Thursday 7 March 2013

Google privacy? Only if you're extremely careful

Some weeks ago I have noticed that the targeted advertising became more and more accurate in targeting me: few days after I researched the web for something, other pages I browsed started to display banners with ads for that something, "by happening".

Surely, they are not that intelligent to decide that sometimes they should simply stop, like: if I buy, let's say, a car over the net, then it's quite pointless to keep flooding me with car deals afterwards, because the probability to buy another one is quite small; I have no money left and I will be forced to live with my choice no matter what super deals they're presenting me now.

The climax was reached one day when on youtube logged in with a nickname I keep only for youtube. Suddenly a pop-up appeared on screen saying something like:

You're logged in using this nickname 'Xxx'. Wouldn't you like to use you real name 'Yyy Zzz' instead? 

And it was indeed my real name! Really scary.
So, I tried to find out to see where is the leak.

I am using Firefox and I have looked over the extensions and found a great one named Ghostery that eliminates all the trackers on the visited websites. I have also installed AdBlock Plus that does some advertising filtering. Nice start!

Then I have noticed (few good months maybe even years ago actually) that google is behaving differently when it returns the results of a search: if you think that clicking on one of the results will get you directly to the particular website, this is not true: it gets you back to google in the first instance and only from there you'll be redirected to the original website. Hover the mouse over the links and look in the status bar to see what I mean.
This crap was built to let Google know what page you chose from the list of possible search results it returned. Happily this behaviour is easily reduced to silence by installing the google-no-tracking-url extension in firefox.

Now to the real problem: I have noticed that each time I open Firefox I am already logged into google and, no matter what I tried, deleting cookies, configuring not to accept 3rd party cookies, logging-out, checking on google preferences that I don't want to be kept logged in, clearing the cache, etc, etc, etc, it still happen.

It was so annoying that I chose to do a manual log-out procedure (followed by changing https to http, see below) each time I opened Firefox, that you can imagine is time consuming and not completely safe as sometimes I simply forget and start searching things as soon as Firefox opens.
 
Then I found and install the Self Destructing Cookies add-on in Firefox that deletes the cookies few seconds (10 by default but configurable) after being created and tells you what it deleted.
With its help I have noticed that each time I start Firefox in few (10) seconds it says that it destroyed the cookies for gmail.com and google.com. But then if restarting the browser I am again already logged in google and the Self Destructing Cookies again it deletes the cookies.

So what created the initial cookies??

I found that the main culprit for this behaviour is another otherwise very useful extension I have installed in Firefox: X-notifier. I use it to get notified about new mails on my gmail, yahoo, etc accounts and it is configured that checks for new emails at each Firefox start-up.
What happens in a matter of 1-2 seconds when I start Firefox is:
  • Firefox starts and launches the X-notifier add-on; nothing is loaded for the user to view on screen yet.
  • Immediately X-notifier logs-in gmail and by doing so it accepts the cookies for the domain. Gmail, in its mean wisdom doesn't send you back only a cookie for gmail but for also for google.com (see Self Destructing Cookies documentation, about the 3rd party cookies, for more)
  • Then, Firefox loads the default page I have configured (http://www.google.com not https!) and sends the cookie to google because it finds it already created.
  • Google logs you in according to the cookie and also redirects from http to https.
  • Self Destructing Cookies does its job 10 seconds later but a bit too late. You are already logged in. 
Luckily X-notifier has an on/off switch in 'about:config'option that makes it not to accept/store cookies anymore and the problem was solved. This should be a default option in this nice module and I have notified the add-on creator; maybe he wants to change the default behaviour.

Another word of warning: the https:// version of google is the default these days and it is promoted as it is safer and is done for your own good (!). Like somebody is eavesdropping and I need protection for my searches that are performed on an otherwise public search engine...

Anyway, as you may know SSL uses a unique id token for the whole session which means that actually they can link together all your searches performed in one session, without needing any cookie.
So assume the following scenario: You're not accepting cookies, you're not logged into your gmail/google account and you do 30 searches using the https google. In this moment, using SSL session id google knows that all 30 searches are from the same person, just don't know who this is. (The same scenario can obviously happen if you're using cookies, with or without https.)

Then, in the same browser you log on into gmail to check your emails. All your previous 30 searches are linked to your account now!
So it is not for us, the users, it is just for them again. That's why I prefer to use the http version of google and all cookies disabled by default (and enabled case by case if necessary).



Finally, a bit about the auto-completion feature of google, or the "display-the-results-before-I-even-asked" feature. Using Ajax has this advantage: things happen behind the scene and gives the overall impression that it looks better and it is faster. However, be aware that the downside of it is that, as soon as you type a letter, google already knows you have typed it and it is recorded into your account (assuming that you're logged in or using cookies, http, etc. see above), no matter if you clicked the "Search" button at all.
As an example, think about an embarrassing condition you might have and an attempt to find a cure for it. Let's say you start typing: "I have a nasty fungus on my pen...". Then you realize that you might be too exposed if you write this and delete everything and search instead for: "Dermatology practice in London".
Well... it is too late if you're logged in (or using cookies, https, see above).
Google knows already about your real problem and you might see banners about some special anti-fungal cream on your next visit to a bakery's website if they do advertising with google.

No comments:

Post a Comment