That's their core business.
They track people for a living. Why is anybody expecting privacy from what's essentially a data-mining operation?
Google has seemingly stopped claiming an identifier it uses internally to track experimental features and variations in its Chrome browser contains no personally identifiable information. In February, Arnaud Granal, a software developer who works on a Chromium-based browser called Kiwi, claimed the X-client-data header, which …
Nobody's expecting privacy, most users on here expect Google to be nosey bastards. The question is whether we should just silently watch them do it or kick up a stink. If what they do is covered in new legislation then we need to apply pressure to ensure the legislation is enforced.
Most people don't think of Google of a data mining operation, however misguided they may be. The people that understand and have concerns need to raise those concerns to have a chance of reining Google in.
The question is whether we should just silently watch them do it or kick up a stink.
But for this to happen, you need people to realize the big issue. However, on the other side you have:
(a) catchy arguments that ring, are easy to grasp and are mostly true (like the compelling nothing-to-hide argument) ... and:
If what they do is covered in new legislation then we need to apply pressure to ensure the legislation is enforced.
(b) lobbying against almost all hope of an actual implementation of such legislation by megacorps, because there's money to be lost because of such legislation.
Most people don't think of Google of a data mining operation, however misguided they may be.
Some people think that Google is a really nice philanthropic corporation (compared to traditionally ugly ones like the smoking and pharmaceutical ones), offering services for pittance in form of ads. Let them target me, I'm not that significant, such a person would say.
The people that understand and have concerns need to raise those concerns to have a chance of reining Google in.
Brings us back to (a). Scaremongering really works when the scaremonger uses catchy arguments and have lots upon lots of money to back them up.
I regularly tell people they shouldn't rely on products from Google or insidious crap like Alexa because they are being silently monitored and tracked and they look at me like I'm standing semi-naked on Oxford Street with a huge placard reading "The end is nigh!" The average member of the public does not want to hear about it, they just want their music, security cams, Facebook fix or whatever.
Indeed. Sometimes you get asked "So? I don't have anything to hide."
For some of them, they are probably right. Everything they do and have done for the past 5++ years is on Social Media warts and all (drunken hen/stag nights and the like).
They just don't see 'friendly google or amazon' a threat. They will play an ever increasing part in their lives and they are just blind to what is going on.
Then there is the refuseniks like me who refuse to have anything or as little as possible to do with Google and all Social Media slurpers.
One of these days those who can't see what is going on on a truly massive scale might (a long shot) sit up and take notice. For many it will be too late. They will be part of the Borg.
Are you a deviant...? Nah just a self-determined, non-conformist. I'm with you on that.
I went to claim benefits because of being made redundant. I was asked for access to my social media; purely on a "voluntary" basis and, apparently, for "experimental" reasons of course ahead of its' introduction.
After being refused benefit, on the fourth time of asking I was told it was because I had lied about not having social media accounts.
My name is (as far as 20 years of searching) unique, I don't have social media and don't use a smartphone or tablet.
Anon as waiting for tribunal.
Yes.
But just because that's true doesn't mean that, all of a sudden, I need to be monitored. Society has castrated [almost] every single person by telling them that "deviant" equals "morally corrupt and a social risk", and therefore makes you toe a line of boring conformity to appease...the rest of the weak-minded sheeple morons.
I am an adult. Therefore, what I choose to 'deviate' by/from/to is my own damn business as long as it doesn't hurt anyone or impose on their own personal freedoms. And no, I'm sorry you shit-for-brains egotistical fundamentalists bastards, just because I have the nerve to exist somewhere is NOT an imposition on your "freedom".
Anyway, I prefer quiet privacy. And, just like those squalid fundamentalist scum, others do not have a right to my business just because I do something. So I turn off all trackers, don't Faceplant or Twatter, or Instagrope, or any of the other 100 ways in modern society that people with absolutely no self-esteem seek social confirmation of their identity even 20 minutes, use privacy blockers and actually clear my cookies at the end of my browsing session.
I think it will take an armed revolt to gain control of our own lives again, from those who have deemed it in THEIR benefit to grab as much of it as they can.
"I was told by a HR droid that my lack of social media was a major problem for my future career. "
You'd think that a company looking to hire you would be pleased you aren't telling the world about every little thing. Info like upcoming products and down turns in business.
Problem is it's not up to you to decide you have nothing to hide, somebody else will decide. You might have missed it but there was the case of a guy in the US who was riding the bike in his neighborhood and passed three times in front of a site where a burglary was committed. Guess what, when asked by the police, Google reported him because the location services signaled him as being at the site of the incident and that made him a prime suspect. So repeating this "I have nothing to hide" is meaningless.
Most people think bad things only happen to someone else.
And that's not entirely wrong. What they aren't paying attention to is what happens when, remote as that may be, they are the unlucky victim under suspicion or accused of something they never did.
What staggers me is that plenty of people truly don't believe Human Rights legislation is needed, should be revoked,. They see it as only benefiting ne'er-do-wells,, paedophiles and terrorists, standing in the way of justice being done, unable to comprehend that it gives them rights and, maybe one day, rights they will wish they had.
It often does seem; "one can't cure stupid".
They will be part of the Borg.
Oh C'mon, we must be able to do better than appropriate someone else's theme :o)
although, those damn Borg do have all the catchy phrases ready to go, whereas here at El Reg, I feel TITSUP may no longer be usable as a go to for the day we all DO succumb :o(
T - his
I - s
T - he
S - ervice
U - niversally
P - referred
The sad thing is that most people don't care. They willingly browse with Chrome, talk to Alexa, and post to Facebook. Few even bother to adjust any (limited) privacy settings that companies make available.
The masses are sheep being sheared by the shepherds of Google, Amazon, and Facebook while they wander through the fields of the internet baaing contentedly.
Even with a low-entropy number, it's still possible to identify people with a bit of detective work, so technically, it might be said to be "identification" data. Hell, just your first name is already identification data, and some first names are so common that they give less information than that...
Why is it important for a website I visit to obtain knowledge on my Chrome installation ? I come with a browser, they serve the page, that's the deal. Why is it important that they be notified of any extensions I have ?
If I ever have the chance of meeting someone from Google, before shaking their hand I'm going to ask them the brand and size of their underwear, their shoe size, what deodorant they're wearing and how old their socks are. Let's see how they like that.
Why is it important for a website I visit to obtain knowledge on my Chrome installation ? I come with a browser, they serve the page, that's the deal. Why is it important that they be notified of any extensions I have ?
To fingerprint your browser (therefore you), so they could track you, so they could target ads depending on which websites you visit.
If I ever have the chance of meeting someone from Google, before shaking their hand I'm going to ask them the brand and size of their underwear, their shoe size, what deodorant they're wearing and how old their socks are. Let's see how they like that.
That's like the analogy I give to laypeople to explain this. Imagine that you're riding a cab when somebody slides into the seat next to you with a clipboard, asking you for where you live, where you work, what your interests are et cetera, jotting down your answers in minute detail. Any sane person would tell them to go mind their own business.
I use a similar analogy about Alexa and Google Home. Imagine if the police asked you to put a listening device in your home that they promised would only listen for gunshots or screams for help, would you accept their offer? Of course not. But you pay to have a listening device in your home that is listening all the time by a company who makes money knowing everything about you.
If the government did what these businesses they, they would be rightly disgusted; but since it is not a government but a business, they shrug and don't care.
@Wade
There seems to be a difference between British and Americans here. Americans resist all government monitoring as if they were still fighting against George 3rd. British accept government monitoring within reason, but object to commercial monitoring especially from large American corporations.
And the result is that the police can release you "under investigation" for the rest of your life and put arbitrary restrictions to your life, or expel you without trial.
some Reg readers have been released like that.. for YEARS (not me..).
I would rather have the us version of privacy, just remove the Civil Forfeiture bullshit.
"That's like the analogy I give to laypeople to explain this. Imagine that you're riding a cab when somebody slides into the seat next to you with a clipboard, asking you for where you live, where you work, what your interests are et cetera, jotting down your answers in minute detail. Any sane person would tell them to go mind their own business."
I think you might be surprised, Judging by the (unsolicited) phonecalls and visitors at the door who appear to take it for granted that I'll happily answer all sorts of questions without them really explaining (or proving) who they are or why they are asking. If everyone was as concise with an answer of 'None of your business' as we are at home then I doubt they'd be bothering.
(!Sherlock because the clueless are everywhere)
That pretty much guarantees you a spot on most BBC shows these days, even if you are utterly useless for the role!
Those that like Chrome as a browser should can to one of the alternatives using the same base code without the tracking stuff. Chromium, Brave, maybe Pale Moon or something similar.
"Judging by the (unsolicited) phonecalls and visitors at the door who appear to take it for granted that I'll happily answer all sorts of questions without them really explaining (or proving) who they are or why they are asking. "
There are three ways to deal with this shit:
1: Answer them
2: Tell them to bog off
3: Deliberately feed them misinformation
If you do #2, they'll simply obtain the data other ways. I'm coming more and more around to the approach of choking them with a firehose of sewage
... I read one story (don't know if it's true or not) of some guy answering the door for a couple of holy solicitors glad only in underwear, a rather large python, with both of them covered with oil.
While I'm not going to try anything like that stunt, (or answering the door naked for that matter) I'll cheerfully mess with people's heads if they are being aggressive with their proselytizing.
Now where did I put that ceremonial kris and the goat skull....
"Imagine that you're riding a cab when somebody slides into the seat next to you with a clipboard, asking you for where you live, where you work, what your interests are et cetera, jotting down your answers in minute detail."
This same sort of thing happens quite often. You visit the doctor or other professional and are handed a form(s) to fill out. Just like they taught you in school, you do your best to fill it out completely, printing neatly. People rarely stop to question why this office needs a particular piece of information.
Are you paranoid "enough"?
I have come across developers who said why they do this....
Feature X is onyl available in Version Y and higher of browser Z.
How do you know when you can start to use that feature..when only a few percentage of your visitors are still using verions older than that..."we do not care about the last few percent of customers we can drop them as our turnover is 10%+ per month anyway"!!
Otherwise everyone would be compatible with IE6 and legacy compatability code would have to be written for every page!
It's called the user agent string. It tells you what version of browser your visitor is running, and often some extra data about their system. You don't need more than that. And you won't get more than that for the majority of your visitors who aren't using a browser you've compromised. Only Chrome sends those headers, and only to Google. You as an average web developer gain nothing at all from that feature.
Alternatively, use a local script to redirect to a simplified page if a feature doesn't work. Then, check how many times you're getting requests for that simplified page. When it drops to a level you're good with, delete the script and the page.
> If I ever have the chance of meeting someone from Google, before shaking their hand I'm going to ask them the brand and size of their underwear, their shoe size, what deodorant they're wearing and how old their socks are. Let's see how they like that.
You shouldn't be shaking their hand anyway - you're meant to be bumping elbows or something now.
Because they don't want a phone made by Apple. That's where I find myself. My latest plan is to use Android but run as many Microsoft services as possible because they're properly cross-platform so I can get at my notes and reminders from both my Mac and my Surface.
I would happily use more of Google's services if they were just transparent. The biggest issue for me is where to store photos. Nobody seems to have any idea what Google Photos does with customer photos. If it's purely to get data to train AI then that's not the worst privacy invasion, but if they're actively mining data from people's personal photos collection, that's creepy in my book. And is there any privacy difference between the free and paid tier? Nobody seems to know.
There's nothing magical about a MITM proxy that requires it to be on a company network. While most organisations use appliances for this feature, it is excessive in both price and capabilities for a home/small network, but there are plenty of software proxies out there that can do it just as well that run fine on a RPi or an old junk computer.
Just put a transparent proxy in and put the certificate of the proxy into your local cert-store (certmgr.msc on windows for the system-wide cert store or wherever your browser needs it to be based on specific browser and O/S).
If the cert isn't in the local devices/clients cert-store the user will get nasty messages in their clients, but if a guest wants to use the proxy features such as blatting unwanted headers, then they'll need to accept my proxies certs. If they are happy proceeding on my network without the privacy protections of such a proxy, they are free to bypass it if they like.
I believe the answer is "yes". An earlier El Reg article mentions software dev Arnaud Granal as challenging Google over the header info, based on what he had seen in the open-source Chromium code.
----
My purely personal, naive opinion: we should consider any open communication network as a public space, and there can be no expectation of privacy in a public space. Where I went wrong early on was thinking that the internet would allow private connections to one or a few other individuals. Shouting at a friend on a busy sidewalk is not private, and neither are the intarwebs.
I think that Google-Amazon-Facebook-et-al pragmatically use people's automatic expectation of privacy in order to harvest data. The ways they can do this are multitudinous. The article to hand only deals with Google's header-info. List off some of the other data-harvesting techniques we know about -- cookies, system profiling, ISP records, tracking beacons -- and then remember that the best data harvesting tricks are the ones that aren't yet public knowledge. Those techniques won't be on your list.
For most normal internet purposes ("normal" in the sense that one wishes to buy 60-degree corner clamps, or pay a phone bill, or post a picture on WhatsThatBug.com) one has to surrender some information. One must consider that at least some of that information will be public, and proceed appropriately. In a few instances it may be possible to limit most tracking and obfuscate the rest, but I think that now we're talking about Snowden-level secure communications. Communication between individuals who are both taking extreme care and who have prearranged anonymous connections and encrypted streams. Not people buying corner clamps.
I'm not saying we should behave as if online privacy is a lost cause. I think we should raise a hell of a fuss about it. But I think the assumption should always be that, viewed pragmatically, our online activity simply is not private.
If Google can use it track you, so can your ISP. Or anyone doing a man-in-the-middle attach, like SuperFish* or some nonsense like that
Just a thought - I wonder if this was one of the tools they used to bust people who used TOR recently?
* that thing Lenovo used to load on ThinkPads that was super buggy and they wouldn't let you remove it, that's the one I'm thinking of anyway.
It's unfortunate that there's a distinct lack of standardisation about the meaning of "PII". It can refer to either:
PII1) information which allows you to _identify_ an individual, or
PII2) information about an individual who can be _identified_.
I tend to use PII as an acronym that refers to things like name, passport number, mobile phone number, database index (I would say it stands for "personally identifying information"). That's PII1. The second category, PII2, is what in Europe is more often called "Personal Data" though I've also seen it called "personally identifiable information" - religious belief, health conditions, favourite food, life history, etc.
Thus it might be correct to say that there is no PII2 (personal data) in this tracker, the point that is being made is that the tracker is PII1 (identifying data). While neither is good, it seems -based on the text quoted - that the article might be blaming Google for something they never said. Could The Register perhaps lead the way in standardising on terminology, to help avoid this - my experience is that many computer users apply security policy designed for personal data to PII and vice versa (and it leads to problems).
PS. I do understand that sometimes (but not always) data can be simultaneously personal data and personally identifying data.
I read somewhere - short memory, sorry - that credit card companies can determine from three or four of your purchases whether that's really you that made the purchase. Which only sounds scary, because if I have your name, address, phone, id, and your purchase history over many years, it seems easy to figure out whether something fits your profile.
On occasion, this even works to our advantage: Someone scammed my credit card info, made a new card with it, and went shopping - of all places at a shop that sells camping equipment, sports equipment, golf clubs, guns, ammo, bows and arrows. I never was in such a store in my lifetime, so they immediately flagged it as potential fraud. Definitely more of an "in-doorsy" guy I am. I hate camping. Golf is terrible, because of the people on the course. If I ever would need a gun, maybe because of a zombie apocalypso (a new dance), then I am not worried, because people in the US will have killed so many of their own crazies, for fun and profit, that there will be plenty of guns on the ground, allowing me to subsist on raccoons and squirrels. So, what, me worry?
Following in the footsteps of Microsoft, who managed to engineer AI tacking software for the coronavirus outbreak, Google seeks to chime in with their own version. This however, is in line with the many amateur netizens, who've also managed to engineer AI tracking software, using various technology, such as blockchain, etc.
~Vibhor Tyagi (Techie at Engineer.AI)