Proven is explicitly saying "I don't want Google to have anything to do with my searches", which your "fix" won't actually achieve. Google will still receive the search query and most likely store the terms you used together with more metadata. Only thing that toggle does is disassociate it from your user.
If you are logged in on a device, then somoene can see all your emails. Is the history of all your searches more sensitive than your emails? Perhaps, but it's not 100% obvious where to draw the line. The main determinant is probably that people check their history legitimately so rarely that re-auth is a small burden.
What is wrong with this? Someone who has access to your computer can already do ctrl+H on your computer. Google just added extra verification for myactivity.
Let's call it "auto-disassociation" instead as they surely aren't deleting the search history everywhere, they are simply removing the association between your account and the search history.
I'm 99% sure that's misleading, as not 100% of "my" data gets deleted. For example, you surely have analytics around what search terms are being used (for Google Trends but probably even more granular data in-house), so when I search for something and then delete my account via that process, do you roll back the metrics on those search terms I used?
What about all the anonymized data, it's surely not removed either, because you don't even have a link to the original author of that data anymore.
I think we both know that Google doesn't actually delete the search history (as how could Google Trends work then?), but instead they make sure the history is not associated to any user anymore. Which is disassociation rather than deletion.
I think it's correct to call this a deletion. Assuming the anonymization happened correctly (for this argument, let's say it did).
Namely, I disagree that the anonymized constitutes "your data" now and it was disassociated at the time of inclusion of the "pool". You may have generated it, but there's no way of knowing that you or anyone else generated that data. There's literally no way to show proof of claim for that dataset - otherwise it not anonymous.
Because of that, I think Google can claim they are deleting your data accurately while still maintaining usage analytics.
abraham. What about search log data? Based on the search log data you could easily map back my searches to my account (IP address and search query). Is the log data also deleted?
At birth, it will be common to post a “hello world, here’s my public key” as a Bitcoin blockchain message. In the long run, may be the cheapest way to have it be archived.
Oh, so you're one of "those people." My wife and I knew a couple who chose to natural birth their child. Needless to say, they are besides themselves with grief. Maybe you're different. Best of luck. /s
I recommend it, although it’s basically a quest/fantasy book at that point.
If you ever wondered what the deal with Enoch Root is, this book explains it. Quite well too, I think.
Also his idea of a purdah as an identifier is something I think society will eventually need to come up with to address what happens with new states of identity.
I think they just hold the same information as is written in the passport, in which case it does little but to avoid the need to use OCR for entering passport data into a computer system. (Well, ignoring that bad actors might find a way to read your passport's data at a distance.)
What you'd ideally want is a source of cryptographically strong random numbers and some storage.
If storage is cheap, you should have lots of storage, and then you can mint as many keys (including persistent public identity keys) as you like, indexed by context. This is preferable.
If storage is very expensive you can't afford to do that, you should mint one long-term symmetric key, never given to anybody, and then do the same trick that's inside cheap FIDO devices to mint key pairs, then encrypt the private half with the symmetric key and context, so that you can give both halves to relying parties. If played back in the correct context you can decrypt your private key again. You incur considerable practical inconveniences but you do keep key privacy and security guarantees from the above approach.
Today some places will issue you with a single long term identity key bound to your legal identity. Which is useful but (intentionally) lacks privacy guarantees, and, since it's an external device, you can lose it.
The Orphan Yatima (and presumably also the ordinary children conceived in what amounts to the "natural" way for Polis Citizens) in Greg Egan's novel "Diaspora" has public key crypto inside. Once the polis concludes that Yatima has personhood, it seals their cryptographic key management so that nothing anybody else can do (short of destroying the polis physically) can tamper with it. Yatima can prove they are Yatima, if they want, and nobody else can ever impersonate them.
Because our culture/society fundamentally lacks the understanding of security that you and I do.
Education needs to adapt for the modern times. Media literacy, CS fundamentals, and a basic understanding of how the Internet works should all be learned well before college. If we don't have a shared cultural understanding about the way we exist relative to technology, I fear we are destined to become enslaved by it.
> It doesn't really help if you have auto-fill enabled for your password.
If you autofill your passwords via the browser, you probably don't think very much about privacy in the first place and password-protect the history page won't change much.
> It should do that "no, you need to actually type your password" thing.
Yeah, that'd be awesome for us who use password managers and set our passwords to be at least 32 characters long with special characters.
Please developers, never ever disable pasting passwords, it worsens security.
I know that HN doesn't like +1 posts, but soo much this.
Even worse is if you make me type them on a phone[1], I am actively hating you. As in I am actively going to recommend we switch from whatever products you support.
[1] Because you purposefully broke web app so you can drive your app usage.
On Android, I've used KeePassDroid which had an alternate keyboard for its "autofill" support. I never had issues with that.
There's the related behavior where autofill doesn't clear the "something happened" check, so you have to add a character and remove it again to tickle the "missing field" JS checks into recognizing you typed something in.
Besides the obvious that anyone in front of your unlocked computer can see and extract your password, those passwords are also stored on disk and can be extracted via different methods. Although if you do use a Master Password to protect those passwords, you're slightly more protected.
All my disks are encrypted and I never leave my unattended computer unlocked. Besides, anyone in front of your unlocked password manager can see and extract your password as well.
But realistically, our setups are not the norm, in any place I've seen at least, from small personal setups to huge enterprises. Most people leave their computers with the defaults, and leave their computers unlocked all the time.
For them to use a dedicated password manager is a step up as password managers are built for security. The password manager built-in in your browser is meant for comfort. Password managers usually hides the passwords, removes them from the clipboard, auto-locks themselves after X minutes and more, while the strongest protection the browser password managers have is a master password.
So yes, probably for you it's fine, because you have other measures. But for most others, especially casual users, they don't have those measures and would be better off with a password manager.
Every place that I've worked has a pretty serious policy that machines need to be locked when you're away from the computer. They also force full disk encryption on all machines and the "defaults" are managed by corporate IT and are often annoyingly strict.
Plus, offices generally have some sort of physical security preventing anyone from just walking through, and with open offices, it's pretty damn obvious when someone is using a computer belonging to another person.
> It should do that "no, you need to actually type your password" thing.
That would be a delicious egg-on-face from the Google that pushed the 'aggressively ignore autocomplete=off on password fields' in Chrome because they thought that no real web site should have a reason to disable that.
Interesting thing I noticed is that Google communicates with their "dark pattern" they rather not have you enable this — the Save button is greyed out and the Cancel button is solid and blue for a change.
Just to make sure: this protects you from your co-worker/spouse looking at your search history at your desk/device. The advertisers and corporations can freely purchase your search history from Google. It does not seem like a significant step towards privacy to me.
Do you know the difference between targeting based on data and having the data? I can show you an AD based on ur search I can't buy ur search history and see you looked up hentai.
Maybe I am too cynical, but I think in Google's case, the difference between targeting based on data and having the data will be several extra zeros in their price point.
The only real way google makes money is by selling ADs. The only reason they are sooo good at it, is because of the amount of infomation they have about you and me. If they willy nilly sell that information to entities that directly devalues that data. Now ask your self why would google devalue their core competitive advantage.
Yes and people’s whole careers are built on maintaining that fiction that they’re meaningfully different.
We sent you this ad because we know you like hentai and “we asked Google to look through their data and show ads to hentai watchers” is a distinction without a difference when it’s equally uncomfortable that Google is looking at this information as it would be for Google’s clients.
Yes? The difference between hentaidirect.com buying your data and analyzing it, then buying ad space and serving you an ad based on your search history and hentaidirect.con asking Google to do the same on their behalf is the same to me. In both cases I have an entity who is a stranger looking through my search history to serve me ads.
Well, for one, Google says that they don’t sell user data. And they work with thousands of advertising agencies all over the world, so if it was a lie I’m sure it would have been been revealed in a front page NYT article by now. There are a ton of people who would be in a position to leak that the claim is a lie, and a lot of people very financially interested in learning it’s a lie.
For two, you can look up Google’s history of fighting back against court orders to access customer data. There wouldn’t be much point in that if this data was just “available to advertisers and government agencies”. Except maybe PR, which going back to point one.
For three, Snowden’s leaks revealed that the NSA installed fiber taps in Google datacenters to steal this data, precisely because Google wouldn’t give it to the NSA without a valid warrant. Google has since publicly claimed that they have encrypted all traffic on their internal network.
“Google sells your data!” is an old meme, but a tired one, and not one that stands up to inspection.
We may take as given that advertising agents cannot simply buy the history of your usage, outright.
Does that mean much? Google would not be so foolish as to hand over everything at once, when they could do something else that allows them to sell it, or the use of it, again and again. They doubtless have a hundred ways, each more clever than the last, to sell it again and again. Since they control the whole apparatus, they can make full use of all your history at all times without revealing to advertisers anything that would allow Google to be bypassed next time.
So, Google's pledge is simply that every use of your data will necessarily involve paying Google again. And, anything at all that can help Google uniquely identify you with activity anywhere online certainly is collected into your file, the use of to be dold for what the traffic will bear.
I don’t think this addresses any of the three points, unless you’re interpreting the OP’s “advertisers, gov agencies and corporations can freely purchase your search history from Google” in an entirely non-literal sense that has nothing to do with the literal meaning of the words.
> Your ISP has a different set of incentives.
Indeed, ISPs are known to wholesale sell their user’s traffic history.
I'm unclear how you have a threat model that isn't based on speculation. Unless they are having third party audits that I'm unaware of, I basically have Google's word right now that they are deleting my data. I agree that the evidence suggests that right now, Google does not sell your data, and that they have adequate security. That doesn't mean I trust them when they say they delete my data, or that my data will be safe forever.
I'm not even saying that Google is selling it, I'm just arguing that it makes practical sense to me to have that assumption from a privacy standpoint.
It's interesting to see this change because in the last Google Chrome team refused to password protect the passwords database because they believed physical access was Game Over anyway.
But this change isn't much different from the other sensitive pages that demand re-authentication.
77 comments
[ 4.5 ms ] story [ 179 ms ] threadAppreciate the feature but I don't want Google to have anything to do with my searches, password-protected or otherwise.
That's actually very easy to fix, don't use Google for your searches.
Otherwise, obviously, the property you're using to do X with, will be able to see that you're doing X, otherwise it wouldn't work in the first place.
Not sure what you're arguing for/against here really.
Under "Activity controls," click Manage your activity controls. Turn off the activity you don’t want to save.
https://support.google.com/accounts/answer/7028918
fixed that for you
https://support.google.com/accounts/answer/465
Disclosure: I work for Google
What about all the anonymized data, it's surely not removed either, because you don't even have a link to the original author of that data anymore.
I think we both know that Google doesn't actually delete the search history (as how could Google Trends work then?), but instead they make sure the history is not associated to any user anymore. Which is disassociation rather than deletion.
I think it's correct to call this a deletion. Assuming the anonymization happened correctly (for this argument, let's say it did).
Namely, I disagree that the anonymized constitutes "your data" now and it was disassociated at the time of inclusion of the "pool". You may have generated it, but there's no way of knowing that you or anyone else generated that data. There's literally no way to show proof of claim for that dataset - otherwise it not anonymous.
Because of that, I think Google can claim they are deleting your data accurately while still maintaining usage analytics.
-- the universe
https://en.wikipedia.org/wiki/Gattaca
If you ever wondered what the deal with Enoch Root is, this book explains it. Quite well too, I think.
Also his idea of a purdah as an identifier is something I think society will eventually need to come up with to address what happens with new states of identity.
Although, comically I wasn’t willing to spend a few cents back when it was a few cents and certainly not willing to spend $15 now.
I think they just hold the same information as is written in the passport, in which case it does little but to avoid the need to use OCR for entering passport data into a computer system. (Well, ignoring that bad actors might find a way to read your passport's data at a distance.)
[0] https://www.gov.uk/government/publications/biometric-passpor...
What you'd ideally want is a source of cryptographically strong random numbers and some storage.
If storage is cheap, you should have lots of storage, and then you can mint as many keys (including persistent public identity keys) as you like, indexed by context. This is preferable.
If storage is very expensive you can't afford to do that, you should mint one long-term symmetric key, never given to anybody, and then do the same trick that's inside cheap FIDO devices to mint key pairs, then encrypt the private half with the symmetric key and context, so that you can give both halves to relying parties. If played back in the correct context you can decrypt your private key again. You incur considerable practical inconveniences but you do keep key privacy and security guarantees from the above approach.
Today some places will issue you with a single long term identity key bound to your legal identity. Which is useful but (intentionally) lacks privacy guarantees, and, since it's an external device, you can lose it.
The Orphan Yatima (and presumably also the ordinary children conceived in what amounts to the "natural" way for Polis Citizens) in Greg Egan's novel "Diaspora" has public key crypto inside. Once the polis concludes that Yatima has personhood, it seals their cryptographic key management so that nothing anybody else can do (short of destroying the polis physically) can tamper with it. Yatima can prove they are Yatima, if they want, and nobody else can ever impersonate them.
Because our culture/society fundamentally lacks the understanding of security that you and I do.
Education needs to adapt for the modern times. Media literacy, CS fundamentals, and a basic understanding of how the Internet works should all be learned well before college. If we don't have a shared cultural understanding about the way we exist relative to technology, I fear we are destined to become enslaved by it.
It should do that "no, you need to actually type your password" thing.
If you autofill your passwords via the browser, you probably don't think very much about privacy in the first place and password-protect the history page won't change much.
> It should do that "no, you need to actually type your password" thing.
Yeah, that'd be awesome for us who use password managers and set our passwords to be at least 32 characters long with special characters.
Please developers, never ever disable pasting passwords, it worsens security.
Even worse is if you make me type them on a phone[1], I am actively hating you. As in I am actively going to recommend we switch from whatever products you support.
[1] Because you purposefully broke web app so you can drive your app usage.
There's the related behavior where autofill doesn't clear the "something happened" check, so you have to add a character and remove it again to tickle the "missing field" JS checks into recognizing you typed something in.
What's wrong with auto-filling passwords?
But realistically, our setups are not the norm, in any place I've seen at least, from small personal setups to huge enterprises. Most people leave their computers with the defaults, and leave their computers unlocked all the time.
For them to use a dedicated password manager is a step up as password managers are built for security. The password manager built-in in your browser is meant for comfort. Password managers usually hides the passwords, removes them from the clipboard, auto-locks themselves after X minutes and more, while the strongest protection the browser password managers have is a master password.
So yes, probably for you it's fine, because you have other measures. But for most others, especially casual users, they don't have those measures and would be better off with a password manager.
Plus, offices generally have some sort of physical security preventing anyone from just walking through, and with open offices, it's pretty damn obvious when someone is using a computer belonging to another person.
Hotdesking to the rescue.
This is about security, not privacy. I lock my machine whenever I'm not in front of it, and require password/fingerprint to unlock.
And why do you require a password/fingerprint to unlock your machine? Is that not to preserve your privacy or is there some other reason?
That would be a delicious egg-on-face from the Google that pushed the 'aggressively ignore autocomplete=off on password fields' in Chrome because they thought that no real web site should have a reason to disable that.
We sent you this ad because we know you like hentai and “we asked Google to look through their data and show ads to hentai watchers” is a distinction without a difference when it’s equally uncomfortable that Google is looking at this information as it would be for Google’s clients.
I hope you have some information backing this claim.
For two, you can look up Google’s history of fighting back against court orders to access customer data. There wouldn’t be much point in that if this data was just “available to advertisers and government agencies”. Except maybe PR, which going back to point one.
For three, Snowden’s leaks revealed that the NSA installed fiber taps in Google datacenters to steal this data, precisely because Google wouldn’t give it to the NSA without a valid warrant. Google has since publicly claimed that they have encrypted all traffic on their internal network.
“Google sells your data!” is an old meme, but a tired one, and not one that stands up to inspection.
Does that mean much? Google would not be so foolish as to hand over everything at once, when they could do something else that allows them to sell it, or the use of it, again and again. They doubtless have a hundred ways, each more clever than the last, to sell it again and again. Since they control the whole apparatus, they can make full use of all your history at all times without revealing to advertisers anything that would allow Google to be bypassed next time.
So, Google's pledge is simply that every use of your data will necessarily involve paying Google again. And, anything at all that can help Google uniquely identify you with activity anywhere online certainly is collected into your file, the use of to be dold for what the traffic will bear.
Your ISP has a different set of incentives.
> Your ISP has a different set of incentives.
Indeed, ISPs are known to wholesale sell their user’s traffic history.
I'm not even saying that Google is selling it, I'm just arguing that it makes practical sense to me to have that assumption from a privacy standpoint.
It it established Google keeps "shadow" behavioral data that isn't accessible to users?
I'm sure they have some in other systems to some degree (i.e logging).
I just did a takeout for my location history (which I keep off) and it was empty.
But this change isn't much different from the other sensitive pages that demand re-authentication.