Lora Bentley spoke with Hal Roberts, who studies privacy and surveillance issues for Harvard's Berkman Center for Internet and Society.
Bentley: From everything I've seen about Google's changing privacy/anonymity policies recently, the company is going to make user data anonymous by deleting bits or changing bits of IP addresses? Can you explain what this means?
Roberts: It's not actually clear what Google is proposing to do with its new policy. It says it is 'changing the bits' after 9 months and then 'removing the last 8 bits' after 18 months, without further explanation. My best guess is that Google is hashing the last few bits of the IP address, meaning it is transforming the last few bits into some unique number. This process would prevent the use of the IP address to request the identity of a user from an ISP, but it would maintain the use of the IP address as a unique identifier (and a connector to personally identifying information in search terms).
Bentley: What about cookies? Some observers have suggested that as long as cookies remain intact, it doesn't really help keep user data private because it can be reconstructed. Can you explain how cookies work?
Roberts: Cookies allow Google (or anyone hosting a server) to identify a user between separate visits to the same site. The cookie mechanism itself does not directly provide any personal information — it only allows the server to know that a given request is coming from the same user. The use of cookies allows Google to connect a current request (which includes the full IP address) with a log entry of an anonymized address, thereby associating all of the requests, anonymized or not, with the user identified by the cookie.
So as long as a user keeps the same cookie, Google can associate the anonymized requests with the current requests (and IP address) of that user. Users do have the ability to delete the Google cookie and thereby break the connection with those old log entries. But the vast majority of users don't even know what a cookie is, let alone how to delete it.
Bentley: Should business users be as concerned about the privacy of their information as individual users seem to be?
Roberts: Businesses in this sense have the same problems as individual users. They can certainly try to hide the source of their queries by using some third party proxy, but then they are placing more trust in the proxy than they were placing in Google... It just depends on how much the business wants to trust that proxy. I know from conversations with the founder of Anonymizer, the biggest such company in the U.S., that a majority of their business is now consulting with companies who want to maintain privacy (as opposed to their business selling retail software to individual users). My second hand understanding is that many or most business customers use Anonymizer (and presumably other such tools) to hide their research into competing companies, rather than to hide their queries to Google.
Ironically, maybe the best example of how Google browsing data can harm a company is probably the current Google / YouTube v. Viacom case, in which Viacom has successfully subpoenaed the entire log of who visited YouTube and which videos they watched. Viacom has been reported to be primarily interested in using this data to find out how many Google users have watched pirated Viacom videos on YouTube. So in this case, Google's data is being used to attack the privacy of Google itself in its role as a consumer of its own service.
Bentley: My coworkers and I have increasingly seen offers from third party proxies like TrilightZone since the whole Google privacy issue came to light. You also mentioned Anonymizer. Are such services the precursor to a viable new market?
Roberts: There's a possible market here, but the important thing to understand is that all you are doing by using a company like Trilight is transferring your trust from Google to Trilight. If you don't trust Google with your data, why should you trust Trilight? I know nothing about the company other than browsing their Web site for two minutes, but it's likely Trilight is just a guy or a small group of guys. I could literally set up such a service in a matter of hours.
By piping all of your traffic through these guys, you are actually investing a lot more trust in them than you invest in Google. And even though these services can encrypt data between you and them (and thereby protect you from snooping by your local ISP), they still have to send out requests from themselves to the end servers in clear text, making the traffic accessible to the intermediate network. And if they are in fact hosting their servers internationally, that intermediate network path is likely larger than the network path travelled without using them, since even local U.S. traffic has to leave and then re-enter the country. Finally, I'm highly skeptical of companies who claim to be untouchable by local laws. Every server is located in some country and therefore subject to that country's laws.
For folks interested in using a third party privacy service, I would recommend either Tor, which uses a very well peer reviewed architecture for strongly anonymizing connections, greatly reducing the need to trust the service provider, or Anonymizer, which provides a set of tools like Trilight but is a well established company with an established reputation.