a shredder and breaks them into pieces.
They are never going to agree that they can be manipulated this way. Oh, and some people feel website x is secure because there is a green lock symbol in the URL bar. Some are more secure, because the green bar is a bit longer.
We just have to be careful thinking everyone is ignorant except us. Stating how some UI patterns are interpreted by some people doesn't mean anything. That some people are ignorant doesn't mean they all are. I'd like to think I'm not, and I don't see many of these "problems" as worthy of new legislation.
Except when all other measures have been exhausted, we shouldn't be so quick to run to the legal system clutching our ban hammer with our perceived state of righteousness.
Another problem I often see (not here, just saying in general) is how false equivalence is constantly brought up. Oh, so we should just let companies poison food or build insecure cars or whatever. I hope that with user data we can be more reasonable in how we legislate it and at least try to realize the unforeseen costs on the "good guys" vs the "bad guys".
I know “how the technology works”, and I don’t care. If anything, I think I might benefit in the future from availability of all that behavioral data they gathered on me, because one day a sufficiently advanced AI might analyze it and provide some insight into my personality.
If people are in a burning building and half of them keep putting the content of the bar into the flames saying it pretty and fire can't harm us anyway, it's a problem.
Windows 10 do for Microsoft (sucking up and sending to M$ EVERY THING you do) what Android does for Google.
Apple is a bit better (less-worse) on this. They do log many things in the background, and hopefully stopped (as they promised) to upload everything on every sync you do.
I agree with you on the technical merit (or lack thereof) of illustrating the magnitude with colorful metaphors.
However, a counter point: I feel it is useful and helpful to our cause to have authors such as this creating those colorful metaphors. We have tried in vain to communicate to laypeople the importance of data safety, self-ownership of data, being mindful of one's privacy, and being suspicious of the data collected by third-parties. I believe laypeople remain disinterested because the way we raise these concerns is abstract.
In order to convince laypeople that control of one's data is important, those of us who are matter-of-fact on the matter will convey the facts and try to construct fairly mild-tempered plausible threat scenarios that are, frankly, unconvincing to the majority of people we are trying to convince.
For a good chunk of those we're trying to convince, vibrant and (to our minds, exaggerated) illustrations of the magnitude of the threat are what is necessary to tip the scale. The recent twitter thread that showed a map of Ireland with every point the user had been in the past several years was a poignant visual representation of our argument. It made the argument way better than repeatedly saying, "Google tracks your location, always!" When we've presented that abstract point previously, we've heard "I don't care, that's fine" as a response every time.
And then someone shows them this map and suddenly: "Whoa, that is creepy!" Yes!
I for one welcome a bit of colorful language, as long as we don't get totally carried away. I don't really dig the "Well, duh!" attitude if we convey that to the people we're trying to convince. We're trying to make laypeople value their own privacy and feel good doing so. Not judged for having been ignorant of or disinterested in our previous arguments. Be welcoming of this good favor in the fight for data privacy.
> vibrant and (to our minds, exaggerated) illustrations of the magnitude of the threat
In this case, though, I don't think it's an illustration of the threat at all.
The location tracking map may be visceral enough to motivate
people, and that's fine. Sometimes people need a strong visual to act on something they already knew.
But the "5.5Gb, millions of Word documents!" bit? That's an archive including your Google Drive files, of course it's comparable in size to the free storage Google provides. And perhaps more importantly, if your Takeout archive is only 10Mb, that doesn't even begin to imply Google lacks records on you.
Potent metaphors are great, and I certainly recognize the problem of techies saying "yeah, duh, obviously" without helping people really understand the consequences of a topic. But in the Takeout case it feels like responding to consumer indifference about real problems by sparking fear over a basically meaningless topic.
The problem isn't how they describe the size of the data. It's that the data whose size they describe is completely irrelevant to the point they are trying to make.
I didn't say "well duh, Google has at least 5GB on you, that's a small number really". I said "well duh, of course Google has your gmails and Drive docs" - and they are as small or large as you make them, their size is completely irrelevant.
I did snipe at the comparison to Word docs, not because it's a non-commensurable unit but because Word docs don't have a size - I can easily make a single Word doc 5GB large. But that was an aside quite irrelevant to my main point and maybe I should have omitted it.
It's true but long ago I grabbed my takeout archive and was surprised by a few documents about my history of this and that (can't recall, probably gmaps routes I didn't know were stored)
You might be a bit too critical with the journalist, the example you provide is the final one after pointing all the not so "obvious to ordinary end user" data Google has about someone. Is it perfect, no. But its good that more mainstream media is discussing these things so people get a better understanding of this.
Maybe it will stop folks from uploading unencrypted data to cloud providers down the road and improve research that allows cloud providers to process encrypted data meaningfully without every being able to decrypt.
The 3m pages of word doc is odd, but its not uncommon to convert overall size to word doc pages in journalist speech (just map size to average word doc size), and then they disregarding data type. I have seen this in other places too.
NO, NO, NO. This is not all data Facebook/Google has on me. It's way less.
What I don't get in all of this debate: People grant FB/Google/any other app access to their data and seriously expect that their data isn't harvested? IMHO, there really is zero surprise that Facebook has your call and SMS history, if you granted access to that. Or every single login timestamp.
What is way scarier is that the dump you can download is probably far from complete. My Facebook dump shows rather few items, because I'm not a heavy Facebook user. But I'm quite sure that they have A LOT more on me, because of friends uploading my phone number, profile pictures, meta data from the WhatsApp acquisition.
The big scary question is: How do you access the data in your shadow profile that they won't give to you? How do you even prove that they have more on you than they admit?
Edit: Same for Google. I don't use a Google account most of the time and I bet they STILL have my entire search history associated to some kind of shadow profile.
when you provision a new android device it will try to link your account to chrone, and its very hard even for a developer to catch its chrome and not android os. after that small mistake (which is an optout in the ui pattern) its game over. google have all your history and every webview ad has your full profile. not to mention your web bank passwords are now conveniently save in google servers in plain text.
and yes, an even worse problem is the hidden data/shadow profile.
The section labeled "Google has information you deleted" is a bit misleading.
If files are in your "trash" they will be included in your takeout. If you clear your trash, they will not be included in your takeout (after a reasonable amount of time, if you "empty trash" then instantly go and make a new takeout bundle it might still be included). It's the same way with spam and email trash. It's given to you in your bundle until you manually fully delete it.
Implying they keep everything you ever deleted is wrong.
Edit: I don't want to get into hypothetical arguments about what Google could possibly be doing. I'm simply saying that the reason the author had "deleted" things in their takeout archive was because it was most likely in their "trash" and wasn't fully deleted in the UI. And that "things in your trash folder are included in your takeout bundle" isn't "proof" that they never delete anything.
> If the sender is on gmail, and you delete the message, does it remove it from their sent box as well? What if there are multiple recipients?
Obviously google won't "unsend" email, they aren't a DRM platform that will delete data anywhere that anyone you have ever shared it will has ever sent it.
> If you reported it as "not spam" and then trash it, is it removed from the "ham" training set?
But things like "spam" email will be "unlinked" from your account at the very least, and possibly fully deleted (does information "learned" from a spam email count as that email in your mind? If they use a neural-net to train spam filtering does that become "your data" when it learns from something of yours?)
But regardless, I didn't want to get into internet arguments about what the big companies might possibly be doing through a shitload of what-if's. I just wanted to point out that the reason the author of the blog had 'deleted' things in their takeout was because they were in the trash, and the trash wasn't emptied...
But from what I have seen Google takes infosec very seriously, and will fully delete information when they say they delete information. They even point out that it could "linger" for (IIRC) 90 days after you delete it in backups and other replicated copies, but after that should be fully and completely deleted.
Hopefully they so take infosec as seriously as you assume they do.
However, we have repeatedly seen profits prioritized over security in the corporate world with negligible repercussions when the data is inevitably compromised.
I knowingly and happily give my information to Google, and I trust that they do not overstep their bounds when I tell them not to collect something.
If Google ever gives me a reason to not trust them I won't. But thus far they have been okay in my mind and I'm happy with the services I received and the tradeoffs made with regard to my information.
I fully expect more nastygrams and threats from people for saying this, because it happens every time I say I trust a company.
>Saying "I trust company X with my data" is the same as saying "I trust that company X cannot be hacked".
No it is not, and it's also why I didn't reply at first because I had a feeling it would go down this path.
I don't believe for a second that my data will never be "hacked" at Google (for whatever definition you want to think of for "hacked"). But I do believe that Google has done their due diligence in preventing that kind of attack to the fullest extent they can, they give me the tools to remove data that I want removed, they are competent in their architecture to make leaks and hacks have limited scope, and i'm confident that they will be able to uncover evidence of "hacking" and will use the legal system to go after those responsible limiting the damage that a "hack" can do.
I enjoy the benefits I get from Google. I like that they scrape my email for calendar info, flight info, package info, etc... I like that they track my location and create automatic albums for pictures I take (and upload to them) while at a location. I like that they can get location indoors using wifi APs or that they use my voice in ML training to improve the product, or that they offer me relevant ads to pay for those free services and products instead of ads that have little or nothing to do with my interests. I like that I can go back and search my hangouts (then google talk) chats from my friends from over a decade ago, or that they backup my files that i put on google drive, or that they record what apps are on my phone (and some data from those apps) so that if I need a new phone I can quickly set everything back up, or that they store saved passwords on their servers so that I can easily get the same ones on multiple devices, I like that my reviews of apps/places can have my name and face put on them and that reviews from my family and friends show up over random people online, etc... And I especially like that I get most of this for no effort on my part. No servers to maintain, no software to setup and manage, no security needed on my part aside from keeping my username, password, and second factor auth secure. I only have a limited time on this planet, and I don't want to spend it setting up private email, storage, photo backup utilities, and whatever else that I get "for free" through Google services.
I'm not being tricked here, i'm not "missing something" or pretending that these companies are infallible. I'm making a consensus decision to trade information about myself to a company I trust for tangible benefits. If that company becomes untrustworthy, then I will adjust my feelings and behaviors, and I will most likely be hurt by it at some point (because you can't un-give information, especially not to a bad actor), but again that's a risk i'm willing to take.
I don't know why I typed all this out, and I don't mean to target it all at you personally, just at the boogeyman I've built up in my head of "internet person telling me i'm dumb for trusting a company". It's exhausting constantly having to defend against what-if's because I want webmail, or being constantly berated and insulted for making tradeoffs with my own privacy like it's some kind of personal insult to people that I am not as private as they are (there's nothing wrong with privacy, I advocate for it quite a lot, but your whole life doesn't need to be private all the time, i'm happy to share some aspects!).
Fair enough, you seem much more knowledgable of the risks (at least on an individual level) than the vast majority of users.
However, have you considered the threats to national and global security that are posed by the centralized aggregation of billions of the most detailed psychological data profiles the world has ever seen?
To what extent is this, or will this be enforceable? Is there an obligation to securely erase data? If not, presumably someone could store user data on a log-structured file-system and disable garbage collection, or similar.
I feel a disclaimer that The Guardian uses Google Ads, Google Analytics, and Google Tag Manager on the site to track you and help Google further track you should probably be added to a scaremongering article about Google tracking the user.
I feel most technical people are aware of the level of tracking going on. The more privacy concerned do what they can to mitigate it.
Yeah, but I find it kinda hard to keep up with their development speed. Every year or so, I find out about Google having introduced a new option which is on by default and that Google has started collecting data from me again.
I broadly agree. I've been willingly giving Google, via an account, as little data as necessary since I got a Gmail account ~14 years ago. I've never had a moment where I regretted what I've allowed them to have access to.
Like most people here with a Google Account, I've disabled as much of their harvesting as I can.
I've received an extraordinary amount of value from several of their products - such as maps, search, email, apps - and I never click on ads. The value received versus given disparity is beyond comically in my favor.
By comparison at this point I'd rate my value context with Facebook as net negative across my lifetime use of the product. The value has plunged the last four or five years. The first few years I used the product (after it became freely available to the masses), were slightly positive or quasi-benign at worst.
The difference in terms of product experience is largely that with Google, I don't deal with other assholes that routinely make my day worse, whether in the form of ugly politics, petty rage, or spam posts (whether commercial or personal posts).
Let us reserve our judgment on Google for now. But FB is far worse than what you say here. Suppose I group people into
1. Those who actively use Facebook and willingly tell it everything about their lives
2. Those who actively use Facebook and unwillingly tell it everything about their lives (who don't know what data it collects)
3. Those who once actively used Facebook
4. Those who have never created a Facebook (or WhatsApp or Instagram) account
The real issue is, FB likely has as much private data about group number 4 as group number 1 because of their shadow profiles (which they euphemistically refer to as "future Facebook users"). And their current or past employees seem to be a little too conveniently blind to this matter. See here for e.g.:
https://news.ycombinator.com/item?id=16676720
Google also has a lot of category 4 data; although I don't have any Google accounts I am well aware that they track everything coming from my IP addresses, and from any of their cookies that I inadvertently allow through.
All Google's posturing about 'review and manage your data' is meaningless to me in that regard. Why can't I ask them to delete everything associated with my IPv6 block, for example?
> IIRC, this was announced as part of a program that uses double-blinded crypto that allows google to perform matching against this data in aggregate (Set intersection knowledge), but not individually identity of what a given user purchased, at the same time preventing the merchants from learning the identities of individuals either.
> According to what they presented at a crypto conference, they went to great pains to avoid capturing personally identifiable transactions. The overall strategy is that Google Knows = Set A = (all ads shown for user X at Merchant Y) Merchant/Credit Card Proccessor Knows = Set B = (all $$$ paid by User X at Merchant Y), and that it is possible to cryptographically compute sum($$$ of A intersect B) without either side learning Set(User X).
> Now whether you believe in the security of the algorithm and whether there are side channel leaks or attacks is another issue.
My google activity history, youtube search/watch history, and location history are all completely empty because I've disabled all of it. I would recommend going through the privacy checkup[0] to control what does and doesn't get saved.
I also did it some time ago, but I have a feeling, with nothing to backup my claim, that they still log, store and analyse all my activity but just don't show it in the dashboard. I don't know how targeted ads are (because of ad block) but youtube doesn't suggest me anything based on watch history so I guess I might be wrong here.
One thing I like to do is just leave them all on, but minimize my contact with Google's services. Then I check in every few months just to confirm they haven't collected anything on me.
Off topic - I am actually working on a framework to automate the process of self-hosting these services on some VPS. I might open-source it once it is in usable shape. But some things just have no real alternative(like maps and android)
Has there ever been any statement from anyone even remotely involved with data collection at Google on what "pausing" these collection options actually does internally? I somehow find it hard to believe that they don't just collect it anyway and only "pause" displaying inferences made using the data to you.
In a lot of cases, from my understanding, disabling storing data about "your account" just stores data about you with an anonymous identifier.
For example, voice search history you can enable or disable, if you enable it, you can see and listen to all your queries and delete them if you so choose. If you disable the history, Google still stores recordings of your voice and uses it to "improve their service", they just associate it with an anonymous identifier. The downside here, of course, is that you can't delete the copies of your voice Google is now saving despite your desire for them not to keep your history.
(I am having a hard time finding exactly where Google currently states this, but I have a high level of confidence this is how it works, as officially stated by Google, for voice activity.)
The better Google help article is this one, but it merely states changing the setting determines whether or not the audio activity is "saved to your account": https://support.google.com/websearch/answer/6030020
I recall Google's articles being clearer on this point before, either I'm not looking in the right place or they may have obfuscated it.
I don't have any evidence whatsoever but I speculate that between the options of:
1. collecting data and hiding it during times it was paused
2. checking if data collection is paused during collection time and keeping it/throwing it away
Option (2) is the easiest and most foolproof. For (1), all it takes is a single tiny bug in any code that handles your data history and their whole privacy stance is shot.
Right? Maybe I'm not explaining very well. I feel like we're agreeing.
Checking a bit and discarding at collection time is the easiest. You need to ensure data collection is aware of this setting, and anything that manipulates this data doesn't need to care whether or not some data is "hidden" or not.
> That doesn't sound foolproof at all.
Right - If you go the route of collecting all data and hiding it later then all tools that interoperate with customer data need to make sure they don't accidentally expose "paused" data back to the customer.
Given two choices of throwing away data at collection time, or forever in the future trying to hide data from the customer, it seems simpler to throw away data at collection time.
This person stored their PGP private key on Google Drive, which they use "to encrypt" emails. I'm glad the author is security-conscious enough to know what PGP is, I guess. And that they deleted it from Drive (didn't say why, hopefully they came to their senses about the more-than-usual amount of trust they were placing in Google).
Is there a valid use case for "encrypting" email with a private key? I guess signing a message is technically encryption, but it's not typically called that, right? I'm hoping their use of "encrypt" in this context is just an error, and that tech reporters at the Guardian understand how key pairs work...
One of PGP's functions is to encrypt email. Why would you expect someone be savvy enough to understand how PGP works but not be savvy enough to use its main function?
When you encrypt an email with PGP, you use the public key of the individual you are writing to, not your own private key. You should only use your private key to read the mail encrypted with your public key, or to sign messages.
Who says he was using it to encrypt Gmail email (how would the key being on Google Drive even help with that)? The key may have just been in transit. For example, moving a subkey to smartphone in order to import it into a PGP app on the phone, and Drive just happened to be the most convenient way to do it. If the (sub)key is encrypted with a strong password, as it should be, it's fine.
> Is this really surprising to anyone but the laymen?
That's a pretty huge caveat. "This isn't news, except to the majority of people". It's an article in The Guardian, it's obvious intended for the "laymen", of which there are a pretty big number.
> of course they store everything the user does, why wouldn't they?
That's the crux of it, for me. I agree, they have no incentives not to hoard data. So those incentives, like GDPR, should be created.
> That's a pretty huge caveat. "This isn't news, except to the majority of people"
TL;DR defaults matter to the layman - the 99%, google will say they gave you the options (so many that it's tiresome for most people to bother going through).
Yup, when reading through all of the stuff I was just checking off my mental list of all the things that don't affect me. I don't use google on phones, and for gmail stuff i've already trawled through the massive list of options to stop tracking and logging various stuff. Additionally I only log into a google account in isolation so it can't join history together.
Even after all of this I recognise that google mostly likely has other tricks up it's sleeves like browser fingerprinting to join sessions together and associate their activity with my account in secret, not to mention they are mining all of my email of course, but this is the best I can do while continuing to use a google account (and even without a google account they can still track individuals via other means).
This is only practical for those the most aware of what these companies do and the most interested in preventing - understandably, the layman just wants to use it as intended without doing days of research and digging through piles of options in paranoia trying to turn everything off, these types of services rely on this fact. I am not a normal user and they really don't care that 1e-10% are evading them, they are relying on the fact that almost all of their users wont be going to great lengths to turn all the tracking and logging options off.
>I mean, of course they store everything the user does, why wouldn't they?
Because their behavior fits the legal definition of stalking in many jurisdictions. Yes, the user "consented" to the stalking, but many of their friends which are being stalked as a result did not.
I think that's an unfair assessment. While this is the perfectly easy to access data we, hackernews savvys, are familiar with and isn't insight to the true analysis we know Google has internally. Don't dismiss this as something your average Guardian reader is aware of.
I'm sure many non-technical users will find the article very informative. "Clickbait" implies that the headline is controversial but the content is not. Clearly the content here is extremely controversial, especially if you had no idea that Google is literally tracking your every physical move. On the contrary, I found the article a pretty good list of the information Google and FB have and that's what the title implied. Not clickbait at all.
I wouldn't be so fast to dismiss it as clickbait. Do you really think non-tech people are aware of the amount of aggregated data these companies have on them?
What percentage of users do you think fully understand that Google is literally tracking their every footstep? Yes, it's Google tracking you whether you realized it or not. Tracking is not and never has been "opt-in".
I don't know about clickbait, but The Guardian, NYT and Bloomberg seem to be going very heavy on the Facebook stories. Is it because negative press sells or do they have a vested interest in seeing Facebook fail (as in they hope readership will surge)? Could be both, I guess.
"We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos."
You can get people to do anything with the right incentives.
Took advantage to go onto Google and give it even more info on what ads they should (and should not) show me. That's probably not what the Guardian expected/wanted me to do.
I may be alone in this, but I expect that everything I do on the Internet is done in public. Nothing new here.
If I want to send a private message, I'd use Signal since the cellphone company has logs of your text messages. I really like that there's an option to delete your messages after a certain amount of time. Though I only use it over WiFi.
There's also Tor, which I use in combination with an obscure e-mail service that allows you to create accounts and login over Tor.
If you want to encrypt the actual email message, then I use GPG, but it isn't always practical.
I bought an entry level fountain pen, some ink, some lightly cotton blended paper and stamps.
Then I got hooked.
I learned how to fold paper into its own envelope. I bought supple wax and sent a design for a custom wax seal stamp, so now I can mail a letter that is wax sealed domestically or internationally.
My friends love getting letters in the mail that's not spam. And a few even write back. One made his whole envelope out of duct tape.
We still call and text, of course.
And now I am practicing calligraphy in order to craft my own book, binding and all. I got very inspired when I saw the Book of Kells and Chester Beatty collection in Dublin.
Practically this has cost me (the fountain pen setup plus forever stamps) $100 USD. But that's because I bought a nice ink. So I think if people have a little bit of disposable income, and have Netflix to cut out of their life, could pick up old fashioned writing to catch up on life's details in private.
Heck, could even skip the writing and just buy the envelope and stamps, and type up a letter to print and mail!
I totally subscribe to this novel idea. However, I hear rumblings about doing away with the USPS for various reasons. It's nice to know I'm not the only one still using some "analog" methods to communicate.
I've generally felt the same way, but it seems that in the last couple of years the line has become blurred. For example, if I have a smartphone that is always connected to the internet via 4G, and I speak within range of the microphone, does that count as doing something "on the Internet"? Then devices like Alexa or Google Home enter the picture. As more of our lives become connected, the line between what is and is not online becomes much more difficult to discern.
How feasible is it for Google/Facebook to infer/build profile of private browser activity?
Since most sites implement google Analytics and Facebook tracking code (ghostery is reporting both on the guardian website). They could use browser fingerprinting, which has already been proven to be extremely accurate, to augment known user profiles and data. Facebook already creates shadow profiles for people without profiles. I don't think there's any US law from making these inferences from "voluntarily" submitted information so it's perfectly plausible they would do this without telling people, no?
A more compelling argument for users to take privacy seriously would be to tell them: Hey guess what Google has the ability to know what porn you search for (yea even in your private window) since you're sending them all the data required to track you, and there's no laws in place to prohibit it.
I'm presuming that you're not talking about Firefox's Private Browsing mode, which comes with an actual tracking script blocker.
The biggest factor for tracking without the ability to store things on the client is IP-based tracking. In many cases, the IP address narrows the number of possible persons down to a handful. Then you can use behavioural analysis, fingerprinting or factor in other data to narrow it down those last few meters.
And well, any time you visit a webpage which has a DoubleClick ad on it, uses a font from Google Fonts, incorporates JQuery from Google's server, incorporates Captcha, Maps, YouTube, Custom Search Engine, Google+-Button from Google's server, etc., or in fact, even though this is the least of your worries then, Google Analytics and Google Tag Manager, any time one of these is on a webpage you visit - which is pretty much every time you visit any webpage, your IP address is sent off to Google.
And now comes the bad part: As is information about what webpage you're currently on, as part of the HTTP Referrer.
And I mean, if your URL is not resolved by 8.8.8.8, you can consider yourself lucky, too.
So, Google effectively has your complete browsing history, whether you're in private mode or not.
Facebook is not nearly as bad in this respect, but their Like-Buttons are rather widespread, too, and they do have an analytics framework, as you've already pointed out.
I would like to add that not only does Facebook have like buttons everywhere, many websites add Facebook analytics code as well to track performance of their ads.
This headline is patently false, Facebook is known to purchase information on people from Data Brokers and none of that is included in their data downloads.
Things like MAC address logging and such is also missing.
The only things included in the download are things you've given them; pictures, messages, likes, contacts, web browsing history, and phone metadata if you gave them permission on your phone.
If they were able to purchase phone metadata from your service provider, it won't show up there.
If all Facebook kept was user-submitted data it would be orders of magnitude less creepy than it is.
However, they have also been capturing your webcam as you type out each email. Please see document #3015698 for the top 3 most likely things you will eat for breakfast over the next week over what is most likely in your fridge right now
The Google timeline has surprisingly missed a log places that I have been. They are either not telling me about it, or they don't store everywhere I go.
https://www.google.com/maps/timeline?pb
If your laptop doesn't connect to anything, it has no idea where you are.
If your phone doesn't connect to anything and enable location services (GPS is costly in terms of battery though), it has no idea where you are. Of course, your phone -is- connected to the cell network most of the time, and so theoretically it could calculate where you are to within a mile or so, but that, 1. Takes battery, and 2. Isn't that accurate. So there's a good chance it wouldn't bother.
This misses the wifi router data Google collects via android phones. Android is a sieve designed to enable a spyware economy like the rest of Google who are creepily stalking every human unfortunate enough to use their services.
But most here know about this, many are intimately involved in it and are happy to defend it. Outrage targetted at Facebook while making excuses for Google feels inauthentic.
Everyone wants an ethical society but when it comes to paying a price economics always wins out and we are left with the spectacle of the privileged hand wringing, blaming the system, blaming the victims and acting helpless. If you can't be ethical you can't expect ethical behavior from anyone else and you get the society you deserve.
I was actually surprised going down the list at how little Google has on me. I mean, I've used Duckduckgo for a long time and never used Android, but forgot I had turned off ad personalization and deleted youtube and search history.
I'm surprised they didn't have anything in search or youtube because I deleted the history long enough ago that I didn't remember doing it, so I've successfully stayed away from using them.
Still waiting for the data download, but I know they have all my gmail messages and some stuff I put on Drive a long time ago.
So I clicked on several of the Google links in the article to see what info they had on me, and all of the resulting pages prompted me to sign in to Google to see the info. (Which I did not then do.) So... they're only gathering this info on people who use Google services while signed in? It's not like you need to be signed in to use search or maps. I thought that this article would be about how Google tracks you without being signed in, and even if you clear your browser's cookies.
By making this data so easy to see (which I admit is really nice) Google makes it that easy for other people to see it if they get your account log in. Sort of Scylla and Charybdis here.
“Location Services permission is not set to always. Timeline cannot function properly if you don’t allow Google Maps access to your location while in background. [Skip][Turn On]”
Seems like I should be able to see what historical location data they have without enabling background location.
What kind of noob "data consultant" must you be if you didn't know years ago you can opt-out of most of the google stuff? Google allows to deactivate/delete (we dont know if they do but at least its offered) most of the stuff he wrote about. Facebook is its own story, but then again..his own fault for using and pushing data up there
...and once again, an article that could have actually gone in depth on this topic, manages to leave out the data these companies collect and purchase from third parties (e.g. credit card transactions) and public records.
An accurate title for this piece would have been "This is all of the data Facebook and Google are willing to tell you they have on you"
>Somewhat pointlessly, they also store all the stickers you’ve ever sent on Facebook (I have no idea why they do this. It’s just a joke at this stage).
It's pretty obvious Facebook needs to store the stickers you sent if they store your chat history. They come in their own directory in the bundle so they can be shown in the chat HTML pages.
Both of those services are free of charge. What did people think was going to happen? I really don't get the huge amount of paranoia these stories have been generating recently. You're using an SaaS platform, so yes, they have your data. "Your data" is literally their business model.
Kind of shitty that they didn't mention that you can delete the data from your Google account and disable further data collection (at least for the stuff mentioned in the article). I guess that would have made the article more informative and less scary.
Can you? Does that actually delete data from Google's database? Or does it just flip a switch so the won't serve you "personalized" ads based on that data?
I don't know what really happens when you click the delete button but I assume it does what is says. Why would they offer to delete the data and then not do so? Some intern finding out about that would cause a PR disaster and maybe even legal trouble. Doesn't seem worth it, they could have just not added the feature then.
The fact that Google stores deleted documents from my drive makes me kind of uneasy... why would they ever need this? Speaking of which, does anyone know if the contents of your drive is used for your ad profile?
It's funny, I bet Google is glad this article is out there. Look how easy they make it to see "everything" they know about "you". And you can delete it if you want!
When they are thinking about this article, no one will worry that you can't see any profile they have for you when you aren't logged in.
I believe the primary reason is that there's a pretty big industry around tax preparation that's making that difficult.[0] I've also heard arguments that there are anti-tax motivations that want to keep it difficult so people view taxes more negatively. I don't have any info on the latter, so take that with your daily recommended allowance of sodium chloride.
> The data Google has on you can fill millions of Word documents. > Google offers an option to download all of the data it stores about you. I’ve requested to download it and the file is 5.5GB big, which is roughly 3m Word documents. This link [Google Takeout] includes your bookmarks, emails, contacts, your Google Drive files, all of the above information, your YouTube videos, the photos you’ve taken on your phone, the businesses you’ve bought from, the products you’ve bought through Google …
Well duh, Google stores your gmail emails and Youtube videos and Drive documents and so on! This is the service they're providing you! Google Takeout doesn't give you a 5GB archive of advertising profile or covertly gathered info, it gives you a 5GB archive of the documents you deliberately uploaded to Google services - emails, docs, pics, videos, calendar appointments. The list of Android apps installed on your devices is there so that when you link a new device to your Google account, these apps will be automatically installed on it. And so on.
There's a single link on that list related to surveillance - namely, your Google Ads profile, which only shows very basic data, I'm sure they have vastly more complicated data stored on me.
There's enough genuine reasons to be upset with Google's surveillance, let's not promote this kind of silliness. Google knows which Google Groups you're subscribed to, really? 5GB could fill 3m Word docs - how many is that in Libraries of Congress?