When you say selling the information , do you mean actually selling the information or selling ad slots to target specific people/groups based on data.
Within reason. Data is valuable. You make far more money gathering data, keeping it private but selling the ability to advertise against that data , than outright selling it. Think of it as “Data-As-A-Service”. Your data loses value if you’re just outright selling it.
It is not as easy or silent as you are implying. If you enable Location History you get a monthly email reminding you that it is enabled, with a link at the top of the email to go turn it off if you want.
False. Prove it to yourself. Visit https://timeline.google.com/ to verify that it is off, or to turn it off. Now go to https://www.google.com/maps/ , click menu → Your places → Labeled to see your home and work, or to add one.
To use home and work when you search or use directions, you must turn on Web & App Activity. If you can't find home and work in Maps, learn how to turn on Web & App Activity.
Oddly enough, I do have "Web & App Activity" disabled (everything disabled except YouTube history to sync watch progress across devices), yet I'm still able to register a home address and ask the Maps Android app to route to it.
...I wish you could delete YouTube history on a 1-week basis, yet Google only allows you to delete it after 3 months at minimum. More tying.
This was definitely the case as of ~1 year ago, in the Google Maps Android map. It appears to no longer be the case on the web or Android interface now. I'm glad Google has stopped doing it, but at this point my trust in cloud services has been spent and I won't be adding my home address or enabling location history (until I travel enough to make it helpful for direction-finding).
Another creepy incident that's happened with me is, with Location History off, the Maps app would prompt me to leave a review for a restaurant I visited and left. So Google (either the app locally, or the servers) is stalking you even with Location History disabled.
(full disclosure, I work for the Google but I think what I'm saying is equally true for Facebook, Twitter, Reddit, rsync.net, Backblaze, etc)
That's not true at all. Things like FISA gag orders are relatively rare (and maybe phased out now? Haven't followed that super closely). For a typical search warrant or subpoena, the person being targeted gets an email about it. If you're familiar with "warrant canaries", they're an interesting way to track the relative frequency of unspeakable law enforcement actions.
Title is inaccurate. They are not auto-deleting searches, but location history. Also, it isn't "health clinics", but a set of places that they are not being completely open about (but which does include some health clinics).
I'll take that bet. Google has lots of flaws but it is still has lots of people who are genuinely trying to do the right thing. I just don't see the people at Google implementing a feature like this designed to make people feel safer about their personal medical data only to turn around and betray them to law enforcement.
They could have genuine intentions but still mess it up. Developers messing up secure and complete deletion of user data may be particularly likely since such deletions are not generally common practice (across the industry, not just at Google.)
That's not true at Google though. Google has a systematic user data removal architecture called Wipeout and Wipeout integration is a required checklist item for product launches. Wipeout compliance is systematically monitored by a central privacy group. I've worked at a bunch of companies and only Google has an organized, universal scheme for user data privacy. Everywhere else in my experience is just winging it and has basically no idea what's going on.
If there were one company who I trusted to delete shit correctly, it's Google. There are already loads of other laws that they need to comply with that require unrecoverable data deletion.
Look, I agree Google has tons of flaws, but these types of conspiracy theory "bet they're not going to really delete it" missives don't even make sense if you consider Google's incentives. It would be a gigantic, massive blow to Google if they said they were deleting data and they didn't. There is literally 0 reason for Google to do this. When Snowden's revelations came out, Google was furious and they rearchitected basically all of their systems to encrypt everything at rest and in transit.
You're correct, with that comment I was more referring to the original "Wanna bet it's just "marked" as deleted, and actually stored forever, to be served in response to any subpoena?" than your post.
And while I agree that all organizations can make mistakes, I think it's more important to look at the structure and incentives of any company to see how reasonable those risks are:
1. Google knows they collect a ton of data on people, and they have giant, giant financial incentives to keep that data secure.
2. Google is profitable enough that they can have huge teams focused on data security and integrity (a smaller company may have the same financial incentives to keep data secure, but not the resources to back it up)
3. Google is large and established enough that they can ensure real rigor in their processes (again, as opposed to some rando company that did just enough to pass their SOC 2 audit).
Again, mistakes can be made but we all pretty much take risks every day (banking, getting in a car, getting on a plane, getting in an elevator, etc. etc.), and I think the risk of Google fucking this up is lower than failure of a lot of those other systems.
Because that's what we're talking about here in some instances. You're asking people to bet their life on the fact that a theocratic government won't be able to compel Google to give up location data for the purposes of punishing people for what the state says is murder.
> Because that's what we're talking about here in some instances
You have to opt-in to location history, and it seems to me Google is trying to act in good faith by automatically deleting information that might be sensitive. Who are we asking to bet their lives? People who don't feel like turning off their phone before going to the clinic and have opted-in to location history?
Isn't location history tied to other, very basic features to compel people to use it?
And I just accepted a software update on my Pixel phone a couple of days ago and found that it had reset my default apps for browsing and music playing -- what are the odds that Google will surreptitiously do the same to my location tracking consent?
I basically "bet my life on it" every time I take an Uber with some random driver where neither I, nor Uber, has much data about their driving ability beyond recent accident/ticket history.
I think the real risk to my life is about 1000 times worse in a car than some diaphanous threat of a future evil government, and I trust Google about 1000 times more than I trust some Uber (or Lyft or taxi) driver.
>If there were one company who I trusted to delete shit correctly, it's Google. There are already loads of other laws that they need to comply with that require unrecoverable data deletion.
They might be deleting the data but are they deleting the metadata? There are always some bread crumbs left.
The people making the announcements, and even some of the engineers working on higher-level systems, might not even know whether the (multiple layers of the) underlying storage system actually deletes or just adds a "tombstone" that won't take effect until the next compaction or equivalent. They also might not know about copies left around in caches, during rebalancing, etc. Or whether "trimming" or overwriting data on a particular device - really anything short of a full device wipe - really makes the data go away. Secure deletion is a harder problem than most people think; I certainly wouldn't assume that Google or any other organization has really handled all the corner cases.
Source: I've worked on many large storage systems, including the largest (by bytes at rest) at Facebook. They were subject to the exact same kinds of requirements as Google, and as the code continued to evolve gaps would still appear from time to time.
We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.
It's one of those systems I wish we talked about more -- it's a marvel to behold just how much work goes into retention policies and the automation that drives it.
I note that the announcement is VERY VERY SPECIFIC about the data being gone from the opt-in "Location History" feature (with the capitals and everything).
It does NOT say that every copy Google has is deleted. It just says that the user-visible copy is gone.
What about, say, Sensorvault? Or whatever other internal systems I don't know about?
Have you considered the possibility that someone on the inside works for an intelligence agency (domestic or foreign) and is secretly exfiltrating the data for the purpose of obtaining blackmail material?
It's definitely been considered because it has definitely happened before (explore the history of Google cutting ties with China for about a decade).
... in response, Google took measures to prevent that category of insider-knowledge attack. With audited builds, zero-trust internal model (xref BeyondCorp), and infrastructure cross-checked by multiple human beings to guard against hardware-level attacks, such an insider attack is infinitesimally probable now.
In the PRISM disclosure of 2013, the slide deck stated that the NSA had direct access to Google's systems. The deck claimed "collection directly from the servers". That, by its very design, goes around all the safeguards people are discussing here.
>We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.
Ok, how would you know that is true?
How many ways can you think of would there be for your statement to be false?
If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see. Are the number of ways more than one? How valuable could deleted data be in the case of blackmail or espionage? Can you actually be confident that someone above or before you didn't write a false delete function?
I'm not implying, I'm suggesting that "things we know to be true" is a smaller list than people think.
You suspect WIPEOUT is real, but can't actually know, and you are inside. Why would I believe for even a second?
There is a reason behind the usual in court phrase of "..tell the truth, the whole truth, and nothing but the truth...". So, if a third party would get copies of the data, it would be true Google deleted it...It just not be "the whole truth".
> How many ways can you think of would there be for your statement to be false?
Not as many as you might think.
The systems at Google may seem incredibly complicated--and they are--but when I worked there, the scenarios where somebody intercepts and exfiltrates data without your knowledge are extreme.
> If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see.
The way this data is stored, it is designed so that access to the data is logged and the logs have various alerts / auditing procedures to catch exfiltration attempts. SREs will periodically create user data and try out clever ways of destroying or exfiltrating it to test that these controls work. The Snowden leaks also cast a long shadow over work at Google, and since then, basically, all the traffic and data in storage has been encrypted in ways that make it difficult for state level actors to surreptitiously intercept it. These systems are a bit nightmarish to design, because there are competing legal/compliance reasons why data must be retained or must be purged. For example, certain data must be retained for SOX compliance, data may be flagged as part of an ongoing investigation, data may be selected for deletion for GDPR compliance, etc.
Obviously, it is POSSIBLE that someone is still exfiltrating data, but you have hundreds or thousands of smart engineers who are trying to prevent "insider risk" and "state level actors". People within the company are a big part of the threat model, and agencies like the CIA, Mossad, KGB, etc. are also part of the threat model.
The stack may be complicated, but it's also designed with defense-in-depth to prevent people at lower levels in the stack from subverting controls at higher levels in the stack. For example, people who work on storage systems may be completely unable to decrypt the data that their storage systems contain.
If you're going to get pissy about it, it's obviously true that we are not 100% certain that data is destroyed when we say it is. But this invokes a standard for "knowing" that precludes knowing the truth of any statement which is not an analytic statement.
You don't have to believe, even for a second, if you didn't work with the wipeout systems. That's fine. I'm not trying to convince that wipeout works as intended, because I know that I can't provide the evidence to you.
However, you seem to be arguing that other people don't know that the wipeout systems work--that it's somehow impossible to know.
The cloud documentation suggests a deletion period of 180 days; so for cloud data, at least, when it says it is "deleted" it seems to mean it will be [fully] deleted within half-a-year. https://cloud.google.com/docs/security/deletion
Why would the Google Cloud data deletion policy for 1/ paying 2/ enterprise customers deleting their own data that they 3/ opted in to store, and then 4/ opted in to delete have anything to do with the retention policy for Google Maps' 1/ free 2/ consumer customers having data deleted by Google that the customer 3/ did not choose to store, and then 4/ did not choose to delete?
At least 4 meaningfully different qualifiers about the situation for entirely separate parts of Google.
Former google employee, no knowledge of current situation, not involved in any of this stuff even when I worked there: different types of data get handled differently. If material is important enough then it's going to be backed up onto tape for disaster recovery purposes. If a user then requests it be deleted, that's a huge pain - the easiest thing to do is just wait until that tape has rotated out of backup, which may take a while.
More sensitive user data is likely to be handled differently - both for privacy reasons and because it's honestly just not as important to keep hold of it (a user's cloud data gets lost? That's a big deal. A user's location history data gets lost? Meh), so it's unlikely to end up in long-term backup storage.
Let me ask you about an edge case: someone carries out an arson attack against a clinic providing abortion services and inadvertently leaks clues to their identity when gloating about it on social media, which information finds its way into the hands of law enforcement.
(to downvoters, that's something that happens and I have a specific and recent case in mind)
I think the downvotes are because your description doesn't make any sense. Can you rephrase the scenario to better describe what you mean?
Are you saying "Someone carries out an arson attack, they (the attacker) leaks clues to their (the attacker's) identity when gloating about it on social media, and those gloat-posts find their way to law enforcement?"
How does that scenario relate to Google data retention? Google data retention has nothing to do with Twitter policies.
It relates to Google data retention because law enforcement's next move might be to ask Google for geofenced location data from the 72 hours preceding the attack in hopes of confirming the arsonist's identity.
This would run afoul with data retention laws, which Google strongly adheres to. So it can't be true. It might be true for some definition of it, but not materially when it comes to records access.
So that includes all online and offline + offsite backup systems, presumably? And hopefully any such data is "de-trained" from all applicable ml models and systems, of course.
Without going into too many details, yes. The trick is that you can key sensitive data, encrypt it, and delete it by throwing away the key.
I don't know if Google can do de-training (depends on how the training data is generated), but generally if the trained data can't be tagged for removal it also can't be reversed from the output of the training.
You can go haha all you want but the only thing it accomplishes is intentionally misunderstanding what they’re saying and then calling them hypocritical for something they didn’t say.
Google’s whole thing is “better living through data organization.” You can criticize that mission up and down but it doesn’t change that for Google protecting privacy and the security of user data means protecting it from access by other people.
You made my own point back to me but in a tone that makes it sound like a refutation.
Expecting Google to frame their mission of protecting user data in terms of someone who considers Google themselves a threat is uncharitable to the point of just wanting to be mad.
Your stance makes no distinction between Google collecting data and keeping it between you two and just publishing it publicly.
They're not just framing their mission - they're redefining privacy. And there are plenty of companies that minimize the data they gather for exactly this reason ("considering themselves a threat", as you put it). Signal, Red Hat, Canonical, Duck Duck Go...
Yea Google is protecting me from state sponsored hackers but they can't protect me from scammers trying to sell me fake medications or from scareware ads that are trying to lure me into buying their fake software or downloading their malware/spyware.
How about stop colleting data and change the business model? But ads are very lucrative business. Tbh at least they offer YouTube Premium subscription which is YouTube but ad-free.
How about just implementing it properly: _reasonably_ as opposed to "are you insane?", _effectively_ as opposed to "If I see this again I swear..", and with "win-win" _satisfaction of both parts_, as in "I am glad I was notified this opportunity: I will take it into consideration".
Only a small fraction of people even know they are logged. Only a tiny fraction of people would know how to logout first. It would essentially render their phone unusable.
what about cell phone data? The cell providers don't seem to intend to follow, and that data is extremely telling.
The abortion clinics would need their own GPS spoofers and Stingrays, so the data at all levels - Google's, cell providers', etc. - would clearly be showing location other the the clinic.
This comment shouldn't be at the bottom, they're right. An alternate read of these articles is that Google's building an automated system to identify abortion seekers, and you should ask yourself exactly how much you trust Google now and in the future. There are also other sources of location data which will not be following suit: AT&T's funding is the reason OANN exists at all (Google it if you're not already familiar).
If certain justifications are motivated to prosecute this as some form of murder (which is certainly within the realm of possibility now), Google's location history having holes in it when other data sources indicate that someone's phone traveled to an abortion clinic may not work in their favor. They might be better off perturbing the precise location to something else nearby.
This is basically trying to solve the fugitive state act with technology. Nice idea, but seems to seriously underestimate its adversaries
This could start an interesting precedent of "protected locations" and hopefully lead to the abolishment of location history tracking that isn't managed by the user.
As long as they keep blocking 99% of searches coming from TOR, any announcements about how much they protect privacy are a farce at best, deception at worst. They do their very best to leave us no place to hide, then carve out a few exceptions of their choosing for what they deem should be permitted activities.
>> Today, we’re announcing that if our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit. This change will take effect in the coming weeks.
Wonderfully vague. Should be obvious to anyone that deleting merely the track within the parking lot isn't enough. Needs to be unwound far enough to give no clues. Which might be all the way back to home, both outbound and return.
Your Honor, the person in question never visited Location History, so we never deleted the data. That's exactly how we said we would operate.
Oops, sorry Your Honor, scratch what I just said. That was a mistake. I meant to say that our systems never identified the person as having visited any of those places, so we never deleted anything. That's exactly how we said we would operate.
The fact that they STILL don't see how this constant surveillance could backfire any day is beyond me!
What if a country like the UAE or Hungary start asking for location data matching LGBTQ events or locations? How about political/media headquarters location data?
At what point will they realize that surveillance data is radioactive, and manually patching categories will leave people at risk?
Honestly, Google doesn't have the luxury of that shortcut thinking. It's very "if man were meant to fly he'd have been born with wings" reasoning.
The amount of good enabled by data collection far often outweighs the bad. Better to collect, use for benefit, and protect than to just say "This area of technology is forbidden to mankind."
Besides, it doesn't solve the problem; countries can do their own data collection without Google.
Good for whom?
It has surely been good for those who are collecting and distilling the data, but we can say the same for those being watched, manipulated, and worse.
Here's a small set of technologies that benefit the end user that are powered by data aggregation:
Gmail spam filtering, Maps business data, Maps traffic signal, Google voice recognition (basically the entire technology stack, which was piggybacked off of analysis of samples from Google 411 and continues to be refined by analysis of audio snippets from corner cases where the technology fails), search (obviously, it is just a scraper pointed at the web), Google voice spam number identification (crowdsourced signal), Google Translate, Google image search, and of course the ad products that pay for a not-insignificant portion of the sites available on the internet, without which a significant chunk of the internet would go dark unless it was beholden to other monied interests.
Big Data from large user numbers enabled the creation of technologies that had not been possible before at the level of quality that they are now possible. I don't think a lot of people fully wrap their heads around how big data analysis enabled the internet that we know today.
Agreed that big data aggregation can do quite a bit and aid some features. I work with it myself except in operational rather than personal data. Some benefits accrue to consumers, but most go to the holders of the data. Most if not all of these features you mention are accomplished by other companies without the collection of personal data and the many accompanying problems such as creating this surveillance state.
People are making decisions about the products they buy and use based on how they are made and choosing the ethically produced products. If I have a choice in buying something that was produced ethically or not, I almost always buy the one made ethically even if it might cost a little more or be of lower quality.
> Most if not all of these features you mention are accomplished by other companies without the collection of personal data and the many accompanying problems such as creating this surveillance state.
How many are as good, and how many are boot-strapped or piggybacked off of datasets that started as big data analysis and were eventually published? I'm not personally of the opinion that big data analysis is unethical; I think broadly speaking, it's been win-win. Companies collecting the data obviously benefit, and users also benefit because their data, aggregated with the data of others, enables utility for them that they would not have gotten alone.
Was a time we called collective action where people generally benefited a good thing, and novel analysis of available data to draw new conclusions "research," not "unethical."
I have found great alternatives to all of these. They are great to me based on factors I consider important.
I did not say that big data analysis is unethical. It is that which relies on surveilling and manipulating people/cyborgs which is unethical. I work on big data that surveils and manipulates robots, but they are not sentient and have no rights.
For text to speech, there are a locally processed options from providers such as RH Voice and Mycroft AI. For voice recognition, I am not aware of any local processing options. Of course Apple, MS, and Amazon have ones that process on their computers. I personally don't have a need for voice recognition and have not researched.
It's pretty key for my use case. And the absolute revolution in that space came from Big Data analysis on hours upon hours of voice samples from people asking real world questions.
Well if it gets to the point that the government is going after basic human rights then I think we're already past the point of avoiding a world of trouble.
But for the specific scenarios you mentioned, I don't see what the Hungarian government for example can do beyond just ban Google's services.
That point is reached far more often than many people imagine, and often far closer to home than they imagine, because human rights abuses are typically incremental and selective rather than universal and ubiquitous.
If you look book at the the canonical bad exemplar of nazi Germany, hindsight leads people to conceive of it as a juggernaut-like attack on all jews, communists, homosexuals etc., but in reality it was a scattered and uneven aggression over a 12 year period whose aggregate effect was massively genocidal.
Huge unstoppable genocidal actions that are highly coordinated and happen over a very short timeframe do exist, eg the Turkish genocide of Armenians or the Hutu genocide of Tutsi people in Rwanda. But I believe they're atypical in modern history compared to incremental genocides. The latter can end up being worse because they're easier to deny, dismiss, or ignore as abuses accumulate.
In the specific example, an authoritarian government could not only ban the product but arrest corporate officers/employees; if there are none in that country, it could arrest people attempting to use the prohibited product, or create fake access portals that were actually honey traps.
Do you realize that they don’t need Google? Your phone operator can get precise location data all the time even with the dumbest phone. If you don’t want to be tracked don’t use a phone.
> What if a country like the UAE or Hungary start asking for location data matching LGBTQ events or locations?
Then as an American company, Google will generally tell them to pound sand unless the country invokes right to do business, at which point Google gets to do a fun calculus on whether that country's business is worth compliance.
Why would they intentionally sabotage their profits? They're acting in the interest of the company. Any concern for the user stops at the doors of the PR department.
They're doing their best to fight off governments from snooping around in their business, but ultimately this will require regulation if we ever want it to stop.
It's just a shame that governments are kind of interested in the same data these companies have, so there's really no incentive for anyone to change things.
I wonder how hard it would be to have my personal residence classified as one of these protected places. Incorporate some kind of business or non-profit, make sure it shows up the right way in Google Maps, then enjoy freedom from Google surveillance.
On one hand, the deletion net is wide enough that it isn't just about abortion. On the other, the timing is suspect (visits to domestic violence shelters weren't sensitive last week?!), and it leaves out sensitive, legally similar (legality varies by jurisdiction) locations like brothels.
If location history is an important piece of evidence used by law enforcement, then this is tantamount to selective enforcement of law by the mercy of gargantuan corporations. Another step in the direction of anarcho-tyranny.
141 comments
[ 3.1 ms ] story [ 220 ms ] threadhttps://support.google.com/maps/answer/3093979?hl=en&co=GENI...
Fix problems with home and work in Maps
To use home and work when you search or use directions, you must turn on Web & App Activity. If you can't find home and work in Maps, learn how to turn on Web & App Activity.
...I wish you could delete YouTube history on a 1-week basis, yet Google only allows you to delete it after 3 months at minimum. More tying.
Another creepy incident that's happened with me is, with Location History off, the Maps app would prompt me to leave a review for a restaurant I visited and left. So Google (either the app locally, or the servers) is stalking you even with Location History disabled.
https://futurism.com/google-admitted-tracking-location-when-...
The interesting part here is about which cases intrinsically mandate a prohibition.
That's not true at all. Things like FISA gag orders are relatively rare (and maybe phased out now? Haven't followed that super closely). For a typical search warrant or subpoena, the person being targeted gets an email about it. If you're familiar with "warrant canaries", they're an interesting way to track the relative frequency of unspeakable law enforcement actions.
Please give a source for this. The huge range is suspect, and 702 orders aren't identical to the PRISIM program.
Your second assertion is false.
And you're incorrect - Section 702 of the FISA amendments act of 2008 applies to surveillance programs besides PRISM. Go read about it.
so, they're working exactly as designed, then?
In comparison, how is Google defending China's citizens from undue "judicial process"?
Google has no presence in China and so is not subject to China's judicial process.
see also https://about.google/intl/en_us/locations/?region=asia-pacif... for the actual office locations
https://www.theverge.com/2020/5/26/21270290/youtube-deleting...
Or, go to https://careers.google.com/locations/ and click on Asia-Pacific to see both a listing and a map of the offices in Asia.
Guangzhou Taikoo Hui Tower 1, No.383 Tianhe Road Guangzhou, 510620 China
Shanghai 100 Century Avenue, Pudong Shanghai 200120 China Phone: +86-21-6133-7666
Look, I agree Google has tons of flaws, but these types of conspiracy theory "bet they're not going to really delete it" missives don't even make sense if you consider Google's incentives. It would be a gigantic, massive blow to Google if they said they were deleting data and they didn't. There is literally 0 reason for Google to do this. When Snowden's revelations came out, Google was furious and they rearchitected basically all of their systems to encrypt everything at rest and in transit.
I don't think the competency of any organization of people is ever assured and beyond reproach, but you're welcome to disagree.
And while I agree that all organizations can make mistakes, I think it's more important to look at the structure and incentives of any company to see how reasonable those risks are:
1. Google knows they collect a ton of data on people, and they have giant, giant financial incentives to keep that data secure.
2. Google is profitable enough that they can have huge teams focused on data security and integrity (a smaller company may have the same financial incentives to keep data secure, but not the resources to back it up)
3. Google is large and established enough that they can ensure real rigor in their processes (again, as opposed to some rando company that did just enough to pass their SOC 2 audit).
Again, mistakes can be made but we all pretty much take risks every day (banking, getting in a car, getting on a plane, getting in an elevator, etc. etc.), and I think the risk of Google fucking this up is lower than failure of a lot of those other systems.
Because that's what we're talking about here in some instances. You're asking people to bet their life on the fact that a theocratic government won't be able to compel Google to give up location data for the purposes of punishing people for what the state says is murder.
So would you bet your life on it?
You have to opt-in to location history, and it seems to me Google is trying to act in good faith by automatically deleting information that might be sensitive. Who are we asking to bet their lives? People who don't feel like turning off their phone before going to the clinic and have opted-in to location history?
And I just accepted a software update on my Pixel phone a couple of days ago and found that it had reset my default apps for browsing and music playing -- what are the odds that Google will surreptitiously do the same to my location tracking consent?
I think the real risk to my life is about 1000 times worse in a car than some diaphanous threat of a future evil government, and I trust Google about 1000 times more than I trust some Uber (or Lyft or taxi) driver.
They might be deleting the data but are they deleting the metadata? There are always some bread crumbs left.
Source: I've worked on many large storage systems, including the largest (by bytes at rest) at Facebook. They were subject to the exact same kinds of requirements as Google, and as the code continued to evolve gaps would still appear from time to time.
We have very strict and very well engineered data retention systems. When we say data is deleted, we mean it. Various levels of automation ensure the data is purged, and all data is tracked meticulously for violations across every datastore.
It's one of those systems I wish we talked about more -- it's a marvel to behold just how much work goes into retention policies and the automation that drives it.
It does NOT say that every copy Google has is deleted. It just says that the user-visible copy is gone.
What about, say, Sensorvault? Or whatever other internal systems I don't know about?
... in response, Google took measures to prevent that category of insider-knowledge attack. With audited builds, zero-trust internal model (xref BeyondCorp), and infrastructure cross-checked by multiple human beings to guard against hardware-level attacks, such an insider attack is infinitesimally probable now.
Ok, how would you know that is true?
How many ways can you think of would there be for your statement to be false?
If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see. Are the number of ways more than one? How valuable could deleted data be in the case of blackmail or espionage? Can you actually be confident that someone above or before you didn't write a false delete function?
I'm not implying, I'm suggesting that "things we know to be true" is a smaller list than people think.
You suspect WIPEOUT is real, but can't actually know, and you are inside. Why would I believe for even a second?
Also all the source code (for all systems) is visible to all googlers.
This kind of conspiracy theory is really boring.
"NSA taps into Google, Yahoo clouds, can collect data 'at will,' says Post"
https://www.cnet.com/tech/tech-industry/nsa-taps-into-google...
"National Security Letters"
https://www.eff.org/issues/national-security-letters
There is a reason behind the usual in court phrase of "..tell the truth, the whole truth, and nothing but the truth...". So, if a third party would get copies of the data, it would be true Google deleted it...It just not be "the whole truth".
Not as many as you might think.
The systems at Google may seem incredibly complicated--and they are--but when I worked there, the scenarios where somebody intercepts and exfiltrates data without your knowledge are extreme.
> If someone "higher clearance" than you decided to make you believe the above, but actually retain it somewhere in someway you weren't allowed to see.
The way this data is stored, it is designed so that access to the data is logged and the logs have various alerts / auditing procedures to catch exfiltration attempts. SREs will periodically create user data and try out clever ways of destroying or exfiltrating it to test that these controls work. The Snowden leaks also cast a long shadow over work at Google, and since then, basically, all the traffic and data in storage has been encrypted in ways that make it difficult for state level actors to surreptitiously intercept it. These systems are a bit nightmarish to design, because there are competing legal/compliance reasons why data must be retained or must be purged. For example, certain data must be retained for SOX compliance, data may be flagged as part of an ongoing investigation, data may be selected for deletion for GDPR compliance, etc.
Obviously, it is POSSIBLE that someone is still exfiltrating data, but you have hundreds or thousands of smart engineers who are trying to prevent "insider risk" and "state level actors". People within the company are a big part of the threat model, and agencies like the CIA, Mossad, KGB, etc. are also part of the threat model.
The stack may be complicated, but it's also designed with defense-in-depth to prevent people at lower levels in the stack from subverting controls at higher levels in the stack. For example, people who work on storage systems may be completely unable to decrypt the data that their storage systems contain.
If you're going to get pissy about it, it's obviously true that we are not 100% certain that data is destroyed when we say it is. But this invokes a standard for "knowing" that precludes knowing the truth of any statement which is not an analytic statement.
You don't have to believe, even for a second, if you didn't work with the wipeout systems. That's fine. I'm not trying to convince that wipeout works as intended, because I know that I can't provide the evidence to you.
However, you seem to be arguing that other people don't know that the wipeout systems work--that it's somehow impossible to know.
I can't know, lots of people have opinions, so I should just side with the one (avoid Google) that gives me the highest likelyhood of happiness.
The cloud documentation suggests a deletion period of 180 days; so for cloud data, at least, when it says it is "deleted" it seems to mean it will be [fully] deleted within half-a-year. https://cloud.google.com/docs/security/deletion
At least 4 meaningfully different qualifiers about the situation for entirely separate parts of Google.
I was only suggesting that it might be indicative of the period deleted data ordinarily takes to leave the backup cycle.
More sensitive user data is likely to be handled differently - both for privacy reasons and because it's honestly just not as important to keep hold of it (a user's cloud data gets lost? That's a big deal. A user's location history data gets lost? Meh), so it's unlikely to end up in long-term backup storage.
(to downvoters, that's something that happens and I have a specific and recent case in mind)
Are you saying "Someone carries out an arson attack, they (the attacker) leaks clues to their (the attacker's) identity when gloating about it on social media, and those gloat-posts find their way to law enforcement?"
How does that scenario relate to Google data retention? Google data retention has nothing to do with Twitter policies.
It relates to Google data retention because law enforcement's next move might be to ask Google for geofenced location data from the 72 hours preceding the attack in hopes of confirming the arsonist's identity.
i guess we’ll take your word for it. after all, you have no motivation to lie.
So that includes all online and offline + offsite backup systems, presumably? And hopefully any such data is "de-trained" from all applicable ml models and systems, of course.
I don't know if Google can do de-training (depends on how the training data is generated), but generally if the trained data can't be tagged for removal it also can't be reversed from the output of the training.
haha
Google’s whole thing is “better living through data organization.” You can criticize that mission up and down but it doesn’t change that for Google protecting privacy and the security of user data means protecting it from access by other people.
And that's a very cute perspective - for Google, privacy means protecting my data from access by not-Google. But that's not what it means for me.
You made my own point back to me but in a tone that makes it sound like a refutation.
Expecting Google to frame their mission of protecting user data in terms of someone who considers Google themselves a threat is uncharitable to the point of just wanting to be mad.
Your stance makes no distinction between Google collecting data and keeping it between you two and just publishing it publicly.
They're not just framing their mission - they're redefining privacy. And there are plenty of companies that minimize the data they gather for exactly this reason ("considering themselves a threat", as you put it). Signal, Red Hat, Canonical, Duck Duck Go...
It's closer to propaganda if it serves to keep the rank and file in check.
This are YouTube Ads that I see:
https://i.imgur.com/11J8Jq4.png
https://i.imgur.com/73C7abY.png
https://i.imgur.com/gdg0bqH.png
How about just implementing it properly: _reasonably_ as opposed to "are you insane?", _effectively_ as opposed to "If I see this again I swear..", and with "win-win" _satisfaction of both parts_, as in "I am glad I was notified this opportunity: I will take it into consideration".
The abortion clinics would need their own GPS spoofers and Stingrays, so the data at all levels - Google's, cell providers', etc. - would clearly be showing location other the the clinic.
If certain justifications are motivated to prosecute this as some form of murder (which is certainly within the realm of possibility now), Google's location history having holes in it when other data sources indicate that someone's phone traveled to an abortion clinic may not work in their favor. They might be better off perturbing the precise location to something else nearby.
This is basically trying to solve the fugitive state act with technology. Nice idea, but seems to seriously underestimate its adversaries
Wonderfully vague. Should be obvious to anyone that deleting merely the track within the parking lot isn't enough. Needs to be unwound far enough to give no clues. Which might be all the way back to home, both outbound and return.
Oops, sorry Your Honor, scratch what I just said. That was a mistake. I meant to say that our systems never identified the person as having visited any of those places, so we never deleted anything. That's exactly how we said we would operate.
What if a country like the UAE or Hungary start asking for location data matching LGBTQ events or locations? How about political/media headquarters location data?
At what point will they realize that surveillance data is radioactive, and manually patching categories will leave people at risk?
The fact that this data COULD be asked for should be enough to stop collecting it.
The amount of good enabled by data collection far often outweighs the bad. Better to collect, use for benefit, and protect than to just say "This area of technology is forbidden to mankind."
Besides, it doesn't solve the problem; countries can do their own data collection without Google.
Especially given that in all likelihood Google is much better at it than them.
Gmail spam filtering, Maps business data, Maps traffic signal, Google voice recognition (basically the entire technology stack, which was piggybacked off of analysis of samples from Google 411 and continues to be refined by analysis of audio snippets from corner cases where the technology fails), search (obviously, it is just a scraper pointed at the web), Google voice spam number identification (crowdsourced signal), Google Translate, Google image search, and of course the ad products that pay for a not-insignificant portion of the sites available on the internet, without which a significant chunk of the internet would go dark unless it was beholden to other monied interests.
Big Data from large user numbers enabled the creation of technologies that had not been possible before at the level of quality that they are now possible. I don't think a lot of people fully wrap their heads around how big data analysis enabled the internet that we know today.
People are making decisions about the products they buy and use based on how they are made and choosing the ethically produced products. If I have a choice in buying something that was produced ethically or not, I almost always buy the one made ethically even if it might cost a little more or be of lower quality.
How many are as good, and how many are boot-strapped or piggybacked off of datasets that started as big data analysis and were eventually published? I'm not personally of the opinion that big data analysis is unethical; I think broadly speaking, it's been win-win. Companies collecting the data obviously benefit, and users also benefit because their data, aggregated with the data of others, enables utility for them that they would not have gotten alone.
Was a time we called collective action where people generally benefited a good thing, and novel analysis of available data to draw new conclusions "research," not "unethical."
I did not say that big data analysis is unethical. It is that which relies on surveilling and manipulating people/cyborgs which is unethical. I work on big data that surveils and manipulates robots, but they are not sentient and have no rights.
I guess you could close shop and leave that specific market, but that's not feasible everywhere.
But for the specific scenarios you mentioned, I don't see what the Hungarian government for example can do beyond just ban Google's services.
If you look book at the the canonical bad exemplar of nazi Germany, hindsight leads people to conceive of it as a juggernaut-like attack on all jews, communists, homosexuals etc., but in reality it was a scattered and uneven aggression over a 12 year period whose aggregate effect was massively genocidal.
Huge unstoppable genocidal actions that are highly coordinated and happen over a very short timeframe do exist, eg the Turkish genocide of Armenians or the Hutu genocide of Tutsi people in Rwanda. But I believe they're atypical in modern history compared to incremental genocides. The latter can end up being worse because they're easier to deny, dismiss, or ignore as abuses accumulate.
In the specific example, an authoritarian government could not only ban the product but arrest corporate officers/employees; if there are none in that country, it could arrest people attempting to use the prohibited product, or create fake access portals that were actually honey traps.
Thats old school. You don't not need a phone to be tracked.
If you don't want to be tracked don't go out in public.
Please clarify.
Then as an American company, Google will generally tell them to pound sand unless the country invokes right to do business, at which point Google gets to do a fun calculus on whether that country's business is worth compliance.
They pulled out of China once over such calculus.
They're doing their best to fight off governments from snooping around in their business, but ultimately this will require regulation if we ever want it to stop.
It's just a shame that governments are kind of interested in the same data these companies have, so there's really no incentive for anyone to change things.
We're living in Orwellian times.
lol talk about hyperbole. Please actually read 1984 and get back to me
Recent related article: https://news.ycombinator.com/item?id=31910724
Fuck Google. You are not the government yet you act like one, and one we didn't vote for.
Google will delete location history data for abortion clinic visits - https://news.ycombinator.com/item?id=31956944 - July 2022 (28 comments)
Google will remove user location history for abortion clinic visits - https://news.ycombinator.com/item?id=31954401 - July 2022 (158 comments)
Google will start auto-deleting abortion clinic visits from location history - https://news.ycombinator.com/item?id=31953171 - July 2022 (6 comments)
Google urged to stop collecting phone location data before Roe vs. Wade reversal - https://news.ycombinator.com/item?id=31509772 - May 2022 (8 comments)
Democrats urge Google to limit geo tracking to protect people seeking abortions - https://news.ycombinator.com/item?id=31507351 - May 2022 (6 comments)
Lawmakers ask Google to stop collecting data before reversal of abortion rights - https://news.ycombinator.com/item?id=31501871 - May 2022 (12 comments)