A Google monopoly today means packet snooping tomorrow

Now that America’s lawmakers have repaired the world economy, they can turn their attention to more mundane matters, such as saving the Internet. There’s an inherent conflict between traditional notions of personal privacy and the Internet’s emerging goldmine, targeted advertising. Other than the subscription fees that …

COMMENTS

This topic is closed for new posts.
  1. The Mole
    FAIL

    Very simple optout for Gmail

    There is a very simple opt out to stop Gmail scanning your personal communications...

    Don't sign up to it.

    For bonus privacy don't send emails to anyone on gmail either.

    If people want to choose to use gmail and give consent to its scanning that is their choice. Google do just about let people know on the sign up page, and I'm sure many people consider it a fair price to pay not to have big banner ads, I'm also sure many people don't realise what is happening but that is another issue.

  2. Anonymous Coward
    Anonymous Coward

    Private data

    You can't collect more data than is necessary to deliver the service.

    You can't keep that data longer than is necessary to deliver the service.

    You can't cross link other data to extend the data beyond what is necessary to deliver the service.

    You can't sell that data to anyone else.

    You cannot get an 'opt in' to change the above rights.

    Private data is not yours to sell.

    Only exception is any politician or civil servant that campaigns to grab private data. You can release their internet records, telephone logs, showing where they were when, their private bank details, health records. Under the law of Karma....

    That would stop nobody delivering a service to you, and would be the correct treatment of your private data. Anyone who wants to make a service around buying and selling your data, HAS ZERO RIGHT to your data unless you directly give it to them for that service.

  3. Anonymous Coward
    FAIL

    Almost speechless - DPI the same as cookies?

    How can anyone claim that Google which sees a small proportion of anyone's surfing is more intrusive than a system which sees 100% of your surfing?

    The 'Google is Evil' has been around for a long time and getting people to hear that message is hard. The people who are in the know do not use AdSense (why host a script that drives visitors away from your site) nor do they use Google-analytics (why give Google access to all your visitor data, just so that Google can make more money by sending visitors to those sites that pay the most for adverts).

    The DPI BTA suppliers like Phorm, FrontPorch and KindSight also take visitors away from websites and also use the data collected about website visitors to fund their revenue models. Million $$$ businesses exchanging a $10 script to 'protect' from phishing or malware in exchange for harvesting priceless marketing information from commercial websites: what a complete and utter con, perhaps the best (worst?) scam seen so far this century.

    It is all about choice. Websites and surfers can choose to not use Google and block the tracking scripts and cookies. Neither websites nor surfers have any choice when a DPI system intercepts what should be private communications over the internet. How does a website know that the visitor is having their datastream intercepted and analysed by a DPI system and that data being sold to earn revenue which paying the website a licence for the use of their content? (At least AdSense and other BTA script models pay websites for the use of their content.)

    The article fails because it starts with the premise : "Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the ’Net has ever generated is ad sales, which mostly depend on the advertiser having knowledge of the consumer’s tastes and interests."

    The majority of internet businesses are not selling advertising. A few are and most people in the street could name maybe a dozen such sites. Most sites sell products: if you see an 'advert' on the site it will be for whatever the site sells and not be encouraging the visitor to surf off somewhere else.

    A second misconception is: "Until now, the privacy debate has focused on particular ways of obtaining preference and stressed opt-in vs. opt-out. This approach is wrong-headed, as web spiders can extract more personal information from the Internet than DPI can."

    Do not confuse rogue spiders that go everywhere from well behaved search engine spiders. And, no, I don't regard Google, MSN or Yahoo to have well behaved spiders as they visit and index https pages.

    What a bad argument: there are a few rogue bots out there that have harvested personal data from electoral registers and phone books and made the data public so let's also allow DPI to harvest personal and private data.

    Is it not better to track down rogue bots and fine them for invading privacy than to give up on any idea of ever having privacy? Websites spend a fortune protecting their content from rogue scripts and crawler bots sent out by students using university IP addresses or spoofing the useragent of search engines or human used browsers.

    3rd party scripts invading privacy is one issue.

    DPI invading privacy is another issue.

    Rogue bots harvesting data is another issue.

    The only common factor is the invasion of privacy and privacy is what should be being protected, not the method used to invade that privacy.

  4. Wrenchy
    Linux

    Silence all you nay-sayers!

    ** ALL HAIL THE GOOGLE OVERLORDS **

    ...What is thy bidding my master?

  5. Eponymous Cowherd
    FAIL

    What ARE you on?

    I can easily avoid Google snooping and *be sure* I've avoided it.

    There is *nothing* I can do to ensure Phorm is not spying on me apart from switch to another ISP.

  6. Maty

    Not so

    'Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the net has ever generated is ad sales'

    This statement is total baloney, and destroys the credibility of everything else the writer of the article has to say. Have a look at the ads carried on any website - the vast majority are for products or services that can be purchased through the internet. These products and services generate the revenue that pays for the ads. How can the writer of this article not understand that?

    His conclusions about DPI are extremely iffy as well. Maybe the Reg should expand its icon selection to include a set of buttocks such as those this writer is talking out of?

    ()()

  7. Anonymous Coward
    Stop

    Full Stop

    "the only reliable revenue stream the ’Net has ever generated is ad sales"

    I didn't read any further than this statement, has the author never heard of porn?

    Porn built the Internet. Porn laughed off the "dot-com bust". Porn is responsible for the wide-scale rollout of residential broadband. Porn revenues are steady and not tied to economic trends.

    All your revenue are belong to porn.

  8. Wonko the Sane

    language

    'Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the net has ever generated is ad sales'

    I agree with the previous poster. Tell Amazon that money they are counting doesn't exist. Tell the states those internet taxes they are on the verge of levying are not going to generate revenue because, as the writer explains, there's no money there.

  9. Anonymous Coward
    Boffin

    Umm, I think some people are missing the point

    "Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the net has ever generated is ad sales"

    I know this statement sounds wrong, but for all the companies involved in this session being discussed in the article, that is exactly what those huge corps bank on in their internet presence. The rest of the web, most of it at least, due to how ads are distributed on the web (also a big issue in the session discussed in the article), the small web merchants and such, make companies like Google, MS, etc. money through their advertising.

    Since the web site hosting the page makes some money from the adverts they display as well, then they have a vested interest in whoever can pay the most, and do the best, to advertise on their site, much like television and radio. Historically, whoever can pay for the advertising has a LOT of say in the functionality and control of that distribution medium (demise of music on MTV is a good example, and commercialization of sports [this comment brought to you by Brawndo! The Thirst Mutilator ©]), or whatever they might want to do, the imagination's the limit really. They are the same as lobbyists, they are trying to push a product or agenda, their job isn't to figure out how to do it right though. And that is the issue, currently things as they are being done now cannot keep going without alienating the very people the advertisers are trying to target, the customer. (I'll bring up MTV again for this one)

    One big reason this session needed to happen is the number of times companies have had their customer data stolen, or even sold, to people and companies none of us would want. I personally do not want to owe money on a loan I didn't take out, and getting oneself out of trouble someone else put you in is not that easy. If you are a target of fraud, the banks still can hold you responsible, as the assumption in their business model is that they could not possibly have been the source of the information, and it is up to the customer to keep their information safe, so are responsible for any misuse of such information. And with our information scattered about the internet, enough to get someone money one way or another if they were to use that info, any of us can be targeted completely randomly, and we still do not have enough protections to keep us from having to carry the debt.

    If I'm completely off base, I apologise, but that's just how things look to me. In order to really make an informed comment on this article, one needs to possess and understand a lot of historical knowledge, and I've only really brought up a couple of the issues brought about by the "business models" used today, and the things done that made them this way.

  10. Anonymous Coward
    FAIL

    For God's sake. Don't be so stupid.

    Google, intrusive though it may be, is nowhere near as intrusive as Phorm.

    Google does not sniff a user's entire web traffic at ISP level.

    Phorm sniffs a user's entire web traffic at ISP level.

    Never thought I'd read such idiotic trash on El Reg, of all places, after everything that has gone before. Shame on you.

  11. WhatWasThat?
    Pirate

    Potomac Myopia

    As in all cases when intelligent people make their way to the hallowed halls of Those That Serve US, there is a kind of side-blinders that are handed out, particularly at those events of monetary policy making, the Congressional Hearing. These are known as "Hearings" because no one listens to anyone else, allowing all who participate to declare themselves, and their agendas, as "advancing for the common good of the people."

    Alas, it is commonly known that the "common good of the people" is not the same as "the good of the common people." "The people" in the former sense are each a small group represented by one or more of the participants of the "Hearing."

    This is simply another case of the same. The author attempted to bring some range into the discussions taking place, but the myopic tendencies of the very nature of the "Hearing" found himself falling into its effects; reduced to simply a check list of opposing viewpoints.

    A good start, but ultimately only one exchange in one skirmish within one battle of the war.

    Pirate - the last true bastion of personal freedom left?

  12. Anonymous Coward
    WTF?

    Less lobbying, more thinking please.

    "Now that America’s lawmakers have repaired the world economy, they can turn their attention to more mundane matters, such as saving the Internet."

    What planet is this author on?

  13. Mike 61
    Grenade

    I said it once

    And I will say it again and again, until I goad someone into coding it. Make a modified version of adblock that actually opens the advertised links in a hidden window and then closes them. Death to online advertising, just that simple.

  14. ElReg!comments!Pierre
    FAIL

    Worst. Article. Ever. (almost)

    Way to take a real problem (privacy on the web) and twist it to complete irrelevance and counter-productive advice...

    "Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the ’Net has ever generated is ad sales" WTF? When are you living, in 1998?

    "Google's targeted advertising program AdSense is even more intrusive than the controversial Phorm and NebuAd systems." WTF? The first is trivial to dodge and concerns a tiny part of the web, the others are almost impossible to avoid and scan your whole internet traffic.

    "there is no opt-out, and using a secure tunnel is no protection." Oh I get it. Also, a flea is more deadly than a charging elephant because you can't stop it with a .375 H&H Magnum round.

    "as web spiders can extract more personal information from the Internet than DPI can." WTF? Do you really believe that? I thought you knew a few things about networking, I was apparently misled.

    "Utopian notions of net neutrality that simply protect the search monopoly’s position, my sense is that they’re outnumbered by pragmatists who would be pleased to allow a lightly-regulated market and the public relations machinery of the public interest organizations"

    Oh, here is the hidden agenda... explains all. So because google is a cold money-making machine, we need to deploy DPI everywhere -only way to "deneutralize" the net based on the content- and/or prioritize traffic based on the "content providers" bribes to the ISPs? What's the link again? And the privacy angle you chose is the most clumsy foot-meet-bullet moment I've seen in the last couple years: because Google uses cookies to indulge in some light snooping when you visit sites that use websense (annoying, yes, but limited to the web -actually a small part of the web- and utterly trivial to thwart), we need to have some "public interest organization" (IWF anyone?) analyzing all the traffic that goes up or down our pipes? In the bloody name of bloody privacy? You' 'avin' a laff, right? Either that or I misunderstood your statement and by your "lightly-regulated" (opposed to "neutral") you actually mean privacy laws, data retention laws and the like. But then, why the opposition with "neutrality"? Why the mention of "public interest organization"? Nah, doesn't make any sense, you definitely mean traffic analysis "a la" DPI by the IWF.

    The only almost sensible part is the "the only way to ensure personal privacy in the long term is for users to pay for content and services". *Almost* sensible because of course it won't work. Whether the users pay for the services or not makes little difference. Advertising outfits do not aim for the user's money, but for the sellers' (or content providers') money. And these will try to make as much money as they can, regardless of what the user pays. The real cut-off here is the user's tolerance to ads, not the amounts he pays. That's a result of the web's (not Internet as you wrongly say) business model, which is "let's make as much money as we can". So the real way to change things is of course *not* to make the user pay much beforehand, but to raise the user's awareness. If ads stop to produce enough money to overcome the user-deterrent effect, they will disappear. And content or service providers will charge more, which will result in the user paying a bit more (as a *consequence*, not a *cause* for the change). And also the content providers will pay a bit more, or get around to using non-google traffic analysis tools, a lot of which are free software or available freely. Let's not forget that the google tech you are so critical about mostly provides services to the *website owners*, not users.

  15. Anonymous Coward
    FAIL

    What utter garbage

    So allowing anyone to collect all the private data they like is OK, so long as you can request that they delete it?

    OMG, what planet are you from?

    There are only a few hundred ways of avoiding that pesky little problem, from not telling anyone you've got the data, to distributing it around a group of companies so you can reconstruct the deleted bits, to passing it on quickly so the data subject can never keep up, to just deleting the bits explicitly identified and keeping the rest, to just pretending you've deleted it (honest!), to all those "accidental" transfers to other parties that really should never have happened (honest!), to claiming the data isn't private because you've (ahem) "anonymised" it, to just marking it as "deleted" but keeping the data anyway, to conveniently forgetting to delete those backups, to burying conditions in the small print that allow you to keep it regardless, to re-harvesting data that's been deleted, to...

    Need I go on?

    No, once your private information has been stolen, your chances of exerting control over how it is used are pretty near zero. Think about getting your email address off a spammer's distribution list and that's the sort of chance you stand. Forget it! It's a complete waste of time! Concentrate on controlling the harvesting of data because it's your only chance of winning.

  16. Anonymous Coward
    Anonymous Coward

    This is seriously bad, even for El Reg

    "AdSense is even more intrusive than ... NebuAd?"

    I am confused that a network engineer could believe that unfettered access to every packet I send out to the Internet is less of a threat than Gmail, a service I don't use. NebuAd knows almost all my user names and passwords, can watch me shop, see what, when and how often I watch things on YouTube or Hulu, read all the posts I make in forums/comment pages/blogs. The only traffic they can't read is what is strongly encrypted and that is around only when I am done shopping and ready to order; but they got to watch me shop so they already know what I am buying when I finally hit an encrypted page.

    Even if we assumed Google could put a script on every page on the Internet, I can browse with scripts off, use addons like NoScript, or even Google Chrome's anonymous mode and these can eliminate Google's snooping ability. But NebuAd gets to touch every single bit I send out to the Internet -- there is more on the Internet than Web servers. Maybe I would reconsider if Google could insert scripts into DNS servers.

  17. Anonymous Coward
    FAIL

    @Less lobbying, more thinking please

    Not from that country who don't understand sarcasm are you?

  18. Oninoshiko
    FAIL

    I AM A BANNANA!

    @Less lobbying, more thinking please.

    On one where people actually comprehend satire.

    He also made reference to "A Modest Proposal for Preventing the Children of Poor People in Ireland, from Being a Burden on their Parents or Country, and for Making them Beneficial to the Publick." by Dr. Jonathan Swift (c 1729). If you want to understand his world a little, I recommend reading it. (http://www.gutenberg.org/files/1080/1080-h/1080-h.htm)

    @DPI the same as cookies?, et. al.

    Google has become pervasive enough that they don't even need the cookies anymore. Almost every site you go to makes a request to google. That means that when you go to the page for that whip-vendor after hitting your favorite personals site, google knows. They don't even need that cookie, because both pages made a call to their servers. They have your IP, no encryption stops it.

    While it may not be WORSE, it's not better either.

  19. ElReg!comments!Pierre
    FAIL

    Worst. Article. Ever. (almost)

    Way to take a real problem (privacy on the web) and twist it to complete irrelevance and counter-productive advice...

    "Other than the subscription fees that carriers collect for access to the Internet itself, the only reliable revenue stream the ’Net has ever generated is ad sales" WTF? When are you living, in 1998?

    "Google's targeted advertising program AdSense is even more intrusive than the controversial Phorm and NebuAd systems." WTF? The first is trivial to dodge and concerns a tiny part of the web, the others are almost impossible to avoid and scan your whole internet traffic.

    "there is no opt-out, and using a secure tunnel is no protection." Oh I get it. Also, a flea is more deadly than a charging elephant because you can't stop it with a .375 H&H Magnum round.

    "as web spiders can extract more personal information from the Internet than DPI can." WTF? Do you really believe that? I thought you knew a few things about networking, I was apparently misled.

    "Utopian notions of net neutrality that simply protect the search monopoly’s position, my sense is that they’re outnumbered by pragmatists who would be pleased to allow a lightly-regulated market and the public relations machinery of the public interest organizations"

    Oh, here is the hidden agenda... explains all. So because google is a cold money-making machine, we need to deploy DPI everywhere -only way to "deneutralize" the net based on the content- and/or prioritize traffic based on the "content providers" bribes to the ISPs? What's the link again? And the privacy angle you chose is the most clumsy foot-meet-bullet moment I've seen in the last couple years: because Google uses cookies to indulge in some light snooping when you visit sites that use websense (annoying, yes, but limited to the web -actually a small part of the web- and utterly trivial to thwart), we need to have some "public interest organization" (IWF anyone?) analyzing all the traffic that goes up or down our pipes? In the bloody name of bloody privacy? You' 'avin' a laff, right? Either that or I misunderstood your statement and by your "lightly-regulated" (opposed to "neutral") you actually mean privacy laws, data retention laws and the like. But then, why the opposition with "neutrality"? Why the mention of "public interest organization"? Nah, doesn't make any sense, you definitely mean traffic analysis "a la" DPI by the IWF.

    The only almost sensible part is the "the only way to ensure personal privacy in the long term is for users to pay for content and services". *Almost* sensible because of course it won't work. Whether the users pay for the services or not makes little difference. Advertising outfits do not aim for the user's money, but for the sellers' (or content providers') money. And these will try to make as much money as they can, regardless of what the user pays. The real cut-off here is the user's tolerance to ads, not the amounts he pays. That's a result of the web's (not Internet as you wrongly say) business model, which is "let's make as much money as we can". So the real way to change things is of course *not* to make the user pay much beforehand, but to raise the user's awareness. If ads stop to produce enough money to overcome the user-deterrent effect, they will disappear. And content or service providers will charge more, which will result in the user paying a bit more (as a *consequence*, not a *cause* for the change). And also the content providers will pay a bit more, or get around to using non-google traffic analysis tools, a lot of which are free software or available freely. Let's not forget that the google tech you are so critical about mostly provides services to the *website owners*, not users.

  20. Christophe

    Irony

    For those of you who are using noscript: right-click on any theregister.co.uk page, and there it appears, a glorious script from googlesyndication. Thumbs up to The Register for facilitating Google's evil, I mean corporate, task of keeping tabs on everyone.

  21. Will 6
    Terminator

    Privacy

    I'm not a geek, just a user, but it seems to me this is all a bit of a moot point.

    Disclosure: I use all Google products every day.

    Seems to me that a large proportion of the great unwashed out there (i.e. people worth collecting data on in the first place and have money, will spend) are more than happy to throw up all the personal info about themselves by their own hand via Facebook, bebo, and all manner of other webtivities. In addition to this, they (the majority) also will happily click anywhere on the web with no idea of the potential risks. I am astounded I still get chain emails sent to me from people I assumed had a fraction of common sense. There is the rub. They don't.

    So, as a humble user, dear reg readers, I think your deeper and no doubt technically legitimate concerns about the implications of the various data transfer models are somewhat akin to a Doctor being concerned about McDonalds. The law of numbers and the great unwashed will prevail.

  22. Christopher E. Stith
    FAIL

    only reliable revenue stream?

    I suppose Newegg, Thinkgeek, Amazon, Powell's, eBay, and a few tens of thousands of other businesses don't rely on their income.

  23. Anonymous Coward
    Boffin

    Less lobbying, more thinking please. (Part II)

    @Oninoshiko I am now suitably enlightened.

    Listen up everyone!

    The article we are discussing is in fact a cleverly disguised polemic attacking the outrageous practice of commercial spying on private communications.

  24. Anonymous Coward
    Grenade

    Welcome to the Obama administration

    Personally, I didn't vote for the toad... And voted for two members in the House and two Senators (one who probably owes me money), so to all you good folks who aren't citizens of the US, you should all get down on your hands and knees that he's not trying to muck with your income, health benefits, auto industry, banks or whatnot...

  25. Mark Barratt 1

    ""there’s precious little privacy on the Internet"

    No shit? Not like last year, then.

  26. Anonymous Coward
    Paris Hilton

    @ AC 14:19

    Polite applause.

  27. adrian sietsma
    Troll

    @b ws 23:21

    <quote>

    so to all you good folks who aren't citizens of the US, you should all get down on your hands and knees that he's not trying to muck with your income, health benefits, auto industry, banks or whatnot...

    </quote>

    Ahh yes. The US Auto industry, banking system, and healthcare......all shining examples of free enterprise at its best.

    Hint - it's a little like iron.

  28. Big Al
    Boffin

    Opting-out made simple.

    "More recently, Google has stepped up the aggressiveness of its program by shifting the tracking cookie used by AdSense from an opt-in to an opt-out system of consent, where opting-out requires arcane knowledge on the part of the consumer"

    Or the 10 seconds needed to install something like the TACO (Targeted Advertising Cookie Opt-Out) add-on for Firefox - which takes care of Google and another 83 networks.

    There, that wasn't too difficult, was it?

  29. Anonymous Coward
    Pint

    @Richard

    Were you expecting the Spanish Inquisition?

    Have a cold one mate on me.

  30. Anonymous Coward
    Grenade

    Dealing with Cookies

    Surely the way to deal with cookies is to accept them, then fill them with random data and send them back. I wonder how many of these sites' coding would be good enough to handle the wrong data? I wonder how many would break? I'm surprised the hackers of the world haven't fallen on cookies as a free back door.

  31. Anonymous Coward
    Grenade

    @the Porn AC

    You are right, the internet was built on the back of porn.

    As was the video industry (the porn kings chose VHS, Betamax died)

    As was movie making

    Photography

    Cheap printing

    Even most of the developments in life like painting were made to make nudes look better.

    But this slump has even hit the porn world.

    Sites I subscribed to years ago are suddenly spamming me with cheap subscription offers.

    A woman I was talking to who runs her own porno site was saying that subscriptions are down 30% and that many of her friends are doing much worse than her.

    The porn industry goes in for dodgy advertising practices at a level no even moderately legitimate business would even think about.

  32. Field Marshal Von Krakenfart
    Grenade

    There's no place like 127.0.0.1

    My privacy, my data, my battle field.....

    Adblock, NoScript, Peer Guardian, and an updated host file see http://www.mvps.org/winhelp2002/hosts.htm (I’m sure there are more out there, just Google for them while you can)

    I work for a large multinational bank and I would like to ask everybody how they feel about phorn and google performing DPI on the VPN connection I use for support work, never mind them performing DPI on your own connection when you look at your own bank details, are you happy that these companies are going to be trying to snoop on my connection and maybe see details of lots of bank accounts, credit card numbers etc etc?

    Anyone?

    Anyone?

    No, I thought not

    The minute my ISP starts using DPI on my packets I’ll be terminating my contact for security reasons. Oh! And I’ve just abandoned my gmail account; I’ll use google to look for some other email account just so the chocolate factory know what I think of them!

    P.S. my support computer is encrypted and no data is stored locally on it, somebody tell the dickheads that keep losing private data that's how to use business computers.

  33. Anonymous Coward
    Thumb Down

    @Field Marshal Von Krakenfart

    So you do tech support for a "large multinational bank", do you?

    Do they know how crap you are?

    Read up on how Phorm actually works, (and brush up on VPN tunnelling and SSL while you are at it), then re-read your rant and you will see what I mean.

  34. Field Marshal Von Krakenfart
    Black Helicopters

    @AC 11:47 GMT

    That's the difference between you and me, I know what *actually* happens on some of these 'secure' connections, you only think you know what happens. I'm not saying anything more.

  35. Stephen Gray

    @ By b ws

    LOL, nothing to do with selling credit to the unemployed then?

  36. Anonymous Coward
    Troll

    @Will 6

    >> I'm not a geek, just a user, but it seems to me this is all a bit of a moot point.

    You are not a geek, but you are posting on El Reg. That either makes you a liar or an oxymoron - unlike the rest of us commentards, who are just regular morons.

  37. Point

    Fundamentally flawed

    A lot of people here seem, dare I say it, obsessed with repeating the charge that there is clearly an opt-out for Google but not for Phorm. That just simply is not true. Phorm has developed a network-based opt out that ensures none of your traffic whatsoever is analysed.

    There are various news stories like this where public confirmation of the NBOO has been given. Try here for proof: http://www.v3.co.uk/vnunet/video/2244091/phorm-executives-discuss

  38. Field Marshal Von Krakenfart
    Grenade

    @AC 11:47 GMT

    Come to think of it, why don't you search ElReg for 'SSL'

  39. ElReg!comments!Pierre
    Pint

    @Point and @"Google doesn't need cookies"

    Point: you missed yourself by a couple miles here. There are easy ways to thwart Teh Big G's attempts at snooping. The first one would be not subscribing to their services (so it's clearly "opt-in" here, no crappy "opt-out" scheme), one other would be "sensible cookie management" -plenty of ready-made luser-friendly solutions available there-, add a pinch of assorted good practices such as not allowing stupid scripting and random redirections unless absolutely necessary (for the windoze users, I find Proxomitron is quite welcomed by non-technical users. If you're using a *NIX system, you probably already know how to do that more efficiently, solutions abound.).

    Now about Phorm: "opt-out" only, and the opt-out is checked by Phorm's kit so it's up to Phorm to decide whether or not they snoop. Conveniently remotely managed, too, so that things can be changed in a snap if needed. Of course we could take Phorm's word for it. We could. But should we?

    One other rather important concern is that the tech has the potential to rip open any kind of network authentication-based encryption. Again, Phorm says they won't, and we *could* theoretically trust them. But do we want to take the chance? One of the few things about security that managed to make its way through my thick skull is "when unsure, always assume that the security has been compromised". This means end-to-end encryption using keys privately exchanged via sneakernet, for everything that needs to be even remotely confidential. That's gonna be easy. Not.

    Now, finally, to the "google doesn't need cookies anymore cause they control the network already" comment. That is a concern. However you seem to assume that the websites make direct requests to Google. That's (mostly) not true. The websites tell your browser to make a request to google, and it's very different. The obvious way to thwart that if you're totally google-o-phobe is to redirect every query for google's servers to 127.0.0.1. A slightly less radical way would be not to allow javascript, as most of the time the query is triggered by a piece of JS. You could also, as I do, forbid any non-explicitly-allowed cross-domain request. Yes, it breaks the interwebz, as a lot of pages use external resources, but so be it. Anyway, a "deep-embedded" youtube video is only very marginally more convenient than a link to the same. So as much as google's snooping is a pure annoyance, it's not very difficult to bypass. Now give me an easy way to make absolutely sure without the shade of a doubt that my whole internet traffic is not examined by Phorm and the like, when in place, and I might reconsider my opinion.
