Legal Drama For Google & Its Users

CBS News tech analyst Larry Magid reports on the government's attempt to obtain Google's search records and the state of Internet security.

Recent revelations that the Bush Administration is trying to get Google to turn over search records has sent chills down the spines of some Web surfers who worry whether what they search for in Google will stay with Google or wind up in government hands.

The case raises a number of privacy questions, including whether or not it's appropriate for search companies like Google to be storing this information in the first place.


Editor's note: Larry Magid comments on the controversy in on The Early Show.
To help answer that question, I interviewed Steve Gibson, the founder of Gibson Research and one of the leading authorities on privacy and Internet security.

But first, some background.

The Justice Department wants Google to turn over records of a million random Web searches during a one week period. Google has refused to comply so far and said in a statement that it will fight the government's efforts "vigorously."

The government subpoena is related to a case about the Children's Online Protection Act (COPA), a 1998 law that would require commercial Web sites with adult content to require visitors to prove that they are over 18 before they can access material that could be deemed "harmful to minors."

That law was challenged by the ACLU and a coalition of media companies and other organizations and was overturned by a federal judge. That judge's decision was upheld by an appeals court and the case eventually found its way to the Supreme Court. The Supreme Court didn't rule, but sent it back to the lower court for a rehearing.


Click here for Larry Magid's podcast interview
with computer security and Internet privacy expert Steve Gibson.

Before I go on, I need to disclose that I was an expert witness in that case. Long before I started working with CBS News, I started a Web site called SafeKids.com. My site deals with ways to protect children and the ACLU had me testify about how filters can be used by parents to keep their children away from pornography.

Government officials have reportedly said they are not looking for personally identifiable information, but trying to determine the extent to which Web surfers are searching for pornography. As an aside, I question why the government needs to prove that point. Isn't it obvious by the sheer number of porn sites and the billions of dollars spent that lots of people do look for porn?

The real question, in my mind, is not whether adults look for porn, but whether children find it and what are the best ways to keep kids away from porn. I don't see how Google's data will help answer that question.

Regardless of the merits of the COPA law, the issue regarding Google raises additional concerns about the privacy of our searches. Does Google have personally identifiable information about us in its databases and could someone – whether the government, another company or perhaps, a hacker – find out what we're searching for if it were able to gain access to Google's data?

The answer is a qualified yes.

As a feature, Google allows users to establish an account and sign into the service. If you have such an account and if you're signed in, then Google definitely tracks your searches and displays your search history for you to see. That can be convenient if you want to retrace your search history, but it requires that Google store this information and associate it with your account.

If you ever sign in, Google stores your sign-in information in a "cookie" on your PC so the next time you go to Google you may still be signed in. Even if you sign in to Gmail to check your mail or Google Groups to participate in a discussion, you may remain logged in when you do a subsequent search until you click the "sign out" option.

But even if you're not signed in, according to security expert Steve Gibson, Google may still be able to associate you with a particular search.

There are two reasons. First, Google plants cookies on your hard drive that can identify you, according to Gibson, "as an anonymous user with a sort of serial number identity, but they wouldn't know who you were in the physical world." In theory, however, it's possible to correlate data from different cookies on your machine to determine who you are, but Google says that's not something it does.

Second, Google, like all Web sites, is able to determine the IP (Internet Protocol) address of any computer that accesses its site. I can vouch for that. I have my own Web site and I can determine the IP addresses of my visitors.

In many cases, it is possible to associate an IP address with a user, but it is not necessarily easy. Most people who use the Web, access it through an Internet Service Provider which could be a dial-up service like AOL or EarthLink, or a broadband provider like a phone company or cable company. Regardless, each person is assigned an IP address by that company.

That IP address may change (AOL gives you a new one each time you sign on while DSL and cable companies may change yours on a periodic basis), but your ISP can certainly associate you with your IP address.

So, in most cases, for a Web site operator to know the actual identity of the person who visits their site, they would have to have the cooperation of that person's ISP. ISPs, of course, want to protect the privacy of their customers so no reputable ISP is going to turn over that information unless it is legally obligated to do so.

Still, if compelled by a court, ISPs and Web sites can and will cooperate to identify someone. Gibson tells of a time when his Web site was being plagued by a denial of service attack. He knew the IP addresses of the suspected attackers and was able to track them down on his own as belonging to customers of Cox Cable in Southern California.

Through the FBI, he was able to get a court order to compel Cox to turn over the names and addresses of the individuals. These and other techniques are used by law enforcement regularly to track down suspected criminals including people who are distributing child pornography, but they do require a court order or other legal justification. Gibson said that it's also "how the RIAA (Recording Industry Association of America) is able to sue all these people who are doing file sharing."

Google, whose privacy policy states what information it collects, clearly says "Google does comply with valid legal process, such as search warrants, court orders, or subpoenas seeking personal information."

Gibson added, "if the FBI (with proper court authority) wanted to know who it was in the physical world who went to a Web site, if they knew when they went to a Web site they would ask the ISP who had that IP at a certain period of time and they would know who you were."

Gibson, however, says that it's "improbable" that Google or other Web providers could go back, say, two years and find out who had been searching for what sites.

Gibson doesn't worry about his own privacy being at stake. "I figure I'm probably not on anyone's radar, but I recognize that there are people whose interests might put them on someone's radar so I respect people's concerns, but it's not something I worry about," he says.

He said that he is concerned "that a search engine is keeping these kinds of records. If I could push a button and have Google flush their records of any prior searches I've made, that's a button I would push."

While there is no button that automatically purges information from Web server there is a way to delete cookies from your PC or prevent your browser from accepting cookies. Before deleting cookies, realize that you may have to, once again, provide information to sites you visit such as your user name or password.

If you refuse to accept cookies, you may be denied access to some sites or services and will repeatedly have to enter information. You can delete cookies within Internet Explorer by selecting Internet Options from the Tools menu and clicking on the appropriate link in the General tab. There are further controls on the Privacy tab. Firefox privacy options are controlled: go to the Tools menu and select Options.

Of course, if you're really concerned about your privacy you have a lot more to worry about than your Web surfing. If you use a credit card, an ATM card, checks, a cell phone, a regular phone, a supermarket discount card or an automatic toll booth payment system, then you're already living in a fishbowl.

The companies that issue those cards can figure out where you've been, what you've bought and who you're talking to. Whether or not this data gets in the wrong hands, is not so much a technology issue as it is a public policy issue.

At the end of the day, I have to agree with a statement from Google's privacy policy: "As has always been the case, the primary protections you have against intrusions by the government are the laws that apply to where you live."

And, I would add, the way that political, legislative and legal authorities interpret those laws.