Judge's Order For Google To Hand Over YouTube Usage Morphs Into Google Backlash On Storing IPs

from the backlash-everywhere dept

Fri, Jul 11th 2008 3:50am — Mike Masnick

There was plenty of attention given to the judge's order that Google hand over log files to Viacom's lawyers in the Viacom/YouTube lawsuit, with much of it focused on what an awful ruling this was. Now it appears that some are trying to use this bad ruling to actually focus negative attention on Google instead. A lawyer who is also suing YouTube over copyright issues mistakenly claims that Google has tricked the press into making Viacom the enemy here. That's not quite true, though. Most of the anger was focused on the judge's decision, not on Viacom. However, he does make another, related point that is getting picked up by others as well: "How else do you explain why they have been collecting and using IP addresses to monetize their site (for a while now), yet only now, with great self righteousness, claim to be concerned about producing IP addresses?"

Of course, that's not quite an accurate portrayal of the situation either. It's one thing to store your own log files -- it's quite another to be asked to hand them over to a random third party. Louis Solomon's statement above is like saying "how can a doctor store your medical info and then, with great self righteousness, claim to be concerned about protecting your medical info." It's rather easy: the doctor has a right to the medical info, while a third party does not.

However, that hasn't stopped some privacy advocates from asking why Google has kept the log files in the first place. This doesn't strike me as being that big a deal, to be honest. There are plenty of reasons why Google should be able to control its own log files. I can understand questions concerning what it does with the log files should those actions violate user privacy -- but merely tracking how people use their websites hardly seems like a privacy violation.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backlash, ip addresses, privacy
Companies: google, viacom, youtube

34 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

inc, 11 Jul 2008 @ 4:29am

if your IP address is hitting my server using my bandwidth, I sure as hell have a right to record and store that IP address. While I don't think Google should give out their logs and it's no ones business who visits their servers and IP address is far from private information. This is like saying your license plate is private. At the same time I don't want my Sunpass logs revealed to everyone.
[ link to this | view in chronology ]
- JS Beckerist, 11 Jul 2008 @ 9:17am
  
  Re:
  Sunpass == EZPass? Interstate IR transmitter so you can drive right through the booths?
  [ link to this | view in chronology ]
eh, 11 Jul 2008 @ 5:01am

Unless I'm totally missing something here, I don't think a "Judge's Order" really counts as a "random third party". This isn't just another company saying "hey, can I get that?". It's a judge. And I'm pretty sure we have to listen to those guys. You know, the law thing. :-P
[ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 5:47am
  
  Re:
  It's still giving it to a random* third party. Viacom said, "Hey, can I get that?" Good said no. Viacom ran to the judge and said, "Mommy, he's being mean." So the judge ruled against Google. Still a random* third party.
  
  *for certain values of random
  [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 6:50am
  
  Re:
  your missing the point. the third party is viacom
  [ link to this | view in chronology ]
- xs, 11 Jul 2008 @ 7:04am
  
  Re:
  Judges are known to be wrong all the time, and plenty of their orders gets reversed or even chastized by other judges. Otherwise, what's the use of appeal courts, state superem courts and the US superem court?
  
  Even if this judge interpreted the law correctly, it doesn't mean the law itself is correct. Remeber, the whole civil disobedience thing was directed at laws that was wrong?
  [ link to this | view in chronology ]
vic, 11 Jul 2008 @ 5:06am

IP Logs vs. Medical Log
That's just a terrible argument from analogy. Not too many lives depend on keeping track of which IP hits your site.
[ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 5:45am
  
  Re: IP Logs vs. Medical Log
  What about the people using browsers with a "prefetch" feature that may have been on a page that links to a Viacom video on YouTube?
  
  What about anyone with something like AvG 8's "pre-scan" feature that crawls the web page of EVERY LINK you see to see if its a virus (works similar to the "prefetch)?
  
  Or how about a struggling single parent who's kids used YouTube to watch a Viacom video?
  
  People's lives CAN be ruined by this, just financially instead of medically. With the economy as it is that amplify's the damage.
  
  Sure, Viacom could be only going after the people who UPLOADED the content (which are the ONLY people they should be trying to go after) but I'm skeptical that will be the case.
  
  Thanks to the shambles of a system we have for copyright, Viacom sees it as having been given a money train.
  
  Expect lawsuits, and lots of them.
  [ link to this | view in chronology ]
  - Anonymous Coward, 11 Jul 2008 @ 5:58am
    
    Re: Re: IP Logs vs. Medical Log
    No. The Judge has specifically told them they may not use the logs for any other lawsuit, just the one between Google and Viacom.
    [ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 5:50am
  
  Re: IP Logs vs. Medical Log
  No, you're right, but the argument was how you can store records and then be self-righteous when someone else wants to see them. Most disclosures of medical information don't threaten people's lives, either, but both are a violation of privacy. Google has a right to keep records and a duty to not let those records fall into just anyone's hands.
  [ link to this | view in chronology ]
Jim Harper, 11 Jul 2008 @ 5:14am

Google Created an Attractive Nuisance
I think the knock on Google is well-placed. The best notion I can come up with is to equate Google's data collection practices with the creation of an attractive nuisance. I've written about it here, though imperfectly. Read the comments for interesting challenges. Google absolutely has a right to collect IP information and whatever else users share with them. The more subtle question is what they should collect, and it's a bit less than "everything they can." Yes, Google uses data to improve their services, as they should - and users benefit from that. But they should really be cutting the edge on things like synthesized data - data that is developed from real data, that is statistically relevant for the purpose of an inquiry, but that is not actually real. This would allow Google its research capabilities (yes, slightly degraded and slightly more costly) without the attractive nuisance of huge swaths of personal data about users for litigants and governments to try to grab. So long as the Fourth Amendment's third-party doctrine exists, our protection must rely on preventing accumulations of data anywhere and everywhere, even with companies that have fully adequate privacy policies. They can't make good on their promises.
[ link to this | view in chronology ]
- moe, 11 Jul 2008 @ 6:13am
  
  Re: Google Created an Attractive Nuisance
  "slightly degraded (research capabilities) and slightly more costly"
  
  So, a company whose main advantage is the quality of their research should use less reliable data that costs them more to produce and analyze?
  
  And they should do this because a judge made a ruling that is very likely in opposition to an existing law.
  
  Not to mention they are a publicly-traded company who has a duty to its shareholders.
  
  Sorry, I'm not buying that argument.
  [ link to this | view in chronology ]
simon, 11 Jul 2008 @ 5:24am

is not about privacy only
google as a company that sales advertising, ip's are ways to control that the company from aloaska doesn't have its adds in filippines, or such, ip's are just scores for most of the job, and to be sure that your adds have been seen, and u have payed for a delivered product, you can say, this and this ip has seen the ad, ip pointing mostly to a region than to an house address in most of the cases of internet connection ...

so , yes i belive for google is important to store the ip tracks...

what should viacom get access in the extreme case is the statistics, of the parts they claim copyright infringement, but they should prove that google knew that those are copyrighted material and didn't remove them or that google didn't took them down after a DMCA claim... that if the DMCA still works...

anyway... useless hot water here... 2cents wasted
[ link to this | view in chronology ]
- Shuryno, 11 Jul 2008 @ 5:37am
  
  Re: is not about privacy only
  + how can Google prevents fraudulent clicks from advertizer's competitor , if it can't log IP usage?
  
  Almost all website in the world record IP, it would be foolish not too...
  [ link to this | view in chronology ]
John, 11 Jul 2008 @ 5:43am

Google is right...
Storing log files is essential to creating trending data and trending data is essential to improve service. They want to know which of their services are being hit the most and by whom. Not neccessarily WHO IN PARTICULAR, but IPs can show providers and providers show regions so they can see more people from the east coast hit this portion of the site and more people from the west coast hit this portion. This allows them to tailor their services to us.

There is nothing sinister here. That's just the way logs are kept. Department stores, grocery stores and even amusement parks have been tracking usuage for years.
[ link to this | view in chronology ]
- Abdul, 11 Jul 2008 @ 7:28am
  
  Re: Google is right...
  I do agree with you that there is nothing sinister about Google making and storing log files.Most analysis on this Google/Youtube/Viacom saga has been very partial. I came across this expert's analysis and to me it was well researched: Viacom, Google/YouTube Flap Hits Slippery Slope(http://www.internetevolution.com/author.asp?section_id=565&doc_id=158450&F_src=flftwo)
  [ link to this | view in chronology ]
Shane C, 11 Jul 2008 @ 6:01am

Legalities
All of the research, and market study viewpoints aside, Google has an ethical responsibility to store IP addresses.

YouTube has numerous times been used to exhibit illegal activities. In a purely ethical situation, Google should have in place the ability to provide (after a court order) any and all information leading back to the person posting the infringing video.

In a hypothetical situation; If someone was to post a video of an unsolved murder being committed. How would you prefer Google to respond to law enforcement trying to investigate?

A: Please provide us with a court order, and we will provide you with a possible step towards tracking the person who posted this video.

B: We're sorry. We don't store any information about who accesses our systems for fear that said information may be abused.

Obviously an extreme case, however it is a valid case.

Now, as for handing over all logs to Viacom, I'm surprised that someone hasn't stepped in and sued to block the court order. If the VPPA actually does apply in this situation, then can't someone declare that their rights under this law are being abused by this court order?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 6:13am
  
  Re: Legalities
  You must've missed the memo, it's illegal to post evidence of illegal activity on a video website like YouTube.
  
  (Suddenly has the brilliant idea of posting a video of himself posting a video of himself committing some other crime...)
  [ link to this | view in chronology ]
- Beta, 11 Jul 2008 @ 7:21am
  
  Re: Legalities
  In a hypothetical situation; If someone was to post a video of an unsolved murder being committed. How would you prefer Google to respond to law enforcement trying to investigate?
  
  A: Please provide us with a court order, and we will provide you with a possible step towards tracking the person who posted this video.
  
  B: We're sorry. We don't store any information about who accesses our systems for fear that said information may be abused.
  
  Obviously an extreme case, however it is a valid case.
  
  It is a highly contrived case (I'm not sure what you mean by "valid"), and it could quite easily (and more plausibly) go the other way: a man is divorcing his wife, accusing her of infidelity, and she may have sent email to another man who uses a gmail account.
  
  A. Here's his IP address, it looks as if he was using his home computer although his wife and kids have different email accounts.
  
  B. Sorry, we don't retain those records for fear that something like this will happen.
  
  Now here's one that comes up in the news much more often: a large company has a data breach. Maybe an employee leaves a laptop on the train, maybe their web server is laughably insecure, maybe a bull-headed judge orders them to reveal everything to a hostile lawyer.
  
  A. Oops. There go half a million SS numbers, a few gigabytes of private email, some sealed adoption records and the files on that *ahem* medical exam you had a few years back.
  
  B. Don't worry, we delete personal information as soon as we satisfy the specific reason we collected it.
  [ link to this | view in chronology ]
eh, 11 Jul 2008 @ 6:21am

I know I'm just repeating myself here, but the issue is no longer between Viacom and Google. It's between a judge and Google. What are they supposed to do? Refuse to surrender the information? And then fines or jail time? They have to comply. It's the law. Viacom was just the complainer. The judge thought it was worthy of a court order. Google complies (as it should). And, yes, of course they should be storing this info.
[ link to this | view in chronology ]
Anonymous Coward, 11 Jul 2008 @ 6:36am

The analogy works like this. This situation would be like me suing for your medical files and the judge complying. It's not an issue between you and the judge, it's between you and me, the judge just thought it was a good idea. It's not the "law" either. His ruling can be over turned.
[ link to this | view in chronology ]
Shohat, 11 Jul 2008 @ 6:36am

Ahem
What is the difference between an super-evil, omnipresent corporation such as Google having your logs, and some other, far less technologically capable company such as Viacom having it ?
If you had to choose between the two, wouldn't a reasonable person prefer having the data stored by Viacom ?
[ link to this | view in chronology ]
- Anonymous Coward, 11 Jul 2008 @ 6:37am
  
  Re: Ahem
  I've never heard of Google suing its own YouTube users.
  [ link to this | view in chronology ]
- PaulT (profile), 11 Jul 2008 @ 6:59am
  
  Re: Ahem
  "other, far less technologically capable company such as Viacom having it"
  
  I'd rather have a company that knows what it's doing in charge of the data, thanks very much. "Super-evil"? Google? Compared to Viacom? Really?
  
  Here's the situation: Google stores data on its own users - no problem there in principle. It's never intended to be seen anywhere outside of Google. Then, Viacom sue and demand to see these logs. A judge agrees. Now, Viacom have the log data without any real reason to do so - that's the problem.
  
  If you don't see the problem, consider this: Viacom is a media conglomerate that's suing for a ridiculous amount of damages. Now that Viacom has user data, do you honestly think that they'll stop at suing YouTube if that lawsuit is successful?
  [ link to this | view in chronology ]
- Turd Nugent, 12 Jul 2008 @ 11:43am
  
  Re: Ahem
  You're an idiot.
  
  What's at risk here is that anyone can now get all your surfing habits. While I may not like the fact that Google has IP addresses, if I use their site, I'm making the choice to go there. Any third party such as Viacom is thus invading my right to privacy.
  [ link to this | view in chronology ]
bobbknight, 11 Jul 2008 @ 7:46am

I'm Just Pissed Because
That Viacom now knows that I watch Lesbians Kissing?
[ link to this | view in chronology ]
Benjamin Wright, 11 Jul 2008 @ 7:57am

IP privacy
If Google can assert its legal terms just by publishing them (on something less than its homepage), then a user can assert her own terms of privacy protection just by publishing them! The terms could say that search engines are not allowed to store the user's IP address. What do you think? --Ben http://hack-igations.blogspot.com/2008/05/google-privacy-policy-terms-of-service.html
[ link to this | view in chronology ]
Peet McKimmie (profile), 11 Jul 2008 @ 11:55am

OK, here's what Google *should* do in future...
1) Fit all their logging machines with state-of-the-art public key/private key encryption in hardware.

2) Generate a key pair and *destroy* the private key so that no-one knows it.

3) When logging, concatenate the IP address with the browser ID string and then *encrypt* it before logging it.

Thus:

They have a trail of user ID that works for their purposes just as well as the unencrypted stuff would, in that the same unique user generates the same encrypted ID and thus can be used to pull up the same ads.

If the logs get out into the public domain, by lawsuit, accident or malice, there is no way to identify an individual user with a specific transaction unless you already know it was them - you can encrypt a user's IP and browser string to prove that it matches, but you can't look at a transaction and work backwards to the ID and browser string.

A decent bit of overkill, say a 512 byte key, and everybody's happy but Viacom. Result.
[ link to this | view in chronology ]
- Nasch, 12 Jul 2008 @ 11:04pm
  
  Re: OK, here's what Google *should* do in future...
  1) Fit all their logging machines with state-of-the-art public key/private key encryption in hardware.
  
  Software would be better, so if there's a vulnerability found or otherwise better encryption developed, they could upgrade.
  
  2) Generate a key pair and *destroy* the private key so that no-one knows it.
  
  It would be simpler to just generate a one-way hash of the value. Any string gets hashed to a string of always the same length, and there's no way to derive the original string from the hash value. There's not even a key to destroy. Add some "salt" to make it even harder to find out any information. That would end up the same as your solution, just a little easier and a little more secure. The problem is Google probably wants more than just a marker, they want information about where you are too.
  [ link to this | view in chronology ]
  - Beta, 14 Jul 2008 @ 1:54pm
    
    Re: Re: OK, here's what Google *should* do in future...
    It would be simpler to just generate a one-way hash of the value... Add some "salt" to make it even harder to find out any information. That would end up the same as your solution, just a little easier and a little more secure.
    
    No good. In Peet's solution a user will have the same alias every time, so that it is possible to see a user's history (without identity). In your scheme a user will show up as a different alias every time-- in fact, I see no point in generating these hashes at all. If you simply discard all user information, the result will be like your solution but much easier and more secure (and with 100% less storage cost).
    [ link to this | view in chronology ]
- Beta, 14 Jul 2008 @ 2:04pm
  
  Re: OK, here's what Google *should* do in future...
  [Hash the user's identity] They have a trail of user ID that works for their purposes just as well as the unencrypted stuff would, in that the same unique user generates the same encrypted ID and thus can be used to pull up the same ads... [Y]ou can encrypt a user's IP and browser string to prove that it matches, but you can't look at a transaction and work backwards to the ID and browser string.
  
  No good. There are only a few billion users at most, so a fast machine can hash them all and make a directory.
  
  There is no good and simple solution to this, but here's one that's interesting: use a public key system so that only someone with the secret key can see which actions really belong to the same user-- and who that is. Then split the key among several entities in different countries, so that statistical research or user exposure require the cooperation of all. This is complicated and cumbersome, but pretty secure against carelessness and legal attack.
  [ link to this | view in chronology ]
Anonymous Coward, 14 Jul 2008 @ 2:45am

Google keeps 18 months of search information with IP addresses, to be sold to interested parties, which is why I use Ixquick and others. Google was at least up-front about this after the AOL search data mess, where it was shown that a journalist could identify at least some people by name and address based solely off of their searches.
They could also see that someone was planning on divorcing their deployed military spouse and move to another state. Was she fleeing abuse, and this information would help him to track her down since it included her current city and cities of interest? We have no idea.

It sounds like YouTube has logs going back to it's beginnings. Most companies have learned not to keep too much data around, it's often damaging to the company when a litigant's attorney subpoenas it. Maybe they'll learn something here, but I doubt it.
[ link to this | view in chronology ]
Anonymous Coward, 14 Jul 2008 @ 2:53am

Use TOR, block all ads, stop all scripts, stop all flash, strip http-refers, and don't let the bastards grind you down.
[ link to this | view in chronology ]
George, 18 Jul 2008 @ 10:38pm

seriosuly...
Does anyone seriously believe that the judge's orders are thought out and unbiased? Come the f*ck on. This is all past and done people! If you don't think Viacom had anything to do with the order than go back to sleep right now.
[ link to this | view in chronology ]