Be the internet police, not an internet dictator: Google

Summary: Users could be saved from a lot of pain if information security professionals acted like dictators and forced them to patch, update and take precautions, but Google's chief technology advocate has called for a less totalitarian scheme.

TOPICS: AUSCERT, Google, Security

Google's chief technology advocate Michael T Jones has called on information security professionals to band together to better protect the internet, and to follow Google's own example of "policing" it.

Michael T Jones. Photo by Michael Lee/ZDNet

Speaking at AusCERT 2013 at the Gold Coast, Queensland on Wednesday, Jones said that information security professionals could protect others by first ensuring that there are never security problems in the first place, but failing that, they needed to either tell their users what to do, or do it for them.

He pointed to the example of Google rolling out two-factor authentication, saying that the company almost "badgers" users to implement the additional security measure. The results haven't been particularly promising, with 20 to 30 percent of users having activated the measure, but given the number of Google account holders, Jones said that is still a large number of people.

When asked why Google doesn't simply make two-factor authentication mandatory, Jones said that he feared Google would lose too many customers and it was better to start doing things for its more insecure users, rather than telling them what to do.

"If you didn't want to use two-factor authentication and we said you must use two-factor authentication, you'd just go somewhere else. We don't want you to go away. If you're not going to use it, you might as well still stick with us and we'll do other things for you."

This is apparent in Google implementing HTTPS by default and attempting to prevent users from being harmed by sites hosting malicious content. Recognising that its search results are a significant entry point to websites, the web giant informs users if the site they are trying to access could harm their computer.

Jones called for more information security professionals to interact this way, even if it meant getting in the way of the user experience with warning screens, if they absolutely knew that the resulting action would be catastrophic.

"We take you to a full-red screen with a dialog in the middle ... and it says, 'Look, don't go here. It's a mistake! Whatever you think is there, it's not worth it. You think it's a ringtone? It's going to rape you!'"

But Jones acknowledged that Google isn't meant to be a web dictator and it can't get in the way of people who intentionally want to harm themselves.

"You can still go there, but we beseech you not to go there."

"We can be like a policeman in the intersection saying, 'Drive nicely. Let her go through.'"

Jones said that even though information security professionals may not have authority, they could still interject themselves at certain points to protect users.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.


Talkback

7 comments
  • The Best Security Advice Would be Not to Use Google Services

    Even with 2 factor authentication Google will still index your personal information and sell it.
    Patrickgood1
    • Google does not sell your information.

      And "Patrickgood1", you are either mistaken, or lying, to say they do.

      What Google does is use information about you to display ads that are relevant to you. Google doesn't even give your information to the advertisers.
      torreyh
      • A reference for that: http://www.google.com/policies/technologies/

        Search for the word "sell" on http://www.google.com/policies/technologies/

        Or better yet read the whole thing. But you'll find this very clear statement: "We don’t sell users’ personal information."
        torreyh
      • You Fell for Their Deception

        http://www.google.com/policies/technologies/ is not their Privacy Statement or Terms of Service. It is one of many smoke screens.

        Selling your personal info is not the worst. For example they define how they require your opt-in consent to distribute to 3rd parties your sensitive personal information.

        So you cannot deny they collect sensitive personal information. All it takes is a subpoena for someone to get access to your sensitive personal information.


        On http://www.google.com/policies/privacy/
        They say:

        With your consent
        We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

        Take note of in the above, the phrase "when we have your consent to do so"

        They define Sensitive personal information

        Sensitive personal information
        This is a particular category of personal information relating to confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.

        Google is a master of deception. You have to read multiple documents to put it all together. There are many layers to their policies required to connect the dots. They make navigation between the documents containing the dots difficult.

        How does Google get your consent? By you using any Google product or service.

        Example from: http://www.google.com/policies/terms/

        When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

        They saved distribute for last hoping you will not make it to the end.


        Example Chrome Terms,
        2.1 (B) shows how you consent. By using the service.

        http://www.google.com/chrome/intl/en/eula_text.html

        2.1 In order to use the Services, you must first agree to the Terms. You may not use the Services if you do not accept the Terms.

        2.2 You can accept the Terms by:

        (A) clicking to accept or agree to the Terms, where this option is made available to you by Google in the user interface for any Service; or

        (B) by actually using the Services. In this case, you understand and agree that Google will treat your use of the Services as acceptance of the Terms from that point onwards.

        6.2 You agree to the use of your data in accordance with Google’s privacy policies.

        In what ways do you submit content?

        In yet another document:
        https://www.google.com/intl/en/chrome/browser/privacy/

        If you use the Translate feature of Chrome, it will send the text you choose to be translated to Google for translation.

        send = submit

        If you use the Spellcheck feature of Chrome, which lets you use the same technology used in Google search to check your spelling, it will send the text you type to Google for spelling and grammar suggestions.

        Chrome tries to avoid sending information that identifies you personally.

        Whenever someone says to me they will try, I know they are lying. Otherwise they would have left out the word try.

        I could go on and on and on.
        Patrickgood1
  • Bad on Patrick

    Lengthy misleading spins are unlikely to be read. Try a jingle.
    jnffarrell
    • @jnffarrell Guess You Will Never Know If You Do Not Read It

      If you didn't read it, how do you conclude misleading spins?
      Patrickgood1
      • I haven't tried crack

        But I know it's bad.
        Funkmonkey