A Search History Privacy Tale

Worth a read. This fellow has noticed a flaw in how security is – or is not – handled in Google’s approach to personal search history.

Yes, I did give my permission for someone to log in to their Google account from my laptop. However, I reasonably expected Google to log him out after a while even if he did not log himself out. Then I realized that this is probably not a bug, but rather an architectural limitation. Google cannot tell when a person has finished using a particular computer or if in fact that person actively uses multiple computers. For personalized search to work well, Google needs to capture all of a user’s search activity. While doing that aggressively, Google became a tool for compromising my privacy.

As a result, my search results are not only “owned” by someone else, I don’t even have access to them.

13 thoughts on “A Search History Privacy Tale”

  1. I imagine that’s why personalized search shows the current user info and says “sign out” in big friendly letters on the upper right of every page, and why you have to check “remember me on this computer” when you sign in.

    I would classify this as user error, not a problem with google. I would be annoyed if I had to sign back in every hour or two–and I don’t see how google could make it any more obvious who you’re signed in as without making it blink or something…

  2. My guess is that when anyone logs into a Google account, by using a machine that is already logged into a different Google account, Google knows this by checking its record of which username matches the 2038 cookie with the unique ID in it. If it doesn’t match, the cookie is overwritten with a new unique ID. That machine becomes your friend’s machine as far as Google is concerned, until such time as someone performs a logout, or someone else performs a new login on top of it.

    If you had noticed that your friend’s account was still active on your laptop after he left, you could have looked at all of his Google terms, the same way that he looked at yours. What this amounts to is that your friend was logged into two machines simultaneously — your laptop and his usual machine at his home.

    The logical point of interception for Google to improve this scenario, would be for Google to refuse to accept a new user login if someone is already logged into the same machine. They should require a password from the old user in that case, so that the old user can log out before the new user takes over.

    And the logical point of interception for users is to avoid Google’s sloppy security, and its cookie that expires in 2038, and use a proxy so that Google doesn’t even get your IP address. Google is not your friend.
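The fix proposed in the comment above (refuse a new login while another user's session is live on the same browser, require the old user's password to end it) and the original poster's expectation of an idle timeout, sketched as a server-side session store. This is an added example, not Google's code or anything from the original post; the credential table, the two-hour timeout and the method names are all constructed for the demo.

```python
import hmac
import secrets

IDLE_TIMEOUT = 2 * 3600  # seconds; constructed value, the "hour or two" the commenters mention

# Constructed credential table for the demo; a real service stores password hashes.
USERS = {"owner": "owner-pass", "friend": "friend-pass"}


def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Server-side sessions keyed by the random id carried in the browser cookie."""

    def __init__(self):
        self.clock = 0.0  # injectable clock (seconds) so the behaviour can be tested
        self._sessions = {}  # sid -> {"user": ..., "last_seen": ...}

    def active_user(self, sid):
        """Return the user bound to sid, expiring the session if it sat idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle session is ended server-side, not just in the cookie
            return None
        s["last_seen"] = self.clock
        return s["user"]

    def login(self, user, password, cookie_sid=None):
        """Refuse to overwrite another user's live session; otherwise mint a fresh sid."""
        current = self.active_user(cookie_sid) if cookie_sid else None
        if current is not None and current != user:
            return {"ok": False, "reason": "other_user_active"}
        if not check_password(user, password):
            return {"ok": False, "reason": "bad_credentials"}
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock}
        return {"ok": True, "sid": sid}

    def logout(self, sid, password):
        """The signed-in user must re-authenticate to end their own session."""
        user = self.active_user(sid)
        if user is None or not check_password(user, password):
            return False
        del self._sessions[sid]
        return True
```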

  3. I would classify this as a google error, not a problem with users. I would be annoyed if I forgot to logout and wasn’t automatically logged out every hour or two–and I don’t think google putting your id at the top right makes it obvious who is signed in, nor do I think someone else would obviously notice it and always “logout” for me.

  4. In order to protect one’s privacy online, one must practice good “internet hygiene”: Log out after using any service, clean your browser regularly (browser history, cache, and especially cookies), verify who you are logged in as, etc.

    If your hygiene habits aren’t good, you can’t really be surprised when they fail to protect you from this kind of thing. Don’t brush your teeth, get cavities. Don’t use a condom, get STDs (or a baby). Don’t log out or clear your cookies, get a stranger in your accounts.

    Cleaning your cookies is especially important, since many sites out there (which I sometimes end up at when I misspell a domain name) can use scripts to read your cookies and thus help themselves into whatever account you are logged into at the time. Well, it’s not quite that trivial, but still pretty dangerous.

    I have two different Google accounts I use for many services (one which is personal, used for serious things and for emailing friends and family, and one whose email address is given out online, likely to be spammed, and not easily connected with my real name), so every time I visit any Google-related page, the very first thing my eyes do when looking at the page (it’s almost not conscious) is to see which account (if any) I am using.

    I also have more than one PayPal account, bank accounts with three banks, and credit from three OTHER banks. You can bet your behind that I am never logged into any of these sites for any longer than I need to be; as soon as I’m done, it’s “LogOut”!

    Google puts the Google Account information on the top right for a reason. If you ignored it, and if you don’t log out, then that’s your fault. And if you’re surprised that it did not log you out, then that’s your fault too: Upon signing up for a service that holds such precious information, you should have either read about the persistence of its log-in, or tested it, rather than just assumed it works as you wish it did. You know what they say about when you “assume”…

    I realize this particular user might have never signed up for Google’s search-history feature himself. Someone just went on his computer and logged on to a service that allowed them to see the Google searches he made from then on.

    I guess a good part of online hygiene is to let other people use your computer as little as possible, and to monitor them closely when they do.

    Is it the responsibility of the company who hosts your account (Google, your bank, your credit card company) to make it impossible for you to allow someone else access to that account? Yes, in part. But beyond a certain point, the responsibility falls on the account’s individual owner. Yes, Google has the responsibility to make sure no one can access your account unless they have your username and password, or access to your computer. But it’s up to you to restrict who gets access to your username and password or computer, and (if you care about your account) to watch the people to whom you give that access.

  5. If you pay for something with your credit card by giving it to a retail worker at a store or to a delivery person, and you then forget to ask for your card back and the salesperson/deliveryperson keeps it and buys stuff with it… is it Visa’s fault?

  6. Wrong questions produce wrong answers.

    The right question is, “Has Google demonstrated sufficient awareness of fundamental security issues so that it can be trusted to operate search history or search personalization features in a socially-responsible manner, even for users who have no conception of how cookies, browsers, and other web protocols work?”

    The answer is, quite clearly, “No.” If you study the situation and do some research, and you are aware that users must do certain things to protect themselves, such as logging out and deleting one’s Google cookies at least once a day, then go ahead and use Google’s services.

    But if a web newbie asks you about starting a Google account, you should advise them against it unless you are willing to teach them the basics.

  7. I don’t see what the big deal is; of course if someone else is using your computer you have to logout to “have back your browser”.
    The same is true if you are going to use any G’s product.

    This is not something about Google, but something about the users.

  8. If they’re that naive, maybe they shouldn’t be using a web browser at all (especially on a Windows machine). Just set them up with AOL and a browser that deletes all cookies on quit (like Firefox). Ta-da, no search history, no Google tracking. No adware tracking cookies, either, which doesn’t hurt. All they have to do is trust AOL.

    Or you could make them a tinfoil hat. I hear that works almost as well :-).

  9. I think Google is responsible in the sense that it is not making consumers aware of privacy issues with Google sites. A good company should try to educate its users about potential negative consequences and how a user can protect against those.

    Google has a very clean home page. It has links to their advertisement products, maybe useful for the 1% of their visitors who advertise on Google. But no link to their privacy policy, which is relevant for 100% of their users. Most users do not even know that a search log is sensitive information. Heck, even AOL researchers did not know, as they demonstrated last year. By simply putting a privacy policy link, at least users can be made aware that there are some privacy issues. Those who want can then try to seek more education. At the moment Google users do not even know there is something to learn as far as privacy on Google searches is concerned.

  10. “Most users do not even know that a search log is sensitive information… By simply putting a privacy policy link, at least users can be made aware that there are some privacy issues… At the moment Google users do not even know there is something to learn as far as privacy…”

    I think it’s just common sense. If you think that the terms you search for over a period of time are sensitive private information, then keep track of who has access to them! If you don’t think that the terms you search for over a period of time are sensitive private information, then there’s nothing to worry about.

    I think my emails are sensitive private information. So I don’t give out my email password, I make sure I log out of any email site before I leave my computer, and I log OTHER people out of THEIR email sites after they use MY computer, in case they forget. I did not need to read Hotmail’s privacy policy to figure THAT one out.

    Are you saying that banks and credit card companies must have links on their front page that take users to statements that say “We take your privacy very seriously, so we don’t give out your account numbers and passwords to just anyone, and we recommend you to not give them out either”?

    If a user values their information, then common sense should tell them to keep track of where this information goes. If a user feels that some of the things they do online are private, then they must pay attention to what accounts are being used on what sites, who has access to which aspects of those accounts (some things are public, such as Amazon wish lists, favorited YouTube videos, dugg links, etc), and whether those accounts can be easily connected to the individual’s identity. Isn’t that just common sense?

  11. I completely agree with Hiroko (first comment). The fault is partly with the google account owner for not logging out, and partly with the other guy for not ensuring that he was logged out of somebody else’s account (or logged into his own). I cannot believe that you could be oblivious to the logout sign and account email address on the top right corner of every Google page for over two months.

    However, this problem comes at an opportune time, because I am just trying to raise awareness on a security issue that stems from the same problem: the fact that people are more or less constantly logged into their Google account and often do not bother to sign out from their personal computer. This implies that all of their Google information is available for viewing by anybody who happens to get access to this computer for a couple of minutes. Google has justifiably taken steps to increase security for sensitive data: remember how the guy couldn’t access the searches in the other guy’s search history; even though he was already logged in (though in the wrong account), Google asks to re-enter the password to see this page. But there are other Google Services which are still not secured. Here’s an illustrated example of a suggested fix for Google Docs and Spreadsheets: Increasing security in Google Docs & Spreadsheets

  12. Bernardo,

    There are two flaws in your reasoning. First, privacy risks in other places are triggered by one piece of information leaking, such as when you leak your bank information and risk your bank balance. Whereas on a search engine privacy risks are cumulative, i.e., one needs to have a trail of searches from one person to risk his/her privacy. So in the search engine case, privacy risks are not obvious. If they were, then AOL researchers would not have made that grave mistake of releasing search trails after anonymizing users’ identities.

    Second, people do not even know that Google is storing their search trail. Many people simply think that if they close the browser and search again on Google, then these searches are not associated with the previous searches. It is Google’s responsibility to at the very least educate its users on the risks of using its products. This is not any different than the numerous warnings you see on various products on store shelves. It is Google’s responsibility to make sure that people could defend themselves against such risks. I do not know about your banks, but all my banks quite regularly send me flyers on their privacy policies and what steps I can take to actually improve it.

    Finally, I heard a quote that common sense is actually not that common. This quote is quite applicable here.

  13. Folks,

    Great to see a good discussion on this topic here and on our company blog. I would like to add a couple of points to the comments made here:

    First of all, my bigger concern going forward is the possibility that someone could turn this into real spyware, something that only runs for a few seconds and logs you in to some bogus “Google” account. After that, the mechanism that Google has so efficiently designed would kick in and start sending your searches to the bogus account. Other variations on this may include changing your login to something undetectable by replacing the letter “l” with the digit “1,” as suggested by Daniel Brandt on my original post. Since the spyware would only run for a few seconds, it could be virtually undetectable.

    Second, as some of you have asked, I also asked myself the question “how on earth did I miss the upper right hand corner login for two months?” Let me clarify that I never use the Google main page. I use the little search window in Firefox and directly go to the search results (you could also be using Google toolbar, for example). Here is a link that will take you to a heat map (which tracks eye movement) of Google’s search results page, which shows that people almost never look at the upper right hand corner. This is probably why Google moved some of their higher-paying ads directly above the search results.

    I think it is important to keep these discussions going. It is the best way to make companies pay attention and make their services better.
