Hi,
Maybe Google has been doing this for a while, but their recent attempt
to shift everything into one giant user account had me reading privacy
policies again. In their privacy FAQ referred to by the privacy policy
of October 14, 2005 concerning logging, it says:
http://www.google.co.uk/intl/en/privacy_faq.html#serverlogs
<quote>
740674ce2123a969 is the unique cookie ID assigned to this particular
computer the first time it visited Google. (Cookies can be deleted by
users. If the user has deleted the cookie from the computer since the
last time s/he visited Google, then it will be the unique cookie ID
assigned to the user the next time s/he visits Google from that
particular computer).
</quote>
Adopting the stance of the super-paranoid for a moment, I am concerned
about its use of the phrase 'that particular computer'.
How are those IDs generated? Do they encode any information beyond that
a normal session ID does?
Does anyone know whether Google tracks the assignment of unique cookie
IDs? Google doesn't have to do it explicitly, it seems to me. See below.
Even if Google themselves don't, it looks like they can pass that
information on ('legally', under the terms of their policy) to those
'authorised' to view it.
Their logging information looks like this:
"123.45.67.89 - 25/Mar/2003 10:15:32 -
http://www.google.com/search?q=cars - Firefox 1.0.7; Windows NT 5.1 -
740674ce2123e969"
Let's assume that you don't delete the cookies, then over time Google
can build up a profile of NAT assignments for your network, and can
correlate an ID with a usage profile.
Can Google, or some user of its information, deduce anything useful from
the loss of a cookie ID under a given network?
I.e. when '740674ce2123e969' goes missing, is its loss from under a
network tracked? It looks like Google doesn't have to do it explicitly.
If it is the only cookie of a set that goes missing, then an analyst can
still track the particular machine. Assume that produces errors in
tracking now and again so that certainty of identification is lost
short-term, I'm guessing that aggregating the data over time would still
allow _significant_ correlations to be made between specific machines
and usage patterns.
Now tie that to GMail and Orkut. They both use the same privacy policy.
Should we (Joe/Jane Public) be concerned?
--
Peter
--
This message is archived at:
http://collab.blueoxen.net/forums/cgi-bin/mesg.cgi?a=yak&i=437B1C6A.10502@concept67.net
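
The correlation the message speculates about, as an added example that is not part of the original post or of any Google code: it parses entries in the quoted log format and shows that a fresh cookie ID can be tied to the one it replaced when the IP address and browser string stay the same. The function names and all sample lines are constructed for illustration; only the first cookie ID and the field layout come from the message.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the log format quoted in the FAQ; values are made up.
SAMPLE_LOG = """\
123.45.67.89 - 25/Mar/2003 10:15:32 - http://www.google.com/search?q=cars - Firefox 1.0.7; Windows NT 5.1 - 740674ce2123e969
123.45.67.89 - 25/Mar/2003 10:20:01 - http://www.google.com/search?q=maps - MSIE 6.0; Windows NT 5.1 - 11aa22bb33cc44dd
123.45.67.89 - 26/Mar/2003 09:02:10 - http://www.google.com/search?q=tyres - Firefox 1.0.7; Windows NT 5.1 - 740674ce2123e969
123.45.67.89 - 27/Mar/2003 08:45:00 - http://www.google.com/search?q=garages - Firefox 1.0.7; Windows NT 5.1 - 9f8e7d6c5b4a3921
123.45.67.89 - 27/Mar/2003 11:30:00 - http://www.google.com/search?q=news - MSIE 6.0; Windows NT 5.1 - 11aa22bb33cc44dd
"""

def parse_line(line):
    """Split one ' - ' separated entry into (ip, time, url, user_agent, cookie_id)."""
    ip, stamp, url, agent, cookie = line.strip().split(" - ")
    return ip, datetime.strptime(stamp, "%d/%b/%Y %H:%M:%S"), url, agent, cookie

def link_replaced_cookies(log_text):
    """Return (old_id, new_id) pairs where a new ID first appears after exactly one
    other ID with the same IP and user agent has gone silent for good."""
    seen = defaultdict(dict)  # (ip, agent) -> {cookie: [first_seen, last_seen]}
    for line in filter(str.strip, log_text.splitlines()):
        ip, when, _url, agent, cookie = parse_line(line)
        span = seen[(ip, agent)].setdefault(cookie, [when, when])
        span[0], span[1] = min(span[0], when), max(span[1], when)
    links = []
    for spans in seen.values():
        replaced = set()  # old IDs already matched to a successor
        for new_id, (first, _last) in sorted(spans.items(), key=lambda kv: kv[1][0]):
            retired = [c for c, (_f, last) in spans.items()
                       if c not in replaced and last < first]
            if len(retired) == 1:  # several candidates: the link is ambiguous, skip it
                links.append((retired[0], new_id))
                replaced.add(retired[0])
    return links

if __name__ == "__main__":
    print(link_replaced_cookies(SAMPLE_LOG))
```

When two IDs behind the same address and browser string go quiet before the new one appears, the function reports nothing, which is the short-term loss of certainty the message mentions.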