Googling Security: How Much Does Google Know About You?
by Greg Conti
ISBN 13-978-0-321-51866-8, Amazon.com USD 31.49 Bookpool.com USD 27.25
Reviewed by Richard Austin 3/13/2009
Although most security professionals have some awareness that we disclose information when we make use of "free" online services, I don't think we really realize many "micropayments of privacy" we make in order to fund their availability. Conti has written a profoundly disturbing book that explores this subject in detail. Though Google is highlighted both in the title and the text, he emphasizes that it is a convenient example and is careful to note that many other information-starved denizens lurk in the Internet landscape.
Chapter 1, "Googling" delves into just how dependent we have become on the idea of "just google it". Conti notes that he, like many of us, foregoes a large personal library in favor of the instant accessibility and organization offered by online resources. He then explores the darker side of this dependence and identifies how our use of these services discloses significant information to search engines, advertising providers, and even ISPs. He then reminds us that this information can be deliberately disclosed (sold, compelled by legal process) or revealed inadvertently through human error or deliberate attack (malware, information theft).
In chapter 2, "Information Flows and Leakage", he explores how information flows occur with the aid of an excellent "thought experiment" of drawing a chalk line around your PC and enumerating the myriad ways information flows into and out of the circle. I think that you will find some of these flows surprising.
Chapter 3, "Footprints, Fingerprints and Connections", is a frankly frightening look at how the traces left by interactions with online resource (server logs, cookies, etc) can be linked and cross-referenced to develop a surprisingly accurate view of identities, intentions and connections between identities.
The next five chapters explore the details of our interactions in the contexts of "Search", "Communications", "Mapping, Directions and Imagery", "Advertising and Embedded Content" and "Googlebot". In each case, he describes how the small "micro-leaks" of information provided in normal use of the service can be linked and analyzed to produce an individual picture that is much more revealing than the sum of its parts.
Chapter 9, "Countermeasures", explores what we can do to limit the amount of information we reveal when we're online. In describing the tactics and techniques, he gives the important caveat that it is a continual balancing act between desired privacy and functionality. For example, browsing the web through a cascade of 10 Tor nodes might assure we remain anonymous but at the expense of a frustratingly slow browsing experience.
In chapter 10, "Conclusions and a Look to the Future", he rounds out the book with some suggestions for action and a look at how the future of the online world could develop.
This book is a must-read for all types of information security professionals because it clearly identifies how use of ubiquitous information "utilities" can potentially leak copious amounts of information. It is also a book that should be read by general consumers of online services so they can begin to understand the "privacy economy" that economically supports those services and intelligently participate in the public policy debates that are sure to ensue as these services more deeply touch our lives. Bottom line: read this book and recommend it to your friends!
Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu