'Google even knows what you're thinking'


Summary: Privacy advocate Moxie Marlinspike used the spotlight of the SOURCE conference here to call attention to Google's data harvesting practices, warning that the search engine giant can mine information to figure out even what Web surfers are thinking about.

TOPICS: Browser, CXO, Google

BOSTON -- Privacy advocate Moxie Marlinspike used the spotlight of the SOURCE conference here to call attention to Google's data harvesting practices, warning that the search engine giant can mine information to figure out even what Web surfers are thinking about.

During a presentation that discussed the changing threats to privacy, Marlinspike likened Google's data collection to the Pentagon's Total Information Awareness program and lamented the fact that it's near impossible to avoid Google's tentacles without "opting out of the social narrative."

"They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you've ever sent or received. They know the news you read, the places you go. They're even collecting real-time GPS location and DNS look-ups," Marlinspike said.

"They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. They even know what you are thinking about," Marlinspike added, warning that the company has found a way to control the terms of the privacy debate by offering what he described as fake anonymization.

He pointed out that the Google tool that gives users control of their privacy settings only shows the information that is most obviously connected to a Web user. "It requires that you have an account, be logged in while using the services and maintain a persistent cookie. It's a brilliant move on their part."

Convinced that he can't opt out of using Google's ever-present services, Marlinspike created an anti-snooping tool to sidestep the company's data collection tentacles.

The tool, called GoogleSharing, is a Firefox add-on that mixes the requests of many different users together, such that Google is not capable of telling what is coming from whom.

GoogleSharing aims to do a few very specific things:

  1. Provide a system that will prevent Google from collecting information about you from services which don't require a login.
  2. Make this system completely transparent to the user. No special websites, no change to your workflow.
  3. Leave your non-Google traffic completely untouched, unredirected, and unaffected.

The GoogleSharing system consists of a custom proxy and a Firefox add-on. He said the proxy works by generating a pool of GoogleSharing "identities," each of which contains a cookie issued by Google and an arbitrary User-Agent for one of several popular browsers.

The Firefox add-on watches for requests to Google services from your browser, and when enabled will transparently redirect all of them (except for things like Gmail) to a GoogleSharing proxy. There your request is stripped of all identifying information and replaced with the information from a GoogleSharing identity.

This "GoogleShared" request is then forwarded on to Google, and the response is proxied back to you. Your next request will get a different identity, and the one you were using before will be assigned to someone else. By "sharing" these identities, all of our traffic gets mixed together and is very difficult to analyze.

Marlinspike said the GoogleSharing proxy even constantly injects false but plausible search requests through all the identities.

The result is that you can transparently use Google search, images, maps, products, news, etc... without Google being able to track you by IP address, Cookie, or any other identifying HTTP headers. And only your Google traffic is redirected. Everything else from your browser goes directly to its destination.
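A minimal simulation of the flow described above, added here as an illustration and not code from GoogleSharing or from the article. The list of identifying headers, the identity values and the round-robin rotation are assumptions made for the example.

```python
import random
from collections import deque

# Constructed sample values: identity cookies, User-Agents and the header
# list are assumptions for illustration, not taken from GoogleSharing.
IDENTIFYING = {"cookie", "user-agent", "referer", "x-forwarded-for", "authorization"}
EXCLUDED_HOSTS = {"mail.google.com"}  # login services such as Gmail stay direct


def should_redirect(host):
    """Add-on side: only Google traffic not tied to a login goes to the proxy."""
    host = host.lower().rstrip(".")
    is_google = host == "google.com" or host.endswith(".google.com")
    return is_google and host not in EXCLUDED_HOSTS


class IdentityPool:
    """Proxy side: a pool of (cookie, User-Agent) identities shared by all users."""

    def __init__(self, identities, seed=None):
        ids = list(identities)
        random.Random(seed).shuffle(ids)
        self._free = deque(ids)

    def rewrite(self, headers):
        """Strip identifying headers and substitute the next pooled identity.

        The identity goes to the back of the queue, so the same client's
        next request gets a different one and this one moves to someone else.
        """
        identity = self._free.popleft()
        self._free.append(identity)
        clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING}
        clean["Cookie"] = identity["cookie"]
        clean["User-Agent"] = identity["user_agent"]
        return clean


def demo():
    pool = IdentityPool(
        [{"cookie": f"PREF=ID=constructed{i}", "user_agent": f"ExampleBrowser/{i}.0"}
         for i in range(3)],
        seed=1,
    )
    alice = {"Host": "www.google.com", "Cookie": "PREF=ID=alice-real",
             "User-Agent": "Firefox/3.6", "Accept": "text/html"}
    first, second = pool.rewrite(alice), pool.rewrite(alice)
    return first, second
```

The simulation covers only the header rewriting and identity rotation; hiding the client IP address follows from the request reaching Google from the proxy rather than from the browser.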

Marlinspike is also building a privacy tool to secure voice calls and SMS messages on mobile phones. That tool, called Whisper Systems, will offer secure dialing via Phil Zimmermann's ZRTP protocol and an Off-The-Record derived system to secure the privacy of text messages.

The mobile tools, which are being built for Android, will be available in a few weeks from Marlinspike's ThoughtCrime.org website.

  • Say no more..

    The one and only, Cylon Centurion
    • RE: 'Google even knows what you're thinking'

      @Cylon Centurion I also think Google uses our privacy data free and give not enough exchange! I'll also install it.
  • RE: 'Google even knows what you're thinking'

    Great Article! As a social media marketer I use the google tools to find, target, attract and sell to google users. This GoogleSharing tool is great for personal privacy and will most likely be a great tool for myself. The only worries I have is in the coming months, years. If your GoogleSharing takes hold or inspires other competent tools that the masses start to use, my job then becomes even more "FUN" aka difficult.

    Good write up!

    Gordon Green
    Weboptium LLC
  • It will be interesting to see what said....

    ...when all of a sudden things seem to not be tailored to
    you on the web anymore.

    • Tailored, how?

      Of course I don't live and breathe Google Services except for search.
  • Nice

    I like it.
  • So wait a minute....

    To keep from sending your info to Google you send it to
    another entity that you don't know much about that could
    very well collect and use the data themselves? And not
    only that they give the proxy away so others can fool you
    into doing the same thing and collect your data as well?
    Brilliant idea....smh
    • Exactly

      My first thought.

      Maybe we need the add-on to create a steady stream of fake requests to Google based on random text from pages linked from pages linked from pages you visit.

      While they will still know your IP address it won't be worth squat.

      Also, don't use only Gmail.
    • storm14k, I agree with you on this.

      What is the guarantee that the proxy is not collecting our data?
      Ram U
  • RE: 'Google even knows what you're thinking'

    Of course, Google doesn't know what we are thinking. They know what someone - or something - has typed at a keyboard. But they don't know much of anything in context, unless you have written everything you think into a google doc or email, etc. They don't know the names of all your friends - unless you have meticulously entered every single person you consider a friend into your gmail contacts list. And so forth.

    Of course, the more that you use google applications as the single source of all info about you, the more of that information they do have.

    So create several email accounts, on different services, and silo your usage so that all info about, say, your kids is handled through email service A, while anything relating to work is handled through behind a company firewall, and anything relating to your sweater knitting hobby is handled through service c.

    Make certain that you sign out of your accounts, and delete your cookies at the end of a session, and that's provided at least a bit of isolation for you.

    Of course if you think that is more trouble than privacy is worth to you, then just keep everything in one place. That's just like keeping everything important in your home... as long as there's no flood/fire/earthquake/other natural disaster, you feel relatively safe. If however your home is robbed, and some of your stuff is stolen, then you begin to think about storing it in safe deposit boxes, storage units, etc. ...
  • RE: 'Google even knows what you're thinking'

    Why do I get the strange feeling there's an underlying tone of hysteria in Marlinspike's pronouncements? I doubt if Google - or anyone else, for that matter - can honestly say they know what I'm thinking. They can certainly make informed inferences, but to _know_? And furthermore, just because I may search on certain terms is not necessarily a measure of _why_ I was searching on those terms.

    Given all that Google, Microsoft, and other data and information gathering instrumentalities know about my online behavior, I still don't think they really know everything there is to know about me. I'm not buying this paranoia.
  • Well, I actually thought TIA was a great idea . . .

    I'm not joking.

    All the data that was to be collected was neither privileged nor the result of monitoring activities in which the person being monitored had the legally described -- and restricted -- "expectation of privacy."

    There are a lot of "civil libertarians" who prefer their own interpretation of the Constitution and its amendments to their true meanings. For example, "freedom of association" means just that; you are free to associate. It does not mean that you are entitled to keep that association secret. If I (or a government agency) want to roam through the parking lot adjacent to a KKK meeting hall and take down license plates, that does not violate your right; you have no expectation of privacy when you parked in a publicly visible location.

    I could go on, but you get my drift.
    • you could go on, but...

      since your example, and any others you can develop are based on the idea that electronic communication is de facto done in a public space, there's not much point.
      4 years ago someone attempted to send me an email, but misspelled the domain name. it ended up in my gmail account. at that point i began to notice the degree to which goog keeps track of internet users: as much as it does internet content.
      btw, before holding yourself out as black's law dictionary or equivalent, you may wish to review:
      the constitution doesn't create freedom of association, it is premised on it.
  • As we have to log in just to reply to this post!

    It's true that Google holds a lot of information
    on us but who would you trust with that info in
    the cloud. Twitter whose every tweet is
    recorded in our national archives? Facebook,
    who is subject to viruses, spam or worse.

    At least I know Google tries to safeguard my
    stuff. They try to hold governments accountable
    for invasions of privacy (within the law). They
    don't sell my info to other companies that
    would likely misuse it. They stand up to China.

    And to be honest, what do they do with that
    info? They make EVERYTHING more relevant to
    your personal interests. Very useful! As far as
    I see it, Google has as much interest in
    safeguarding my info as I do. They mess up
    once...and all their business would be gone in
    seconds. Look at Buzz and the stir that
    created. That was just their most used
    contacts...imagine if that had been something
    more. I think they learned that lesson, don't
    • Sucker...nt

  • Might as well add this page'

  • RE: 'Google even knows what you're thinking'

    It seems Jeffrey Goines was referring to Google when he spoke these memorable words

    "Here's my theory on that. While I was institutionalized, my brain was studied exhaustively in the guise of mental health. I was interrogated, x-rayed, studied thoroughly. Then, everything about me was entered into a computer where they created a model of my mind
    Then, using the computer model, they generated every thought I could possibly have in the next, say ten years, which they then filtered through a probability matrix to determine everything I was going to do in that period.
    So you see, she knew I was going to lead the Army of the Twelve Monkeys into the pages of history before it ever even occurred to me. She knows everything I'm ever going to do before I know it myself. How about that?"
  • Give your data to an even less trustful organization

    Why should anybody trust the "Anonymizer" proxy? It could as well collect the data and use it for something bad. Once they "own" your Google identity, what's preventing them from doing exactly what they accuse Google of doing.
  • Uh . . maybe the Googlesharing add-on is a trojan?

  • RE: 'Google even knows what you're thinking'

    The G in google stands for Governmental systems... If for any reason you do not think that the MAJOR ISPS and CONTENT PROVIDERS are not in bed with Homeland Security... Check your birth certificate... If you really do know your own name then stop thinking they don't. As I comply with the email and password required to send this message... know that this too is part of the problem/pleasure/process/pretense/program.... It is therefore we must. We can attempt to obfuscate the monitoring but like was earlier stated... the only way to get close to out is to OPT OUT Completely... but that only puts you into a different bag for sorting and sizing.