Login  |  Register  |  Contact

YouTube, Viacom, And Why You Should Fear Google More Than The Government

Reading Wired this morning (and a bunch of other blogs), I learned that a judge ordered Google/YouTube to turn over ALL records of who watched what on YouTube. To Viacom of all organizations, as part of their lawsuit against Google for hosting copyrighted content. The data transfered over includes IP address and what was watched.

Gee, think that might leak at some point? Ever watch YouTube porn from an IP address that can be tied to you? No porn? How about singing cats? Yeah, I thought so you sick bastard.

But wait, what are the odds of tracing an IP address back to an individual? Really damn high if you use any other Google service that requires a login, since they basically never delete data. Even old emails can tie you back to an IP, never mind a plethora of other services. Ever comment on a blog?

The government has a plethora of mechanisms to track our activity, but even with recent degradations in their limits for online monitoring, we still have a heck of a lot of rights and laws protecting us. Even the recent warrantless wiretapping issue doesn't let a government agency monitor totally domestic conversations without court approval.

But Google? (And other services). There's no restriction on what they can track (short of reading emails, or listening in on VoIP calls). They keep more damn information on you than the government has the infrastructure to support. Searches, videos you've watched, emails, sites you visit, calendar entries, and more. Per their privacy policies some of this is deleted over time, but even if you put in a request to purge your data it doesn't extend to tape archives. It's all there, waiting to be mined. Feedburner, Google Analytics. You name it.

Essentially none of this information is protected by law. Google can change their privacy policies at any time, or sell the content to anyone else.

Think it's secure? Not really- I heard of multiple XSS 0days on Google services this week. I've seen some of their email responses to security researchers; needless to say, they really need a CSO.

I'm picking on Google here, but most online services collect all sorts of information, including Securosis. In some cases, it's hard not to collect it. For example, all comments on this blog come with an IP address. The problem isn't just that we collect all sorts of information, but that we have a capacity to correlate it that's never been seen before.

Our laws aren't even close to addressing these privacy issues.

On that note, I'm disabling Google Analytics for the site (I still have server logs, but at least I have more control over those). I'd drop Feedburner, but that's a much more invasive process right now that would screw up the site badly.

Glad I have fairly tame online habits, although I highly suspect my niece has watched more than a few singing cat videos on my laptop. It was her, I swear!

—Rich

Posted at Thursday 3rd July 2008 1:57 am Filed under: googlelawsuitnon-geekyoutube

Previous entry: Defining (Blog) Content Theft | | Next entry: The Mozilla Metrics Project

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Zach  on  07/02  at  09:54 PM

This story has made me nauseous (and I may have even thrown up in my mouth a little). There isn’‘t much left for Viacom to do in the way of "generally pissing people off" with their tactics.

Whenever *any* privacy related issue like this rolls around, I’‘m reminded of a quote from Tom Sizemore’s character, Max, in the film "Strange Days":

"The issue isn’‘t whether you’‘re paranoid…the issue is whether you’‘re paranoid enough."

By Scott Wright  on  07/03  at  07:55 PM

At the risk of incrementally adding to the incriminating evidence Google has against me, it would be good to hear if you think Google will also get into the "Behavioral Targeting" game (if they aren’‘t already). I posted yesterday on my blog about the kind of deal Charter Communications just deferred with NebuAd, due to congressional pressures. But a bunch of BT marketers are already installing devices at ISP facilities in the UK to "anonymously profile all unencrypted traffic".

http://securityviews.com/blog/2008/07/03/privacy-alert-isps-putting-ad-service-boxes-in-the-clickstream-is-bad/

Can Google be far from buying one of these guys? Kind of makes them a "one-stop-shop" for the authorities looking for evidence. The only obstacle seems to be in the sheer quantity of information they’‘ll have to sift through. But that doesn’‘t seem to be much of a barrier, with everything so neatly profiled and indexed.

By Arthur  on  07/06  at  07:47 PM

<i>Think it’s secure? Not really- I heard of multiple XSS 0days on Google services this week. I’ve seen some of their email responses to security researchers; needless to say, they really need a CSO.</i>

So true, they just don’‘t seem interested in the least bit…

By rmogull  on  07/06  at  09:11 PM

@christian I don’‘t recommend them for anything sensitive. Throwaway content only. Also depends a bit on the service- I use Postini, but on my own email domain.

I don’‘t even use Google calendar, even though it would solve some problems I currently struggle with.

By Christian  on  07/07  at  04:28 AM

@rmogull that’s sort of what I thought you’‘d say.

Surprised you don’‘t use Gcal, even though I only use it for personal/non-sensitive stuff, I find the SMS notification feature really useful.

By secure commerce  on  07/08  at  06:06 PM

And these are the same people who also want to keep your personal medical records?

Given the posts above, you have to just shake your head and wonder.

By Individual Privacy vs. Business Drivers | securosi  on  07/21  at  05:49 AM

[...] posted a blog entry on “YouTube, Viacom, And Why You Should Fear Google More Than The Government” on this topic as well. Technically I disagree with Rich in one regard, that being to have a degree [...]

By n0where.org » Blog Archive » Can’  on  01/05  at  02:06 AM

[...] recent post by Rich Mogull got me thinking about just how much I’ve come to depend on Google — and how scary it [...]

Page 1 of 1 pages

Name:

Email:

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: