21 votes

How important is protecting our data from companies like Google?

I was a supporter of Andrew Yang while he was running for president. His policies appealed to me a lot. One I supported because it made sense to me; personal data as a property right. I’ve thought about it more and I don’t see how a company like Google using my data negatively affects me. What are the negative repercussions I experience when a company uses my information like that? Are there alternatives that would protect my data more that are actually decent? I’d love to receive some explanation for this!

27 comments

  1. [9]
    kimyon

    This is a question that requires a technical, nuanced, and personal answer. The answer to almost all your questions is it depends. Entrusting your most important and private data to a single entity is obviously not a good thing to do, but even an axiom like this shouldn't be taken as gospel without some caveats.

    Self-hosting is definitely one of the paths you can take, but if you're not technically inclined (and in some cases, even if you are), it will be more trouble than it's worth. If self-hosting is not viable for you, you can pay for the services you otherwise get for free. There are fine alternatives to Google products out there, depending on what you need the most. What makes the answer to this question difficult is that whatever choice you end up making, you have to think carefully about the short and long term trade-offs.

    On a more general note, I feel like there's a misconception about what Google does with your data. I don't mean to imply I condone their business practices -- not in the slightest, but Google does not sell your data. It sells access to your data. If Google were to actually sell your data, its market cap would take a big hit, because your data is the most valuable commodity they have. In that vein, there's probably no place on the internet where your data is more secure. That does not mean your data is private, but if you're worried about the security of your data, you're not gonna do better than Google.

    However, since Google is a company beholden to its shareholders' whims, there's no guarantee that they won't end up doing something with your data you may deem harmful to your personal privacy and/or security. Facebook's early intention of becoming a platform where it offered user data to attract developers is a good example of this. (They shifted their strategy but this shortsightedness came back to bite them with the Cambridge Analytica scandal later on.) Companies can drastically change their business strategy without much regard to user preference, so this is why it's important to own your data. But that brings me back to my earlier point. Are you ready to make the trade-offs, or do you even know what trade-offs you have to face?

    17 votes
    1. [5]
      Crocodile

      You raise important points. I self-host some services, such as Nextcloud (which gives storage, calendar, contacts, and more), Matrix/Synapse (just for fun tbh), and a bunch of media stuff (for Linux ISOs) but for other services I would rather it be with someone else. Some things, like email (ProtonMail) and my password manager (Bitwarden) I would simply have someone else manage it. For one, I am just a hobbyist and in no way a security expert. Even if I was, I am not working full time to make sure those two things, which are absolutely critical, have constant uptime and are secure.

      On the Google note, that is a common misconception. Google has absolutely stellar security imo (and from others), but pretty bad privacy. If I had to use some big-tech "suite" provider, it would be Google. For instance, Google Voice handles the 2FA codes for services that only have SMS as an option. For one, I am not dealing with a SIM phone number. But also I can protect my Google account with a strong password and good 2FA (hardware key).

      3 votes
      1. [4]
        vord

        Bitwarden

        I do self host this, and do find peace of mind in it. I think it's the single most important one to self-host, because if you can't trust the providers (or their providers), you have no other options. If a bad breach happens, every password is one of the worst possible outcomes.

        That said, it definitely needs to be robustly backed up, including some periodic plain text backups stored offline in a secure place.

        3 votes
        1. [3]
          Crocodile

          I definitely understand what you mean. I am conflicted inside about it, actually. Self-hosting Bitwarden would be an ideal for me, but I cannot trust myself. Sure, I can back it up, that is not too hard, but I could leave the server insecure and I might not even know. Bitwarden has gone through independent security audits and has full-time engineers to make sure everything is up and running and secure. I see the flaws though, anyone can make mistakes, but I simply believe they would be less likely.

          Of course, I still securely backup my Vault to different locations, no excuse for not doing that.

          2 votes
          1. [2]
            vord

            leave the server insecure and I might not even know

            Here's some pointers for anyone considering self hosting. This will keep you almost entirely protected outside of a sophisticated, dedicated attack...which as a self-hosted service is unlikely.

            • Keep your router patched and up to date. Seriously, so many people neglect this.
            • Only ever expose 80 and 443 to the internet. Never SSH, and especially not VNC or RDP. Use a VPN for remote access.
            • Set up SSH key authorization, use in addition to (not replacing) password logins for best security. Bonus points for adding other two-factor.
            • Test SSH security internally.
            • Use a proxy to handle SSL. I prefer Apache or Traefik depending on cases, but everyone has different preferences.
            • After SSL is set up, run through SSL tests to ensure good configuration.
            • Patch server and applications regularly. I run updates every 12 hours or less, rebooting in the wee hours. Docker makes this easy, but don't forget OS patches.
            • Ensure all apps authenticating have really good passwords. Setting up something to lock out after failed attempts also highly recommended.
            • Set up backups, one on-site and another off-site. Periodic offline backups for important things into a safety deposit box or similar are also a real good idea.
            5 votes
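
Added example, not part of vord's comment: a small Python audit for two items on the checklist above, "only 80 and 443 exposed" and "SSH keys in addition to passwords". It assumes a host whose wildcard-bound sockets are reachable from the internet (for example a rented server with no firewall in front); behind a home router, apply the same port rule to the router's port-forward list. The `ss -tlnH` and `sshd -T` samples are constructed, and the function names are hypothetical.

```python
import ipaddress

ALLOWED_PUBLIC_PORTS = {80, 443}  # the only ports the checklist allows on the internet

# Constructed sample of `ss -tlnH` output (listening TCP sockets), not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 10.8.0.1:8080 0.0.0.0:*
"""

# Constructed sample of `sshd -T` output (effective config, lowercase keywords).
SAMPLE_SSHD = """\
port 22
passwordauthentication yes
pubkeyauthentication yes
authenticationmethods any
"""


def split_local(addr):
    """Split an ss local-address field such as '[::]:80' or '127.0.0.53%lo:53'."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and interface scope
    return host, int(port)


def exposure(host):
    """Classify a bind address: any, loopback, private (LAN/VPN) or public."""
    if host == "*":
        return "any"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::, must be tested before is_private
        return "any"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def exposed_ports(ss_output):
    """Ports bound to a wildcard or public address that are not 80/443."""
    bad = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if exposure(host) in ("any", "public") and port not in ALLOWED_PUBLIC_PORTS:
            bad.add(port)
    return sorted(bad)


def ssh_findings(sshd_t_output):
    """Flag every AuthenticationMethods alternative that is not key plus a second method."""
    cfg = {}
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key] = value.strip()
    findings = []
    # Space-separated alternatives; each is a comma-separated list that must ALL succeed.
    for alt in cfg.get("authenticationmethods", "any").split():
        methods = {m.split(":", 1)[0] for m in alt.split(",")}  # 'keyboard-interactive:pam'
        if "publickey" not in methods or len(methods) < 2:
            findings.append(f"'{alt}' does not require a key AND a second method")
    return findings


if __name__ == "__main__":
    print("unexpected public ports:", exposed_ports(SAMPLE_SS))
    for finding in ssh_findings(SAMPLE_SSHD):
        print("ssh:", finding)
```

In OpenSSH the "key in addition to password" setup corresponds to `AuthenticationMethods publickey,password` in `sshd_config`, which is what the second check accepts.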
            1. Crocodile

              Man that first bullet point is so common. Also when people do not change their wifi admin password! I think with Bitwarden, it is just some security paranoia I have, but then again there is the paranoia of Bitwarden hosting it. Anyways, those are all important steps!

              One question, why did you say for the SSH keys to not replace password authentication? I have usually heard/read to replace it.

    2. vord

      There are fine alternatives to Google products out there,

      I largely agree, but there are a few sticky points which keep me locked in.

      1. Google's biggest strength is not just their offerings, but how well they're integrated. This is especially problematic with:
      2. Best voice assistant on the market.
      3. The ever-present problem of dragging your social circle with you.
      3 votes
    3. [2]
      omicron-b

      I would not say Google has a good security.
      In November 2019 they shared your private videos with random people

      I personally found too many usability issues in their Drive, one of the reasons I switched to Nextcloud.

      /u/Crocodile

      3 votes
      1. Crocodile

        To be fair, that was one incident, and when you have so many moving parts and so many users, a mistake might happen. Still no excuse to use Google, use Nextcloud like you said ;)

  2. [3]
    Eric_the_Cerise

    One thing that hasn't been mentioned is the chilling effect ... people automatically self-censor when they know/suspect that unknown 3rd parties might be accessing their nominally-private notes and communications. Google is not the Stasi, but broadly speaking, that is the direction we're headed, and Google is playing a leading role.

    But perhaps you're asking the wrong question. Why have we accepted the idea that Google has a right to access our personal data in the first place? The Post Office does not read our letters, the phone companies do not listen in on our phone conversations (at least, not generally, not w/o cause) ... why did we ever buy into the idea that, on the Internet, the companies that facilitate our communication online are somehow entitled to scrape that data for who-knows-what purposes?

    Another point I'd like to push back on is the idea that personalized advertising is harmless. It's not. Advertising is all about convincing you that you need something, that you don't need. There are many well-documented negative side-effects of advertising on people's mental health and well-being ... targeted, personalized advertising is like weaponizing those effects.

    10 votes
    1. [2]
      skybrian

      It's never been a right. There are agreements. Businesses don't normally provide long-term services to anonymous customers. You have to sign up and people do it routinely and willingly. (Though, usually they don't entirely understand the consequences.)

      There's also gossip, and this is ancient and uncontrollable. Other people can talk about you and they can spread rumors. Nowadays they can spread truth or lies about you on Twitter.

      Merchants you deal with can remember who you are and talk about you to others, and that's ancient. Among businesses, phone companies and utilities are something of a special case. I think it's reasonable to say that Google and other large tech firms should be in that category, where special government regulations apply.

      In Europe the GDPR is an attempt to restrict all business use of customer information, and that also seems like a worthy effort. Maybe the US will do something similar someday?

      3 votes
      1. tempestoftruth

        There is something unique about the current moment though, in that the scale of the data that's being collected on/about you has no historical parallel. Sure, merchants you associated with in the past knew certain things about your preferences and habits based on what you purchased, but they didn't necessarily know what you were thinking (search history), the other places you visit and your habits there (browsing history), nor did they have access to a huge network of merchants willing to pay large sums for that information (ad personalization) on the scale we're seeing today.

        5 votes
  3. [5]
    joplin

    In most cases, it's probably harmless, and all that happens is they attempt to show you advertisements that will match your preferences. But there are a number of things that can happen with it if you're unlucky:

    1. A government may decide they want to track certain sets of people they deem undesirable (this is currently happening in China and (I think) India). They could either covertly or overtly take data you gave to companies for this purpose.

    2. A hacker (possibly another government, possibly organized criminals, possibly script kiddies) could obtain information you gave to another party and use it to know when you're at home or not or where you are. They could use this to steal packages or physically attack you. They could use it to send the SWAT team to your house under false pretenses and potentially get you or someone else murdered. As good as Google is at protecting their data, they have been successfully hacked numerous times. (And all other companies that are well known have been, too.)

    3. Hackers that obtain your information could use the information to impersonate you to social engineer access to your money or services and lock you out of access to those things.

    4. Google could sell the information to other companies that are unethical. (They don't currently do this as I understand it, but that could always change.) This is currently happening in the US with location data from the major mobile carriers. It's only supposed to be available to law enforcement but the extent of the protections to ensure that was just a single sentence saying, "You must have a warrant to access this information," printed on one of the screens when running the software. It was being sold to private detectives so they could spy on people for money.

    5. Your information could get mixed up with someone else's if they have a similar name, social security number, or random unique ID in a company's database. You may not have any undesirable information, but you could get linked to someone who does. This happened to a friend of mine. He was assigned the former phone number of a known drug dealer by the phone company. The phone company failed to tell the FBI the number had been reassigned. My friend then called his other friend in Pakistan to say he was excited to be traveling there for his friend's upcoming wedding. Luckily, the phone was a company phone (he works for a cell phone manufacturer), and someone at the company tipped him off that they were required to share his data with the government. (His response was, "Well I hope they like gay porn!")

    6. Employees at Google (or any other company that collects personal data) could access the data for their own purposes. Despite the fact that most companies have policies against this and even take precautions, there are many stories of employees spying on exes, harassing people they don't like, etc.

    Nobody else can tell you how worried you should be about each of these things. But the less info you put out there, the less likely it can be used against you. On the one hand Google's got a lot of smart people working on protecting your data because it's valuable to them. On the other hand, they have so much of it that they attract the best hackers and foreign governments to try to steal it. Personally, I just hate ads, so I avoid their products like the plague.

    9 votes
    1. [4]
      skybrian

      Maybe clarify what you mean by "successfully hacked" in point 2? Individual Google accounts get broken into all the time due to bad password practices and so on, but maybe that's not what you meant?

      1 vote
      1. [3]
        joplin

        I mean the typical stuff that all companies have to face. Things like China successfully breaching Google's security, for example.

        2 votes
        1. skybrian

          Yes, the China hack in 2009 and the US government tapping submarine cables (revealed by Snowden in 2013) are the two major security breaches I remember. Both of them resulted in major overhauls of Google's security.

          5 votes
        2. joplin

          Sorry for reviving a dead thread, but I was reminded of this last week when the Twitter hack occurred. That hack is an example of #6 above - employees at the company do something they have permissions to do, but aren't supposed to do.

          A reader on HackerNews pointed out an older example of this, when an engineer at Google used his access to Gmail and Google Voice to harass teenagers. (Warning - it's on Gawker which is a pretty trashy site, but I believe the facts are correct.)

  4. [8]
    viridian

    I don't think anyone can protect your data as well as you can. Framing it as giving your data to Google wholesale, or giving it to someone else wholesale is often not the answer. Google is often a worse player than most given that in their business model, you are the product sold to advertisers, rather than the customer sold a product, but you needn't be a customer of anyone at all.

    If you are looking to roll back your reliance on big corps to power your technological life, the github selfhosted project can be extremely helpful:

    https://github.com/awesome-selfhosted/awesome-selfhosted

    I do most of my stuff selfhosted, except for automated backups, which I store locally, but ultimately encrypt and push copies of to AWS's simple storage service.

    6 votes
    1. Keegan

      If you don't want the hassle of self-hosted, privacytools.io has friendly replacements for pretty much every service Google has.

      What I use:

      • Search: DuckDuckGo and Searx
      • Email: Tutanota and Migadu (good for if you want to have email attached to your domain, if you have one)
      • Browser: Firefox

      These are the key components that I'd change away from Google, as they are able to get the most info about you.

      6 votes
    2. mat

      you are the product sold to advertisers, rather than the customer sold a product,

      This isn't how Googlers talk about it, and I think it's a rather disingenuous way to describe their business model. Google talk about having two products, and two customers. One product is their web services (search, email, etc) and the other is advert delivery. Their two customers are users and advertisers. Advertisers buy delivery for their adverts with money, users buy web services with eyeballs. Google converts money into eyeballs on ads - and the targeting of eyeballs is where they add value. Facebook uses similar language internally, and I'm sure Twitter and all the rest do as well.

      You are not getting "sold" to anyone. Allowing access to your eyeballs is how you pay for your email. Of course if that's not a price someone wants to pay, that's totally understandable although I've run more than enough email servers in my time to be perfectly happy to have Google handle mine in return for some eyeball time.

      5 votes
    3. [2]
      skybrian
      (edited )

      It isn't a given that "anyone" would be better off with self-hosting, since many people are bad at computer stuff or just careless. Many people couldn't do it without lots of hand-holding.

      In practice, a lot of people are dependent on advice and help from people who know more about computers than them, so they're dependent on someone else no matter what. If there is someone in your family like that and they turn to you for help, you could do worse than getting them a Chromebook and a Google account. Maybe two Chromebooks since they do break.

      If you want to play in hard mode, think about what advice you'd give to someone who gets confused by accidentally touching something on a touch screen, and how much time you're willing to devote to doing stuff for them. For added difficulty, consider how you'd support them if you can't visit due to the pandemic and there's a hardware problem.

      2 votes
      1. viridian

        The anyone comment isn't quite flippant, but I figure most people can source either open source alternatives for most applications, while a smaller portion can self-host web enabled services.

        re: hard mode:

        My solution to that problem these days is to just provide folks with the information to help them get the answers they need. Teach them to fish rather than giving them the fish. Here's some links to PC parts picker, these warnings can be ignored, these warnings will absolutely ruin you, etc.

        Anyone I've run into who is less inclined to technology than being able to use a self service website to problem solve only wants a cell phone, or is debating between iPad sizes, or an iPad versus a kindle.

        I'm not a fan of chromebooks personally, but I've actually had good recent success with dropping unity based ubuntu on people, using the defaults that install stuff like libre office suite. To be honest I think unity provides a more intuitive UX than both win10 and MacOS 10.13. Autocontexted global search is very convenient for folks. It's easier to click any non active window then search, versus hitting windows key or cmd+space.

        1 vote
    4. [3]
      PelicanCultist

      Could you elaborate on what you mean by self hosted? I’m sure you’ve noticed that I’m not the most knowledgeable person when it comes to this.

      1 vote
      1. viridian

        Self hosted in this case means you own the hardware that the software you use is running on. Now I'm not suggesting you do this, but I bought a pretty good little blade server for pennies on the dollar ($165 for a PC that is $2000 or so new) on ebay about 2 years back, and now I run most of my "service" type software off of it, and access it from wherever in the world I want. It sits in a closet in my house. You can run replacements for things like spotify with little to no setup, since there are precompiled projects that are pretty much copy and paste. For applications, instead of google docs or office, I remote into the machine to use libreoffice stuff, so that my server serves as my single atomic source of data.

        That said, you don't really have to do any of this, and you don't even need a physical dedicated machine to do most of it these days. There are a ton of open source projects which let you run stand alone applications wherever, that aren't phoning home to some company at the end of the day. Here's another list of open source software that fits a lot of needs typically met by commercial or 'free in exchange for your data' software: https://github.com/sindresorhus/awesome

        4 votes
      2. Keegan

        Self hosted means that you run it off your own server/computer, either one on your local network in your home or off a server you rent in "the cloud".

        It gives much better control over your content, files, and data, but can be a hassle to set up and reliability is dependent on your hardware rather than that of a company that spends millions of dollars on redundancy.

        3 votes
  5. skybrian

    I think it depends on the data and how it's used. As an individual I'm not sure it's all that important to avoid targeted advertising, but then again I don't trust advertising and I think I'm pretty savvy about it.

    I think it's important to crack down on deceptive and fraudulent business practices but online advertising is only a small part of that. The elderly are targeted via TV ads and phone calls and the mail, not just online ads. I would like to see much more done here but I don't think it's going to happen until we have a better and more trusted justice system.

    I mostly trust Google not to leak, other than to the government via warrants, etc. It's too late for me anyway since I'm an ex-Googler and they already know all about me via employment, but still, I think their security is good, they have the best security experts, and they have a process of continual improvement. That's no reason to get cocky but I would be surprised by a major security leak.

    But if you're an activist I would be cautious, at least for the parts of your life that are "interesting."

    4 votes
  6. nothis

    It's a matter of how many layers removed you want your society to be from oppression. 10 layers? 2 layers? It's (luckily) a rather abstract thought in most Western countries, but that doesn't make it any less important. Data is very powerful and there are countless examples of oppressive regimes using it to control people. It might not matter right now, but one day you might not want there to be a company who owns a database of all your social network interactions or your GPS positions at any minute over the past year. It definitely doesn't matter that Google has it, but as soon as Google has it, the government has it.

    The cynical reply is that the NSA can already do all of this, anyway, but it's also a symbolical step. There's a difference between a law having to be changed (or broken) or all of the infrastructure already being there and it just taking a quiet click with nobody being held accountable.

    Basically, look at the worst case scenarios in other countries (and history) and ask yourself: How well defended are we against them?

    1 vote