Online Privacy and the Business User

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Since Google announced earlier this month that it would be changing its user privacy/anonymity policies, many have wondered if those policies are actually accomplishing what they were intended to do. Some observers have gone so far as to call them "smoke and mirrors," or, essentially, a joke.


ITNews.com.au writer Egan Orion quotes a Google response to requests for more information this way:

"After nine months, we will change some of the bits in the IP address in the logs; after 18 months we remove the last eight bits in the IP address and change the cookie information. It is difficult to guarantee complete anonymisation, but we believe these changes will make it very unlikely users could be identified."

I agree with Orion's conclusion that the explanation is not exactly comforting to individuals out there.


But what does Google's new policy mean for business users? How concerned should corporate executives be about company information maintained in Google's archives? This week I had a chance to speak with Hal Roberts via e-mail about these very issues. Roberts studies privacy and surveillance for Harvard University's Berkman Center for Internet and Society.


He echoed many other observers who said it was rather unclear what Google will do under its new policy.

My best guess is that Google is hashing the last few bits of the IP address, meaning it is transforming the last few bits into some unique number. This process would prevent the use of the IP address to request the identity of a user from an ISP, but it would maintain the use of the IP address as a unique identifier (and a connector to personally identifying information in search terms).

Roberts also explained how Google's use of cookies can lead to indentifying information about users -- individual and business alike:

The use of cookies allows Google to connect a current request (which includes the full IP address) with a log entry of an anonymized address, thereby associating all of the requests, anonymized or not, with the user identified by the cookie. So as long as a user keeps the same cookie, Google can associate the anonymized requests with the current requests (and IP address) of that user.

To increase your anonymity, then -- like Robert Cringely mentioned in his InfoWorld blog -- delete your cookies!


The use of third-party services to protect your information is also an option, but as Roberts points out, using such a service only transfers your trust from Google to the other company. If you can't trust Google, who's to say you can trust the other guy?