How important is protecting our data from companies like Google?
I was a supporter of Andrew Yang while he was running for president. His policies appealed to me a lot. One I supported because it made sense to me; personal data as a property right. I’ve thought about it more and I don’t see how a company like Google using my data negatively affects me. What are the negative repercussions I experience when a company uses my information like that? Are there alternatives that would protect my data more that are actually decent? I’d love to receive some explanation for this!
You raise important points. I self-host some services, such as Nextcloud (which gives storage, calendar, contacts, and more), Matrix/Synapse (just for fun tbh), and a bunch of media stuff (for Linux ISOs) but for other services I would rather it be with someone else. Some things, like email (ProtonMail) and my password manager (Bitwarden) I would simply have someone else manage it. For one, I am just a hobbyist and in no way a security expert. Even if I was, I am not working full time to make sure those two things, which are absolutely critical, have constant uptime and are secure.
On the Google note, that is a common misconception. Google has absolutely stellar security imo (and from others), but pretty bad privacy. If I had to use some big-tech "suite" provider, it would be Google. For instance, Google Voice handles the 2FA codes for services that only have SMS as an option. For one, I am not dealing with a SIM phone number. But also I can protect my Google account with a strong password and good 2FA (hardware key).
I do self host this, and do find peace of mind in it. I think it's the single most important one to self-host, because if you can't trust the providers (or their providers), you have no other options. If a bad breach happens, every password is one of the worst possible outcomes.
That said, it definitely needs to be robustly backed up, including some periodic plain text backups stored offline in a secure place.
I definitely understand what you mean. I am conflicted inside about it, actually. Self-hosting Bitwarden would be an ideal for me, but I cannot trust myself. Sure, I can back it up, that is not too hard, but I could leave the server insecure and I might not even know. Bitwarden has gone through independent security audits and has full-time engineers to make sure everything is up and running and secure. I see the flaws though, anyone can make mistakes, but I simply believe they would be less likely.
Of course, I still securely back up my Vault to different locations, no excuse for not doing that.
Here's some pointers for anyone considering self hosting. This will keep you almost entirely protected outside of a sophisticated, dedicated attack...which as a self-hosted service is unlikely.
Man that first bullet point is so common. Also when people do not change their wifi admin password! I think with Bitwarden, it is just some security paranoia I have, but then again there is the paranoia of Bitwarden hosting it. Anyways, those are all important steps!
One question, why did you say for the SSH keys to not replace password authentication? I have usually heard/read to replace it.
I largely agree, but there are a few sticky points which keep me locked in.
I would not say Google has good security.
In November 2019 they shared your private videos with random people.
I personally found too many usability issues in their Drive, one of the reasons I switched to Nextcloud.
/u/Crocodile
To be fair, that was one incident, and when you have so many moving parts and so many users, a mistake might happen. Still no excuse to use Google, use Nextcloud like you said ;)
One thing that hasn't been mentioned is the chilling effect ... people automatically self-censor when they know/suspect that unknown 3rd parties might be accessing their nominally-private notes and communications. Google is not the Stasi, but broadly speaking, that is the direction we're headed, and Google is playing a leading role.
But perhaps you're asking the wrong question. Why have we accepted the idea that Google has a right to access our personal data in the first place? The Post Office does not read our letters, the phone companies do not listen in on our phone conversations (at least, not generally, not w/o cause) ... why did we ever buy into the idea that, on the Internet, the companies that facilitate our communication online are somehow entitled to scrape that data for who-knows-what purposes?
Another point I'd like to push back on is the idea that personalized advertising is harmless. It's not. Advertising is all about convincing you that you need something, that you don't need. There are many well-documented negative side-effects of advertising on people's mental health and well-being ... targeted, personalized advertising is like weaponizing those effects.
It's never been a right. There are agreements. Businesses don't normally provide long-term services to anonymous customers. You have to sign up and people do it routinely and willingly. (Though, usually they don't entirely understand the consequences.)
There's also gossip, and this is ancient and uncontrollable. Other people can talk about you and they can spread rumors. Nowadays they can spread truth or lies about you on Twitter.
Merchants you deal with can remember who you are and talk about you to others, and that's ancient. Among businesses, phone companies and utilities are something of a special case. I think it's reasonable to say that Google and other large tech firms should be in that category, where special government regulations apply.
In Europe the GDPR is an attempt to restrict all business use of customer information, and that also seems like a worthy effort. Maybe the US will do something similar someday?
In most cases, it's probably harmless, and all that happens is they attempt to show you advertisements that will match your preferences. But there are a number of things that can happen with it if you're unlucky:
1. A government may decide they want to track certain sets of people they deem undesirable (this is currently happening in China and (I think) India). They could either covertly or overtly take data you gave to companies for this purpose.
2. A hacker (possibly another government, possibly organized criminals, possibly script kiddies) could obtain information you gave to another party and use it to know when you're at home or not or where you are. They could use this to steal packages or physically attack you. They could use it to send the SWAT team to your house under false pretenses and potentially get you or someone else murdered. As good as Google is at protecting their data, they have been successfully hacked numerous times. (And all other companies that are well known have been, too.)
3. Hackers that obtain your information could use the information to impersonate you to social engineer access to your money or services and lock you out of access to those things.
4. Google could sell the information to other companies that are unethical. (They don't currently do this as I understand it, but that could always change.) This is currently happening in the US with location data from the major mobile carriers. It's only supposed to be available to law enforcement but the extent of the protections to ensure that was just a single sentence saying, "You must have a warrant to access this information," printed on one of the screens when running the software. It was being sold to private detectives so they could spy on people for money.
5. Your information could get mixed up with someone else's if they have a similar name, social security number, or random unique ID in a company's database. You may not have any undesirable information, but you could get linked to someone who does. This happened to a friend of mine. He was assigned the former phone number of a known drug dealer by the phone company. The phone company failed to tell the FBI the number had been reassigned. My friend then called his other friend in Pakistan to say he was excited to be traveling there for his friend's upcoming wedding. Luckily, the phone was a company phone (he works for a cell phone manufacturer), and someone at the company tipped him off that they were required to share his data with the government. (His response was, "Well I hope they like gay porn!")
6. Employees at Google (or any other company that collects personal data) could access the data for their own purposes. Despite the fact that most companies have policies against this and even take precautions, there are many stories of employees spying on exes, harassing people they don't like, etc.
Nobody else can tell you how worried you should be about each of these things. But the less info you put out there, the less likely it can be used against you. On the one hand Google's got a lot of smart people working on protecting your data because it's valuable to them. On the other hand, they have so much of it that they attract the best hackers and foreign governments to try to steal it. Personally, I just hate ads, so I avoid their products like the plague.
Maybe clarify what you mean by "successfully hacked" in point 2? Individual Google accounts get broken into all the time due to bad password practices and so on, but maybe that's not what you meant?
I mean the typical stuff that all companies have to face. Things like China successfully breaching Google's security, for example.
Yes, the China hack in 2009 and the US government tapping submarine cables (revealed by Snowden in 2013) are the two major security breaches I remember. Both of them resulted in major overhauls of Google's security.
Sorry for reviving a dead thread, but I was reminded of this last week when the Twitter hack occurred. That hack is an example of #6 above - employees at the company do something they have permissions to do, but aren't supposed to do.
A reader on HackerNews pointed out an older example of this, when an engineer at Google used his access to Gmail and Google Voice to harass teenagers. (Warning - it's on Gawker which is a pretty trashy site, but I believe the facts are correct.)
I don't think anyone can protect your data as well as you can. Framing it as giving your data to Google wholesale, or giving it to someone else wholesale is often not the answer. Google is often a worse player than most given that in their business model, you are the product sold to advertisers, rather than the customer sold a product, but you needn't be a customer of anyone at all.
If you are looking to roll back your reliance on big corps to power your technological life, the github selfhosted project can be extremely helpful:
https://github.com/awesome-selfhosted/awesome-selfhosted
I do most of my stuff selfhosted, except for automated backups, which I store locally, but ultimately encrypt and push copies of to AWS's simple storage service.
This isn't how Googlers talk about it, and I think it's a rather disingenuous way to describe their business model. Google talk about having two products, and two customers. One product is their web services (search, email, etc) and the other is advert delivery. Their two customers are users and advertisers. Advertisers buy delivery for their adverts with money, users buy web services with eyeballs. Google converts money into eyeballs on ads - and the targeting of eyeballs is where they add value. Facebook uses similar language internally, and I'm sure Twitter and all the rest do as well.
You are not getting "sold" to anyone. Allowing access to your eyeballs is how you pay for your email. Of course if that's not a price someone wants to pay, that's totally understandable although I've run more than enough email servers in my time to be perfectly happy to have Google handle mine in return for some eyeball time.
It isn't a given that "anyone" would be better off with self-hosting, since many people are bad at computer stuff or just careless. Many people couldn't do it without lots of hand-holding.
In practice, a lot of people are dependent on advice and help from people who know more about computers than them, so they're dependent on someone else no matter what. If there is someone in your family like that and they turn to you for help, you could do worse than getting them a Chromebook and a Google account. Maybe two Chromebooks since they do break.
If you want to play in hard mode, think about what advice you'd give to someone who gets confused by accidentally touching something on a touch screen, and how much time you're willing to devote to doing stuff for them. For added difficulty, consider how you'd support them if you can't visit due to the pandemic and there's a hardware problem.
The anyone comment isn't quite flippant, but I figure most people can source either open source alternatives for most applications, while a smaller portion can self-host web enabled services.
re: hard mode:
My solution to that problem these days is to just provide folks with the information to help them get the answers they need. Teach them to fish rather than giving them the fish. Here's some links to PC parts picker, these warnings can be ignored, these warnings will absolutely ruin you, etc.
Anyone I've run into who is less inclined to technology than being able to use a self service website to problem solve only wants a cell phone, or is debating between iPad sizes, or an iPad versus a kindle.
I'm not a fan of chromebooks personally, but I've actually had good recent success with dropping unity based ubuntu on people, using the defaults that install stuff like libre office suite. To be honest I think unity provides a more intuitive UX than both win10 and MacOS 10.13. Autocontexted global search is very convenient for folks. It's easier to click any non active window then search, versus hitting windows key or cmd+space.
Could you elaborate on what you mean by self hosted? I’m sure you’ve noticed that I’m not the most knowledgeable person when it comes to this.
Self hosted in this case means you own the hardware that the software you use is running on. Now I'm not suggesting you do this, but I bought a pretty good little blade server for pennies on the dollar ($165 for a PC that is $2000 or so new) on ebay about 2 years back, and now I run most of my "service" type software off of it, and access it from wherever in the world I want. It sits in a closet in my house. You can run replacements for things like spotify with little to no setup, since there are precompiled projects that are pretty much copy and paste. For applications, instead of google docs or office, I remote into the machine to use libreoffice stuff, so that my server serves as my single atomic source of data.
That said, you don't really have to do any of this, and you don't even need a physical dedicated machine to do most of it these days. There are a ton of open source projects which let you run stand alone applications wherever, that aren't phoning home to some company at the end of the day. Here's another list of open source software that fits a lot of needs typically met by commercial or 'free in exchange for your data' software: https://github.com/sindresorhus/awesome
I think it depends on the data and how it's used. As an individual I'm not sure it's all that important to avoid targeted advertising, but then again I don't trust advertising and I think I'm pretty savvy about it.
I think it's important to crack down on deceptive and fraudulent business practices but online advertising is only a small part of that. The elderly are targeted via TV ads and phone calls and the mail, not just online ads. I would like to see much more done here but I don't think it's going to happen until we have a better and more trusted justice system.
I mostly trust Google not to leak, other than to the government via warrants, etc. It's too late for me anyway since I'm an ex-Googler and they already know all about me via employment, but still, I think their security is good, they have the best security experts, and they have a process of continual improvement. That's no reason to get cocky but I would be surprised by a major security leak.
But if you're an activist I would be cautious, at least for the parts of your life that are "interesting."
It's a matter of how many layers removed you want your society to be from oppression. 10 layers? 2 layers? It's (luckily) a rather abstract thought in most Western countries, but that doesn't make it any less important. Data is very powerful and there's countless examples of oppressive regimes using it to control people. It might not matter right now, but one day you might not want there to be a company who owns a database of all your social network interactions or your GPS positions at any minute over the past year. It definitely doesn't matter that google has it, but as soon as google has it, the government has it.
The cynical reply is that the NSA can already do all of this, anyway, but it's also a symbolical step. There's a difference between a law having to be changed (or broken) or all of the infrastructure already being there and it just taking a quiet click with nobody being held accountable.
Basically, look at the worst case scenarios in other countries (and history) and ask yourself: How well defended are we against them?