Standard Mischief

Google can and should do better.

The interweb is alight with the buzz that Google is fighting the DoJ over turning over a ton of search results, and that’s a good thing, right? Damn right it is.

The DoJ is requesting the info because they are trying to resurrect a law that the supremes struck down a few years ago, the “Children’s Online Privacy Protection Act of 1998”. [1] MSN, AOL, and Yahoo all rolled over without a peep.

So here we have a law that immediately got slapped with an injunction, never was put into force, was struck down by the courts, and the DoJ is spending tax dollars trying to revive this affront to free speech instead of catching terrorists or something. Great.

Anyway that totally proves that Google is not evil right? Not so fast. If you use Google regularly, just think about all the info they have access to. Milly has.

Now the potentially bad. You use Google a lot, right? If someone was peering over your shoulder, watching every Google search you made; making a note of what you looked for; what you found; and sometimes where you visited from the results; (and maybe every email you sent and received); and did so for years and years: they’d grow to know quite a bit about you, eh?

Google gives you a cookie with a unique number in it that’s sorta like your Socialist Insecurity number except it’s a lot easier to get, and get rid of. That cookie is sent back to Google every time you interact with Google. Even if your ISP changes your IP address. Even if you use your laptop at a coffeehouse or a friend’s house. And because Google does not have a “data retention policy”, all of that data presumably gets warehoused, forever, just in case they ever find it useful.

So if Google ever gets served with a “National Security Letter”, or they lose their court case, or they change their privacy policy moments before they sell off parts of themselves, your personal private data goes from the “Don’t be evil” company to someone who might not have the best ethics.

I figure we all learned this during the dot-bomb. Go bust on your crazy stock selling Ponzi scheme and you have to sell off all your assets when you go into receivership. Guess what? The domain name has value, so does that little sock puppet mascot. And hey, so does that list that has all your former customers and what pets they have and their address and credit card info that you swore you would never sell.

OK, so let’s talk about what we can do about this. One thing you can do is upchuck your cookies after every session. This is fairly easy to do on most browsers; look for a setting that says something like “session cookies”. I do this with every cookie that does not provide a direct known benefit to me. However, the Google cookie holds your preferences, like “English results only, don’t filter my results please, and give ‘em to me 20 at a time”.

So I’d like to keep that cookie around, but I don’t like the sixteen digit unique tracking number Google gives me.

I used to just save my preferences, and then just edit the Google cookie to remove their 16 digit hex number that used to be my Google ID. I would change it to all zeros. Recently, however, Google started enforcing a “check digit” on their cookie, and if your zeroed cookie didn’t pass the test, Google would swap it out with a new one.

Enter Milly again. She figured out a way to crunch the checksum and wrote a little bookmarklet program. It works similarly to my Merriam-Webster tool. To use it, you just drag it over to your tool bar, go to Google and click on the button. It will then prompt you to set your prefs. Done.

Please understand though, if you do all your Google searching from a computer that has a static IP address, this little hack will do little or nothing for you. Presumably Google will track your search requests by using your static IP address. In this case you can use something like the Scroogle Scraper. This service from Scroogle.org, however, does not let you search “Google groups”, “Google images”, etc…

Another possible workaround is to use an anonymous proxy such as the Cloak. That, however, is above and beyond the healthy level of paranoia I like to cultivate. Perhaps if I was a terrorist.

Now if you want to do what I do and upchuck all your other cookies each time you restart your browser, except for the special Google one we just “zeroed out” (and any others you wish to retain), here is the step-by-step with screenshots.

Update: 2006-01-22: This step-by-step is for Firefox only. There are other worthy browsers out there, and there’s IE out there too, but this procedure won’t work on ‘em. Sorry about that. It should work fine on Firefox running on either Linux or Windows. Sorry, but I do not have any experience running Firefox on a Mac.

Update: 2006-01-21: Let me clarify exactly what this hack does. Google normally gives you a sixteen digit number that is yours and yours alone. You then give this number back every time you interact with Google. Google uses this number to track you. What we are doing here is changing that unique number to something different, all zeros. My cookie is zeroed out, Milly’s cookie is zeroed out, and everyone else that follows this step-by-step shares the same cookie. Therefore, singling out your search requests from mine is significantly harder.
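
An added illustration, not part of the original post: it shows on constructed log records why a unique cookie ID links searches across IP addresses, why the shared zeroed ID does not, and why a static IP undoes the benefit. The record layout and field names are assumptions; nothing here models Google's actual cookie format or checksum.

```python
from collections import defaultdict

ZEROED_ID = "0" * 16  # the shared all-zero ID described in the post

# Constructed sample records, not real logs: (user, source IP, cookie ID, query).
# "user" is ground truth used only for scoring; a server never sees it.
SAMPLE_LOG = [
    ("alice", "198.51.100.7",  "3f9a1c22b07e4d15", "cheap flights"),
    ("alice", "203.0.113.40",  "3f9a1c22b07e4d15", "knee pain"),    # coffeehouse Wi-Fi
    ("bob",   "198.51.100.90", ZEROED_ID, "used truck prices"),
    ("bob",   "203.0.113.41",  ZEROED_ID, "tax forms"),             # ISP changed his IP
    ("carol", "192.0.2.55",    ZEROED_ID, "baby names"),
    ("carol", "192.0.2.55",    ZEROED_ID, "crib recall"),           # static IP
    ("dave",  "198.51.100.12", ZEROED_ID, "banjo lessons"),
]

def group_by(log, key):
    """Bucket records the way a log analyst could: by cookie ID or by IP."""
    buckets = defaultdict(list)
    for user, ip, cookie_id, query in log:
        buckets[cookie_id if key == "cookie" else ip].append((user, query))
    return buckets

def users_in_bucket(buckets, value):
    """Distinct real users hiding behind one cookie ID or one IP."""
    return {user for user, _ in buckets[value]}

def singled_out(log, key):
    """Users whose whole multi-query history lands in a bucket nobody else shares."""
    totals = defaultdict(int)
    for user, *_ in log:
        totals[user] += 1
    exposed = set()
    for records in group_by(log, key).values():
        users = {u for u, _ in records}
        if len(users) == 1:
            (u,) = users
            if totals[u] > 1 and len(records) == totals[u]:
                exposed.add(u)
    return exposed

if __name__ == "__main__":
    print("linked by cookie:", singled_out(SAMPLE_LOG, "cookie"))
    print("linked by IP:    ", singled_out(SAMPLE_LOG, "ip"))
    print("behind zeroed ID:", users_in_bucket(group_by(SAMPLE_LOG, "cookie"), ZEROED_ID))
```
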

The standard mischief is detailed below the fold.

[1] “Children’s Online Privacy Protection Act of 1998”, which comes in at only 3402 words and no, I did not read the whole damn thing.

(Below the Fold)

1. Use Firefox (right now I’m still using 1.0.7, but I think that will be changing shortly).
2. Install the extension CookieCuller.
3. Go to your Preferences (Linux, under Edit; M$, under (I think) Tools).
4. Under Privacy, hit the +/- to expand it. Make sure both boxes are checked (“Allow sites to set cookies” and “for the originating server only”).
5. Set the Keep Cookies: to “Until they expire” (trust me).
6. Hit OK.
7. Click on Tools>>Extensions. A window will pop up. Right click on CookieCuller and then hit Preferences on the sub-menu. Make sure “Delete unprotected cookies on startup” is checked.
8. Go to the same imilly.com page I linked to above.
9. Drag the GoogleAnon button to your Links/Personal bar.
10. Go to Google, press the GoogleAnon button.
11. Set your preferences.
12. Right click under Tools>>CookieCuller, in the window that pops up, find your brand spanking new Google cookie. Click on it to highlight it. (Don’t worry if you don’t have all these options on your menu, I have other toys.)
13. Press the “Protect Cookie” button. Protect any other cookie that you want to keep around.
14. Hit OK. You are done. If you want, you can right-click on Milly’s bookmarklet and hit delete. You don’t need it anymore.

Let me know via comments if that was not clear or if it does not work properly for your software version.

Thanks Milly.

2006-01-20 22:17 by Standard Mischief. Filed under: deranged rants, don't try this at home

Comments

  1. countertop Says :

    That’s pretty damn cool.

    Does it work on a Mac? With Safari? Opera? I do run Firefox (and IE at work) so I will try it out there.

    I’m not too concerned though since I do most of my porn searches using a different dedicated internet browser with a user id and online identity different than this one and much different than who I really am.

    Still, this is good to know.

    2006-01-22 01:26 Permalink
  2. Standard Mischief Says :

    Milly on her page, says her Bookmarklet “should work for almost all browsers, and at least IE4+, Opera, AOL, Netscape, Mozilla and Firefox.”

    However, what I am doing here is protecting just the cookies I want to keep (including the zeroed out google cookie) and disposing of the remainder persistent cookies (I call it “upchucking”). For that you need the CookieCuller extension, and that only runs on Firefox. Sorry.

    2006-01-22 03:05 Permalink
  3. SayUncle » More on Google Says :

    [...] Standard Mischief has more on Google v. .gov. He notes: Google gives you a cookie with a unique number in it that’s sorta like your Socialist Insecurity number except it’s a lot easier to get, and get rid of. That cookie is sent back to Google every time you interact with Google. Even if your ISP provider changes your IP address. Even if you access Google at a coffeehouse or a friend’s house. And because Google does not have a “data retention policy”, all of that data presumably gets warehoused, forever, just in case they ever find it useful. [...]

    2006-01-22 10:01 Permalink
  4. cube Says :

    “Even if you access Google at a coffeehouse or a friend’s house.”

    Would that be with a laptop or a regular desktop? Cookies are computer specific. If I use two computers one for work and one for home they would have two different numbers, not the same one.

    I don’t see how they could track you if you used your friend’s computer at your friend’s house, it would just use the tracking number he already has, or create a new one for you.

    2006-01-22 19:05 Permalink
  5. Standard Mischief Says :

    Yea, that’s not very clear. This technical writing stuff is harder than it appears. The cookie will travel with you if it’s on the hard drive of your laptop, and you take it to a friend’s house or to a coffee house, and either jack in there, or use Wi-Fi.

    It will also travel with you if you have a copy of Portable Firefox (USB Drive-Friendly) and take it with you, like I do to avoid using IE on someone else’s computer.

    So I reworded it. I also added a bit about surfing from a static IP and about proxies.

    Thanks for the feedback.

    2006-01-22 20:59 Permalink
  6. Doug Says :

    Why not just use CustomizeGoogle extension (customizegoogle.com) and turn on the “Anonymize the Google cookie UID” option in the privacy tab? Of course, I use personalized search with google, so they know everything I do anyway (except when I log out to search for nsfw items).

    2006-02-11 23:09 Permalink
  7. Standard Mischief Says :

    Doug says- Why not just use CustomizeGoogle extension (customizegoogle.com) and turn on the “Anonymize the Google cookie UID” option in the privacy tab?

    Good suggestion. I didn’t suggest it mostly because I haven’t seen it yet. In fact, if you follow the link, you will see that CustomizeGoogle was released on the same day I wrote this post.

    Thanks for the tip, I’ll have to try it out.

    2006-02-12 11:26 Permalink
  8. Standard Mischief » Blog Archive » AOL releases their customer’s raw search data. Says :

    [...] Maybe I’m missing something major, but this seems exactly like the case where the Department of Justice asked Google for a bunch of search data in their attempt to resurrect a law that was struck down, except this time it was AOL, not Google, and the data was released world wide instead of being sent to the DOJ. [...]

    2006-08-07 12:43 Permalink
  9. Standard Mischief » Blog Archive » TrackMeNot, a solution for search terms privacy issues? Says :

    [...] Just a few days ago I told you about how AOL accidentally released a bunch of users Internet search term records, which was exactly why I had suggested way back in January that everyone zero out their Google Cookie. [...]

    2006-08-24 22:29 Permalink
  10. _Jon Says :

    Or just, ya know, not use Google….

    2007-02-20 10:49 Permalink
  11. Standard Mischief » Google doesn’t like my zeroed out cookie Says :

    [...] ways back. I wrote a little HowTo on zeroing out and then protecting the perpetual cookie that Google likes to give you. The idea behind using the same cookie as myself, iMilly, and a bunch [...]

    2008-03-29 14:30 Permalink
