Reads very propagandy esp considering the timing. The fb drama is justcooling off, what better way to promote an fb competitor than talking about this.
Interesting, I noticed as well that Alex Stamos has a record of data breaches that he leaves behind. What's his next gig? Does anyone know? Will be curious to follow.
> The fundamental challenge... is making computing systems that people feel comfortable using. “They don’t feel safe, they don’t feel trust... Does this company have my best interests at heart at all?..”
Making users feel good about surrendering data, defined as “protecting privacy”.
Google’s positioning on the current furor is pretty interesting.
Specifically the preferred corporate definition of ‘privacy’ to mean...
> Being respectful of a user can be as simple as giving her a way to respond to a product that bothers her, whether its an ad for a chicken recipe that’s not relevant for her because she’s a vegetarian or an abusive message that she wants to report.
... Funnel-optimization (“user trust”), and enhanced personal data collection.
I find the [x] button on Google's ads annoying. I click the [x] to mean "remove this ad" but that is not one of the options presented. Wouldn't it be better for users and Google if clicking [x] actually removed the ad from the page?
It's interesting to me that the article mentions Yonatan Zunger, since he left Google in July 2017. Before working in the Privacy team (as a Distinguished Engineer), he was Chief Architect for G+.
His short stint in Privacy (8 months) before quitting Google for a startup makes me nervous. But maybe I'm reading too much and he just needed to move on from Google after 14 years.
Well, they definitely do fail at the very core. For the non-enterprise Gmail accounts, there is basically no way for account owners to reattain control over an account if it was hijacked. Google product forums full of people blocked from the recovery of their account by sudo-AI recovery form and all the support they get is repeated "use recovery form" from some kind of "google community volunteers" (or something like that).
E-mail account is basically a concentration of personal data and doing so little to protect that negates everything else.
You make an excellent point, but I’d say the bigger problem with Gmail from a privacy stand-point is that your contacts and email contents are surrendered to an ad-surveillance company, and deliberately stored in plain-text, for any international government that fancies a look.
Even if you accept that that’s a price worth paying for the service, you’re “snitching” on all your friends you exchange numbers/emails with. If you avoid Gmail, they still have all your email, just from the other end.
Whenever you make the recovery process easier, you make it easier for attackers to "recover" victims' accounts.
Switching from pseudo-AI to humans isn't necessarily better. I had an attacker successfully social engineer a support person into changing the email associated with one of my videogame accounts which had some valuable items.
Preventing attackers from getting my password is something I can do myself. Preventing attackers from "recovering" my account is not something I can do myself. So I prefer services to have difficult recovery.
Well, I've actually faced an opposite situation. I have two Gmail accounts, main one gathers mail from the secondary, and I'm pretty sure that main address is set up as "recovery e-mail" in the secondary account. I've registered them more than 10 years ago, and since I have no need to login into secondary account - I forgot my password. But recently I've received e-mail from Gmail saying "we've prevented login into your account from unusual place" which usually means - somebody has your password.
And now I have no way to change a password for my secondary account meaning bad guys still have a valid password. And since some services don't allow you to change e-mail you've used during registration (usually when your e-mail is your login) - I'm basically hostage to Google's login security system and have to rely on it preventing bad guys from logging in into my account while I can not do so myself.
>Whenever you make the recovery process easier, you make it easier for attackers to "recover" victims' accounts.
Only if you define easier as 'badly designed process'.
> I had an attacker successfully social engineer a support person into changing the email associated with one of my videogame accounts which had some valuable items.
That is unfortunate, but why do you believe this will always be the case?
>So I prefer services to have difficult recovery.
Maybe this can be an opt-in for the more 'security-minded' minority. There is no reason to have the same process for every user. Both of the positions "Preventing attackers from getting my password is something I can do myself." and ". Preventing attackers from "recovering" my account is not something I can do myself." rely on humans not making mistakes. We can improve on both (service & user) sides to reduce mistakes.
>Only if you define easier as 'badly designed process'.
I'd be interested to know what a good process is.
>That is unfortunate, but why do you believe this will always be the case?
I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.
Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:
But that implementation isn't perfect, it requires giving up some features and buying U2F keys. Preferably you could opt into exactly the protection you want, so you could get the recovery security without having to buy security keys for example.
I agree there could be better implementations, but they would cost more. I think it's a three way tradeoff between cost, easy recover, and security. When I hear someone advocating for easier recovery without advocating for higher cost, then I immediately think there will be a lowering of security.
>I'd be interested to know what a good process is.
IMHO, A good process would have several tiers, each being more manual, less automated, and more time consuming. The basic tier would be security questions, alternate email, SMS, 2FA, etc. The next tier could be establishing identity and would mean communicating with a real person. You can send a signed affidavit along with a government issued ID and the person would verify it. Then they would have to establish that the account itself belongs a specific person, and that that person is you. This can be done in various ways - billing address, CC info (if applicable to that service), etc, etc. A more real answer would be dependent on the actual service and what information the service captures at signup, etc.
>I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.
Well, then that is a different argument and I'd agree that it takes time and money to get a good process in place.
But if you think about it your logic can be applied to anything right?? I don't believe most (if any) software companies have enough profit motive to test their software for security bugs or hire people who have expertise in security.
>Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:
The cost of hiring security engineers and testing for security bugs is constant with regard to number of users. Whether you have 1000 users or 1 billion users, your service has the same security if you spend the same amount on testing an engineers.
But the cost of human intervention in recovery increases linearly with the number of users.
I agree with your ideas for automation. But human intervention has problems.
One solution for human intervention is to charge a non-refundable fee for recovery. This has the advantage of discouraging attackers from trying to recover. The problem is I think this would cause bad PR for the companies. Now instead of blog posts saying "Google locked me out of my account" there would be blog posts saying "Google is charging me $20 to access my own account" or "Google is holding my account hostage for cash".
So no PRISM ? And analytics and google font don't collect my data when I'm not on a google site ? And no scanning of my gmail messages ? And I can install updates for my Android apps easily without linking my personal email to my phone ( and risking cloud contact/photo sync if I didn't do this right) ? And ads don't get personalized to my profile according to all those data ?
I logged into "my activity" on Google recently for the first time. I was pretty annoyed to see they have tracked all my Duck Duck Go searches made through chrome.
I think it's fairly standard that larger tech companies have privacy teams. Apple has one, facebook has one, google has one. If I bothered to search for more, you probably can find a news article about that company's privacy team.
Google could easily protect the privacy of their users but it would need to be a directive from the top down and they would have to actually mean it.
All this is is an attempt to show themselves as the good guys relative to Facebook whereas Google is in many ways just as bad, just along different axis. At heart both Facebook and Google are advertising scum of the very worst kind that hold the world hostage with some free functionality.
The problem with Google is that that functionality is of a grade that it is hard to get around them, Facebook you can do without just fine.
I couple of years ago I went to bed with the computer on. I woke up in the middle of the night with hard drives in full rage. My first thought was that Vista is probably doing a defrag, but I was pretty sure I had turned that feature off. So I ran perfmon to see what was going on: googleupdate.exe was scanning all drives, not only the system drive, but all of them. I purged all Google software from the computer (Google Chrome, Earth).
Where is the opt-out for reading GMail content? Or better written: why is the scanning of emails activated by default and not as opt-in? What about the preinstalled Android Google Services, which upload data continuously on Googles' Servers?
This article is entirely about security and Google's attempts to make sure user data never leaks outside the company.
While you can't have privacy without security, security by itself does not equal privacy. Not once does this article talk about how Google tracks and records user behaviour on an industrial scale.
When you create a Google account, you're asked to provide your name, your
gender, your date of birth, your location and your mobile phone number.
Some of your most personal and private details, all of which will now be tied to your online behaviour.
That data capture starts right from school, where millions of students use
a cloud-based OS called ChromeOS that records everything they do. It's
quite horrible that this is happening - the kids don't even get a say,
it's the adults who've decided this.
The G Suite for Education Privacy Notice [1] clearly states that Google collects device information, unique device identifiers, mobile network
information (including phone number of the user). Also logged are IP
addresses, location information, and app usage using unique application numbers.
Even if this information is detached from individual accounts and
aggregated, it equals a phenomenal amount of data captured by Google on millions of students in the US.
And we've seen from Spotify and Netflix how even aggregated data can
reveal very private and personal user behaviour.
It's baffling how little scrutiny the company faces, least of all from the tech community who, more often than not, rush to it's defence.
Isn't this just about who 'other than google' can access your data? Its sort of like creating an API and allowing only one person to use that API. The API itself is the problem, not the fact that only one person can access it. But I don't get the pressure on Google here. What do people expect them to do if their entire business model is based on data harvesting. The only way to fix this would be to have a legally mandated opt-in policy on data collection. This will let Google charge money from end users, and maybe make them feel much better about it too.
57 comments
[ 3.7 ms ] story [ 135 ms ] threadMaking users feel good about surrendering data, defined as “protecting privacy”.
Google’s positioning on the current furor is pretty interesting.
Specifically the preferred corporate definition of ‘privacy’ to mean...
> Being respectful of a user can be as simple as giving her a way to respond to a product that bothers her, whether its an ad for a chicken recipe that’s not relevant for her because she’s a vegetarian or an abusive message that she wants to report.
... Funnel-optimization (“user trust”), and enhanced personal data collection.
Very Googley.
#changetheworld
His short stint in Privacy (8 months) before quitting Google for a startup makes me nervous. But maybe I'm reading too much and he just needed to move on from Google after 14 years.
https://plus.google.com/+YonatanZunger
https://www.linkedin.com/in/yonatanzunger/
https://twitter.com/yonatanzunger
Having read many of his internal rants at Google that’s not the epithet I would use. He certainly is a solid engineer though.
He has a lot of professional incentive not to disclose privacy problems at Google...
He is approachable on G+ and Twitter, but plain game theory means I'd doubt any reassuring answer.
E-mail account is basically a concentration of personal data and doing so little to protect that negates everything else.
Even if you accept that that’s a price worth paying for the service, you’re “snitching” on all your friends you exchange numbers/emails with. If you avoid Gmail, they still have all your email, just from the other end.
Switching from pseudo-AI to humans isn't necessarily better. I had an attacker successfully social engineer a support person into changing the email associated with one of my videogame accounts which had some valuable items.
Preventing attackers from getting my password is something I can do myself. Preventing attackers from "recovering" my account is not something I can do myself. So I prefer services to have difficult recovery.
And now I have no way to change a password for my secondary account meaning bad guys still have a valid password. And since some services don't allow you to change e-mail you've used during registration (usually when your e-mail is your login) - I'm basically hostage to Google's login security system and have to rely on it preventing bad guys from logging in into my account while I can not do so myself.
Only if you define easier as 'badly designed process'.
> I had an attacker successfully social engineer a support person into changing the email associated with one of my videogame accounts which had some valuable items.
That is unfortunate, but why do you believe this will always be the case?
>So I prefer services to have difficult recovery.
Maybe this can be an opt-in for the more 'security-minded' minority. There is no reason to have the same process for every user. Both of the positions "Preventing attackers from getting my password is something I can do myself." and ". Preventing attackers from "recovering" my account is not something I can do myself." rely on humans not making mistakes. We can improve on both (service & user) sides to reduce mistakes.
I'd be interested to know what a good process is.
>That is unfortunate, but why do you believe this will always be the case?
I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.
Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:
https://www.youtube.com/watch?v=SstZAIxl8wk
https://www.youtube.com/watch?v=lc7scxvKQOo
It just takes a single slip up and you lose. Whereas attackers can just keep trying.
>Maybe this can be an opt-in for the more 'security-minded' minority.
Yeah I agree it's a good idea. In fact that's what I've done on my primary google account
https://landing.google.com/advancedprotection/
But that implementation isn't perfect, it requires giving up some features and buying U2F keys. Preferably you could opt into exactly the protection you want, so you could get the recovery security without having to buy security keys for example.
I agree there could be better implementations, but they would cost more. I think it's a three way tradeoff between cost, easy recover, and security. When I hear someone advocating for easier recovery without advocating for higher cost, then I immediately think there will be a lowering of security.
IMHO, A good process would have several tiers, each being more manual, less automated, and more time consuming. The basic tier would be security questions, alternate email, SMS, 2FA, etc. The next tier could be establishing identity and would mean communicating with a real person. You can send a signed affidavit along with a government issued ID and the person would verify it. Then they would have to establish that the account itself belongs a specific person, and that that person is you. This can be done in various ways - billing address, CC info (if applicable to that service), etc, etc. A more real answer would be dependent on the actual service and what information the service captures at signup, etc.
>I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.
Well, then that is a different argument and I'd agree that it takes time and money to get a good process in place.
But if you think about it your logic can be applied to anything right?? I don't believe most (if any) software companies have enough profit motive to test their software for security bugs or hire people who have expertise in security.
>Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:
Yeah, that is an example of a bad process.
But the cost of human intervention in recovery increases linearly with the number of users.
I agree with your ideas for automation. But human intervention has problems.
One solution for human intervention is to charge a non-refundable fee for recovery. This has the advantage of discouraging attackers from trying to recover. The problem is I think this would cause bad PR for the companies. Now instead of blog posts saying "Google locked me out of my account" there would be blog posts saying "Google is charging me $20 to access my own account" or "Google is holding my account hostage for cash".
DDG does use Google search for a lot of things.
Many don’t realise they are still getting tracked as long as they use Chrome (with default settings).
Source? They use Yahoo/Bing in the backend, but Google?
All this is is an attempt to show themselves as the good guys relative to Facebook whereas Google is in many ways just as bad, just along different axis. At heart both Facebook and Google are advertising scum of the very worst kind that hold the world hostage with some free functionality.
The problem with Google is that that functionality is of a grade that it is hard to get around them, Facebook you can do without just fine.
If you care about user privacy, you don't deliberately build a panopticon.
Where is the opt-out for reading GMail content? Or better written: why is the scanning of emails activated by default and not as opt-in? What about the preinstalled Android Google Services, which upload data continuously on Googles' Servers?
While you can't have privacy without security, security by itself does not equal privacy. Not once does this article talk about how Google tracks and records user behaviour on an industrial scale.
When you create a Google account, you're asked to provide your name, your gender, your date of birth, your location and your mobile phone number. Some of your most personal and private details, all of which will now be tied to your online behaviour.
That data capture starts right from school, where millions of students use a cloud-based OS called ChromeOS that records everything they do. It's quite horrible that this is happening - the kids don't even get a say, it's the adults who've decided this.
The G Suite for Education Privacy Notice [1] clearly states that Google collects device information, unique device identifiers, mobile network information (including phone number of the user). Also logged are IP addresses, location information, and app usage using unique application numbers.
Even if this information is detached from individual accounts and aggregated, it equals a phenomenal amount of data captured by Google on millions of students in the US.
And we've seen from Spotify and Netflix how even aggregated data can reveal very private and personal user behaviour.
It's baffling how little scrutiny the company faces, least of all from the tech community who, more often than not, rush to it's defence.
[1] https://gsuite.google.com/terms/education_privacy.html