Google and Privacy by Tim O'Reilly, on his O'Reilly Radar blog:
"...In short, it seems to me that Google is being held to a much higher standard than the rest of the world..."
Google and privacy by Matt Cutts (a Google employee), on his Gadgets, Google, and SEO blog.
"...First, I believe Google does more to protect our users’ privacy than any other major search engine. Second, I believe other companies such as ISPs have a superset of the data that Google has, plus they have verified payment/identity, plus they know which IP addresses you are on, even if you switch IP addresses..."
Both Tim and Matt make good points. I do believe that Google respects privacy more than most large companies, and I make moderate (though careful) use of a number of Google services.
The ISP privacy risks are significant, whether you care more about commercial or government invasions of privacy. See the Wired blog Threat Level (formerly 27B Stroke 6)'s ISP Privacy Survey. Ironic, isn't it, that AT&T (along with Microsoft) is opposing Google's acquisition of DoubleClick on anti-trust grounds?
Google's reach does give them great power and great liability ("with great power comes great responsibility"). I don't believe Google is evil today, and my privacy practices may seem paranoiac to some, but once the trust is breached or some database is hacked, the data is out there forever. I don't think I'm alone in not wanting to have a massive "digital dossier" on me accumulated in the first place without my knowledge, consent, and some control. So despite technology-enabled marketing and post-9/11 security theater, I take issue with Tim's assertion of the inevitability of "moving into a future where what we do, where we go, what we spend, what we pay attention to, will be mined constantly and by everyone."
OK, so what basic things can a savvy consumer do to minimize the accumulation of a digital dossier?
1. Practice diversification, just like with your investments, to avoid having all of your eggs in one basket. Use an email provider separate from your ISP. Don't put all of your online services into one account with a single provider. The telcos and cable companies love the triple-play (voice, data, video), but consider whether one company should know so much about you. The convenience may be tempting, but if you care about privacy, carefully weigh the risks and trade-offs. Change your IP address regularly (you can usually do this by briefly disconnecting from your ISP, then reconnecting).
2. Browsing: Block third-party cookies and delete unwanted cookies regularly. The only cookie I keep across sessions is for my primary bank because without it they require an extra step for login. If you regularly use multiple logins from the same provider, get used to using multiple browsers simultaneously; I often have three or four browsers running at a time. Don't provide your real identity information (full name, address, phone number, birthdate, credit card information, etc.) except to trusted entities, and then only when absolutely necessary and with great care. Never provide your social security number, unless required by law. Adapt readily available lists to block ad and malware servers that you consider offensive. I have mixed feelings about anonymizing proxies (Tor is a different story), as they simply shift the risk from your ISP to another (probably smaller) company.
3. Email: Use a provider besides your ISP. Make sure they offer encrypted POP/IMAP/SMTP/web, especially for the login. Keep multiple accounts for different purposes, preferably through multiple providers. Use variations of your email addresses. Use fully disposable email addresses (e.g., jetable.org, mailinator.com) for one-time or untrusted uses. Never reply to spam, phishing, or other scams. Set up your web and desktop email clients to not display images unless and until you say so. When the image is rendered, it is possible for a server to know that your email address is valid, and when you read the email.
4. Online backups: Store only encrypted files on third-party servers, unless it is public data.
5. Good security is essential to privacy: keep your OS up to date and operate a good NAT firewall with SPI that "stealths" all ports on the WAN side and ignores incoming pings. Be aware of (and block if necessary) any applications on your PC or LAN that needlessly "phone home". Keep critical information on your desktop and off of the web. Use good security practices to keep your local machine(s) safe (passwords, encryption, periodic cache and log cleaning, etc.).
6. Real world: Pay cash. Get an unlisted phone number and a PO Box. I'll leave it as an exercise for the reader to decide whether to get on the Do Not Call lists. If you're really paranoid, get a pay-as-you-go mobile phone; buy the phone and the minutes with cash and change the phone annually. Use Caller ID Blocking (*67). Avoid store loyalty cards and phone surveys. Vote with your dollars by patronizing establishments that have good privacy practices and don't ask for more information than necessary. Opt out of the data sharing with your commercial accounts (read the fine print when the privacy policies come in the mail, and follow the directions; keep notes of what you've done). Opt out of direct marketing mailings. Some more detail is here (Chris Hoofnagle).
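To make the image-loading point in item 3 concrete, the following added example (not part of the original post) parses a message and lists the remote images a mail client would fetch on display, flagging invisible 1x1 images and the query parameters that can tie the request to a recipient. The sample message, its hosts and its parameter names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src would trigger a network request."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = (attr.get("src") or "").strip()
        # cid: and data: images are embedded in the message and contact no server
        if tag == "img" and urlsplit(src).scheme in ("http", "https"):
            self.images.append((src, attr.get("width"), attr.get("height")))

def audit_remote_images(raw_message):
    """Return one finding per remote image in the message's HTML parts."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteImageFinder()
        finder.feed(part.get_content())
        for src, width, height in finder.images:
            url = urlsplit(src)
            findings.append({
                "host": url.hostname,
                # 0x0 or 1x1 images are invisible and exist only to be fetched
                "tiny": width in ("0", "1") and height in ("0", "1"),
                # parameter names that could carry a per-recipient identifier
                "params": [key for key, _ in parse_qsl(url.query)],
            })
    return findings

# Constructed sample message; the example.* hosts are placeholders.
SAMPLE = """\
From: news@example.com
Subject: Weekly update
Content-Type: text/html; charset="utf-8"

<p>Hello!</p>
<img src="https://img.example.com/banner.png" width="600" height="80">
<img src="https://t.example.net/open.gif?uid=reader%40example.org&amp;m=4711" width="1" height="1">
<img src="cid:logo123">
"""

if __name__ == "__main__":
    print(audit_remote_images(SAMPLE))
```

Every host in the result learns the reader's IP address and the time the message was opened, which is why leaving remote images off by default matters even for visible banners.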
All of these things are easy and don't require great technical skill. In future posts, I'll be providing more detailed tips, and also exploring privacy and security issues with Flash, JavaScript, and Java.