Google being evil? [Matthew's Journal]

If people would stop running round like headless chickens and post the EULA's definition of Services as used in clause 11.1 then we could tell if it's heinous or not, but without that it's very hard to say.

[link] [reply]

I've posted the EULA URL (and the paragraph defining "Services") above.

[link] [parent] [reply]

Given the distributed nature of things like Google Docs I can see that they need the display and distribute clauses, but the promote doesn't seem to be necessary.

[link] [parent] [reply]

"Your use of Google’s products, software, services and websites (referred to collectively as the “Services” in this document and excluding any services provided to you by Google under a separate written agreement) is subject to the terms of a legal agreement between you and Google."

[link] [parent] [reply]

Hmm, I am now wondering if their other services like Gmail have similar things?

Given that it's open source, someone could presumably just rehost it somewhere without requiring you to accept those terms. (It's not clear to me how such an EULA is compatible with a BSD licence anyway - like surely the BSD licence it comes with grants me the right to use and distribute the product anyway, whether or not I've agreed with their EULA...)

[link] [reply]

Yes, I've seen almost exactly the same terms on several other Google products where I've looked at the Ts&Cs (not including gmail). Basically they want to own everything.

I don't see how the BSD license is remotely compatible with this either.

[link] [parent] [reply]

They're not stopping anyone downloading the source and building their own version (which you could then ship without the odious EULA); I think I'd be inclined to check the phoning-home bits of the code before doing so.

[link] [parent] [reply]

Given that the BSD license says "in source and binary forms", why is rebuilding necessary? It looks like if I download it from Google I have to accept the EULA, but if you download it and then hand me a copy I don't. Unless there's more clickwrap in the binary itself, I guess.

[link] [parent] [reply]

That is a bit suck-y (for a fairly large value of bit). I also think that it is a non-enforceable clause, at least in relation to such examples made in the 'blog you quote.

Other than that Chrome does appear to be pretty good, and damn fast.

[link] [reply]

These Terms of Service apply to the executable code version of Google Chrome. Source code for Google Chrome is available free of charge under open source software license agreements at http://code.google.com/chromium/terms.html.

Chrome licence is BSD, with dependencies on other things with a variety of other licenses. I forsee a big market in rolling-your-own with all reporting back to the big G code stripped out.

[link] [reply]

http://www.mattcutts.com/blog/google-chrome-communication/

There isn't much *to* strip out.

[link] [parent] [reply]

See this this blog entry . It's pretty clear they've screwed up and are working to remove the imputation that they want to own everything.

There's a real plus for bloggers: there's an in-line spell checker. It's red lining mistakes as I type this.

[link] [parent] [reply]

Something seems to have gone wrong in your href there; looks as if you meant this blog entry.

On the plus side, I got to see what LJ's 404 pages look like as a result, which was good because they're quite fun :-)

[link] [parent] [reply]

I like to write proper html so avoid autoformat an insert my links by hand and I screwed up. I meant this.

The 401 page is very Zen, isn't it?

The good news is that they've fixed Clause 11. There's now no reason for Windows early adopters to download Chrome and make it their default browser, IMHO.

[link] [parent] [reply]

If that's the case, they're missing out one honking great trick. Or they're holding it back until after Chrome's become well accepted.

[link] [parent] [reply]

It's simpler than that, I think. This is a play against Microsoft Office, and IE8 just doesn't cut it as a platform for Javascript-heavy applications. They've employed thirty or forty good people to write their browser, over three or four years (http://www.niallkennedy.com/blog/2008/09/google-chrome.html), so it's cost them maybe a quarter of a million dollars an employee over that period? Which works out at around $30m US, or to put it into perspective, about 0.5% of a Youtube. Google Chrome is cheap.

Anyway, the whole "don't be evil" thing is just economics and good business sense, isn't it? Google's entire business model depends on maintaining the trust of its users, just as a bank's does, or a telco, or a big food retailer. They're not going to be nice, sure, but they can't afford to be hated and mistrusted in the way Microsoft are hated and mistrusted, because the Google/GMail/Google Docs data lockin isn't nearly as strong as the Exchange/Outlook/Office format one. They can afford not to be the best, as long as they're close, but they can't afford to be untrustworthy.

[link] [parent] [reply]

That does seem ridiculous. BUT, would posting to LJ, where the info does not, presumably, go via Google's servers, constitute use of the "service", and if it does, how could they get the info except by screen scraping every blog site?

When they had screen scraped, how could they tell whether any posts had been sent from the Chrome browser?

[link] [reply]

I would assume something in chrome is capable of phoning home[1], but I've not had a chance to eyeball the source, and they might use a modified version to achieve this functionality. I doubt they screen-scrape the web.

[1] it already does this for crash reporting, and getting lists of malware sites

[link] [parent] [reply]

And, it is virtually impossible to stop a web browser from phoning home by blocking it in the firewall. It is a shame about the tos - Chrome looks good in other ways, and I would probably move to it instead of Firefox for most browsing it the tos were less onerous.

[link] [parent] [reply]

Remember that "services" includes products, and this is a product.

They could, hypothetically, make all forms posted with the browser go via a Google proxy which could capture any content. I can't imagine they're *that* evil though.

[link] [parent] [reply]

Hmm - if they did that it would seriously piss off online banking sites. Would the ssl encryption foil them, we wonders? (Posted via Firefox)

It is a shame. Chrome seems good in many ways - I like the feel of it, but I think the tos means I have to stick with Firefox - which, to be fair, I have long preferred to anything else I tried.

[link] [parent] [reply]

SSL would be no protection if the browser was programmed to divulge its secret key to the proxy. Even without that, SSL can be decrypted in real time if the proxy gets in at the start of the conversation and masquerades as the real server (a "man in the middle" attack). The hardware needed to do so on a global scale would be fearsomely expensive, however. Only a global corporation with vast amounts of cash could hope to do so!

[link] [parent] [reply]

A browser that wants to leak SSL-protected data back to its authors wouldn't need to do it by sending them the session key, it could just send them the data.

Secondly I'm sure a lot of people would be interested in your purported MitM attack on SSL; except in fact I suspect you've just misunderstood.

[link] [parent] [reply]

There's nothing "purported" about what I described, it's supported by commercially available products such as the Netronome SSL Inspector. If you think I've misunderstood do please explain.

[link] [parent] [reply]

How do you propose the intermediary fool the client into thinking it has the private key corresponding to the one in the certificate?

[link] [parent] [reply]

Netronome SSL Inspector appears to be something that the server operators would deliberately install and configure. That's not an attack at all, that's just separating SSL termination from the website.

[link] [parent] [reply]

It's an attack if the endpoints don't know whether or not it's happening, which is the case with a proxy. The web server doesn't know that its traffic isn't coming from the client, since it has no way of identifying the genuine client. The client has no way of knowing whether the private key it received during SSL handshake came from the original server, or was inserted by the proxy, so long as the proxy signs it with a CA root that is accepted by the browser.

[link] [parent] [reply]

The client has no way of knowing whether the private key it received during SSL handshake came from the original server, or was inserted by the proxy, so long as the proxy signs it with a CA root that is accepted by the browser

CAs don't just hand out their private keys to any idiot, you know.

[link] [parent] [reply]

That's entirely beside the point, because if you wrote the browser, it would be very easy to arrange for it to accept any CA you like.

[link] [parent] [reply]

If you control the browser then OBVIOUSLY you have access to the user's data. Like, duh. Still not an attack on SSL.

[link] [parent] [reply]

If an SSL connection can be decrypted without the user's knowledge (you can read the browser source code all you like, there's no code that says "give away the user's data here"), then that's an attack. You don't need to "control" the browser. You could even just rely on most users' behaviour of always accepting new certificates without looking at them.

You seem determined to patronise me. Being polite costs nothing, you know.

[link] [parent] [reply]

I don't understand why you're continuing to defend this ridiculous line of argument.

[link] [parent] [reply]

There's a lot you don't understand, including how to be civil, apparently.

[link] [parent] [reply]

So you're basically saying Google are trying to usurp M$ as the biggest, baddest bastards on the face of the planet, but everyone thinks they're really very nice?

[link] [reply]

They'd still have a long way to go to take M$'s crown as evil empire. Part of their evil is that I am still, for practical purposes, trapped into using their OS whether I want to or not.

With Google's tos, at least I can return to Firefox...

[link] [parent] [reply]

No, that's the USA ... ;-)

[link] [parent] [reply]

Once the Linux port is done (looking at the source, it's a work in progress) I expect it will be distributed in the normal way: the distros will build from source with their own patches. I believe Google's source is BSD-licensed? There won't be an EULA in that case.

[link] [reply]

I don't understand how 11.1 fits with 9.4:

9.4 Other than the limited licence set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights that subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist).

If 11.1 means they own everything, does 9.4 mean that apart from owning everything they don't own anything? WTF?

[link] [reply]

The 'limit' referred to by 9.4 is the final sentence of 11.1. And it is a limit, just not as limiting as it ought to be under the circumstances.

[link] [parent] [reply]

They've changed it now. Looks like it was careless copying and pasting rather than evil:

11. Content licence from you
11.1 You retain copyright and any other rights that you already hold in Content that you submit, post or display on or through the Services.

[link] [reply]

Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25 1
26	27	28	29	30	31

Matthew's Journal

October