
How is Google spying on us?

Please note: this article is a little bit outdated! In the light of the many data breaches, scandals and fines by authorities, many details about the issues mentioned in this article have been published. While the facts are still true, many aspects now known are missing, so please see this article as an entry to the topic and enjoy reading…

Installing a new WordPress blog is interesting and fun, but you rarely find a cool and responsive theme that does NOT use the Google Fonts API or Google's Hosted Libraries. I think this really is a big problem, and I will explain in this article why I think so:

Which services could Google use to gather data about us?

While Google claims NOT to combine some of the data sources it collects on specific users, it at least does so to serve personalized advertising and search results. Its privacy policy page states:

We may combine personal information from one service with information, including personal information, from other Google services

There are many rumors about which services and technologies Google could use to track us while we surf the net, but one thing is certain: Google COULD join ALL the single hits and identifiers of all its “separate” services to build a global, never-ending and total session of almost everybody.

How could they achieve this?

Every time you visit a website that embeds Google services such as Google Ads, Fonts or Analytics, these services have to communicate with Google's servers to fulfill their purpose. All these “hits” to Google are made with the help of “temporarily” unique identifiers such as cookies, URL parameters and others. The important aspect is that these “tokens” overlap within your browsing history. Even if you delete some of them, you rarely change (can you even?) all of them for good:

  • you bookmark (and revisit) unique URLs with session IDs

  • you reopen saved tabs and browser sessions

  • you didn’t change your ISP's IP address between cleanups of your browser profile (e.g. by rebooting your surfing device)

  • you re-enter your password for one of the Google services you use at some point in a future session

  • etc…

Doing just ONE of these gives Google the opportunity to rejoin your current session with your past ones.
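The rejoining described above, as an added example that is not part of the original article: hits that share any one identifier are merged into one profile with a union-find. The log records, field names and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed hits as a third-party server might log them (all values made up).
HITS = [
    {"id": 1, "cookie": "c-A", "ip": "198.51.100.7", "account": None, "url_sid": None},
    {"id": 2, "cookie": "c-A", "ip": "198.51.100.7", "account": None, "url_sid": "s-77"},
    # cookies deleted, but the IP address did not change
    {"id": 3, "cookie": "c-B", "ip": "198.51.100.7", "account": None, "url_sid": None},
    # new cookie and new IP, but a bookmarked URL with a session ID is revisited
    {"id": 4, "cookie": "c-C", "ip": "203.0.113.20", "account": None, "url_sid": "s-77"},
    # fresh browser profile, but the user logs in to an account
    {"id": 5, "cookie": "c-D", "ip": "192.0.2.44", "account": "alice", "url_sid": None},
    {"id": 6, "cookie": "c-C", "ip": "192.0.2.99", "account": "alice", "url_sid": None},
    # an unrelated visitor
    {"id": 7, "cookie": "c-Z", "ip": "192.0.2.200", "account": None, "url_sid": None},
]

def link_sessions(hits, keys=("cookie", "ip", "account", "url_sid")):
    """Group hit ids that are connected through at least one shared identifier."""
    parent = {h["id"]: h["id"] for h in hits}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (identifier type, value) -> id of the first hit carrying it
    for h in hits:
        for k in keys:
            if h.get(k) is None:
                continue
            token = (k, h[k])
            if token in first_seen:
                parent[find(h["id"])] = find(first_seen[token])
            else:
                first_seen[token] = h["id"]

    groups = defaultdict(set)
    for h in hits:
        groups[find(h["id"])].add(h["id"])
    return sorted(groups.values(), key=min)

if __name__ == "__main__":
    print("cookies only:   ", link_sessions(HITS, keys=("cookie",)))
    print("all identifiers:", link_sessions(HITS))
```

With cookies as the only key the six hits fall into four separate profiles; with all identifiers they collapse into one, because each cleanup left a single overlapping token behind.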

You even simplify this for them if:

  • you generally surf while logged in to Google accounts (Google Mail, G+, YouTube etc.) or use devices that usually require you to be logged in, like most Android smartphones and tablets or Chromebooks

  • you don’t delete your cookies frequently

  • you use only one device to surf the net (like using one laptop for work and private usage)

Later in this blog post I will list the most-used services, which all “phone home” to Google's server farms. Google is becoming more and more something like the operating system of the Internet, and people rarely think about the personal consequences of that.

All the requests from these many services could simply be joined using Google's tremendous computing capacity. At any time (even in the future, after a change to some terms and conditions or a change in jurisdiction) this information could be used to build a global, never-ending session of almost every click you have ever made! This is possible because Google services are so widely used across websites (by lazy web developers who ignore better, simpler or different solutions).

It should be noted that the outlined method could be further optimized with a full spectrum of technologies, such as browser fingerprinting and many others, just to refine its accuracy.

To get a feeling for how real this is, you could install a browser add-on like “Lightbeam for Firefox”; after some days of browsing you can explore the various interconnections in a visual graph!

It is somewhat unclear whether Google actually joins ALL this data. BUT from a technological point of view it is definitely possible. AND from an economic point of view it is definitely in their interest to further boost their earnings by serving more personalized ads (which get more clicks) and more personalized search results (which win them loyal customers).

The following Google services could be combined to spy on us in a global view

  • Google-Search
    including Google Custom Search, integrated in websites

  • AdSense

  • Doubleclick
    Doubleclick tracking pixels remain integrated in websites even when they no longer serve ad campaigns, simply because for most web administrators it is too laborious to change the HTML code.

  • AdMob
    Network for mobile banner and text ads
  • Google Analytics

  • Google Plus
    Primarily via the G+ social sharing Buttons, embedded in many websites

  • YouTube
    embedded YouTube videos

  • RSS Feeds on blogger.com, Google-News
    Either by simply visiting them, OR because weblogs and news sites provide syndication feeds (like RSS) which are then requested automatically by your RSS software of choice (like Firefox dynamic bookmarks or Thunderbird), so the RSS tools at least communicate your IP address, and perhaps cookies, on a regular basis.

  • Google Mail
    As with Google News or RSS, your mail client communicates your IP address together with your login data, which directly connects those two data points.
  • Google Maps
    embedded in many Websites and local services

  • Malware Protection in web browsers
    Chrome, Chromium and Firefox use Google's Safe Browsing service to download lists of dangerous sites every 30 minutes, and at least Firefox actively sends information to Google’s Safe Browsing service by sending it some of the metadata of every download.

  • reCAPTCHA
    Used to spam-protect millions of comment forms around the globe (and, by the way, exploiting ordinary people as unpaid click-workers)

  • Font-API
    Used, for example, in most recent WordPress, Joomla, Drupal and other themes, which serve millions of websites.

  • Google Hosted Libraries
    Also used by many free themes…

  • Google Chart API

  • Google App Engine

  • Google Translate API

  • Google DNS Services
    Google Cloud DNS and Google Public DNS

Additionally, every service not mentioned here that can be integrated into a web page and is listed in this document: https://developers.google.com/products/ More can be found there, but I have already listed those which are, as far as I know, more widely used. So my list is not complete! Please use the comment form at the bottom if I have missed something important. I will add it to this list.
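For site owners who want to know which of the services listed above their own theme pulls in, here is an added example (not part of the original article) that scans a page's HTML for resources the browser fetches automatically from Google endpoints. The hostname mapping is a non-exhaustive selection made for this example, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (host suffix, path prefix, service as named in the list above); not exhaustive.
GOOGLE_ENDPOINTS = [
    ("fonts.googleapis.com", "", "Font-API"),
    ("fonts.gstatic.com", "", "Font-API"),
    ("ajax.googleapis.com", "", "Google Hosted Libraries"),
    ("google-analytics.com", "", "Google Analytics"),
    ("doubleclick.net", "", "Doubleclick"),
    ("googlesyndication.com", "", "AdSense"),
    ("youtube.com", "/embed", "YouTube"),
    ("google.com", "/recaptcha", "reCAPTCHA"),
]
# Tags whose attribute makes the browser fetch a resource without a click.
AUTO_LOAD = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Constructed sample theme markup (paths and IDs are placeholders).
SAMPLE_THEME = """<head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
</head><body>
<a href="https://www.google.com/">a plain link loads nothing by itself</a>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="/images/logo.png">
</body>"""

class ResourceAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (service, tag, url) per matching resource

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urlparse(value)  # also handles protocol-relative //host/path
        host = (url.hostname or "").lower()
        for suffix, prefix, service in GOOGLE_ENDPOINTS:
            if (host == suffix or host.endswith("." + suffix)) and url.path.startswith(prefix):
                self.findings.append((service, tag, value))
                break

def audit(html):
    parser = ResourceAudit()
    parser.feed(html)
    return parser.findings
```

Calling audit(SAMPLE_THEME) reports the font stylesheet, the hosted jQuery and the embedded video, and ignores the locally served files and the ordinary link.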

What could YOU do about that?

Unless you use services like Tor (which are unfortunately also not foolproof), you cannot completely stop data collectors like Google from spying on you. BUT you can at least hinder them! The most effective method is to start using browser plugins like Ghostery or NoScript to reduce the hits to data-gathering servers.

Disclaimer: at the moment this blog is powered by a theme which also uses Google fonts. I want to change this in the future, when I have figured out how to do this without destroying its layout. 😉

This post is Powered by a Visual from hoffmann-grafik.de