How to Foil Search Engine Snoops http://www.wired.com/news/technology/1,70051-0.html
By Ryan Singel

On Thursday, The Mercury News reported that the Justice Department has subpoenaed search-engine records in its defense of the Child Online Protection Act, or COPA. Google, whose corporate credo famously includes the admonishment "Don't Be Evil," is fighting the request for a week's worth of search engine queries. Other search engines have already complied.

The government isn't asking for search engine users' identifying data -- at least not yet. But for those worried about what companies or federal investigators might do with such records in the future, here's a primer on how search logs work, and how to avoid being writ large within them.

Why do search engines save logs of search terms?

Search companies use logs and data-mining techniques to tune their engines and deliver focused advertising, as well as to create cool features such as Google Zeitgeist. They also use them to help with local searches and return more relevant, personalized search results.

How does a search engine tie a search to a user?

If you have never logged in to a search engine's site, or a partner service like Google's Gmail offering, the company probably doesn't know your name. But it connects your searches through a cookie, which has a unique identifying number. Using its cookies, Google will remember all searches from your browser. It might also link searches by a user's IP address.

How long do cookies last?

It varies. Yahoo sets a cookie that expires in June 2006. A new cookie from Google expires in 2036.

What if you sign in to a service?

If you sign in on Google's personalized homepage or Yahoo's homepage, the companies can then correlate your search history with any other information, such as your name, that you give them.

Why should anyone worry about the government requesting search logs or bother to disguise their search history?

Some people simply don't like the idea of their search history being tied to their personal lives. Others don't know what the information could be used for, but worry that the search companies could find surprising uses for that data that may invade privacy in the future.

For example, if you use Google's Gmail and web optimizing software, the company could correlate everyone you've e-mailed, all the websites you've visited after a search and even all the words you misspell in queries.

What's the first thing people should do who worry about their search history?

Cookie management helps. Those who want to avoid a permanent record should delete their cookies at least once a week. Other options might be to obliterate certain cookies when a browser is closed and avoid logging in to other services, such as web mail, offered by a search engine.

How do you do that with your browser?

In Firefox, you can go into the privacy preference dialog and open Cookies. From there you can remove your search engine cookies and click the box that says: "Don't allow sites that set removed cookies to set future cookies."

In Safari, try the free and versatile PithHelmet plug-in. You can let some cookies in temporarily, decide that some can last longer or prohibit some sites, including third-party advertisers, from setting cookies at all.

While Internet Explorer's tools are not quite as flexible, you can manage your cookies through the Tools menu by following these instructions.

Have search histories ever been used to prosecute someone?

Robert Petrick was convicted in November 2005 of murdering his wife, in part based on evidence that he had googled the words "neck," "snap" and "break." But police obtained his search history from an examination of his computer, not from Google.

Can I see mine?

Usually, no. But if you want to trace your own Google search histories and see trends, and you don't mind if the company uses the information to personalize search results, you can sign up for Google's beta search history service.

Could search histories be used in civil cases?

Certainly. Google may well be fighting the government simply on principle -- or, as court papers suggest, to keep outsiders from using Google's proprietary database for free. But a business case can also be made that if users knew the company regularly turned over their records wholesale to the government, they might curtail their use of the site.

A related question is whether Google or any other search engine would fight a subpoena from a divorce attorney, or protest a more focused subpoena from local police who want information on someone they say is making methamphetamines.

What if I want more anonymity than simply deleting my cookie when I'm searching?

If you are doing any search you wouldn't print on a T-shirt, consider using Tor, The Onion Router. An EFF-sponsored service, Tor helps anonymize your web traffic by bouncing it between volunteer servers. It masks the origins and makes it easier to evade filters, such as those installed by schools or repressive regimes.

The service has its drawbacks. While it can be very useful for a journalist in China, data services can be slower or have greater latency due to the extra stops the data makes, and a general dearth of servers.

Is Tor perfectly anonymous?

No. Computers leak data. Tor, combined with the Privoxy proxy server (which comes bundled with Tor), reduces some of that leakage, but still isn't foolproof. But when used with Firefox, Tor and Privoxy can provide a mostly-anonymous web browsing experience.

Are there other options?

Anonymizer offers a limited free browsing service and sells software, both of which are supposed to protect your anonymity, but have had serious performance issues. There are other proxy servers on the internet, but you have to judge for yourself whether you trust them, and some websites actively block anonymous browsing.

Answers were compiled with the generous assistance of security consultant Adam Shostack and hacker Jacob Appelbaum.
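As an added illustration (not part of the Wired article), the sketch below shows how log records can be tied together by cookie ID and, optionally, by IP address, and why deleting a cookie splits a search history only when the IP address does not also link it. The log layout, cookie IDs, addresses and queries are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample log: (date, client IP, cookie ID, query). Every value is made up.
LOG = [
    ("2006-01-02", "198.51.100.7", "c-1111", "knee pain running"),
    ("2006-01-03", "198.51.100.7", "c-1111", "orthopedist chicago"),
    # Same browser (same cookie) used on a different network.
    ("2006-01-05", "203.0.113.40", "c-1111", "divorce lawyer fees"),
    # Cookie deleted, so the browser gets a new ID, but the home IP is unchanged.
    ("2006-01-09", "198.51.100.7", "c-2222", "cheap flights lisbon"),
    # Unrelated user: different cookie and different IP.
    ("2006-01-10", "192.0.2.99", "c-3333", "tax deadline"),
]


def link_profiles(log, use_ip=False):
    """Group queries that share a cookie ID (and, if use_ip, an IP address).

    Uses union-find so that links are transitive: a record that shares a
    cookie with one record and an IP with another joins all three.
    Note that IP linking can also merge unrelated people behind one NAT.
    """
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for i, (_date, ip, cookie, _query) in enumerate(log):
        union(("rec", i), ("cookie", cookie))
        if use_ip:
            union(("rec", i), ("ip", ip))

    groups = defaultdict(list)
    for i, record in enumerate(log):
        groups[find(("rec", i))].append(record[3])
    # Largest profile first, for stable output.
    return sorted(groups.values(), key=lambda qs: (-len(qs), qs))


if __name__ == "__main__":
    for label, use_ip in (("cookie only", False), ("cookie + IP", True)):
        print(label)
        for profile in link_profiles(LOG, use_ip):
            print("  ", profile)
```

With cookie linking alone, the query made after the cookie was deleted stands apart; once IP addresses are also used, it rejoins the earlier history, which is the gap that routing traffic through Tor is meant to close.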