Google advisers: Limit ‘right to be forgotten’ to Europe

The recommendation isn’t likely to please the European Union, which has argued that user takedown requests should be applied by Google globally.

An advisory group set up by Google is backing the search engine’s belief that so-called “right to be forgotten” requests should be restricted to Europe.

Google has been complying with a May ruling from the European Union that requires it to honor requests from users in Europe asking that search engines remove specific results that may no longer be relevant or may infringe upon that person’s privacy. But Google has restricted the takedown requests to its European domains, such as Google.fr in France, and not to its global domain. That means people across the world, including those in Europe, can still access those disputed links via Google.com. The European Union believes those requests should be applied worldwide.

But a report released on Friday by Google’s eight-member Advisory Council found that confining the requests just to the European Union follows the intent of the ruling. The members acknowledged that expanding the requests globally might ensure the “more absolute protection of a data subject’s rights.” But the group also cited two arguments against such a move.

First, users outside of Europe may need to search for information whose links have been removed across the European Union. In that case, the needs of citizens in other countries would come into conflict with any takedown requests applied globally. Second, users within Europe may need to access versions of Google’s search engine beyond the ones available in their own countries. Though it would be technically possible to block European users from accessing a site such as Google.com, the council expressing concerns about the ramifications of implementing such a block.

“The Council supports effective measures to protect the rights of data subjects,” the group said in its report. “Given concerns of proportionality and practical effectiveness, it concludes that removal from nationally directed versions of Google’s search services within the EU is the appropriate means to implement the Ruling at this stage.”

The recommendation from the council is just that — a recommendation. It has no legal bearing on Google, which must decide on its own how to implement the EU’s ruling in general and case by case.

The council does include Google insiders, such as Executive Chairman Eric Schmidt and the company’s chief legal officer, David Drummond. But it mostly consists of third parties, including Wikipedia founder James Wales, Oxford University professor of philosophy Luciano Floridi and a former director of the Spanish Data Protection Agency, José-Luis Piñar. Some of these people have been more in line with Google’s interpretation of the overall ruling, while others have been more concerned about the privacy of the people submitting takedown requests.

Though the group as a whole sided with Google in limiting the removal of search results to Europe, not all members were on the same page, according to The New York Times.

Wales voiced his resistance to expanding the takedown requests globally and to the ruling in general, saying that “I completely oppose the legal situation in which a commercial company is forced to become the judge of our most fundamental rights of expression and privacy.”

But Sabine Leutheusser-Schnarrenberger, a former German federal justice minister, sided with the European Union, saying that “since EU residents are able to research globally, the EU is authorized to decide that the search engine has to delete all the links globally.”

Google did not immediately respond to CNET’s request for comment.

37.362517 -122.034760

Google breaks old promise by working on search banner ads

Google is testing banner ads in search results, apparently reneging on a 2005 promise by Marissa Mayer to never run them.

Nearly eight years ago, Google’s then-vice president of search products and user experience, Marissa Mayer, wrote a blog post saying that the company would never run banner ads in search results or on the Google home page.

That promise appears to be in the process of being broken, reported SearchEngineLand, as a screenshot by Dallas-based Web marketing app maker Synrgy shows an experimental, enormous banner ad at the top of search results for “Southwest Airlines.”

“There will be no banner ads on the Google homepage or Web search results pages. There will not be crazy, flashy, graphical doodads flying and popping up all over the Google site. Ever,” Mayer wrote, as part of a response to a search deal with AOL.

A Google spokesperson said the experiment was running only in the US market, and described it to CNET as “very limited.”

It is possible that Google sees the test not as contravening that 2005 promise, but as an expansion of the image sizes available to advertisers that it began to run in search ads over the summer. The practice could call into question what constitutes a banner ad: Are banner ads any ad that stretches the width of the Web site, or are they limited to short, wide ads that contain “crazy, flashy, graphical doodads”?

Whatever Google’s intentions with the ads, its lack of a forthright answer about what it is doing with them won’t win the company any brownie points.

Protests follow Google ‘endorsed advert’ change

Google is facing a backlash over plans to put people’s faces and comments about products and places into adverts.

The “shared endorsements” policy change starts on 11 November and covers the comments, “follows” and other actions people do on Google+.

One protest involves people swapping their profile pictures for that of Google boss Eric Schmidt so his image rather than their own appears on ads.

Google said it had made it easy for people to opt out of the system.

The search giant started alerting people about the upcoming policy change via banners on its main webpage and in a page explaining the change to its “policies and principles”.

Google also gave examples of how the “shared endorsement” system might work. This showed people’s faces and comments appearing below Street View images of a bagel shop and search results for products and places.

Many people protested about the change to Google, and some altered their image profiles on the Google+ social network in response.

So far, Google has not issued an official comment about the protests over “shared endorsements”. However, in its explanatory pages it said it was easy to opt out of the system by clicking a box on the Google+ account settings page.

It warned that if people did not want to be part of the programme some of their comments and follows may no longer be visible to others they know on Google+.

Social network Facebook faced strong criticism over a similar system called “sponsored stories” it rolled out in 2011.

Legal action following the criticism eventually led to Facebook paying out $20m to compensate people whose images it used without permission.

NSA tracks Google ads to find Tor users

The National Security Agency uses a bit of jiu-jitsu to turn the structure of Web ad networks against people who run Tor to remain anonymous.

Just because the National Security Agency hasn’t cracked the anonymizing service Tordoesn’t mean that people who use the service are free from surveillance.

The NSA has been able to use ad networks like Google’s, and The Onion Router’s own entry and exit nodes on the Internet, to follow some Tor users, according to a new report based on documents leaked by whistleblower Edward Snowden and obtained by security researcher Bruce Schneier with the Guardian. Tor is primarily funded by the US State Department and the Department of Defense, home of the NSA.

Tor promotes itself as helping people “defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”

Robert Hansen, a browser specialist at the security firm White Hat Security, said that Tor access node tracking is not new.

“A couple of years ago a hacking group published exactly 100 embassy passwords from Tor exit nodes. One hundred is too round of a number,” he said. “Just logically there must be more. If you get enough exit nodes and entrance nodes, they can be correlated together.”

Director of National Intelligence James Clapper criticized reporters and denied that his office was doing anything illegal, citing the threat of “adversaries.”

 The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens.

 

The system that the NSA uses to locate and identify Tor users begins, at least sometimes, with the buying of ads on networks like Google’s AdSense.

“Just because you’re using Tor doesn’t mean that your browser isn’t storing cookies,” said Jeremiah Grossman, a colleague of Hansen’s who also specializes in browser vulnerabilities.

As Grossman described the procedure to CNET, the NSA is aware of Tor’s entry and exit nodes because of its Internet-wide surveillance.

“The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other Web users,” he wrote.

The NSA buys ads from ad display companies like Google and seeds them around Tor’s access points.

“The NSA then cookies that ad, so that every time you go to a site, the cookie identifies you. Even though your IP address changed [because of Tor], the cookies gave you away,” he said.

This is not some complicated or even an unusual trick, Grossman said. It’s how tracking ads were intended to function.

“That’s the Web by design, not a hack,” he said.

The NSA, he said, is not spending much money on it since Internet ads are so cheap. Grossman speculated that an ad campaign would only cost around $1,000 to seed ads with the NSA’s cookies around the Web.

“$50,000 would be overkill,” he said.

Because the NSA is essentially using how the Web functions to spy on its users, tools like Tortilla that take the burden of Tor usage away from Firefox wouldn’t prevent the NSA’s tracking ads from finding people.

It wouldn’t be feasible for Google to block ad buys from the NSA, and if the company did, he said, “they could just buy through a proxy.”

Google did not respond to a request for comment.

Both Tor itself and Schneier noted that the NSA has not been able to track every Tor user this way. “They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone,” Schneier said.

Grossman speculated that the NSA could be using spam e-mail campaigns as it’s been using display ads, though he cautioned that he didn’t have evidence that this was actually happening.

“On the off chance that [the spam recipient] renders the HTML or clicks a link, [the NSA] can connect your e-mail address to your browser,” he explained, which the NSA would have already connected to an IP address. “Using Tor or any proxy wouldn’t prevent it.”

Not all Tor installations are created equal, added Hansen, who has an unusual pedigree in the browser vulnerability field because he’s also a veteran of the ValueClick ad network, which was later bought by DoubleClick, which subsequently was purchased by Google.

“It depends on whether you’re using Tor Button or Tor Browser,” he said. “The Tor Button tends to be more secure because as you jump in and out of the Tor Browser, it tracks cache and cookies.”

However, since the Tor Project now includes a patched version of Firefox, it recommends not using the Tor Button and only using the standard Tor Browser Bundle instead.

More secure than either, Hansen said, was to run Tor on a virtual machine so that cookies and cache are dumped when the machine is closed, and the kind of man-in-the-middle and man-on-the-side attacks described by Schneier are avoided.

“If you don’t take the critical steps to protect your privacy, you will be de-cloaked if you’re doing something interesting,” Hansen said.