Be the internet police, not an internet dictator: Google

Users could be saved from a lot of pain if information security professionals acted like dictators and forced them to patch, update and take precautions, but Google's chief technology advocate has called for a less totalitarian scheme.

Google's chief technology advocate Michael T Jones has called on information security professionals to band together to better protect the internet, and to follow Google's own example of "policing" it.

Michael T Jones. Photo by Michael Lee/ZDNet

Speaking at AusCERT 2013 at the Gold Coast, Queensland on Wednesday, Jones said that information security professionals could protect others by first ensuring that there are never security problems in the first place, but failing that, they needed to either tell their users what to do, or do it for them.

He pointed to the example of Google rolling out two-factor authentication, saying that the company almost "badgers" users to implement the additional security measure. The results haven't been particularly promising — 20 to 30 percent of users have activated the measure — but given the number of Google account holders, Jones said that is still a large number of people.

When asked why Google doesn't simply make two-factor authentication mandatory, Jones said that he feared Google would lose too many customers and it was better to start doing things for its more insecure users, rather than telling them what to do.

"If you didn't want to use two-factor authentication and we said you must use two-factor authentication, you'd just go somewhere else. We don't want you to go away. If you're not going to use it, you might as well still stick with us and we'll do other things for you."

This is apparent in Google implementing HTTPS by default and attempting to prevent users from being harmed by sites hosting malicious content. Recognising that its search results are a significant entry point to websites, the web giant informs users if the site they are trying to access could harm their computer.

Jones called for more information security professionals to interact this way, even if it meant getting in the way of the user experience with warning screens, if they absolutely knew that the resulting action would be catastrophic.

"We take you to a full-red screen with a dialog in the middle ... and it says, 'Look, don't go here. It's a mistake! Whatever you think is there, it's not worth it. You think it's a ringtone? It's going to rape you!'"

But Jones acknowledged that Google isn't meant to be a web dictator and it can't get in the way of people who intentionally want to harm themselves.

"You can still go there, but we beseech you not to go there."

"We can be like a policeman in the intersection saying, 'Drive nicely. Let her go through.'"

Jones said that even though information security professionals may not have authority, they could still interject themselves at certain points to protect users.