[TriLUG] Hit me with your best shot

Igor Partola igor at igorpartola.com
Thu Mar 13 14:10:00 EDT 2014


Let's be clear here. Normally, most Google users link their online identity
with some identifying real-life information. For example, by default when
you sign up for a new GMail account, you have to provide a cell phone
number.

Second, most Google users have a primary Google account. I think of it in
terms of the email address you put on your business cards. Personally, I
took the first step and stopped using my @gmail.com as my public address.
Instead I pay $9/year for my own domain and use GMail to handle my email
behind the scenes. This way I feel like I at least somewhat reduce the risk
of GMail deciding to stop providing its services, or implementing some
crazy policy that prevents me from using it. Sure, moving all my archived
mail to a different provider would be a pain, but at least I won't have to
tell everyone that I have a new address.

Finally, there are different kinds of spying. The most common and the most
accepted is where you use your primary, real-world name linked Google
account. Here, Google can track what you do, who you communicate with, etc.
This is easy and almost necessary with things like GMail and GChat: they
are keeping all your data for you, using their servers to search for it,
etc. If you handle, say, a client's sensitive info and you get subpoenaed
for an unrelated matter, the client's info will be exposed to the world.
That's no good.

However, there is also another kind of spying that could be done on a
Chromebook that you'd have no idea about. Google could have put a rootkit
at basically any level of the stack, from the hardware itself, to the
kernel, to a separate "usage stats service" to the browser. And the worst
thing is that they might have done that on their own, or against their will
under an NSA order, with an additional gag order to never disclose this.
Then all you have to do is enter your real name just once into the browser,
etc. and they've got you.

Does all of this matter? Who's to say that Canonical has not been compelled
by the NSA to do the same? Or if the microcode on your Haswell chip doesn't
already track everything you do? I am no expert there. All I am saying is
that using or not using your "primary" Google account with your Chromebook
might not have the same effect on your privacy as you expect.

Igor

