On Sun, 25 Mar 2012 14:23:52 +0100 Robert Waldie robert.waldie@opengear.com allegedly wrote:

Otherwise it works well enough, if you don't mind telling Google your plans for the weekend. :)

I want google to know as little as is technically possible about me. This is becoming increasingly difficult - particularly as I use an android phone.

I have to spend a ridiculous amount of time trying to ensure that /my/ data doesn't leak to the google behemoth. Frankly, I find the idea of voluntarily synching any of my contacts/mail/calendar/whatever with a google "service" horrifying.

Mick --------------------------------------------------------------------- blog: baldric.net fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423 ---------------------------------------------------------------------

On Mon, Mar 26, 2012 at 10:24:59AM +0100, Mark Rogers wrote:

On 25/03/12 15:03, mick wrote:

...

Frankly, I find the idea of voluntarily synching any of my contacts/mail/calendar/whatever with a google "service" horrifying.

Why?

Don't get me wrong, plenty of people find this anything from "uncomfortable" to "horrifying", and no doubt with good reasons. However I've just not managed to find a good reason beyond "gut instinct" why I should care what Googles computers know about me, and my gut is wrong far too frequently to be trustworthy (I'd rather trust Google :-)

I agree with you to an extent but when a business is involved there are extra worries - e.g. how does this affect one's Data Protection responsibilities?

E.g. I don't think I'm supposed to let 'the world' know what someone has bought from me unless I ask them and they say it's alright. But if the E-Mails discussing and confirming the purchase are on GMail have I revealed the information illegally?

More relevant to our situation is that there is always going to be a certain amount of confidential information about people flowing back and forth in our E-Mails, this too should be protected by Data Protection.

On Mon, 26 Mar 2012, Mark Rogers wrote:

I am not at all convinced that were Google['s servers] based in the UK that they would be in breach of any UK law, and assuming they could come up with a service that kept within the law here I'm sure most of the people who don't trust them now still wouldn't then!

Not only _could_ they come up with a service that kept within the law as it would apply to servers in the UK, they _do_ come up with such a service for some of their corporate customers, under "safe harbour agreements". See, for example, paragraphs 1.6-1.10 of http://www.ucs.cam.ac.uk/googleapps/google-apps-cambridge-contract.pdf. But AIUI, you don't get protections like that with a standard personal gmail account.

On 27 March 2012 16:20, mick mbm@rlogin.net wrote:

Interesting analogy. If I give my money to a bank, it is safe from loss (which is what I care most about here). Whilst the bank has my money, it can use it as it sees fit (it is supposed to use it to lend to others to help them, but things seem to have become much more complex of late.)

Like all analogies, it has holes in it :-)

However, the "don't give your data to Google, they're an obvious target for hackers" and "put your money under a mattress, don't put it in the bank" analogy holds pretty well.

However, if I remove my money, the bank no longer has it and can no

longer use it.

Yes, data isn't like money in that respect. Which is a good point because all my data that Google holds I also have copies of, and so that's just two places someone could hack it from instead of one. But really the analogy was between Google running my email service or me running it myself, so either way data would be in two places but my homespun email service is the more insecure.

If I give google my data it may be (theoretically) safer against loss, but I no longer have the right to remove that data.

True. This is something that would make me more comfortable.

Try the UK Information Commissioner at www.ico.gov.uk

Will do, thanks.

On Mon, 26 Mar 2012 10:24:59 +0100 Mark Rogers mark@quarella.co.uk allegedly wrote:

On 25/03/12 15:03, mick wrote:

...

Frankly, I find the idea of voluntarily synching any of my contacts/mail/calendar/whatever with a google "service" horrifying.

Why?

Mark

Why? Good question, and I'll try to answer without sounding too strident. Unfortunately privacy advocacy can sound all too paranoid to people who take a more relaxed view of intrusions - after all, what have I got to hide?

I have commented on google before, most recently in reply to a couple of emails from James Freer back in October last year. That conversation is attached below for ease of reference, but you can skip it if you like.

Firstly I must say that it is not just google which bothers me here. I am equally disturbed by what Facebook does in particular, and social networking sites do in general. Any system which allows easy aggregation of private data is open to abuse. Facebook probably takes more liberties with personal data than does google (partly because it has more in the first place - witness google desperately trying to get into the same space through google+) but then I don't use facebook either. There is a wonderful story about how the two wives of a bigamist found out about each other by being introduced through facebook (you both know this guy, you must want to know each other.....).

You may like the idea of well targeted ads, but Amazon have long irritated me with their habit of telling me about products based solely upon the fact that I bought a similar product in the past. I put up with it because they seemed pretty inept about it. Of late, however, they seem to be getting better (if that is the right word) and they seem to be taking tips from google. Consider the amazon wish list. I use this as a handy aide-memoire during the year so that come christmas/birthday when my wife/kids/siblings etc ask what I want I can simply lift references from the list (I don't share the list). But amazon have a firefox add-on which allows you to add any product from any site to your wish list. Now that /is/ smart. It tells Amazon where you have been and what you are genuinely interested in buying. Absolute gold to the company. Not so good for you if you happen to be browsing sites you would rather keep private. Not quite as sneaky and abusive as the google toolbar, but getting close.

But that is a digression. The question is about google.

My biggest problem with google is that it treats me as the product it can milk to sell to others. It is solely interested in monetising something I personally value highly - my privacy. And it is completely cavalier about how it does that. The recent furore around the change in its "privacy policy" is a case in point. That change is designed to allow google to aggregate data from disparate services in a way that was not possible (or not as easy) before the change. Both the UK Information Commissioner and the French Commission National de l'informatique et des Libertes (CNIL) have objected to the way this has been done. CNIL have even pointed out that Google's antics are probably illegal in Europe. Google doesn't care though. It ignored CNIL's request not to introduce the change.

I don't often find myself agreeing with a Tory MP, but David Davies said recently something like "if the state did what google does, there would be uproar" (though as an aside I'd be a bit more relaxed if HMG was doing this because at least there would be appropriate legal checks and balances in place - something which is impossible with google).

Consider: google has all your email, it knows all your browsing history (including that embarassing episode when you searched for the symptoms of an STD), it knows where you do your on-line shopping, it knows where you live (and probably has a picture of your house), it knows who your friends and main contacts are (and where they live). It even knows the dates of your family and friends birthdays (and, of course, the date you went to that STD clinic). If you have an android device it also knows where you are (in near real time) and where you have been. It has a log of all your phone calls (something that previously only the telcos had). All this was bad enough before the new policy, but now google can "join the dots" in a way very like that used by intelligence or police agencies. And they are a private US corporation over which you have no legal control.

And of course, ever since the passing of the US patriot act after the 9/11 incident, US authorities can subpoena any company like google to hand over everything it has on a particular subject - and you would never know. So if you applied for a US visa and there was any suspicion that you had ever been anything other than the absolute upright model of citizenship that the US so loves and requires, you might find yourself in some difficulty if google's data on you were in any way unhelpful. (I've been through US immigration many times, its bad enough if you are a good guy....)

You compare google's activity to advertising funded television and magazines and seem content that google should use all its considerable knoweldge of you to give you "better" advertising. Forgive me if I worry about a company which (unsolicited) can send me a reminder to buy my wife a present from her favourite shoe shop on her birthday next week, particularly if I happen to be walking past that same shop at that moment.

Even if you find google's current activities acceptable, consider where this is going. Google does things incrementally. Given their current stance (and the lunacy of Eric Schmidt's view that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place") their impulse to gather even more data about the product (you) is not going to change.

Now ignore google and its motivations, ignore also the motivations of the US state (because you are not going there anyway and don't care), but consider others of malicious intent. Google is a big, fat, juicy target for anyone (including large competing corporates or foreign states) wanting to get hold of its data (sorry, your data). If google lost any of your data, what could you do? Nothing. And if you believe google is currently a warm, cuddly, friendly, trustworthy company (you said you trust them) what happens if they are subject to a hostile take over by a much less friendly and cuddly company sometime in the future?

And even if you accept that all of that is perfectly OK - please believe that for me it is completely unacceptable.

Best

Mick

(Oh by way of example of what can be done quite legitimately at the moment with publicly available data published on social networking sites, take a look at the appropriately named tool "creepy" at http://ilektrojohn.github.com/creepy. I worry about the way my kids use social networking sites. But then I'm just an old fart.)

--------------------------------------------------------------------

Extracts of previous emails attached for ease of reference

(1)-----------------------------------------------------------------

On Mon, 17 Oct 2011 23:21:55 +0100 James Freer jessejazza3.uk@gmail.com allegedly wrote:

[running Xubuntu]

Just wondering if anyone uses it and what their thoughts are!

That depends upon your attitude to privacy.

I decided to have a change from Firefox. I liked Chrome and didn't find any problems - except for the bookmarks. In FF i installed the google toolbar and had all my bookmarks stored in my gmail account. Useful while i was teaching and using lots of different machines...(no longer) but i've got into the habit so i wanted to do that with Chrome. Setting up Sync and logging in to gmail i don't find it syncing at all. Having installed Chrome i then found that FF google toolbar bookmarks didn't work. Assuming there was conflict between the browsers i removed FF and google toolbar - problem remains.

I think i've found a glitch somehow and will only know when i install the new Xubuntu release.

I have a real problem with google. Their business model (funded by advertising) is inconsistent with my concept of personal privacy rights. If you find it OK to let google know everything about your browsing habits (and the fact that you have stored your bookmarks in a google service suggests that you do find it OK), then I'd say go ahead and use chrome.

Personally I wouldn't use chrome (which calls home to a variety of google networks in an interesting fashion) do that. Nor would I ever use the google toolbar which also reports back to google in a way that many may find disturbing. For example, I recall a while back some security researchers reporting that they had found that google had indexed pages which were supposedly "orphaned" (i.e they did not have links from anywhere on the web) and so should have been invisible. It turned out that google toolbar reported visited pages so the advertising giant "discovered" them.

Now "security through obscurity" is not necessarily a good idea, but I'd bet that many people have created "private" web pages which have no external inward links in the belief that no search engine could then would find them. If they have google toolbar installed (or anyone they send the link to has that installed, then this is not true.

The fact that chrome doesn't support the nascent "do not follow" standard and that google is fighting hard against any legislative attempt to enforce the standard is also indicative of their stance.

Mick

(2) -------------------------------------------------------------------

On Fri, 21 Oct 2011 23:22:03 +0100 James Freer jessejazza3.uk@gmail.com allegedly wrote:

I wonder what you'd have written if i said i'd installed Chromium!

<tinfoil beanie hat>

Much the same. Chromium, or any OS which relies primarily on web (or "cloud") based storage and applications, has the same implications for reductions in privacy. Any use model which stores my data (in the broadest possible sense) on someone else's systems, particularly where those systems may be in a country where UK laws on data privacy do not apply, bothers me. When that system is owned by a company which explicitly makes money by aggregation of personal data and whose CEO has the ludicously cavalier attitude towards personal privacy demonstrated by Eric Schmidt (c.f. wonderful remark: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place" [1]) I get even more bothered.

Installing Chrome was part of my hunt to find a better browser. I find Firefox 'hangs' after any lengthy browsing... it always seems to have done, i recall switching to Netscape back in about 2004/2005 because it was so bad and hasn't improved much in many ways. Seamonkey seems to have inherited some of that. I started looking for something better and wasn't too impressed by Epiphany which is supposed to be Debian's default browser [i think].

You could try opera. It isn't open source, or truly free in the "freedom" sense, but it is free of cost and it works well under linux. But beware here too of opera's ability to track your usage through its "opera turbo" option. This can be a useful option for speeding web browsing on a slow link, but it does this by pulling the data from opera's own caching proxy service. You pays your money....

It seems google have taken the OS code and made their own - with it perhaps some of their "sinful additions". I thought it was easier to reply by numbering the paragraphs.

1] In my mind is do they really collect data about individuals? One can suspect them of doing such things but why would they do it. They are a business focussed on developing search on the internet. I see no reason to believe they actually do anything with that data other than pursuing that objective. Would they take passwords and look in detail at what individuals access? The security risk is far too high. Someone would have got into the google complex and splashed it across the world by now - google would be dead within a couple of days. I'm sure the google complex security is ten times that of Fort Knox but even so.

Yes they do. In the name of "personalising your experience" they will do all that they can to get as close to you as an individual as is possible. Consider how you are "encouraged" to sign up to google services "for a richer experience". And it matters not at all whether google itself uses that data, the very fact that it has that much data aggregated makes it an attractive target for those of malign intent (or governments armed with warrants).

2] I don't find it ok but... i recognise that for them to provide an excellent service finance has got to come into the picture somehow. The fact that the advertising means that an organisation for a high fee gets pole position on page one of a google search compared with that pays less. BUT if one compares with other search engines it's surprising how much they vary... but then only some of the time. So how are Altavista, Ask.com etc getting funds to pay staff. I haven't done any comparisons for a few years now i admit. I've just used google as i've felt they were more ahead in research than others. Google are very smart i must say... the features they provide for free are excellent - they wouldn't be able to do that without finance somehow. What have i browsed today; Spaceship Galactica, ebay, solid fuel stoves - so what. In summary perhaps it's appropriate to say one should be WARY of google recording visits. But then again one can search 'death camps'... and all these places spring up across a certain country - no one knows why/what purpose they are for [gosh what have i written perhaps i'll get 'neutralised' next week by men in black... google might be studying this email].

Google are not in business for my benefit, they do it to make money. I have no problem with any company making money (it's what makes the western world work (or not, depending upon your perspective) but I do have a problem when their primary mechanism of funding leads them to a position where taking liberties with personal privacy becomes the norm.

I have not found any evidence that google has blocked information or in effect provides contrived searches.>

Ummm proving a negative is difficult. How exactly would you know with any certainty that search results had not been tampered with? And in fact, "tampering" with search results is exactly what google is offering you in the name of "personalised experiences".

3] You raise an good point here. I had a website that i used to test out some mindmapping. I was chuffed that google had found it... maybe it was from google toolbar - but i also tried a search at school and it found it (no google toolbar used). I merely used google toolbar to stop me deleting my valuable bookmarks when i did a reinstall [but that was a while back and i'm rather better now at backups! I'd remember everything apart from bookmarks]. Google is for finding info and that's what it did - just because there were no links... doesn't necessarily mean that google toolbar was reporting pages - it found them. Since using bookmarks (html stored in home directory) over the last few weeks i must say it's quicker than using google bookmarks via the toolbar so i doubt if i'll be using it again. I should try Chromium... but i've read a load of bugs and yet to see many for Chrome.

With respect, I think you missed a point here. The issue is that google toolbar reports searches to google. Once google has then indexed the pages (if they are not already public) they become available to anyone, regardless of whether that later searcher has the toolbar installed. So your finding the pages from a search at school is not surprising.

No search engine can discover truly "orphaned" web pages unless the engine is pointed to those pages in some way. So google cannot just "find" web pages, they have to have an external link. That is one reason that google toolbar is sneaky.

4] You could well be right. But they want to stop that legislation as it would limit their scope for a search engine. Stuff shouldn't be on the web if it's not to be found and read. I've been surprised at what google's found when i've posted on various forums on topics of gardening, dogs and classic cars.

(Minor correction here. I meant "do not track" not "do not follow", but the issue is the same.)

Implying a motive here is difficult I agree. But consider the track record. I tend to agree with the author of an article in wired [2] when he said "it’s about money that Google stands to lose if users of its browser get an easy way to opt out of its advertising tracking."

Perhaps i'm naive but i think google are very smart and deserve their success. The World watches them but i think they're clean. As for gmail; there are some things that irritate me but AOL and other's nothing like as good. The 'conversations' make list replies very easy, one can set an email client but i find them far too slow for my amount of mail - only one i've found useable is Alpine but for 'conversations' far too slow. Star important emails i don't want to delete and when it comes to 'clearing', search the 'unstarred' and then delete.

Sure, I agree that they are smart. But I don't agree that they are clean.

---------------------------------------------------------------------

--------------------------------------------------------------------- blog: baldric.net fingerprint: E8D2 8882 F7AE DEB7 B2AA 9407 B9EA 82CC 1092 7423 ---------------------------------------------------------------------

As a similar old fart, I put forward similar arguments on another mail list and somebody responded with the question 'What's different between e.g. Amazon remembering your recent purchases and a shopkeeper (of old, people nowadays don't often do it) remembering your purchases and buying stuff in on the off-chance you might like it?'

But your shopkeeper can't disseminate the information round the web can he/she? (Or couldn't then.) You know what they're using it for too.

Bev.

On 27 March 2012 15:27, mick mbm@rlogin.net wrote:

<Some big snips here, but all digested and a useful read, thanks>

There is a wonderful story about how the two wives of a bigamist found out about each other by being introduced through facebook (you both know this guy, you must want to know each other.....).

There are similar stories about people getting caught out because of mutual friends in the "Real World", in this respect Facebook is just an extension. But I'm not getting into defending Facebook :-)

You may like the idea of well targeted ads, but Amazon have long

irritated me with their habit of telling me about products based solely upon the fact that I bought a similar product in the past.

Like I said up front, this stuff makes me uneasy but I don't know why it should. I don't like ads at all, but if they have to be there I don't see why I should object more to ones that may be of interest (as long as I understand how the system generating them knew my interests). And by increasing the value of an ad by making it targeted, there is the real possibility of reducing the volume of ads in exchange. Google have always managed to be more discrete at advertising than the "old way" of web "portal" search engines like MSN/Yahoo etc.

My biggest problem with google is that it treats me as the product it can milk to sell to others.

The implication of this comment is that Google is selling my data to third parties, which as far as I know it isn't (unlike all the junk mail providers). It has a pool of possible ads and selects ones based on what "it" (their computer system) knows about me. So rather than saying "ah, this bloke has some embarrassing STD, lets send his name and address to loads of STD clinics", it says "this STD clinic is paying me to promote its services, so I'll promote them to people who've searched for something related". This to me is way better than the alternative (you know the score: you donate some money to a charity then find they've sold your address details to other charities so you get bombarded with begging letters). The start and end points are basically the same (express an interest in something, get ads for that something) but the difference is that the merchant doesn't get my details unless I click through on the ad. This is also in Google's interest (what they know about me is what they can monetise, so why give the raw data away?)

Would I prefer none of this to happen? Yes, of-course. But I'd have to pay a *lot* for a similar service that wasn't advertising funded.

The recent furore around the change in its "privacy policy" is a case in point.

To be honest I was a little surprised that they couldn't already aggregate the info so it didn't worry me too much. Again, not saying I like it, but I'm still yet to see a really good reason why it should bother me.

I don't often find myself agreeing with a Tory MP, but David Davies said recently something like "if the state did what google does, there would be uproar" (though as an aside I'd be a bit more relaxed if HMG was doing this because at least there would be appropriate legal checks and balances in place - something which is impossible with google).

Appropriate legal checks and balances maybe, but not implemented by competent people....

And of course, ever since the passing of the US patriot act after the

9/11 incident, US authorities can subpoena any company like google to hand over everything it has on a particular subject - and you would never know.

Indeed, although such are the attitudes of British governments that I wouldn't put them past granting access to UK data in the same way. I am very much one who sees governments (UK and US) and incompetent rather than malicious though. Google actually have a lot more to lose in letting my data escape (on the assumption that it was part of a major leak) than a government does, so I may even suggest they'll protect it better.

You compare google's activity to advertising funded television and magazines and seem content that google should use all its considerable knoweldge of you to give you "better" advertising.

Content? Maybe that's too string, but unconcerned? Probably.

I have a Tesco Clubcard in full knowledge that they track what I buy and target advertising accordingly too, although of-course just by using a credit/debit card they can "track" you. This I am similarly unconcerned (if not actually content) with.

Forgive me if I worry about a company which (unsolicited) can send me a reminder to buy my wife a present from her favourite shoe shop on her birthday next week, particularly if I happen to be walking past that same shop at that moment.

I still don't see why this harms my privacy. If they sent my details to the shoe shop then yes, but if an automated system sends me a message based on the data it has about me, which I am free to ignore, then I don't see the *privacy* issue here. It might be annoying being bombarded with ads, but again Google do seem pretty good at getting the balance right between "in your face" and "out of the way".

Even if you find google's current activities acceptable, consider where this is going. Google does things incrementally.

Thin end of the wedge, etc. Yes, this is a concern. But as long as they keep the data rather than selling it, I don't see a privacy issue, and given that the data loses its value if sold then I don't see why the thicker end of the wedge will be heading in that direction.

Google is a big, fat, juicy target for anyone (including large competing corporates or foreign states) wanting to get hold of its data (sorry, your data).

Agreed. On the other hand they're better at looking after it than I am, which was where the bank analogy came in. Why would anyone rob me rather than a bank? Because it's easier.

what happens if they are subject to a hostile take over by a much less friendly and cuddly company sometime in the future?

Honestly: I don't know. This is one thing that does really bother me. Although the options for avoiding this problem are pretty limiting: running all your own services yourself. Google would be a pretty big target for a takeover - my data is probably therefore safer with them than with a lot of smaller companies who would otherwise be easier to "trust".

(Oh by way of example of what can be done quite legitimately at the

moment with publicly available data published on social networking sites, take a look at the appropriately named tool "creepy" at http://ilektrojohn.github.com/creepy. I worry about the way my kids use social networking sites. But then I'm just an old fart.)

Note that there is a big difference between Google and Facebook (/Google+). With one we're talking about data it collects about me that I am trusting to it. With the other we're talking about data that I am giving it with the express purpose of sharing it with friends, family, colleagues, etc - ie if I post to Facebook/G+ I am publishing. True, a lot of people have no idea just how much they're publishing, and tools like Creepy are great for helping people learn. Anything you find out about me from FB/G+ I take full credit (blame) for making available. Anything you can find out about me from Google (G+ excepted) is a different thing entirely.

On Mon, Mar 26, 2012 at 12:50:55AM +0100, steve-ALUG@hst.me.uk wrote:

On 25/03/12 14:23, Robert Waldie wrote:

...

On 03/25/2012 12:55 PM, Chris Green wrote:

...

We defnitely *do* need it to be easy/transparent to keep Evolution (or Lightning) calendar in sync with phone calendar. If this goes via the cloud then so be it but the cloud bit will only be used as a sort of server.

Hi Chris,

This is the setup I use - HTC Desire Z Android, Evolution on my Linux box and Thunderbird & Lightning on Mac, all syncing with Google Calendar in the cloud.

Both email clients have support for Google Calendar's native API, although I initially had to use CalDAV to get writing from Lightning to work. Appears to be fixed in Lightning 1.3.

I use Thunderbird & Lightning Calender add-on. Also add on "Provider for Google Calender", though you can access your calender via CalDav apparently - see

https://wiki.mozilla.org/Calendar:Using_Lightning_with_Google_Calendars

For syncing contacts, I use add-on gContactSync which is working well for me. There are other add-ons that do the same thing. I used Zindus for a while and it worked well, then went horribly wrong for some reason.

OK, thanks for all the information.

You might be able to cut Google out of the loop by running your own CalDav server (or iCal server?), but I dunno if you could easily do the same with contacts - could you run an ldap server and get the android to synch to it? I've tried several times in the past to configure an ldap server & to get thunderbird to read its contacts form it, but I got nowhere fast. Syncing via is way easier, BUT, if you don't want Google to know, then you have some work to do!

Yes, I've played with CalDav servers and so on before when trying to work with my Nokia E71 but there really doesn't seem to be a clean and simple solution. I got things working but it was always a hassle and never very 'transparent'. Since this is going to be for my wife (who relies on her Palm/Evolution calendar a *lot*) I want it to be reliable and trouble free.