Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Google Privacy Director Alma Whitten Leaving

Unknown Lamer posted about a year and a half ago | from the do-no-evil dept.

Google 73

Gunkerty Jeb writes "Alma Whitten, the director of privacy at Google, is stepping down from that role and leaves behind her a complicated legacy in regards to user privacy. ... Whitten has been at Google for about 10 years, and while she has been the main public face of the company's product privacy efforts in the last couple of years, she has been involved in engineering privacy initiatives for even longer. Before becoming the privacy lead for products and engineering in 2010 in the aftermath of the Google Street View WiFi controversy, Whitten had been in charge of privacy for the company's engineering teams. During that time, she was involved in the company's public effort to fight the idea that IP addresses can be considered personally identifiable information."

Sorry! There are no comments related to the filter you selected.

her motto (-1)

Anonymous Coward | about a year and a half ago | (#43335341)

Do no privacy.

FEAR Alma? (0)

Anonymous Coward | about a year and a half ago | (#43335345)

FEAR Alma?

Re:FEAR Alma? (1)

greenfruitsalad (2008354) | about a year and a half ago | (#43335855)

scarier. way scarier... Oxymoron Incarnate kind of scary

easiest job ever (0)

Redmancometh (2676319) | about a year and a half ago | (#43335347)

Being the director of google must be the easiest job ever. That 8 second workweek must be great. Brb applying to facebook's privacy team. Bet I can hold 5 positions.

Re:easiest job ever (0)

Anonymous Coward | about a year and a half ago | (#43335387)

5 positions? You mean the Preacher, Praying Mantis, The Kneel, The Bendy, The Choirboy?

Re:easiest job ever (1)

mwvdlee (775178) | about a year and a half ago | (#43335897)

Aren't the Preacher and The Choirboy essentially the same position?

Re:easiest job ever (3, Funny)

Opportunist (166417) | about a year and a half ago | (#43335999)

Not really. It's one of the things where it's probably better to be the one who is behind.

Re:easiest job ever (0)

Anonymous Coward | about a year and a half ago | (#43335427)

8 seconds every week? More like 8 seconds when you get hired.

1. Write "Yes" on a post-it
2. Put the post-it on the door to your office
3. Spend the rest of your employment watching ted.com

Google + Privacy? (2, Insightful)

peppepz (1311345) | about a year and a half ago | (#43335367)

When we talk about the company's "privacy efforts", we're talking about them fighting privacy?

Re:Google + Privacy? (0, Interesting)

Anonymous Coward | about a year and a half ago | (#43335431)

Obviously, yes.

During that time, she was involved in the company's public effort to fight the idea that IP addresses can be considered personally identifiable information.

This is retarded (to put it nicely). Is your home address "personally identifiable information"? Of course it is: even if it doesn't UNIQUELY identify you, it does narrow it down by a lot. Same as with an IP address: although it doesn't UNIQUELY identify a person, it's still "personally identifiable information".

So, basically, they are trying to fight an idea that's obvious and self-evident. Way to go, Google! Just waiting for you to start trying to convince us that "War is Peace", "Freedom is Slavery", "Ignorance is Strength" and (obviously) "Privacy is Unnecessary".

Re:Google + Privacy? (0, Redundant)

Gaygirlie (1657131) | about a year and a half ago | (#43335469)

Don't be ridiculous, a street address and an IP-address are nothing alike. You can easily go and use someone else's IP-address, hiding your person behind that of an other, but just try and go live at someone else's home and see how well it goes. You know, the obvious difference comes from the fact that one is a virtual construct that can be utilized from anywhere in the world and the other one is a physical construct that can only be used on that one, specific spot.

Re:Google + Privacy? (1)

Anonymous Coward | about a year and a half ago | (#43335499)

"You can easily go and use someone else's IP-address."

And it's somehow impossible to use someone else's home/mailing address? The point is: you probably can only use someone else's IP address or home/mailing address if they (in some way) consent to it (e.g. providing proxy/VPN services, providing Tor services, etc.). No, IP spoofing doesn't count... you can spoof TCP SYN packets, but you won't be able to actually establish any connection (obviously, ICMP and UDP are different, since they're stateless protocols).

"You know, the obvious difference comes from the fact that one is a virtual construct that can be utilized from anywhere in the world and the other one is a physical construct that can only be used on that one, specific spot."

You do have a point, in the sense that they are not exactly the same. On the other hand, claiming that an "IP address" is not "personally identifiable information" is simply wrong. In fact, Google DOES use your IP address (along with user agent string) as surrogate for (hopefully) uniquely identifying the user (assuming you're not logged in to Google to begin with).

The fact that GOOGLE ITSELF uses IP addresses as "personally identifiable information" (i.e. as a way of assigning persistent identities to HTTP agents) tells me that they're not just full of bullshit, they're bald-faced hypocrites too.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335859)

IP is not personally identifiable information. It changes too often, does not ID you behind a NAT etc.

The point being, that you can't use just an IP to prosecute you on pirating stuff or for anything else. There needs to be more proof than an IP.

Re:Google + Privacy? (3, Insightful)

JWSmythe (446288) | about a year and a half ago | (#43335917)

    No, just like a street address, it does not identify you. It does lead straight to your home though. One requires someone to drive to your house. The other requires a LEO call to the ISP to ask for the address to drive to your house.

    It doesn't identify *you*. Just like you can have your mail delivered to a friend, neighbor or PO box, *you* are linked to it. It still leads back to you, no matter how many layers of distractions are involved.

  Your IP or mailing address cannot be used to prosecute. They can be used to point investigators towards who to prosecute.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43336015)

The point being, that you can't use just an IP to prosecute you on pirating stuff or for anything else. There needs to be more proof than an IP.

That's NOT the point at all. You're TRYING to make that the point.

The question is whether an IP address is "personally identifying information", NOT if an IP address is sufficient evidence for a copyright troll to sue someone.

Re:Google + Privacy? (2)

Opportunist (166417) | about a year and a half ago | (#43336033)

Same with street addresses. I'd have to start digging in the court files, but I distinctly remember a case where someone was charged with drug manufacturing and was acquitted because the only thing they could field against him was that chemicals for manufacturing were delivered to his address but they couldn't prove that it was actually him ordering or receiving the items in question.

It's fairly trivial to "abuse" someone else's address. All you have to do is intercept the delivery guy and tell him that you're you, but your ID is upstairs and if he waits here you'll go and get it. Given their rather tight schedule, they'd gladly simply accept that you're the authorized recipient... hell, as long as you scribble something on their ledger they're happy. You don't even want to know where I had to retrieve my UPS packs from...

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335553)

a virtual construct that can be utilized from anywhere in the world and the other one is a physical construct that can only be used on that one, specific spot.

You don't understand how IP addresses work, do you now ? For the majority of internet users their IP address can be traced to the city they live in by anybody, while law enforcement can extract their physical address. There's no such thing as "utilized from anywhere in the world". Yes, you can take elaborate steps to obscure your IP address, but then again you can do that with physical addresses too: remailers, PO-Boxes, etc. The success of your obfuscation is entirely dependent on the behavior of others.

The IP address and the query stream are the most private things most people give to Google. Google's position that such data is not personally identifiable. The corollary of that claim is that Google has no privacy obligations for the plain vanilla service, since even the most sensitive information is still not private. I understand Google's position, respectfully disagree and take my searches to privacy respecting services such as StartPage or DuckDuckGo.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335569)

Exactly.

Even "IP spoofing" can be done with snail mail (nothing prevents you from putting someone else's home address as the "sender", it will just make it harder for the other person to reply to YOU, as it happens with IP spoofing).

Even though it's possible to send a TCP/UDP/ICMP packet (i.e. postcard) with someone else's IP (i.e. home) address as sender, that doesn't mean that your IP (i.e home) address isn't personally identifying information. On the other hand, if you want to establish a full TCP connection (i.e. a full conversation over snail mail), you won't be able to use someone else's IP (i.e. home) address without their prior consent.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335583)

Step 1) Go to cafe with public wi-fi
Step 2) Establish full TCP connection with someone else's IP

Or, say, if your ISP uses dynamic IPs (like most mobile):
Step 1) Reboot your modem
Step 2) Establish full TCP connection with someone else's IP

Or, say:
Step 1) Get on TOR
Step 2) Establish full TCP connection with someone else's IP

Or, say:
Step 1) Buy a proxy for $5/mo
Step 2) Establish full TCP connection with someone else's IP

Enough?

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335607)

I wouldn't have to do this elaborate setup if Google just respected my privacy.

Re:Google + Privacy? (1)

LordLimecat (1103839) | about a year and a half ago | (#43337233)

Google is a company that makes money by offering services in return for advertising.

If you dont like their terms, there are options for that. [youtube.com]

Re:Google + Privacy? (1)

HappyPsycho (1724746) | about a year and a half ago | (#43365841)

Google is the only company that violates your privacy?

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335689)

"Step 1) Go to cafe with public wi-fi"

So, the cafe is consenting you to use their IP address. You're using their identity. Still doesn't make IP addresses not "personally identifiable information". Under your own logic, a home address isn't personally identifiable information either, since I can send a letter with YOUR mailing/home address on it. And can even establish full conversations over snail mail using YOUR mailing/home address (as long as you consent to that).

"Step 1) Reboot your modem"

And...? You'll still get an IP from a limited pool of addresses that, in any case, can be traced back to you (as long as your ISP wants).

"Step 1) Get on TOR"

Same as in the first case: someone is allowing you to use their identity for the purpose of establishing a TCP connection. As already pointed out, if this makes it "not personally identifiable information", then neither is a home address (since I can use remailers, PO boxes to achieve the same type of indirection).

"Step 1) Buy a proxy for $5/mo"

Same as in the first and the TOR case: someone is allowing you to use their identity for the purpose of establishing a TCP connection.

"Enough?"

Nope. Keep those invalid examples coming...

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335721)

--> My point

--> Your head

Who does your current (yes, the one you posted this comment from) IP address identify, when you might be running a public WiFi spot, come here from one of a hundred reusable addresses in a pool, or when you might be a bot in a botnet?

Do you even understand what _personally_ _identifiable_ means, or do you only understand it when RIAA tries to sue someone based on "personally identifiable" IP?

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335843)

Just because something doesn't uniquely identify you, doesn't mean it's not "personally identifying information". Your personal name might not be unique and, still... it's considered "personally identifiable information".

The point is... an IP address can usually be assigned to a specific person (or, at least, a specific entity which can point out the person responsible for said IP). The fact that it doesn't _uniquely_ identify the person behind the user-agent BY ITSELF, doesn't mean it's not "personally identifying information".

Who does your current (yes, the one you posted this comment from) IP address identify, when you might be running a public WiFi spot, come here from one of a hundred reusable addresses in a pool, or when you might be a bot in a botnet?

My current IP address (if you really need to know) actually identifies someone I live with (rather than myself). STILL, if Google has my IP address AND my user-agent string, they CAN uniquely identify me and track me across websites. Even worse... if I DO use a public WiFi spot or a botnet IP to connect to Google, and use my login, they will not only know it's me, they'll know I'm connecting from a specific place (WiFi spot) or through a specific illegal means (botnets). And, yes, Google does track which IPs belong to known botnets.

And, still... those IP addresses WILL identify someone. It just might not be the "sender". The same way a home address WILL identify someone. It just might not be the "sender" of that specific letter.

Do you even understand what _personally_ _identifiable_ means, or do you only understand it when RIAA tries to sue someone based on "personally identifiable" IP?

I understand. I think it's you who fails to understand that an IP address IS usually assigned to a single person/entity. The fact that RIAA/MPAA/whoever claims that this (by itself) is enough to prove that the OWNER of the IP address is somehow responsible for all connections coming from it, is the problem: that's where their fallacy lies, not on the fact that IP addresses ARE personally identifying information.

Under your own logic, not even my name is "personally identifying information", since it's very likely to not constitute an unique identifier of myself (just by itself).

TL;DR: You can keep pretending it isn't so, but an IP address DOES identify a person; it just might not be the person behind a specific TCP connection that comes from said IP. FURTHERMORE, IP addresses CAN be used to uniquely identify someone (or, at least, a specific browser or computer) behind a specific HTTP connection, if you can obtain further information (e.g. via javascript) about the user-agent (e.g. its MAC address, user-agent string, installed plugins), which Google ACTIVELY DOES.

I mean... seriously... if IP addresses are not "personally identifiable information", why would people go to great lengths to hide their own public IP address using indirection (e.g. proxies, VPNs, TOR, etc.)? It doesn't identify you, right?

Re:Google + Privacy? (1)

HappyPsycho (1724746) | about a year and a half ago | (#43366003)

Just so I understand your point, which person is being identified by the wifi cafe's public ip address? Assuming the ISP keeps those type of logs, which person is being identified by the public address given by your ISP?

"Personally Identifiable Information (PII), as used in information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context" - This is the definition from wikipedia, if you are happy with this definition then all of the above case are quite valid as they fail to identify a single person.

I am aware that the wikipedia page points to a NIST document that identifies ip addresses as PII but a read of the actual NIST document shows the circumstances under which such an conclusion is reached (example 2 on page 22). It revolves around having the equivalent of a domain access system (or at the very least 802.1x) which keeps track of all ips and which users were logged into them at the times which allow ip data to be co-related (typical of an enterprise network). Both NAT and an unlogged DHCP server break those assumptions (even if the DHCP server is logged the mac can still be spoofed, something not easily doable in an enterprise environment).

Re:Google + Privacy? (1)

JWSmythe (446288) | about a year and a half ago | (#43335923)

Get a PO box, a remailer service, a hotel room (yes, you can have mail sent to your hotel), and a cheap apartment in a different town. You can send mail from, and receive mail to, it.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335571)

I'm sorry, but you're giving this "private and personally identifiable information" everywhere, and you don't understand what it entails with all the privacy laws everywhere.

Did you leave comments on any site? Moderators probably know your IP. Do you use IRC? Most IRC don't mask IPs for regular users. Do you host a website? Well, you're gonna need a privacy officer to use fail2ban against chinese botnets, because - OMG! - you're storing and processing personally identifiable information. By the way, same applies if you have the logs from IRC, see above. Random game server? Personally identifiable information!!11 Your firewall? Personally identifiable information!!11

I'm all for better privacy, but this is just stupid.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335681)

I'm sorry, but you're giving this "private and personally identifiable information" everywhere, and you don't understand what it entails with all the privacy laws everywhere.

It's my choice to give out personally identifiable information to receive a service. I'm not saying Google should be banned by law to find my IP address, it's clearly needed to provide services, ditto for your other examples. What I'm asking is that everybody treat that data as what it is, personally identifiable information. They should not store it forever(*) without my informed consent. They should not correlate the multiple IPs my laptop uses with their cookie and they should not link the IPs to my search history, again using the cookie. They should not go full Orwell and tell my a unique identifier pointing to my house is not personally identifiable information.

(*) They keep the IPs for 9 months and then ditch the least significant byte i.e. 192.168.1.xxx That's not anonymization in my book, the recent Petraeus case showed what fragments of correlated data can be used for.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335885)

What I'm asking is that everybody treat that data as what it is, personally identifiable information. They should not store it forever(*) without my informed consent. They should not correlate the multiple IPs my laptop uses with their cookie and they should not link the IPs to my search history, again using the cookie. They should not go full Orwell and tell my a unique identifier pointing to my house is not personally identifiable information.

(*) They keep the IPs for 9 months and then ditch the least significant byte i.e. 192.168.1.xxx That's not anonymization in my book, the recent Petraeus case showed what fragments of correlated data can be used for.

Why?
You don't demand that the clerk forget your face between trips to the grocery store. You don't demand that your neibors not keep track of the last time you talked to them and what you said.

Why would you expect a number that is used to rout information to you to be private? And why would you expect the people who you give that number to not keep track of what they send to it?

I understand that most people grew up with the illusion of privacy because people couldn't be arsed to store and manage nontrivial amounts if data before computers, but this claim that somehow computers are suddenly destroying privacy, is the same sort of crap that companies who insist that blowing the whistle on their security holes is making things less secure.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335737)

I'm sorry, but you're giving this "private and personally identifiable information" everywhere.

And...? It still does not make it "not personally identifiable information". People give out their Social Security Numbers (even more private and uniquely identifying information than IP addresses) with equal disregard all the time: does that make SSN not "personally identifiable information"? Does that automatically give everyone the right to compile databases of SSN associated with other information?

LOL. Right...

Protip: Just because something isn't secret, doesn't mean it's not private. Just because something doesn't uniquely identify you, doesn't mean it's not "personally identifying information".

Also, you think comparing some random IRC server (which has no other information on you other than some IP address and a nickname) with to Google, which ASSOCIATES IP address information with your user-agent string, your emails and your searches and your social network, etc. etc. is even VAGUELY valid? A random IRC server can _hardly_ infringe on my privacy, if they only have my IP address... the same does not apply to Google.

Besides, the fact that I'm giving out this information doesn't necessarily give Google the right to compile that information and store it. In fact, the laws of my country (and the EU) EXPLICITLY forbid it, in some situations. Google doesn't think that's fair or doesn't like it? That's fine... they're free to not do business here.

If they want to do business here, follow the rules.

Note that (regardless of your strawmen), the problem is not storing IP addresses by itself, the problem is associating IP addresses with other information and using those to track you across websites, even if you opt-out of Google spying by not having an account (i.e. your fail2ban example is fail, since you're not associating those chinese IP addresses to other information and compiling it in databases).

TL;DR: Even if people don't necessarily keep their IP addresses "private", it still doesn't mean that IP addresses are "not personally identifiable information" (just because I don't keep my SSN or home address a secret, doesn't mean that they're "not personally identifiable information").

Re:Google + Privacy? (1)

whosdat (2551450) | about a year and a half ago | (#43335755)

You CAN'T keep your IP address private - that's how Internet works, dummy! - and it ISN'T personally identifiable information thanks to all variables like dynamic IPs, public WiFi spots, TOR exit nodes, running proxies and everything else.

You seemingly want to argue that Google shouldn't be able to personally identify you without your consent - that one's good point and I doubt many would argue with that - but for some reason you're arguing a moronic and wrong point that "IP (that you're broadcasting for everyone to know) is personally identifiable and private". The fuck? Do you work for **AA or something? I think only they were so idiotic to argue that when they were hunting pirates. I believe courts not quite agreed with them, thankfully.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43336347)

You CAN'T keep your IP address private - that's how Internet works, dummy! - and it ISN'T personally identifiable information thanks to...

Ok, so if an IP address is not "personally identifiable information", why would people even bother to use proxies, VPNs or TOR? Your IP address doesn't identify you, or anyone else, right? So why bother hiding it?

I think you confuse "secret" with "private". Maybe a dictionary would help?

(Note that my SSN should be private, although it's not exactly secret. Same with my home address, my personal name, my phone number, my email address, etc. All of them are "private, personally identifiable information" and none of them are particularly "secret".)

"IP (that you're broadcasting for everyone to know) is personally identifiable and private".

1) I'm not broadcasting my IP address to everyone I know. Don't make shit up, please... it only makes your argument seem worse;

2) I AM implicitly telling somone my IP address if I want to establish a TCP connection, sure; but I'm also giving out my phone number (personally identifiable information), if I call someone. It still doesn't make it "not personally identifiable information". Even if I'm "broadcasting" my SSN by writing it down on my t-shirt in HUGE BOLD NUMBERS, it's still "personally identifiable information", sorry. Again, just because something isn't secret, doesn't mean it's not private (i.e. doesn't mean any company can just collect that data on me, compile it, cross-reference it, give it out to third-parties, etc.).

The fuck? Do you work for **AA or something?

No, I don't. Their fallacy is not based on the assumption that "IP addresses are associated to specific people/entities" (that much should be BLINDINGLY obvious to anyone), but on the (unproven) assumption that the owner of a specific IP address (or, the entity associated to a specific IP address) IS somehow personally responsible for a specific TCP connection.

The truth is... if RIAA/MPAA detect someone, under a specific IP address, commiting copyright infringement, if we assume that their methodology is flawless (a big assumption, but still..), you can be pretty sure that SOMEONE behind that IP address engaged in copyright infringement. What they fail to (and probably can't easily) prove is that the SOMEONE is the same person that is legally associated to that IP address. (And, yeah... another of their problems is their shitty methodology, that apparently nets them shitloads of false positives, but that's another question.)

You see, unlike you, I'm not arguing this based on whatever it is that MPAA/RIAA thinks/wants, but on this small and irrelevant thing called "Reality".

TL;DR: Even if we assume that IP's are not secret or even not deserving of protection under privacy laws, it still does NOT make it "not personally identifiable information". If that was the case, there would be no point for people to use proxies, VPNs or TOR.

Please, do tell... what's the point of hiding your IP address, if it doesn't identify you anyway?

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335925)

Any system based on keeping personal identifiers secret is asinine.

The whole point of an identification number is to be given out to identify you. Keeping track of an ID number and the activities associated with it is the equivilent of the bartender at you favorite place knowing what the hell you mean when you say "I'll have the usual", because he recognizes your face and remebers your previous orders.

The whole "keep your SSN secret" crap is people who don't know a damn thing about information security using the same level of thought that brought us 4 didget PINs, putting all the info necessary to charge a credit card on the card itself, and using biometrics for a password, trying to solve the problem that intelligent people solved by with two factor authentication.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43337495)

Again, you confuse "secret" with "private" (understandable, since they are often interchangeable in the context of _cryptography_; on the other hand, these two terms are NOT _legally_ equivalent).

Your SSN, phone number, email address, home address, personal name are not secret, but they are still private AND personally identifiable information (and there are laws in place, at least in the EU, to ensure that companies respect people's privacy, as it comes to collecting "personally identifiable information", cross-referencing it, compiling it in databases and sharing it with third-parties).

The whole point of an identification number is to be given out to identify you.

Sure. That still doesn't automatically give any commercial entity the right to collect information on me, cross-reference it and/or giving it out to third parties. There are actual laws in place that are SPECIFICALLY directed at such behaviours.

Keeping track of an ID number and the activities associated with it is the equivilent of the bartender at you favorite place knowing what the hell you mean when you say "I'll have the usual", because he recognizes your face and remebers your previous orders.

I thought that was the whole point of using cookies (i.e. a way for the user-agent to VOLUNTARILY store its preferences regarding the website in question or achieve stateful (i.e. session-based) apps).

If you knew anything about the Internet, you'd know that the point of an IP address is ROUTING purposes, not identification purposes. Nonetheless, like a "mailing address" (which purpose is to ensure proper ROUTING of mail, rather than identification), it CAN be used for identification purposes EXACTLY because it IS "personally identifiable information". That still doesn't mean that the point of an IP address is to identify a person to a website: we have sessions/cookies/login+password systems for that, you know?

So, you see, it is totally possible for a website to "recognize you" across sessions, without having to actually store "personally identifiable information about you" (just use a cookie or a login+password). The issue here is that Google doesn't want to have to require your cooperation to identify you, so it can continue collect, compile and share your personally identifiable information with third parties. If they wanted, they COULD use just a simple cookie system to keep track of users... but they don't WANT that, because it would require cooperation from people: much better to track people against their will.

The whole "keep your SSN secret" crap is people who don't know a damn thing about information security using the same level of thought that brought us 4 didget PINs, putting all the info necessary to charge a credit card on the card itself, and using biometrics for a password, trying to solve the problem that intelligent people solved by with two factor authentication.

That's totally beyond the point. The point is: regardless of whether you keep your SSN secret or not, it is still "personally identifiable information" AND (at least in the EU) "private information" as well, so a company shouldn't be able to collect and use/sell that data without your prior consent (even if it's not particularly secret).

Again, I think your problem is confusing "secret" with "private". It's obvious that it's easier to keep stuff private if you keep it a secret. They're still not the same thing, though.

TL;DR: Sure, there's no expectation of being able to keep your IP address secret from people you directly communicate with, over the Internet; that still doesn't mean it's "not private information" or "not personally identifiable information".

Re:Google + Privacy? (2)

Gaygirlie (1657131) | about a year and a half ago | (#43335575)

There's no such thing as "utilized from anywhere in the world".

Tor, botnets, proxies, VPN et.al. would like to disagree with you.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335647)

Your initial point was that IPs are not personally identifiable, you can change them as you like and they can't be traced back at you. This is patently false. Indeed, you can go through elaborate steps and arrange that your public IP no longer identifies yourself, and instead identifies somebody else who is willing to lend you their real world identity. As I've said, your privacy is then entirely dependent on the behavior of others. You have no way to know if that your favorite proxy or VPN is not logging extensively. I'm posting through TOR right now and it probably offers the best IP privacy possible, but the TOR network is built entirely on the idea that IPs are personally identifiable information. Why else would you go to such lengths to obscure it ?

I know I can obtain privacy illegally, by renting an infected machine. The whole point is that I want privacy legally and that we should setup our society so that privacy is the default.

Re:Google + Privacy? (1)

LordLimecat (1103839) | about a year and a half ago | (#43337179)

If you use a VPN to a diskless box that keeps no logs, certainly you can untraceably (at least to local enforcement) use another's IP.

Re:Google + Privacy? (1)

Opportunist (166417) | about a year and a half ago | (#43336007)

The flaw here is that the average person is quite able to tell whether someone is living under their roof. Now imagine the average person being as "observant" offline as they are online. They wouldn't even notice someone sitting on their couch switching over to football every time they want to watch their soaps.

Re:Google + Privacy? (1)

LordLimecat (1103839) | about a year and a half ago | (#43337151)

Interestingly, when the discussion comes around to MPAA using IP to identify, many on slashdot would claim that IP is in no way evidence of anything for a wide number of reasons-- insecure Wifi, multiple household users, DHCP, etc.

Obviously the two arent exactly the same, and obviously I cant accuse YOU of a double standard, but slashdot as a community certainly seems to have a double standard.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43337699)

Nope. No double standard required.

The fact that an IP address is "personally identifiable information" doesn't mean that, if some troll detects an IP address under your name in a BT swarm, copyright infringement was necessarily commited by you. The fallacy of the MPAA/RIAA is there, not on the fact that you can associate a person to a specific IP address (that much should be obvious to everyone).

In fact, it's SPECIFICALLY the fact that an IP address is "personally identifiable information" that makes it illegal in some jurisdictions for copyright trolls to even collect/compile databases of IP addresses.

TL;DR: The fact than an IP address doesn't UNIQUELY identify a person, doesn't mean it's not "personally identifiable information". The same reason why your landline phone number and even your name are considered "personally identifiable information", even though there is NO guarantee that they are unique and uniquely identify YOU.

Re:Google + Privacy? (0)

Anonymous Coward | about a year and a half ago | (#43335533)

What did you expect when a corp names itself goOgle [wiktionary.org] ...

Re:Google + Privacy? (2)

Spy Handler (822350) | about a year and a half ago | (#43335559)

Tobacco companies have a Health director, so Google having a Privacy Director shouldn't seem so strange...

Re:Google + Privacy? (1)

dkleinsc (563838) | about a year and a half ago | (#43335911)

It goes along with the US government having a Department of Justice.

Google Privacy Director's job spec (0, Funny)

Anonymous Coward | about a year and a half ago | (#43335395)

The Google Privacy Director's job spec is something like:

Design ways to squeeze the last drop of privacy blood out of users without actually killing them.

And the footnote in the job spec says:

It's OK to leave them so weak and helpless that they can't leave. Bonus points if they don't even realize that it's happening to them.

I think the Privacy Director has been quite successful. Not ethical, but successful.

Unclear On The Concept (1, Interesting)

Anonymous Coward | about a year and a half ago | (#43335413)

The last two companies I worked at had officers sending stern warnings about how important corporate privacy was in one gmail while in another gmail saying how they expected employees to all be on google docs for sharing corporate spreadsheets and product planning, etc.

It must be nice being google. It's like having thousands of US corporations all volunteering to install your listening devices throughout their offices.

Re:Unclear On The Concept (0)

Nerdfest (867930) | about a year and a half ago | (#43335705)

Does the same apply to printer manufacturers, lawyers and accountants, etc? Doing anything remotely inappropriate with corporate (or personal for that matter) information would destroy their business model. Stop watching Microsoft advertisements.

Re:Unclear On The Concept (1)

Opportunist (166417) | about a year and a half ago | (#43336045)

Erh... forward those mails to the CISO and ask him for his input. Should be fun.

What's an Oxymoron? (2)

Taantric (2587965) | about a year and a half ago | (#43335423)

Kids, this is what an oxymoron is - "The Director of Privacy for Google". Another example - "Military Intelligence"

Re:What's an Oxymoron? (-1)

Anonymous Coward | about a year and a half ago | (#43335513)

I agree with this statement.

floor spring [bangliwj.net]
glass door lock [bangliwj.net]
shower hinge [bangliwj.net]

Panopticlick / Google can track you quite well. (4, Insightful)

girlinatrainingbra (2738457) | about a year and a half ago | (#43335429)

Re:
Whitten had been in charge of privacy for the company's engineering teams. During that time, she was involved in the company's public effort to fight the idea that IP addresses can be considered personally identifiable information

Well, on the one hand, the idea that IP addresses are not personally identifiable information is of benefit to the masses when arguing against RIAA/MPAA attacks saying "this IP address downloaded XYZ, thus the current user of said IP address is responsible", because an IP address is not a personal identifier.
.
On the other hand, google can then say that they keep track of IP addresses and other information which combine to become personally identifying information.
.
See the EFF's site Panopticlick [eff.org] to see the huge amount of identifiable information your web-browsing leaves behind, especially if you have javascript enabled. If google argues that your IP addy isn't personally identifiable info, then they can't get in any trouble for keeping track of it, even though in combination with your "user agent string" and the leaked browser information, they certainly can keep track of you.

Re:Panopticlick / Google can track you quite well. (0)

Anonymous Coward | about a year and a half ago | (#43335525)

Switch off JS and spoof your user agent as IE8.

Only people happy to classify IP as "personally identifiable" outside of MAFIAA are spammers/trolls/etc. (well, and privacy nuts, ok) - if it was to be successfully argued, then, for example, keeping IP with anonymous comments for moderation purposes would require all the motions required for storing and processing personally identifiable information by local laws, and even HTTP server's access.log would be a liability - even though it would be mostly "personally identifying" chinese proxies probing for vulnerabilities, web crawlers, NATs and ever changing DHCP addresses

Re:Panopticlick / Google can track you quite well. (0)

Anonymous Coward | about a year and a half ago | (#43335529)

Exactly. The issue is that IP addresses ARE personally identifying information... the other issue is that they ARE NOT _uniquely_ personally identifying information.

Besides, in the case of MPAA/RIAA (and other copyright trolls), having the IP address still does not tell them WHO engaged in copyright infringement, even though they can know the "owner" of the IP address.

The fact that, as you pointed out, Google DOES use both IP address and other info (user-agent and other juicy info obtained via javascript) as a way of uniquely identifying HTTP agents just shows that they are full of bullshit.

Google: If IP addresses are NOT "personally identifiable information", why do you use them as such?

Re:Panopticlick / Google can track you quite well. (1)

DarkOx (621550) | about a year and a half ago | (#43335653)

Personally identifiable facts separated from there other facts my be PI without actually being enough to identify on there own. Knowing only your birth date I can't do much but if I have your birthday and full name I can come up with a much smaller list of candidate people who might be you.

There need not be a direct connection between some datum being characterized as PI and using it as a unique and reliable identifier. That said, I don't disagree with googles position; having to treat IP addresses as PI while might be a great privacy protection, would completely impair Internet as it exists today, operationally, and commercially

Google has your real name (0)

Anonymous Coward | about a year and a half ago | (#43335753)

Do you remember G+'s real name policy? Or that Gmail login wants your telephone number. That your Android phone has your location for Google maps?
That they know what you search for, who your friends are, the texts of your emails, the text of your messages.

Google has all of that and your IP too.

In the list of WHO WHAT WHERE WHEN, it has ALL of these together with a long history of these.

So it's a bit disingenuous of Whitten, given one of the main components of the user profiling is the IP address.

I can see that if I block their cookies/hide behind NAT, have same computer as wife, they can still profile, until I replaced my wife's screen with the same resolution, at that point the adverts seems to be generic between up. So they're profiling users behind their NAT even.

Re:Google has your real name (1)

whosdat (2551450) | about a year and a half ago | (#43335769)

If they'd require your real shoe size - would that make it personally identifiable as well?

What's needed is laws against tracking, not redefinition of "personally identifiable" that'll bite you in the ass later.

PS: By the way, I can see how your shoe size'd be a nice data point for marketeers: "Someone with his shoe size and user agent bought sport shoes today, mark him for Nike and Reebok ads in 6 months"

Logging (0)

Anonymous Coward | about a year and a half ago | (#43336883)

Personally, I'd define it as 'logging'. Knowing you are fred when you are logged in as fred is one thing. Keeping the IP address, and the browser profile, logging every search you do against it, logging every site you visit (by adwords + analytics), where you were when you visited (you did give Android permission to tell Google your location when you clicked that button labelled 'tell Google maps your location?'...)

But EU Privacy right already defines this nicely, it forbids you linking information beyond necessary for the provided service. It's just that that privacy right was never enforced since Barosso came along.

How many hours a week? (1)

JabrTheHut (640719) | about a year and a half ago | (#43335461)

I'm assuming this is a part-time position and she's the only one in her team...

Re:How many hours a week? (0)

Anonymous Coward | about a year and a half ago | (#43336201)

You misunderstand. She had a huge team and they worked around the clock to erode our privacy.

Queue tupe666 & co to defend Google our friend.

Surely it's not still April 1st somewhere? (3, Insightful)

tehcyder (746570) | about a year and a half ago | (#43335463)

"Director of privacy at Google" is the only funny April Fool's joke on slashdot this year.

OXYMORON (1)

oldhack (1037484) | about a year and a half ago | (#43335537)

"Alma Whitten, the director of privacy at Google"

...

Privacy invasion coordinator? (0)

Anonymous Coward | about a year and a half ago | (#43335557)

Did they mean privacy invasion coordinator?

Well.. (1)

Michael Voss (2883793) | about a year and a half ago | (#43335633)

I have a feeling I'm going to get flamed for this, but given that Google has been giving out free cloud storage, free word processing (on the cloud) and other nice things to have, is it an issue (Right now?) I mean, if Google actually uses my information for anything more than advertising, I would be kind of pissed, but I have yet to hear of anything like that.

Re:Well.. (0)

Anonymous Coward | about a year and a half ago | (#43335677)

>is it an issue

Yes.

Re:Well.. (1)

Michael Voss (2883793) | about a year and a half ago | (#43335803)

I'm curious, how is it an issue?

Re:Well.. (1)

Anonymous Coward | about a year and a half ago | (#43335985)

Google goes to extraordinary lengths to anonymize usage data. There are only like 4 people in the whole Google that have access to the RAW logs, other people get them only after anonymization and any attempt to gain an access to RAW data ends up with immediate termination.

The question is if this practice would continue after Alma's departure, or she left because there was something being cooked she disagreed with.

What about IPv6? (1)

ravenlord_hun (2715033) | about a year and a half ago | (#43335777)

I understand IPv4 might not be personally identifiable, but you are supposed to keep your IPv6 subnet forever. Sure, there's some privacy extension which is supposed to help, but IIRC that only assigns randomized addresses in your own /64 subnet - not helping much in this case...

So, not privacy oriented then ... (1)

gstoddart (321705) | about a year and a half ago | (#43336305)

During that time, she was involved in the company's public effort to fight the idea that IP addresses can be considered personally identifiable information.

So she led the charge to try to make as much stuff declared not private as possible, and wasn't ever actually a privacy advocate. Did she try to argue that the wi-fi information they scraped wasn't private either?

She'll no doubt be replaced with someone who cares even less about privacy.

Sadly, Google is evolving into a douchebag corporation like every other multi-billion dollar organization. My trust in them has been waning the last few years.

Good riddance to her then.

Google Privacy Director? (1)

organgtool (966989) | about a year and a half ago | (#43336507)

I'm sure she will enjoy her new position at Fox Hen-House Security Services.

Google Privacy Director (1)

JDG1980 (2438906) | about a year and a half ago | (#43336823)

Was this one of those "no-show jobs" we sometimes hear about?

GOOGLE GLASS (0)

Anonymous Coward | about a year and a half ago | (#43339199)

Wouldn't it be a hoot if someone wearing the Google Glass SpyEye wear were to follow this person around for the rest of their life. That would be the beginning of justice for this spy company..

film izle (0)

Anonymous Coward | about a year and a half ago | (#43346399)

full hd [sinemafullhd.com] google crazy ^^

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?