Google's Location Info Failure Might Interest The FTC

from the do-better dept

Earlier this week, the Associated Press did a story revealing that, even for Google users (on both Android and iPhone) who had turned off location tracking, Google was still tracking their location in some cases.

Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it.)

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

If you squint, you can kind of see why this might have happened. Apps like Maps and weather more or less need your location info to work well (though, the search part is a bit more baffling). But, even so, this seems like a huge blunder by Google, a company that should absolutely know better. The latest, of course, is that Google has quietly moved to update the language that users see to "clarify" that some location data may still be recorded:

But its help page for the Location History setting now states: “This setting does not affect other location services on your device.” It also acknowledges that “some location data may be saved as part of your activity on other services, like Search and Maps.”

Previously, the page stated: “With Location History off, the places you go are no longer stored.”

It's entirely possible, if not likely, that the Location History feature is completely disconnected from the location-specific data within these other apps. But, still, the average consumer is not going to realize that. Indeed, even tech-savvy consumers are mostly unlikely to understand that. And Google's new "clarification" isn't really going to do a very good job of actually clarifying this for people either. Google certainly has done a better job than a lot of other companies both in providing transparency about what data it collects on you and in giving you controls to see that data and delete some of it. But this was still a boneheaded move, and it's simply ridiculous that someone at the company didn't spot this issue and do something about it sooner.

As I've been pointing out for a while, a big part of why so many people are concerned about privacy on digital services is because those services have done a piss poor job of both informing users what's happening, and giving them more control over the usage of their data. This kind of situation is even worse, in that under the guise of giving users control (a good thing), Google appears to have muddied the waters over what information it was actually collecting.

I also wonder if this will make the FTC's ears perk up. There is still an FTC consent decree that binds the company with regards to certain privacy practices, and that includes that the company "shall not misrepresent in any manner, expressly or by implication... the extent to which consumers may exercise control over the collection, use, or disclosure of covered information." And "covered information" includes "physical location."

Would these practices count as misrepresenting the extent to which consumers could stop Google from collecting location info? It certainly seems like a case could be made that it does. There are many areas where it feels like people attack the big internet companies just because they're big and easy targets. Sometimes those attacks are made without understanding the underlying issues. But sometimes, I'm amazed at how these companies fail to take a thorough look at their own practices. And this is one of those cases.


Filed Under: ftc, google maps, location, location info, privacy, transparency
Companies: google


Reader Comments

  • TKnarr (profile), 17 Aug 2018 @ 11:07am

    It's probably that the wording is controlled by the marketing and legal departments, who aren't intimately familiar with the internals of the various products. The engineers, who truly know what's going on under the hood, aren't consulted until after the fact (if then). There's also the disconnect in world-view: to the engineers the fact that Weather stores location data in its own data storage for its own purposes isn't relevant at all to whether that same data appears in the Location History storage. As long as Weather doesn't feed the data to Location History, the statement that turning off Location History makes Location History stop recording your location is correct even though Weather is still tracking your location so it can show you the weather in places you visit regularly. To make matters worse, I suspect the average smartphone user's understanding is closer to the engineers' than the lawyers' so you end up with not one but two layers of translation errors.

    • Anonymous Coward, 17 Aug 2018 @ 12:36pm

      Re:

      So, basically it is marketing bullshit.

      • Anonymous Coward, 17 Aug 2018 @ 1:00pm

        Re: Re:

        Not necessarily. It may be wrong, and it may be the marketers responsible for the text that is wrong, but it's not "marketing bullshit" if they genuinely don't understand that they're spreading damaging misinformation.

    • Anonymous Coward, 17 Aug 2018 @ 2:20pm

      You don’t win by doing things right

      The engineers all know KISS. Windows Phone/Mobile worked a lot better. Regardless of any permissions for individual apps, there was a single overriding toggle setting for location services. The location setting was either on or off. If it was off, the operating system would disable all location services, so no app and not even the operating system had access to new location data. You could immediately see whether location services were enabled from the status bar, and with Windows Phone 8.1, you could add a button to the Action Center to quickly turn it on and off.

      • Anonymous Coward, 18 Aug 2018 @ 4:30pm

        Re: You don’t win by doing things right

        To you, the user, that was a feature.
        To the Captains of Industry, that was a fault.

    • Anonymous Coward, 17 Aug 2018 @ 7:43pm

      Re:

      Where oh where do we sign up for the class action lawsuit we've been waiting for against the fucking belligerent spying monster of a corporation??

    • Anonymous Coward, 17 Aug 2018 @ 9:04pm

      Re:

      There's also the disconnect in world-view: to the engineers the fact that Weather stores location data in its own data storage for its own purposes isn't relevant at all to whether that same data appears in the Location History storage.

      I really think most programmers just don't care about data leakage. When I install a new Linux system I have to disable .bash_history, .lesshst, and about 100 others. Our best solution to this problem is to put the home directory on a ramdisk and reboot frequently (i.e., TAILS).

  • ArkieGuy (profile), 17 Aug 2018 @ 11:13am

    Android Apps ask permission

    Adding to what TKnarr said, you also have to keep in mind that Android apps ASK PERMISSION before they are able to access location information. If the user allows location information to be used by the app, then the USER ALLOWED IT (whether or not they understood that when they agreed to it or remember later that they did are different questions entirely).

    • Max, 17 Aug 2018 @ 12:09pm

      Re: Android Apps ask permission

      The slight problem with this is that location access is required by all advert libraries and therefore basically all ad-based apps (which is effectively the same thing as "all apps full stop"). It's not really optional to grant it if you want to install anything at all, unless you either use no free apps at all or you're willing to go "full vegan" with open source apps only - well good luck with that because you'll need it; I should know...

      • Ninja (profile), 17 Aug 2018 @ 12:16pm

        Re: Re: Android Apps ask permission

        Not to mention that pre-installed apps (ie, a lot of google stuff) also come with pre-accepted permissions.

        • Anonymous Coward, 17 Aug 2018 @ 12:38pm

          Re: Re: Re: Android Apps ask permission

          ... and here is a real problem with their product.
          What will they do about it? Censor their critics of course.

  • Michael, 17 Aug 2018 @ 11:41am

    Another attempt for Mike Masnick, Google shill, to highlight how great Google is.

    When are you going to get out of their pocket and start talking about the things they do wrong?

    • Ninja (profile), 17 Aug 2018 @ 12:15pm

      Re:

      lmao, the first thing that came to mind. Do you feel the smell of brains short circuiting?

    • Anonymous Coward, 17 Aug 2018 @ 12:39pm

      Re:

      Did you read the post?

      • Anonymous Coward, 18 Aug 2018 @ 5:04am

        Re: Re:

        I'm fairly certain this is satire aimed at certain frequent commenters who are convinced that Techdirt is funded by Google.

  • mcinsand, 17 Aug 2018 @ 12:00pm

    Thanks! Very informative!

    This is a good article not only for the information, but it would also be a nice bookmark for when some idiot calls you a Google shill.

    Concerns over privacy and security have turned my phone into a frenemy, and I'm hoping that the FTC does wake up. With the current administration's indifference to citizens' privacy (and therefore security), however, I'm not optimistic.

    • That One Guy (profile), 18 Aug 2018 @ 12:18am

      'No amount of evidence will change a mind already made up'

      This is a good article not only for the information, but it would also be a nice bookmark for when some idiot calls you a Google shill.

      You'd think so, but no, they just dismiss articles like this by either pretending that they don't exist, or claiming that they're not actually serious and are meant as distractions from the pro-Google stance they attribute to the strawmen TD/Mikes they have in their heads.

      • The Wanderer (profile), 24 Aug 2018 @ 9:21am

        Re: 'No amount of evidence will change a mind already made up'

        Actually, I expect they'll dismiss this one as softballing the offense, being insufficiently negative about it and giving Google too much of the benefit of the doubt.

        (And, yes, as being written with the purpose of providing something to point to as being negative about Google. But that's not nearly as effective a point - even in a world where it's effective at all - if the article is actually clearly negative, so the dismissal as not-negative-enough comes first in the resolution order.)

    • Anonymous Coward, 18 Aug 2018 @ 8:42am

      Re: Thanks! Very informative!

      Concerns over privacy and security have turned my phone into a frenemy

      Trains and buses have been interesting lately. I saw a sticker on someone's front-facing phone camera last week, and have been seeing stickers over laptop cameras frequently—like, 10 or 20 per cent of people have them.

  • Anonymous Coward, 17 Aug 2018 @ 1:13pm

    You appear to be writing about two distinct things here: location logging and location tracking.

    When you turn off location history, you're turning off location tracking -- you are no longer storing your location on Google servers.

    However, any app or feature that requires location information will cache and/or log the result locally so it can use it.

    From the article, it's unclear whether Google is still doing local logging when location tracking is disabled, or whether the information is being sent to Google and stored there for X amount of time.

    Do you have any clarifications on this?

  • That Anonymous Coward (profile), 17 Aug 2018 @ 1:46pm

    The FTC might care, the NSA cares much much more...

  • Anonymous Coward, 17 Aug 2018 @ 3:58pm

    Trusting Google with your privacy is like trusting banks with your money.

  • Leigh Badone, 17 Aug 2018 @ 4:23pm

    GOOGLE Execs 'Misled Staff' On Censored Search...

    At The Intercept from internal meeting.

    Google-boy probably knew was more to come out and tries to deflect for his precious Google.

    And why is he ALWAYS promoting or protecting GOOGLE?

    https://copia.is/wp-content/uploads/2015/06/sponsors.png

    • Stephen T. Stone (profile), 17 Aug 2018 @ 5:53pm

      With no respect to the writers of the Resident Evil films...

      BLUE: I told you I’d be bringing that one link as proof.

      ME: You should’ve brought more.

  • Leigh Badone,, 17 Aug 2018 @ 4:45pm

    Well, turns out "academics" see everything GOOGLE does as good!

    From Breitbart ('dirters won't read it, so no link):

    An op-ed in The Washington Post on Friday made the ethical case for Google’s plans to create a censored search engine to meet the demands of the Chinese Communist Party.

    The piece, written by Thomas Jungbauer, an assistant professor of strategy and business economics at the Samuel Curtis Johnson Graduate School of Management at Cornell University, argues that Google’s plans may actually allow for the spread of free speech and democracy as it would serve as a reminder of what topics the regime wants censoring.

    • Stephen T. Stone (profile), 17 Aug 2018 @ 5:47pm

      From Breitbart ('dirters won't read it

      For good reason: Breitbart is not only painfully partisan, it is rarely considered a trusted source for actual news/fact-based journalism. One blogger’s recounting of a week-long “Breitbart news diet” points out exactly why the site has no credibility as a mainstream journalistic outlet.

      The piece [...] argues that Google’s plans may actually allow for the spread of free speech and democracy as it would serve as a reminder of what topics the regime wants censoring.

      That plan would have little-to-no meaningful impact in China. A sizeable number of Chinese people need no reminders about what the government wants censored, given the way people try to route around that censorship.

      "academics" see everything GOOGLE does as good!

      One “academic” from one institution does not speak for everyone who works in an institution of higher learning.

    • Anonymous Coward, 17 Aug 2018 @ 6:57pm

      Re:

      out_of_the_blue just hates it when due process is enforced.

    • Anonymous Coward, 18 Aug 2018 @ 6:26pm

      Dead cokehead days what?

  • Anonymous Coward, 17 Aug 2018 @ 8:45pm

    Google's business model is based on collecting as much personal data about people as possible and using it to build profiles about them in order to sell things to them more effectively.

    The settings and "consent" dialogs are all about nudging people in the direction the company wants and establishing a defensible, but mostly empty, claim that users agreed to the data harvesting and were given meaningful choices.

    Compare Linux Mint to Windows 10. The former is built for users and the latter is built for Microsoft.

    Mint doesn't need the 1001 "privacy" settings because users don't want most of the bullshit pretexts upon which data is collected.

    Mint doesn't force update on you or take personal data without notice or meaningful consent because those things are not required for it to function as an OS.

    Some App functions may need location data - but consenting for that data to be used temporarily by the app does not require consent for a company to store the data, re-purpose it for targeted advertising, or anything of the sort.

    The data harvesting business model is dangerous and offensive and needs to go.

    How about we just pay a few bucks a month for a quality app - and trust that our data will not be stored or sold or used for nefarious purposes - like getting Trump elected - because there are laws in place that are genuinely enforced to prevent that?

    Is that really such a radical proposition?

    • orbitalinsertion (profile), 18 Aug 2018 @ 12:42am

      Re:

      Sure it's radical. You are asking the internet to go back to 1998 or pre-web, more or less, before businesses took everything over.

      Of course, you could be more radical and propose that actual human beings should be on equal footing any time they deal with a fictitious business person. Any form of contract may be negotiated, and data about you generated by yourself is yours to control (barter, offer, withdraw), which would be the relevant upshot here.

    • Anonymous Coward, 18 Aug 2018 @ 8:53am

      Re:

      Mint doesn't force update on you or take personal data without notice or meaningful consent because those things are not required for it to function as an OS.

      They may not exfiltrate it, but Linux programs will shit personal data all over your hard drive without consent or notice. Web browsers store history, cookies, and "new stuff" (HPKP, offline storage); history files and recent-file lists are everywhere and not always obvious. I want almost none of this and have to go to quite a lot of effort to disable it. And I've grown weary of prodding developers to disable it, because they almost always try to paint me as a crazy paranoiac (but it's only on your own computer! if your HDD isn't private you're screwed already! it's not that sensitive!—see the libvte fiasco).

      Web browsers at least have privacy modes now, which help with some of this, although Chrome makes it suspiciously easy to go non-private by accident (ever press ctrl+n instead of ctrl+shift+n? careful!) and SSL-only or CA-free-SSL setups are not so easy to create.

      • Anonymous Coward, 18 Aug 2018 @ 4:38pm

        Re: Re:

        "Linux programs will shit personal data all over your hard drive without consent or notice"
        - You can turn off logging, it's not that hard to do.


        "Web browsers at least have privacy modes now"
        - Heh - sure, their "privacy mode", not yours.


        Do you run a firewall?

        • Anonymous Coward, 19 Aug 2018 @ 7:33am

          Re: Re: Re:

          "Linux programs will shit personal data all over your hard drive without consent or notice"

          • You can turn off logging, it's not that hard to do.

          Please, tell me how. I know I can set LESSHSTFILE=-, unset HISTFILE in .bashrc, link ~/.wget-hsts to /dev/null... but then there's .sqlite_history, .gnuplot_history, .w3m/history, .cache/awesome/history. And .config/libreoffice/4/user/registrymodifications.xcu, particularly pernicious because its MRU list is mixed with configuration data. Tomorrow I might install something else and later notice it's tracking me in some new location.

          Though you're ignoring the part about "consent or notice", I'll be happy if you tell me the name of the global control for all of that.

          • Anonymous Coward, 19 Aug 2018 @ 8:20am

            Re: Re: Re: Re:

            There is a plethora of information, manual pages, howtos, walkthrus related to all operating systems linux being one of them.

            How did you acquire your linux system? If you built it yourself you would be aware of at least some of the available information which addresses your questions. This is not the forum for such assistance, please go do some research.

            • Anonymous Coward, 19 Aug 2018 @ 1:06pm

              Re: Re: Re: Re: Re:

              I'm responding to the statement that it's "not that hard". The "plethora of information" is the problem, not the solution. I know how to mark files immutable, link history files to /dev/null, replace files with non-writable directories, create $LD_PRELOAD libraries to filter open() or openat() calls, and recompile programs. I know how to audit programs for history files, by using dummy $HOME directories, reviewing the code, or using strace. (Or on Windows: filemon and regmon to watch, directory and registry permissions to block.)

              You might say that's not "hard", but it's sure as hell time-consuming, and I know more than most "normal" users about this. That needs to be done for every program one might ever want to use. There's literally a whole Linux distribution (TAILS) with a team of people trying to keep this information from being recorded. For the most part, they're not even fixing the problem, they're just throwing away the home directory on every boot to work around it.

              I know how to send patches upstream too, which I might be doing if I didn't get so much fucking pushback every time. It's exhausting. I want a system-wide "do not track" option, ideally; I don't know that anyone else does, but perhaps developers will start to care after some FTC actions or lawsuits.

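The dummy-$HOME audit mentioned in the comment above, as an added example that is not part of the original thread: it runs a command with HOME and the XDG base directories pointed at a throwaway tree, lists every file left behind, and flags names resembling the history files named in this thread. The function names and the stand-in program are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find out which files a program leaves
# behind by running it against a throwaway $HOME.

# audit_home_writes CMD [ARGS...]
# Prints every regular file present under the dummy home after CMD exits,
# one relative path per line, sorted.
audit_home_writes() {
    audit_dir=$(mktemp -d) || return 1
    # Only directories are pre-created, so any file found later was written by CMD.
    mkdir -p "$audit_dir/.config" "$audit_dir/.cache" "$audit_dir/.local/share"
    (
        # Run from inside the dummy home so writes to the working directory
        # are captured as well.
        cd "$audit_dir" || exit 1
        env HOME="$audit_dir" \
            XDG_CONFIG_HOME="$audit_dir/.config" \
            XDG_CACHE_HOME="$audit_dir/.cache" \
            XDG_DATA_HOME="$audit_dir/.local/share" \
            "$@" >/dev/null 2>&1 </dev/null
    ) || :   # a non-zero exit from the audited program is not an audit failure
    (cd "$audit_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
    rm -rf "$audit_dir"
}

# flag_history_like
# Reads relative paths on stdin and keeps those whose file name looks like a
# history or recently-used list. The pattern is an assumption derived from the
# names quoted in the thread (.bash_history, .lesshst, .wget-hsts,
# .w3m/history, registrymodifications.xcu); extend it for other programs.
flag_history_like() {
    grep -E -i '(^|/)[^/]*(history|hst|recent|registrymodifications\.xcu)[^/]*$' || :
}

# Constructed stand-in for "some program": it writes one ordinary settings
# file and two history files, one directly in $HOME and one in the cache dir.
fake_program='mkdir -p "$XDG_CACHE_HOME/demo" "$XDG_CONFIG_HOME/demo"
echo "select 1;" > "$HOME/.demo_history"
echo "ls" > "$XDG_CACHE_HOME/demo/history"
echo "theme=dark" > "$XDG_CONFIG_HOME/demo/settings.conf"'

# run_demo: audit the stand-in program and print only the history-like files.
run_demo() {
    audit_home_writes sh -c "$fake_program" | flag_history_like
}

run_demo
```
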

              • Anonymous Coward, 19 Aug 2018 @ 4:45pm

                Re: Re: Re: Re: Re: Re:

                It is only a problem if you let strangers have access to said machine. Logging has many uses, some of which one can not do much without.

                • Anonymous Coward, 19 Aug 2018 @ 10:12pm

                  Re: Re: Re: Re: Re: Re: Re:

                  It is only a problem if you let strangers have access to said machine.

                  You may have heard of this new thing people are trying, "unauthorized access".

                  Logging has many uses, some of which one can not do much without.

                  I'm aware some people find .bash_history useful, like Bradley Kuhn who's tracked every command since 2003. More commonly I've seen people surprised that ctrl+r can pull up a year-old command.

                  Some people rely on long-term browser cookies. I've never seen anyone use browser history, though such people must exist.

                  I've yet to see anything with "which one can not do much without." I'm not disputing usefulness anyway, I'm asking for notice and consent for the storage of tracking data, and a way to disable it by default.

                  • Anonymous Coward, 20 Aug 2018 @ 7:59am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    At first I thought you might be describing a home computer/lan setup, but 2nd thought it seemed to be more of an office - idk.

                    If you are developing, integrating, testing and/or deploying software it is a good idea to review all the relevant logs including some OS logs but the main focus is the software item being worked on.

                    But now I am convinced that you are not doing any development work so I guess you do not need any logs huh.

                    Ever experience a CPU panic? Have an application crash? Wonder why a device has stopped working? You probably then take the thing to Geek Squad because you have no logs to troubleshoot your issues. --- Brilliant!

        • Anonymous Coward, 19 Aug 2018 @ 7:39am

          Re: Re: Re:

          Do you run a firewall?

          No, I assume the LAN is compromised and run portscans to make sure nothing's accessible; I use no unencrypted services. Firewalls don't help much when programs can tunnel everything over ports 80 and 443, or DNS. I use Tor for almost everything, so I need those ports open (outbound).

          • Anonymous Coward, 19 Aug 2018 @ 8:21am

            Re: Re: Re: Re:

            Your ISP supplied "modem" probably has one, hopefully you did not disable it.

            • Anonymous Coward, 19 Aug 2018 @ 1:11pm

              Re: Re: Re: Re: Re:

              My ISP-supplied equipment is a modem, not router. Full passthrough. I wouldn't trust an ISP-supplied firewall anyway—what helpful thing(s) might we expect it to do? Blocking inbound traffic is useless, because I have no undesired ports open (which is much better than enabling all kinds of shit and relying on another computer to block it). It doesn't have enough information to block outbound traffic in any useful way; it can't tell which user or which program is generating packets.

              Network-level firewalls basically don't work. They're effectively defeated as soon as you connect your device to coffee-shop wifi.

              • Anonymous Coward, 19 Aug 2018 @ 4:50pm

                Re: Re: Re: Re: Re: Re:

                I think I have read some of your posts in the past about this same issue and at the time I thought you were a bit off plumb.

                Why would one have a lan protected by a firewall and then plug in a box to that lan and open a wifi connection? This would bridge your lan to the wifi network thus allowing access to your lan bypassing the firewall. The firewall is defeated as you say because you defeated it when you bridged the networks.

                • Anonymous Coward, 19 Aug 2018 @ 5:43pm

                  Re: Re: Re: Re: Re: Re: Re:

                  I'm not talking about bridging, I mean that if your laptop/phone is insecure, it can be infected while on a public wifi network. You're likely to connect it to your home network later, and if that relies on perimeter security (rather than device security) the infection can spread. That's not hypothetical, it's a common attack vector.

                  Alternately, if your devices are secure, what's the perimeter firewall there for?

                  An on-device firewall is different—it could, for example, protect against rogue apps. But you need OS hooks to know which app is which; an external firewall box will just see some connection to port 80/443 with no way to know whether it's from an authorized app.

                  • Anonymous Coward, 19 Aug 2018 @ 6:01pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    "if your devices are secure"

                    This is not something one should assume is possible.

                    • Anonymous Coward, 19 Aug 2018 @ 7:34pm

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      Fair enough, but a firewall blocks ports rather than attacks, so let's make that "if you don't have ports open, what's the perimeter firewall for?"

                      Home perimeter firewalls usually allow all outgoing traffic, and block new incoming connections. In effect, that only blocks certain worms. They're better blocked by disabling services that aren't required (services that are required would need to bypass the FW anyway).

                      • Anonymous Coward, 20 Aug 2018 @ 8:09am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                        "a firewall blocks ports rather than attacks"

                        Firewalls are capable of much more than just that, the good ones anyway. I suggest some research in this field as you may find it enlightening. btw, one can setup a pretty decent firewall by themselves, no need for an expensive item in the home because you are not a high priority target.


                        "Home perimeter firewalls usually allow all outgoing traffic"

                        Depends upon how you, the user, sets it up.


                        What sort of "service" do you need which requires a bypass of the firewall? If you punch holes in a firewall it is a good idea to tie said hole to authorized MAC addresses. There is a lot of things a firewall may be capable of that apparently you are unaware of.

                        • Anonymous Coward, 20 Aug 2018 @ 8:36am

                          Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                          Firewalls are capable of much more than just that, the good ones anyway.

                          We were talking about ISP-supplied ones, at least originally...

                          "'Home perimeter firewalls usually allow all outgoing traffic' Depends upon how you, the user, set it up."

                          Is there a reasonable way to set it up without allowing all outbound traffic to ports 80 and 443? Any well-written malware is going to use those ports.

                          "What sort of 'service' do you need which requires a bypass of the firewall?"

                          If you mean inbound: ssh. But inbound doesn't make sense in the context of MAC filtering... outbound: web, ssh, ntp, email, tor, probably several others


                          • identicon
                            Anonymous Coward, 20 Aug 2018 @ 9:22am

                            Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                            "If you mean inbound: ssh"

                            Why do you think SSH requires you to bypass the firewall?
                            "Opening a port", as you say, for an application is not the same as bypassing the firewall as there are many things one can do with those packets.


                            "inbound doesn't make sense in the context of MAC filtering."

                            Why does this not make sense to you?


      • identicon
        Anonymous Coward, 19 Aug 2018 @ 9:49am

        Re: Re:

        Log files on your own machine are not a particular risk, as they only become available outside your machine if it has been compromised. If your machine has been compromised, then everything has become available to whoever compromised it, and then even disk encryption and TOR will not protect you.


        • identicon
          Anonymous Coward, 19 Aug 2018 @ 12:49pm

          Re: Re: Re:

          And here we go, "but it's only on your own computer! if your HDD isn't private you're screwed already!".

          One can be forced to decrypt one's machine at border checkpoints etc., or can be compromised in other ways (malware, subpoenas, ...). The log files then allow the intruders to look into the past, which would not otherwise be possible. Disabling them is similar to requiring perfect forward secrecy for encrypted connections. It doesn't protect against ongoing attacks, but can limit the damage. It shouldn't be so difficult.


        • identicon
          Anonymous Coward, 19 Aug 2018 @ 4:52pm

          Re: Re: Re:

          Exactly.

          If they are in your base killing yer dudes, yer already screwed.


          • identicon
            Anonymous Coward, 19 Aug 2018 @ 9:59pm

            Re: Re: Re: Re:

            "What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous."

            Data that doesn't exist can't be leaked. A compromise could enable logging and exfiltration of future data, but cannot reveal historical data that was never stored. If data isn't useful to you, you should not be storing it.


            • identicon
              Anonymous Coward, 20 Aug 2018 @ 8:12am

              Re: Re: Re: Re: Re:

              Off on a tangent and losing sight of the subject.


  • identicon
    Anonymous Cowherd, 18 Aug 2018 @ 5:58am

    Google's activity page actually has very good controls for controlling what history they store as well as the ability to delete anything you want, even to the detail of single datapoints. These include a separate option for turning off the app history. That's not the problem.

    The problem is, news like this is about the only place the average person even hears about the existence of that page. I myself had forgotten I'd been there before to turn those settings off.


    • identicon
      Anonymous Coward, 18 Aug 2018 @ 8:56am

      Re:

      "Google's activity page actually has very good controls for controlling what history they store"

      Is any of that available to people without Google accounts? I have do-not-track enabled, but I don't have or want a Google account so I can't see what they're collecting and am not aware of a way to limit it. Do they respect DNT? I have Google Analytics and Doubleclick blocked but I'm still worried. Some sites will embed Google maps or spreadsheets and I have no idea what Google records.


