
Microsoft, Marlinspike threaten Google data gathering policy

21 January 2010

Google faced challenges to its search engine's data gathering policy this week from two sides. Microsoft bettered the search engine giant by revising its own search privacy policy, while security researcher Moxie Marlinspike delivered a service that allows users to bypass Google's data gathering procedures altogether.

Microsoft's chief privacy officer, Peter Cullen, announced that over the next 12–18 months, it would be slashing the retention time for users' IP addresses on its Bing search engine. Currently, it keeps users' IP addresses for 18 months, but anonymizes the data immediately. In the future, it will delete the anonymized addresses after six months. This is an important development, because both Microsoft and Google keep users' cookie data for 18 months.

Privacy experts have alleged that even with anonymized user data, where bits of the IP address are changed or deleted, it is still relatively easy to correlate those addresses with user cookies to get a lock on a search engine query author's identity.

Google changed its data retention policy in 2008 after considerable pressure from Europe's Article 29 Working Group. The company now anonymizes IP addresses only after keeping them for nine months, and Google doesn't have a policy on deleting the addresses permanently. It also retains cookies for 18 months.

In separate news, Moxie Marlinspike, author of the WPA Cracker wireless password cracking service, announced a service called Google Sharing. Consisting of a Firefox add-on and a proxy server, the service reroutes Google queries via the proxy server. The proxy then forwards the query, stripped of all identifying information, to Google, using a session initiated by the proxy.

"The response is proxied back to you", explains the service's web site. "Your next request will get a different identity, and the one you were using before will be assigned to someone else. By 'sharing' these identities, all of our traffic gets mixed together and is very difficult to analyze."

The Google Sharing service also injects fake search queries into the information stream to further obfuscate users' searches, and as a bonus, it automatically communicates in HTTPS with the client, so that, for example, traffic cannot be sniffed by local users on a public network.

The obfuscation service will not work for Google account-based services, such as Gmail and Google Docs. However, it will stop Google's analytics service from tracking surfers' visits online – something that it currently does for participating sites even if a web surfer doesn't find that site via Google's search engine.

 
