
Cybersecurity

Google's Rogue WiSpy Invasive Behavior Proliferates -- Security is Google's Achilles Heel -- Part XIII

Evidence continues to mount that Google's management and supervision of its Android operating system is out of control when it comes to protecting privacy and security.

  • Google's corporate ethos that it is better to "ask for forgiveness than permission" increasingly means Android has no privacy by design and hence less security for users by default.
  • Requiring and respecting the need for permission and authorization is a bedrock truism of IT security -- and the evidence below increasingly indicates that Google has a deep aversion to that IT security truism.

Consider the growing pattern of Google's default design and behavior that maximizes collection of private information, which inherently puts users at greater security risk.

 

First, and profoundly disturbing, is a new TechRepublic revelation in a post by security blogger Donovan Colbert.

In setting up his new Android-based tablet, Mr. Colbert discovered that the Android operating system by default, i.e., without permission, automatically collected and implemented encryption key passcodes to automatically gain access to private networks without the permission of the user. In Mr. Colbert's own words:

Top 10 Reasons Google Has Culpability in Gmail Security Breach -- Security is Google Achilles Heel Part XII

Google's deep aversion to accountability was in full view in its blog response to the latest Gmail security breach, in which Google placed almost all of the blame on users and others, while largely trying to absolve Google of its responsibility and accountability in the matter as the world's largest source of private, sensitive and secret information.

Top 10 Reasons Google Has Culpability & Needs More Accountability:

 

My Network World Interview on Google's Privacy & Security

My Network World interview with Ms. Smith, the Privacy and Security Fanatic, about: Search & Destroy Why you can't Trust Google, is here. The link to my book site is here.

Announcing My New Book: Search & Destroy Why You Can't Trust Google Inc.

I've long thought there was a big untold story about Google, essentially a book all about Google, but told from a user's perspective, rather than the well-worn path of Google books told largely from Google's own paternal perspective.

 

 

 

Given that Google is the most ubiquitous, powerful and disruptive company in the world, it seemed logical to me that users, and people affected by Google, had a lot of important and fundamental questions about Google that no book had ever tried to answer in a straightforward and well-defended manner.

Google's Anti-Management Bias Problem

In a remarkable admission for a senior public company executive, Google Chairman and longtime former CEO Eric Schmidt told Gigaom: "At Google, we give the impression of not managing the company, because we don't really. It sort of has its own borg-like quality if you will. It sort of just moves forward."

If the executives ultimately responsible for "managing the company" to ensure it proactively respects users' privacy and vigilantly guards against security and data breaches or property infringement are not really "managing the company," it now makes sense why Google has so many privacy scandals, and security and property infringement problems.

Generally, protecting privacy, security and property rights are not engineering goals unless company management and managers have the internal controls and management focus, systems, processes, and procedures to ensure they are a priority to engineering teams.

Google's lack of interest in management execution is evident in Google's:

 

Google WiSpy II & Privacy Scandal #11 vs. Apple's Respect for Privacy

The current media and Congressional interest in the new revelation that Google and Apple have collected WiFi location information has largely missed an exceptionally salient point -- Google and Apple have very different privacy track records stemming from their very different attitudes toward privacy.

Google Privacy Scandal #11:

DOJ: Google Misrepresents Govt. Security Certification -- Google's Federal Rap Sheet Grows

Google's ignominious Federal rap sheet only grows longer.

 

  • Friday the DOJ effectively charged Google with misrepresentation to the public.
    • Google represented that its cloud service for Government was certified under the Federal Information Security Management Act (FISMA) since last July, when in fact it was not FISMA-certified for the product that Google claimed it was.
  • This latest Google misrepresentation revelation came in a DOJ filing to the Federal Court which is hearing Google's case against the Department of Interior of the U.S. Government:
    • "On December 16, 2010, counsel for the Government learned that, notwithstanding Google's representations to the public at large, its counsel, the GAO and this court... Google does not have FISMA certification for Google Apps for Government."

 

I.   What does this mean?

Key Questions for Google's New CEO Larry Page

When the world's most powerful company gets a new CEO for the first time in a decade, everyone naturally has a lot of questions.

 

  • When new Google CEO Larry Page decides to become accessible to people outside the insular Googleplex, here are some key questions to ask Mr. Page about: priorities, management philosophy, privacy, antitrust, intellectual property, and social responsibility.

 

 

Priorities:

Google's No Privacy by Design Business Model

Popular bipartisan interest in safeguarding consumers' privacy in the U.S. and Europe confronts Google with a core strategic problem because Google's targeted advertising business model is no "privacy by design" and no "privacy by default."

  • Google bet wrong and big in assuming that since technology made it so much easier to track and profile users for targeted advertising, users would just accept the new loss of privacy and users and governments would never enforce user demand for choice to protect their privacy.
  • Google's all-in company bet on openness, transparency, and sharing, was also a strategic bet against robust privacy, security, and property protections.
  • In choosing to brand itself as the penultimate "White Hat" player promoting "openness," Google has effectively designed its business, architecture, and brand to be the main "Black Hat" player on privacy.

 

Google's No Privacy By Design model is unique.

 

Google's Deep Aversion to Permission -- "Security is Google's Achilles Heel" -- Part XI

Google's deep aversion to securing the permission of others before doing something that affects them is central to Google's famed "innovation without permission" ethos. Sadly, it is also the wellspring of Google's infamous privacy and security problems.

Where does Google's deep aversion to permission come from? From Google's founders, Larry Page and Sergey Brin, according to their mentor Terry Winograd, in Ken Auletta's book "Googled."

  • "Winograd describes his former students as impatient: 'Larry and Sergey believe if you try and get everybody on board, it will prevent things from happening. If you just do it, others will come around to realize they were attached to the old ways that were not as good.' The attitude, he said 'is a form of arrogance.'"

 

This week we witnessed the latest high profile example of Google's deep aversion to getting the permission of others.

A few days ago, Google announced that it remotely disabled malware-infected Android applications without the permission of 260,000 Android users who bought or downloaded infected applications from Google's app store.

 
