Google – The Provider of Free Lunch for All?
When was the last time a company gave you something completely free of charge? Maybe it was a free food sample at a supermarket or a ‘free’ drink when purchasing a meal somewhere. The specifics don’t matter. The point is, if it did happen, the deal seems fair. In exchange for consuming something free and tasty, the company increases its chance of selling you that product in the future. We tend not to receive these ‘freebies’ every day, as it would be economically unwise for the company to hand them out.
With that in mind, how much did creating a Google account cost you? What do you pay each month to access Google Maps, YouTube, Google Drive, Gmail, Google+, Keep, Hangouts, Contacts etc.? If you answered ‘£0’, obviously you are correct. ‘No-strings-attached’ 24/7 access to these services is what we are given, completely free of charge. So how can such a generous company, whose portfolio consists largely of free products, be worth almost £100,000,000,000 (yes, billion) as of 2018? The answer is advertising.
Companies pay Google to put their adverts in front of potential customers. Google ensures these adverts are shown to the right people through data given to them by the majority of the Internet’s users. A single Google account conveniently gives us access to all of their services, which allows them to collect our data and tie it back to a unique account.
What Data Does Google Collect?
- native language
- YouTube comments
- unique identifiers
- browser type and settings
- device type and settings
- operating system
- mobile carrier name (e.g. T-Mobile)
- mobile phone number
- app version number
- IP address
- crash reports
- system activity
- date and time of search request
- referrer URL (the previous website a user visited)
- search terms
- videos watched
- our interaction with adverts
- purchase activity (Google Pay)
- people who we communicate with or share content to
- browsing history (if using Chrome browser)
- if making a call using Google’s services:
  - the caller’s number
  - the receiving party’s number
  - call duration
  - call type
  - routing information
  - forwarding numbers
  - time and date of calls
- location, by using:
  - IP address
  - sensor data (accelerometer and gyroscope)
  - Wi-Fi access points
  - nearby mobile cell towers
  - nearby Bluetooth devices
As long as we remain signed in to Google, the data gathered about us continues to grow, and with their mobile operating system ‘Android’, our data can now be fed back to Google when we are on the move. Their policy also worryingly states:
When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using.
Besides conjuring up images of George Orwell’s omnipresent Thought Police, this means that regardless of whether we are actually signed in to our Google account or not, our data is still being collected and attached to us.
It is important to note that the information we provide to Google is mostly through our own choice. I say mostly because much of the content we provide is indeed ours (pictures, email etc.), but there is a lot of data on that list we have very little control over. For example, I am not aware of a method of hiding your mobile carrier from Google. Whilst revealing this single piece of information alone is relatively harmless, when combined with the other information collected by Google it can be particularly revealing (as explained in the previous post: Increase Your Privacy by Removing File Metadata).
From experience, I have noticed people do not always realize the breadth and depth of the information they provide to Google and the potential ramifications of doing so.
Google’s Privacy Track Record
Google+, Google’s social media offering, was recently discovered to have a vulnerability in its API. This left its users’ personal information, like email address, gender, and occupation, exposed for a period of three years. According to Ben Smith, Google’s Vice President of Engineering, there was no evidence of the vulnerability being exploited, which is one of the reasons he gave as to why the public was not alerted upon its discovery.
The EU-wide GDPR legislation defines a data breach as:
a security incident resulting in a breach of confidentiality.
Organizations are required to notify the supervisory authority and, if the breach is serious enough, the individual users implicated, within seventy-two hours of a data breach. With these definitions in mind, it is difficult to argue that Google breached users’ confidential data since there was no evidence of their information being exploited. That is, a bug existed that allowed for user data to be leaked, but there was no evidence to suggest that it was actually obtained by anyone.
Regardless, I think there is a clear conflict of interest at play here which must be rectified. Google is a for-profit company, but this security incident was investigated in-house, meaning the company has motives for keeping discovered vulnerabilities private. Given its size, its track record and the significance the company has in most people’s lives, having an independent security team investigate such issues could create a much more open and honest image for the company.
Another privacy concern regarding Google dates back to 2013. This involved American and British intelligence agencies (NSA and GCHQ) eavesdropping on Google’s private servers and communication infrastructure. The project was grandly titled ‘MUSCULAR’. Here GCHQ created a duplicate of all Google’s traffic flowing over their private network cables and stored three to five days’ worth of this traffic at any one time. NSA’s custom-built algorithms would then filter the traffic for anything they saw as interesting and retain it for future analysis. Whilst not Google’s fault, these events were a by-product of being such a popular service.
Without getting too ideological about government’s role in intelligence gathering, I believe people should at least be aware of the actions they are performing and what can be done if they are deemed too invasive.
The Problems of Using Google
First, I believe Google’s large size has made it an appealing target for both government and private attackers to gather information from. Thus the promise that our data is ‘secure’ and ‘private’ should be questioned.
Secondly, a good computer security practice involves creating unique usernames and passwords for each account we create. This ensures that if one set of login credentials is compromised, an attacker would not be able to reuse it to log in to another site. Google’s ecosystem of products prevents us from having a unique username and password for each of their services. Instead our data is protected with only one set of credentials. In other words, ‘putting all your eggs in one basket’. They make it convenient for us as it supports their business model. Where convenience is involved, there is typically a trade-off.
Lastly, the business model in use relies very heavily on advertising to generate income, which Google does by collecting highly personal and excessive information about us.
These combined factors make me uncomfortable at the thought of handing my data over to such a company. Personally, I would be reluctant to share even with a close friend the wealth of data that Google collects about me.
I believe some people are not aware of alternative products outside of the Google ecosystem that are more privacy-focused. People may already have their needs met by Google’s offerings or they may simply be unaware of the privacy implications. The technologically semi-illiterate also tend to choose the easiest solution, and for all its faults, Google does make the World Wide Web incredibly accessible for those less ‘tech-savvy’.
By raising these privacy-related points, I hope to motivate people to look into alternative privacy-focused products that perform, for the most part, just as well as their Google counterparts.
Here I will recommend different services that I use and believe to be much more privacy-focused than Google’s offerings. In essence, the best way to ditch Google is to do exactly that and close your account. However, you can wean yourself off them by trying to replace each of their services one by one with my suggestions below. This is not a detailed tutorial on how to migrate away from Google. A great resource already exists for this: https://operational-security.com/complete-privacy-security-podcast-e056/. Instead I will present alternative services and their notable advantages or disadvantages when compared with Google’s counterpart.
- DuckDuckGo to replace Google Search
Search history is never saved, so there is nothing that could be leaked even in the event of a data breach. No cookies or trackers follow you from website to website. Since the search results are not tailored to you, it prevents the ‘echo chamber effect’ of only ever being presented with results an algorithm ‘thinks’ you like. On the flip side, it means you occasionally have to do more scrolling to find the exact results you need. Advanced keyword search is not provided and there are no fancy reverse image lookup features either.
- invidio.us to replace YouTube
This is a tricky one, as content-wise there is currently no realistic alternative to YouTube. The goal here was to get access to the YouTube catalogue whilst also reducing the tracking, analytics and advertising that YouTube undertakes. Invidious seems to fit the bill. No subscriptions, watched history or favorites, but also no adverts by default, without even needing an ad-blocker installed. I used Pingdom to compare the load time of YouTube with that of Invidious. Invidious uses a quarter of the bandwidth to load its homepage and takes half the time to load when compared to YouTube’s; consider this a bonus. Content creators will not appreciate this, as views are not counted and videos cannot be liked or subscribed to. For an Android app, there is SkyTube on the F-Droid store.
- Telegram to replace Hangouts / Allo
Open source, cross-platform, completely free and without adverts, plus end-to-end message encryption. A ‘secure chats’ feature means chats are not even stored in the cloud and can self-destruct from the recipient’s phone.
- Tresorit to replace Google Drive
Its servers are located in the EU and so benefit from much stricter privacy laws than Google’s US-based ones. Zero-knowledge access means you are the only person that has the cryptographic keys to view your content. A major drawback is not having the ability to create documents, slideshows etc. as provided by Google. Audited by independent security testers.
- ProtonMail to replace Gmail
Your IP address remains private as no logs are kept of it. Emails are stored encrypted with zero-knowledge access. Increase your security with two-factor authentication and the option to prevent password reset attempts. No adverts. If you create multiple free accounts, it isn’t possible to use both accounts at once on their Android app; that is, you must log out and log in to switch between accounts. Upgrading to one of their paid plans will solve this.
- Standard Notes to replace Keep
Zero-knowledge access. Only you can access your encrypted notes, not even the company. Further protect the app with a passcode. Notes are synced across various platforms and can be accessed from the web. Simple no-nonsense note taking. Lacking the reminder / alarm features of Keep, which is a shame. Two-factor authentication is offered on the premium version.
- OpenStreetMap to replace Google Maps
Another tricky one, as Google’s offering is so strong. OpenStreetMap is an open source alternative that is free and has map ‘layers’ showing cycle routes, terrain and public transport links. Directions, ETA and places of interest are all present. It lacks live transport times, reviews and business opening times. Another worthy mention that exists only for mobile is MAPS.ME.
Minimalist Approach for Maximum Value
Finally it’s time for the usual summary section, where I give the main benefits of following the advice in this article in five points or less. This time I answer,
how quitting Google can add value to and simplify your life…
- Removing a wealth of your information from a company that treats you as the product. Vote with your feet and choose a provider that respects your privacy.
- Broadening your horizons and awareness into different products that exist. Find what works better for you. “Complacency breeds failure. Only the paranoid survive”. Don’t accept what you are spoon-fed by Google.
- Creating a feel-good factor by contributing to open source projects and people that share similar interests. What goes around comes around.
- Minimizing the exposure of your personally identifiable information. As less is collected, there is less to worry about.
 Badenhausen, K. (2018). The World’s Most Valuable Brands 2018: By the Numbers. [Online] Forbes. Available at: https://www.forbes.com/sites/kurtbadenhausen/2018/05/23/the-worlds-most-valuable-brands-2018-by-the-numbers/#2d91afb2eed3 [Accessed 10 Oct. 2018].
 O’Dowd, P. (2018). Google Latest To Admit Privacy Breach. [Podcast] Here & Now. Available at: http://www.wbur.org/hereandnow/2018/10/09/google-privacy-breach [Accessed 16 Oct. 2018].
 Gellman, B. & Soltani, A. (2013). NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide. [Online] Washington Post. Available at: https://wapo.st/2yhSh8F [Accessed 13 Oct. 2018].
Photo courtesy of clapway.com