I would really like someone to tell me where to start this little story, but since there is no one to do that I'll start it somewhere..
intro (kind of)
Once upon a time, there were 2 guys who said: "Hey, let's do a web search engine!", so google.com was born. As Google was growing he realized that just searching stupid stuff for people is too small for him. He began expanding, offering people more services, telling people that the web is good, the web is best. In his still immature mind a great idea was born: he knew there must come a day when people, without realizing it, won't be able to exist without him.
next the story follows from the point of a paranoid mind (or simply part I)
I don't know anyone that doesn't use Google. At the least, everybody does googling (this term has already been added to some important dictionaries). Most of my friends have Gmail accounts, and most colleagues at work use Gtalk.
When saying Google, the first thing that comes to mind is the page where you enter the words for your search.
But what is "Google"? Did you ever think about Google as a threat? I bet not.. Still, when Gmail was just at its start there were concerned voices talking about privacy, the fact that Google will use content from the mails to show targeted ads (some of you may remember that there were ads in Gmail).
So let's start expanding the understanding of Google. Yes, it is a search engine; yes, it also has a mail service; yes, it helps you post ads all over the internet; yes, it shows you ads when you are not in the mood for them. But hey, that's no secret, just about everyone knows that. But have you heard about Google Analytics?
Google Analytics is no intelligence agency (or is it?), just a service for tracking statistics for your site, like what geographic region most of your visitors come from, the language they speak, their time zone and other stuff like that. It is supposed to help you know your target audience better. Do you see any evil in that? I think I might like that kind of statistics on my site. Still, there is one little thing that bothers me.. When someone enters a site with GA, he can be easily tracked on all other sites with GA. I mean that GA will know that a user that entered a site about cars also visited a site about motorcycles and also a store with sports equipment. But hey, that's not a problem, right? The most they got is an IP, which can change. Hm.. on second thought, it's enough that you log into your Google account (it can be Gmail or Blogspot) and you will be identified in GA, and all your browsing history will be assigned to your account. To make it short, YOU'VE BEEN TRACKED DOWN!
Just to add a little bit of salt and pepper, every time you visit a web site with AdSense ads on it, you are also tracked. There is nowhere you can hide (actually there is, but it's not in the scope of this little post).
Almost forgot.. Google also offers a service called Web History. It is supposed to help you track the sites you visit, to get statistics about your web activities. But once again, it will help track even your slightest move. I think my paranoia is getting worse..
What should I continue my story with? Maybe AdSense? I don't think there is one man on this planet using the internet who hasn't seen the Google AdSense ads. One thing that puts it one step ahead of others is that these ads are targeted by the contents of the site they are placed on: ads related to cars on a site about cars, etc. What evil is in that? None, I say. None till you read what I've written about Google Analytics. When talking about ads, there must be lots of analytics! The first step in AdSense was to relate the ads to the sites they were placed on, the next one is to relate the ads to your personal preferences.
Here is a scenario: you google around for the new BMW X5. You find websites with reviews and start reading, watching galleries. The websites you entered have GA, and all your moves are tracked and registered, attached to your personal record. The next site you visit will have ads with a local BMW dealer offering the best prices around for the model you've been investigating. (Didn't I tell you that by your IP it's easy to know what town you are in? But there is no need for that, you've probably entered your location in your Gmail account.)
But that was a very simplified scenario, I'm afraid I don't have enough imagination to figure out all the possible ways to use the analytics in more efficient advertising and not only..
With the resources that Google has, it is possible to create engines that will analyze and identify the general sense of a web page, not just the most repeated words and words related by meaning or domain. It's scary what potential it has if applied with bad intentions..
I said nothing about the privacy of your information.. till now.
Are you using Gmail? How about Google Calendar? Picasa maybe? Have you set info about your credit card for a fast Google Checkout? Well.. can you at least imagine how much information Google has about you? They've got your credit card, which ensures your real identity. All your e-mails, and the IDs of the friends you are mailing with. They've even got your photo, and photos of your friends. And your calendar, and your Google Notepad with all your private notes.. That's what any intelligence agency always dreamed of (and is ready to kill for)..
part II
Enough with bad guys, let's assume (completely theoretically) that Google is no evil corporation. Let's assume that only nice guys work there, who really care about you, your privacy and not the billions they earn.
In that case the world is still full of people willing to get access to your account and to the information you have there.
As threat number 1 I'd call the social networks, dating sites and all the crap of this kind. Scenario: the bad guy (it's not necessarily a bad guy, maybe it's me doing a PoC) rapidly creates a dating site (it's quite easy you know, with all these templates and ready-made scripts), then sends spam to about 1M Gmail addresses offering to join the dating site for free. An innocent victim enters the site and begins registration. At one step, he/she is asked to enter the gmail/yahoo/hotmail account so the system will synchronize with his/her contacts automatically. Got it? Once he gains the account and the password, the attacker has control over all data, not just contacts and e-mails. If the info for a credit card is set, the attacker can change the default shipping address and make orders online.
In this kind of attack, once it's started the number of victims rises exponentially (until one point), because having access to the contacts, the system without asking the victim will send invites in the victim's name to all the addresses in them, asking to join the dating site. What will you do if you get such an invitation from one of your friends?
So for the sake of the God of computers, DO NOT EVER GIVE OUT THE PASSWORD TO YOUR GMAIL ACCOUNT! Not to me, not to any site that asks for it!
outro
After all said and done.. The problem is that with one name and password you can access a lot of services, and all provided by one company. If the password to your e-mail has been found, you're in trouble. Google promises to protect your data, but..
Quis custodiet ipsos custodes?