Vint Cerf: 'Google doesn't know who you are'

Identifiers don't identify


Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

"It's...incorrect to say that we are able to disclose somebody's identity," Google told us. "We only have the information associated with the account, and federal law sets limits on what is discoverable." Never mind that when you sign up for Gmail, it asks for your name.

Google won't say whether the user's identity was divulged or not - and neither will the court. But for some reason, we expected a little, shall we say, openness from Vint Cerf.

The net's founding father went on argue that you don't have to be logged in to your Google account to use search. When Mossberg pointed out - once again - that his Gmail address appears at the top of his search page, Cerf said: "If you've logged in because you were using Gmail, the system tells you that you're logged in," he said. "You wouldn't want us to hide that?"

Sitting to Cerf's right, Adobe CTO Kevin Lynch piped up to say that users have the option of turning off Google's link between search and services like email. Then he pointed out that it's on by default.

The conference crowd chuckled. And Cerf hit Lynch in the head with something akin to a rolled newspaper.

It was a playful hit. But it was yet another way that Cerf - like his Google overlords - carefully steers clear of acknowledging exactly what personal data the company is collecting.

"We don't care who you are. We only care about the pattern of behavior you exhibit."

-Google's Vint Cerf

Yes, you can search Google without being logged into your Google account. But Lynch is correct when he says the two are linked by default. And at best, it's naive for Cerf to say that Google doesn't know who are when you're logged in. Vint Cerf may not know who you are. But Google's servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified.

You can be identified even if you search while logged out. Google still tracks your IP address. And as much as the company likes to say that an IP address is not personal information, we can safely say that's nonsense.

Just before Cerf landed his Chewbacca defense on conference attendees in San Francisco, Google unveiled a new "Dashboard" that ostensibly explains what Google knows about you. But this is merely the latest example of Google Privacy Theatre.

The new dashboard shows you an (apparently random) collection of data associated with your Google account. But as the consumer watchdog known as Consumer Watchdog points out, it doesn't tell you what data is associated with your IP address. And there's no way de-linking data from your IP.

"This was a PR gimmick," Consumer Watchdog's John Simpson tells The Reg. "All it does it put in one place the info you've consciously given them."

Plus, we all know that relatively few people will actually visit the thing - just as relatively few will actually log out of their Google accounts when they start searching its search engine.

If you do log out, Google insists, it will "anonymize" your data after nine months. But this is the most amusing act of Google Privacy Theatre.

After nine months, Google scrubs out only the last eight bits of your IP address - and it leaves your cookie data untouched. It does scrub cookie after 18 months, though it won't say how.

Which means that restoring your IP data after nine months is trivial. Google may erase eight bits on your nine-month-old search queries, but those bits will remain intact on newer queries - and both sets of queries carry the same cookie info. Recovering the missing bits on older data is a one-step process.

Come to think of it: Restoring the missing bits is hardly beyond the realm of possibility after eighteen months. It's only eight bits.

The point here is that Google refuses to delete your IP outright - whether nine months have passed or 18. So-called efforts to protect your privacy don't go quite as far as Google would lead you to believe.

"We don't care who you are," Cerf told yesterday's conference. "We only care about the pattern of behavior you exhibit." Which is true. But that might be read in more ways than one. ®

Similar topics

Broader topics


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022