77 comments

[ 4.5 ms ] story [ 179 ms ] thread
Cool, but to me it's a liability, not an asset.

Appreciate the feature but I don't want Google to have anything to do with my searches, password-protected or otherwise.

> Appreciate the feature but I don't want Google to have anything to do with my searches, password-protected or otherwise.

That's actually very easy to fix, don't use Google for your searches.

Otherwise, obviously, the property you're using to do X with, will be able to see that you're doing X, otherwise it wouldn't work in the first place.

Not sure what you're arguing for/against here really.

Good news:

Under "Activity controls," click Manage your activity controls. Turn off the activity you don’t want to save.

https://support.google.com/accounts/answer/7028918

Proven is explicitly saying "I don't want Google to have anything to do with my searches", which your "fix" won't actually achieve. Google will still receive the search query and most likely store the terms you used together with more metadata. Only thing that toggle does is disassociate it from your user.
s/disassociate/hide/

fixed that for you

Then what's your point? Just don't use Google or turn search history off.
This xkcd is apt: https://xkcd.com/463/
I was thinking the same, like why weren't they checking it was actually me before this.
This is for devices already logged in. So if your phone is unlocked or your browser open.
If you are logged in on a device, then somoene can see all your emails. Is the history of all your searches more sensitive than your emails? Perhaps, but it's not 100% obvious where to draw the line. The main determinant is probably that people check their history legitimately so rarely that re-auth is a small burden.
What is wrong with this? Someone who has access to your computer can already do ctrl+H on your computer. Google just added extra verification for myactivity.
A lot of people actually clean their history every now and then.
And Google provides auto-deletion of search history.
Let's call it "auto-disassociation" instead as they surely aren't deleting the search history everywhere, they are simply removing the association between your account and the search history.
"We then begin a process designed to safely and completely delete the data from our storage systems."

https://support.google.com/accounts/answer/465

Disclosure: I work for Google

I'm 99% sure that's misleading, as not 100% of "my" data gets deleted. For example, you surely have analytics around what search terms are being used (for Google Trends but probably even more granular data in-house), so when I search for something and then delete my account via that process, do you roll back the metrics on those search terms I used?

What about all the anonymized data, it's surely not removed either, because you don't even have a link to the original author of that data anymore.

I think we both know that Google doesn't actually delete the search history (as how could Google Trends work then?), but instead they make sure the history is not associated to any user anymore. Which is disassociation rather than deletion.

We're being wordy technical so I'll join.

I think it's correct to call this a deletion. Assuming the anonymization happened correctly (for this argument, let's say it did).

Namely, I disagree that the anonymized constitutes "your data" now and it was disassociated at the time of inclusion of the "pool". You may have generated it, but there's no way of knowing that you or anyone else generated that data. There's literally no way to show proof of claim for that dataset - otherwise it not anonymous.

Because of that, I think Google can claim they are deleting your data accurately while still maintaining usage analytics.

So never ever search your own name or anything that could personally be used to identify you is the lesson I guess.
I think it's fair to make a distinction between "deleting data" and "erasing the past".
abraham. What about search log data? Based on the search log data you could easily map back my searches to my account (IP address and search query). Is the log data also deleted?
I have a feeling that in the near future, newborns will receive an id card and a password form to secure their data
At birth, it will be common to post a “hello world, here’s my public key” as a Bitcoin blockchain message. In the long run, may be the cheapest way to have it be archived.
Personally I wasn't capable of posting such a message until quite a few years after my birth.
Oh, so you're one of "those people." My wife and I knew a couple who chose to natural birth their child. Needless to say, they are besides themselves with grief. Maybe you're different. Best of luck. /s

https://en.wikipedia.org/wiki/Gattaca

(comment deleted)
This (well something like it) is a major plot point in Neal Stephenson's newest book Fall, Or Dodge In Hell.
I couldn't get through the second half of that book. Do you recommend finishing it?
I recommend it, although it’s basically a quest/fantasy book at that point.

If you ever wondered what the deal with Enoch Root is, this book explains it. Quite well too, I think.

Also his idea of a purdah as an identifier is something I think society will eventually need to come up with to address what happens with new states of identity.

More likely it'll be on Ethereum, not Bitcoin.
More likely it will be on neither, but if I had to do one, I’d choose bitcoin.

Although, comically I wasn’t willing to spend a few cents back when it was a few cents and certainly not willing to spend $15 now.

Don't even propose this idea.
That is already true today in Portuguese ID cards, secured with a chip.
Some UK passports also have a chip. [0]

I think they just hold the same information as is written in the passport, in which case it does little but to avoid the need to use OCR for entering passport data into a computer system. (Well, ignoring that bad actors might find a way to read your passport's data at a distance.)

[0] https://www.gov.uk/government/publications/biometric-passpor...

Why a password ? Passwords are terrible.

What you'd ideally want is a source of cryptographically strong random numbers and some storage.

If storage is cheap, you should have lots of storage, and then you can mint as many keys (including persistent public identity keys) as you like, indexed by context. This is preferable.

If storage is very expensive you can't afford to do that, you should mint one long-term symmetric key, never given to anybody, and then do the same trick that's inside cheap FIDO devices to mint key pairs, then encrypt the private half with the symmetric key and context, so that you can give both halves to relying parties. If played back in the correct context you can decrypt your private key again. You incur considerable practical inconveniences but you do keep key privacy and security guarantees from the above approach.

Today some places will issue you with a single long term identity key bound to your legal identity. Which is useful but (intentionally) lacks privacy guarantees, and, since it's an external device, you can lose it.

The Orphan Yatima (and presumably also the ordinary children conceived in what amounts to the "natural" way for Polis Citizens) in Greg Egan's novel "Diaspora" has public key crypto inside. Once the polis concludes that Yatima has personhood, it seals their cryptographic key management so that nothing anybody else can do (short of destroying the polis physically) can tamper with it. Yatima can prove they are Yatima, if they want, and nobody else can ever impersonate them.

>Why a password ? Passwords are terrible.

Because our culture/society fundamentally lacks the understanding of security that you and I do.

Education needs to adapt for the modern times. Media literacy, CS fundamentals, and a basic understanding of how the Internet works should all be learned well before college. If we don't have a shared cultural understanding about the way we exist relative to technology, I fear we are destined to become enslaved by it.

We already do this with social security numbers (which is a terrible use of social security numbers for obvious reasons).
It doesn't really help if you have auto-fill enabled for your password.

It should do that "no, you need to actually type your password" thing.

> It doesn't really help if you have auto-fill enabled for your password.

If you autofill your passwords via the browser, you probably don't think very much about privacy in the first place and password-protect the history page won't change much.

> It should do that "no, you need to actually type your password" thing.

Yeah, that'd be awesome for us who use password managers and set our passwords to be at least 32 characters long with special characters.

Please developers, never ever disable pasting passwords, it worsens security.

I know that HN doesn't like +1 posts, but soo much this.

Even worse is if you make me type them on a phone[1], I am actively hating you. As in I am actively going to recommend we switch from whatever products you support.

[1] Because you purposefully broke web app so you can drive your app usage.

On Android, I've used KeePassDroid which had an alternate keyboard for its "autofill" support. I never had issues with that.

There's the related behavior where autofill doesn't clear the "something happened" check, so you have to add a character and remove it again to tickle the "missing field" JS checks into recognizing you typed something in.

> If you autofill your passwords via the browser, you probably don't think very much about privacy

What's wrong with auto-filling passwords?

Besides the obvious that anyone in front of your unlocked computer can see and extract your password, those passwords are also stored on disk and can be extracted via different methods. Although if you do use a Master Password to protect those passwords, you're slightly more protected.
All my disks are encrypted and I never leave my unattended computer unlocked. Besides, anyone in front of your unlocked password manager can see and extract your password as well.
Same here, encryption buddies!

But realistically, our setups are not the norm, in any place I've seen at least, from small personal setups to huge enterprises. Most people leave their computers with the defaults, and leave their computers unlocked all the time.

For them to use a dedicated password manager is a step up as password managers are built for security. The password manager built-in in your browser is meant for comfort. Password managers usually hides the passwords, removes them from the clipboard, auto-locks themselves after X minutes and more, while the strongest protection the browser password managers have is a master password.

So yes, probably for you it's fine, because you have other measures. But for most others, especially casual users, they don't have those measures and would be better off with a password manager.

Every place that I've worked has a pretty serious policy that machines need to be locked when you're away from the computer. They also force full disk encryption on all machines and the "defaults" are managed by corporate IT and are often annoyingly strict.

Plus, offices generally have some sort of physical security preventing anyone from just walking through, and with open offices, it's pretty damn obvious when someone is using a computer belonging to another person.

> with open offices, it's pretty damn obvious when someone is using a computer belonging to another person.

Hotdesking to the rescue.

> you probably don't think very much about privacy

This is about security, not privacy. I lock my machine whenever I'm not in front of it, and require password/fingerprint to unlock.

Haha, well, I'd say it's about both :)

And why do you require a password/fingerprint to unlock your machine? Is that not to preserve your privacy or is there some other reason?

> It should do that "no, you need to actually type your password" thing.

That would be a delicious egg-on-face from the Google that pushed the 'aggressively ignore autocomplete=off on password fields' in Chrome because they thought that no real web site should have a reason to disable that.

I use Safari so the autofill of passwords is controlled by Face ID / Touch ID.
Interesting thing I noticed is that Google communicates with their "dark pattern" they rather not have you enable this — the Save button is greyed out and the Cancel button is solid and blue for a change.
The save button is only grayed (disabled) if you haven't changed the value
Just to make sure: this protects you from your co-worker/spouse looking at your search history at your desk/device. The advertisers and corporations can freely purchase your search history from Google. It does not seem like a significant step towards privacy to me.
Do you know the difference between targeting based on data and having the data? I can show you an AD based on ur search I can't buy ur search history and see you looked up hentai.
Maybe I am too cynical, but I think in Google's case, the difference between targeting based on data and having the data will be several extra zeros in their price point.
The only real way google makes money is by selling ADs. The only reason they are sooo good at it, is because of the amount of infomation they have about you and me. If they willy nilly sell that information to entities that directly devalues that data. Now ask your self why would google devalue their core competitive advantage.
Yes and people’s whole careers are built on maintaining that fiction that they’re meaningfully different.

We sent you this ad because we know you like hentai and “we asked Google to look through their data and show ads to hentai watchers” is a distinction without a difference when it’s equally uncomfortable that Google is looking at this information as it would be for Google’s clients.

You know the "we" is google right?! the company provides google an AD and how they want to target it. Then google serves that AD
Yes? The difference between hentaidirect.com buying your data and analyzing it, then buying ad space and serving you an ad based on your search history and hentaidirect.con asking Google to do the same on their behalf is the same to me. In both cases I have an entity who is a stranger looking through my search history to serve me ads.
(comment deleted)
"The advertisers, gov agencies and corporations can freely purchase your search history from Google"

I hope you have some information backing this claim.

(comment deleted)
Why wouldn't I operate under this assumption though?
Well, for one, Google says that they don’t sell user data. And they work with thousands of advertising agencies all over the world, so if it was a lie I’m sure it would have been been revealed in a front page NYT article by now. There are a ton of people who would be in a position to leak that the claim is a lie, and a lot of people very financially interested in learning it’s a lie.

For two, you can look up Google’s history of fighting back against court orders to access customer data. There wouldn’t be much point in that if this data was just “available to advertisers and government agencies”. Except maybe PR, which going back to point one.

For three, Snowden’s leaks revealed that the NSA installed fiber taps in Google datacenters to steal this data, precisely because Google wouldn’t give it to the NSA without a valid warrant. Google has since publicly claimed that they have encrypted all traffic on their internal network.

“Google sells your data!” is an old meme, but a tired one, and not one that stands up to inspection.

We may take as given that advertising agents cannot simply buy the history of your usage, outright.

Does that mean much? Google would not be so foolish as to hand over everything at once, when they could do something else that allows them to sell it, or the use of it, again and again. They doubtless have a hundred ways, each more clever than the last, to sell it again and again. Since they control the whole apparatus, they can make full use of all your history at all times without revealing to advertisers anything that would allow Google to be bypassed next time.

So, Google's pledge is simply that every use of your data will necessarily involve paying Google again. And, anything at all that can help Google uniquely identify you with activity anywhere online certainly is collected into your file, the use of to be dold for what the traffic will bear.

Your ISP has a different set of incentives.

I don’t think this addresses any of the three points, unless you’re interpreting the OP’s “advertisers, gov agencies and corporations can freely purchase your search history from Google” in an entirely non-literal sense that has nothing to do with the literal meaning of the words.

> Your ISP has a different set of incentives.

Indeed, ISPs are known to wholesale sell their user’s traffic history.

Because it is pure speculation and is honestly not backed by any evidence?
I'm unclear how you have a threat model that isn't based on speculation. Unless they are having third party audits that I'm unaware of, I basically have Google's word right now that they are deleting my data. I agree that the evidence suggests that right now, Google does not sell your data, and that they have adequate security. That doesn't mean I trust them when they say they delete my data, or that my data will be safe forever.

I'm not even saying that Google is selling it, I'm just arguing that it makes practical sense to me to have that assumption from a privacy standpoint.

that doesn't help anyone when google just gives away the data or sells it
I have turned off web, location and youtube history in google. No historic data, no password, no creepy ads. Less is more!!
They still collect and save all of that information. It's just not displayed to you ;)
I'd be interested in the amount of truth behind this.

It it established Google keeps "shadow" behavioral data that isn't accessible to users?

I'm sure they have some in other systems to some degree (i.e logging).

I just did a takeout for my location history (which I keep off) and it was empty.

(comment deleted)
Do you have any evidence besides "well it's technically possible, and they might be violating GDPR and lying in their product documentation"?
It's interesting to see this change because in the last Google Chrome team refused to password protect the passwords database because they believed physical access was Game Over anyway.

But this change isn't much different from the other sensitive pages that demand re-authentication.