Google: An Escape Plan – Part I – Bones Beneath the Chromatic Garden

tumblr_ng00oaxf0k1rqbl96o1_1280

It preaches “don’t be evil” and updates its search engine page with a cute holiday-relevant animation on occasion. Google practically oozes its quirkiness with a range of promises including tons of different “free” services, but let’s be honest, we all know nothing is really free (not digitally, at least). I sometimes catch flak for my distaste for Google and its services, but it’s only because I’m honestly tired of feeling trapped in their almost omnipotent snare. Everywhere you turn, with every digital service you use, they seem to be so closely affiliated.. that is, if they don’t already own whatever you might be using. It’s almost as if you don’t even have a choice as to whether you want to use Google’s services or not anymore; outside of unplugging from the internet completely. When you begin to do some research on the company, this all starts to sink in.

For example, if you look through the Wikipedia entry for ‘List of Mergers and acquisitions by Google‘, you will see a listed table than runs 181 rows long. If you’re reading this post even a few weeks or so after the date it was published, it is sure to be longer. Among these acquisitions is the popular aggregate-focused antivirus tool VirusTotal, multiple facial recognition programs, home monitoring and home automation companies, and even the popular robotics company Boston Dynamics. Now, of course I’m not worried about Google sending out sentient robots to my house, but I am worried that one company (that collects a whole lot of my information, which I consider pretty personal) has so many outlets at their disposal. Having a Google account, so many of the different internet services I use every day are all connected into one company. Gmail, YouTube, Google Music, and the list goes on. Vacuuming up as much user data as they can. Remember, Google is the self-proclaimed world’s largest advertising and search monetization program.

~

Beyond the fact of how much Google owns, there are several factors of what exactly they are doing with their products which stand as irksome to me.

There is, for example, the matter of Google striving to give off a posture of openness – in terms of software and APIs. This is often less true than false. Take for instance Google’s Android OS. As Ron Armadeo of Ars Technica put it, things on Android have become “look but don’t touch”:

When Android had no market share, Google was comfortable keeping just these apps and building the rest of Android as an open source project. Since Android has become a mobile powerhouse though, Google has decided it needs more control over the public source code. For some of these apps, there might still be an AOSP [Android Open Source Project] equivalent, but as soon as the proprietary version was launched, all work on the AOSP version was stopped. Less open source code means more work for Google’s competitors. While you can’t kill an open source app, you can turn it into abandonware by moving all continuing development to a closed source model. Just about any time Google rebrands an app or releases a new piece of Android onto the Play Store, it’s a sign that the source has been closed and the AOSP version is dead.

It’s true, as Android has soaked in a relevant share of the mobile OS market, the demise of once-open-source applications on Android – the Music, Calendar, Photo gallery, and several other applications has occurred as well.

There are also the broken promises or lapses in expectations from the company in terms of privacy/security-conscious OS implementations. Take for instance, the recent backpedaling on encryption-by-default settings being prepared for the next Android version update:

..despite all those promises, Google hadn’t updated its Android Compatibility Definition document for Lollipop, which lists rules for its hardware partners, to include a stipulation for encryption. It stated the following: “If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data… as well as the SD card partition if it is a permanent, non-removable part of the device… For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”

And there you have it. Though it looks to be laying down the law at first, Google simply recommends partners add encryption by default, though they must support it (this is no different from previous Android iterations, though). It seems Google pushed the button too early, at least for some manufacturers worried about the performance impact on phones that can’t handle the extra data load.

Here is the update on the change in plans from Google‘s official Android Blog:

Update: In September, we announced that all new Android Lollipop devices would be encrypted by default. Due to performance issues on some Android partner devices, we are not yet at encryption by default on every new Lollipop device. That said, our new Nexus devices are encrypted by default and Android users (Jelly Bean and above) have the option to encrypt the data on their device in Settings —> Security —> Encryption. We remain firmly committed to encryption because it helps keep users safe and secure on the web.

Encryption is a crucial piece of security for what’s basically a handheld computer you carry around with you each and every day, and while in the height of legal strain on the idea of “crypto for everyone” this may have been a “too idealistic” pitch for Google HQ, this doesn’t seem to resonate in the official statement from the company. The fact that the ability for encryption remains an option for users makes this a sort of small quibble, but is it really too much to ask for a company that stores and transfers so much user data to have such security implemented out-of-the-box? Even Apple uses fairly robust system encryption in iOS8 all by default, which even includes a type of public-key cryptography scheme with their popular iMessage service.

~

In a more human aspect, Google pulls some serious bureaucratic strings. According to the Center for Responsive Politics, Google was the ninth highest spender in political lobbying through 2014. It’s remained in the Top 20 of this list for the last three years.

Top Spenders in Political Lobbying - 2014 (Center for Responsive Politics)

Top Spenders in Political Lobbying – 2014 (Center for Responsive Politics)

But just in case you’re not as firm a believer as I am in the “money talks” principle that suits our political system, we can take a look at the particulars of the company’s stake in the situation:

A Revolving Door, Indeed.

A Revolving Door, Indeed.

Yes, that charts clearly spells it out: ~82% of the time a Google lobbyist has previously held a government job. You can further investigate each of the individual Google lobbyists yourself, if you’re still not convinced of its presence.

This leads me to the largest issue I personally have with Google – the realm of user privacy. Regardless of several several higher-ups claiming that Google will stand against mass surveillance, there are several very blatant actions Google has taken to do just the opposite. Yes, Google had filed a First Amendment lawsuit against the NSA shortly after the Snowden leaks began to reveal the extent of the agency’s capabilities under their PRISM program, and sure, they fight against the secrecy behind National Security Letters as well, but it would be wise not to start cheering here. Again, Google’s priority is expanding their assets and mining as much user data/metrics as possible for businesses and agencies they have relationships with (basically every business and marketing agency with an internet connection). If they build it, who will come?

When most people think of mass digital surveillance, several three-letter agencies come to mind. But the fact is major corporations – especially ones that process well over 20 petabytes of user data per day – are generally overlooked in this aspect. These are the companies that we are supposed to trust day in and day out to keep us safe as we use their services through our various personal devices. Scraping the bounds of user information they do, they are leaving critical pieces of our devices open as ripe targets for people striving to scrape the same information for their own benefit and other malicious means.

Google both uses personally and lets their advertising/marketing clients use their browser cookie technology to monitor the way users interact with their websites. It does this by injecting a cookie into the user’s browser as they travel along the way, which communicates back to Google’s servers, and to an advertising account/dashboard the client has control of as well. This is what the information from a DoubleClick (Google-owned) cookie looks like:

time: 01/Aug/2015 9:01:45
ad_placement_id: 105
ad_id: 1003
userid: 0000000000000001
client_ip: 209.85.128.1
referral_url: http://www.facebook.com/Google

This includes the site you visited, when you visited this site, the IP address you visited this site from, and the unique cookie generated and “fed” to your browser during this visit. Most of the time, these DoubleClick cookies are deployed over HTTP – an unencrypted protocol, thus making them susceptible to hijacking. The way Doubleclick’s advertising scheme functions has also left a door open for several attacks attempting to spread malware through webpages running the advertising service as a redirect. Even besides these instances, the idea of harnessing that amount of data on users should at least make you think about the repercussions involved. We are talking about a cookie that usually lasts a minimum of 30 days and keeps track of any other sites you’ve visited besides the original one, as long as they are running the DoubleClick from their page as well (and as long as they are not deleted locally from the browser *cough*). According to a digital advertising buying guide printed in 2011, the use of tracking by means of DoubleClick is extremely widespread. Here are some details from the “Who We Are” section, presumably written up by an employee working at Google:

Buyers have access to a vast, global pool of inventory to reach their audiences with the frequency they want across more than 2 million sites. Google reaches 80 percent of Internet users worldwide, serving hundreds of billions of impressions to more than 500 million users each month, in 100 different countries and 20 languages. This massive inventory pool is uniform across DoubleClick Ad Exchange and the Google Display Network, and is readily accessible to Invite Media clients.

Our clients can reach hundreds of millions of users classified into demographics and interests..

While this does benefit businesses to understand user behavior involved with their products, it seems more and more like the user is becoming the product. Having been in a digital marketing environment before, it has become clear to me that Google and its clients want, more than anything, a particular wealth of information more than anything else – a full layout of each individual user and their browsing behavior. The company has been recently striving to find ways to tie an individuals devices together, so that actions such as web searches and page views can be all rounded up under a unique user profile – regardless of which device you’ve used, which network you were connected to, and regardless of if you were even logged into your Google account while you made them.

While Google does probably have some keen internal checks and balances involved to try and protect user information, their Privacy Policy is vague at best. This strikes up yet another concern involved, one regarding the Privacy Policies and End User Licenses agreements (see details on the complexity/criticism surrounding Google’s EULA’s in this post) you’ll be (probably blindly) agreeing to before using Google’s services. Well, that is most of the time you’ll be agreeing to them before you use the product, unless you are using something like their commuting route optimization tool Waze, which won’t let you view its Privacy Policy until after you’ve agreed to let it utilize your location on your phone.

~

While I think that at this point its pretty plain to see that my thoughts towards Google as a company and all-around entity on the internet are not fond ones, that’s not to say that I don’t appreciate certain things they’ve been involved with. For one, I think their coveted team known as Project Zero has done a fantastic job at digging into vulnerabilities, bugs, and things that are way over my head. I also think that Google has brought an idea of convenience in their product that has changed the way developers of tech tools approach making things “user-friendly”. But with this convenience, Google has managed to convince users opening an account with them to tie seemingly every asset they use to the company. Your email, your internet searches, your wallet, your locations, your frequent routes, the music you listen to, your spreadsheets, your photographs, your home thermometer, your.. well, you get the point. And what happens when your Google account gets hacked? What about when Google decides to change their mind and start selling your data to the highest bidder? Believe me, data gets retained, and its not like the entrails of your Google account will just vanish into thin air upon closing it.

Compartmentalization is a big deal in terms of privacy and personal data security in this day and age. It’s a very scary idea to me that all of these are tied together per a single user account in the name of “convenience”, all created by one of the world’s largest corporations. Take it from Moxie Marlinspike, an expert in the field of privacy and digital security: Google is something regime intelligence agencies could only dream of having within their grasps:

A transcription of the embedded video, starting from 12:10:

Slide reads: “Develop the technology to easily mine the massive amoiunt of data you collect – that’s Google’s jam!”

..

“Now, clearly, their [Google’s] intent is different; they’re not John Poindexter, they’re trying to sell advertising. But make no mistake about it, they are in the surveillance business. That’s how they make money: they surveille people and use that to profit, and so the effect is the same.

So there’s this quote, ‘who knows more about the citizens in their own country: Kim Jong Il, or Google?’

Now I think its Google,.. it’s pretty clearly Google.

So once again, there’s this question, why are people so concerned about the surveillance practices of the John Poindexters of the world, and not as concerned about things like Google?

Again, I think it comes back to this question of choice; you choose to use Google, and you don’t choose to be surveilled by John Poindexter or Kim Jong-Il, but once again I think the scope of this choice is expanding, and it’s going to become harder and harder to make that choice, until its a choice of participating in society or not.

I mean, already, if you were to say “I don’t want to participate in Google’s data collection., so I’m not going to email anybody who has a Gmail address.” …that’s probably pretty hard to do. I mean, you would in some sense be removed form the social narrative – you would be cut out from part of the conversation that’s happening that’s essential to the way society works today.”

Looking back on this talk, it seems things have only become more polarized towards a Google-glazed internet. So what’s a user to do about it? In this series of posts, I intend to find out if Moxie Marlinspike’s predictions from that Defcon18 talk ring as true as they seem they might. I’m going to attempt to ditch Google. I mean this in its the purest way possible – an attempt to completely sever myself from anything Google related. In this trilogy of posts, I will explore the scenario as follows:

Part One: What are the reasons I want to get rid of Google? What makes them worth straying away from? (This is the post you’ve just read/skimmed through)

Part Two: Just how much of Google’s services do I use? What is “ditching Google” going to look like? (an escape plan, if you will)

Part Three: This is where I will make my “escape” and share what happens along the way. I will be documenting alternative services used, practices, and any instances of failure.

How hard is it to use the internet without Google? Will doing so disqualify me from fully “participating with society?” It’s questions that have my mind stirring, questions I intend to answer, and ones that will surely require some stiff drinks along the way.

Advertisements

Leave a comment

Filed under Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s