While a well-positioned façade of a castle can create the illusion of a fully-fortified castle, real people’s data requires more than the illusion of security; it requires real data-protection-security.
Google’s outsize ability to create the illusion of data-protection-security is particularly apt given that Eran Feigenbaum is Google Apps Security Director by day, and also a professional magician/illusionist by night.
Consider two public additions to Google’s security façade and well-crafted illusion of data-protection-security. First, Google’s announcement of two Google-paid security audits designed to “show its cloud, business and education customers that data protection are its top priority.”And second, a recent Google decision to make a website’s use of data-encryption a ranking signal in its search algorithm, in order to signal that Google takes security and data protection seriously.
Why are these security announcements more about illusion than reality?
Consider the new evidence of Google’s data-protection failures from just the last few weeks.
1) Google thwarts users from protecting their privacy/security.
Last week, Google banned the privacy/security app “Disconnect Mobile” from the Google Play store per the WSJ. EFF, a leading privacy and civil liberties watchdog explained “By doing so, Google has shown once again that it cares more about allowing third-parties to monetize the tracking of its users than about allowing those users to ensure their own security and privacy. The banned app, Disconnect Mobile, is designed to stop non-consensual third party trackers on Android…”
This Google effective override of a user’s right to opt-out of Android tracking of their behavior, is eerily similar to Google’s 2012 illegal hacking of the iPhone to bypass Apple users’ privacy and security settings to deliver Google ads to Apple’s customers.
The FTC fined Google $22m for breaking the FTC-Google-Buzz enforcement decree that legally requires Google to live up to its public privacy promises that allow users to opt-out of tracking. (If the FTC does not look into this latest Google privacy misrepresentation, it would be the seventh enforcement issue where the FTC is AWOL on Google.)
2) Federal law enforcement warned businesses that “malicious cyber actors” are using Google’s advanced search techniques to efficiently discover hidden business-site vulnerabilities to hack.
The Department of Homeland Security and the FBI have put out a warning to businesses that are being hacked that a hacker-practice dubbed “Google Dorking,” uses Google advanced search techniques to efficiently find vulnerabilities in their sites that many hackers would never be able to find on their own without the powerful combination Google advanced search techniques and Google’s maximal search engine that crawls 60 trillion unique URLs.
3) Gmail can be hacked with 92% success.
Since Google is a “mobile first” company commanding the world’s dominant ecosystem, it is telling that security researchers announced a couple of weeks ago that 7 popular Android apps were very easy to hack. For example they could hack into Gmail with a 92% success rate and Android apps for Chase Bank 83%; WebMD 85%; and H&R Block 92% -- per CNBC.
This suggests that the mobile side of the supposed Google fortified-castle is made of screen doors and paper-mache. Tellingly, Google’s Android Chief Sundar Pichai told a French audience earlier this year, that: "We do not guarantee that Android is designed to be safe; its format was designed to give more freedom.”
4) DOD won’t certify Android for security.
It is also telling that the U.S. Department of Defense has authorized Bring Your Own Device (BYOD) for devices using Blackberry, Windows, and iPhone operating systems but not for Android per The Hill.
5) “A Google site meant to protect you is helping hackers attack you”per Wired.
Brandon Dixon, an independent security researcher, has caught hackers and nation-state-spies using Google’s free online anti-virus tool, VirusTotal, which “aggregates three dozen antivirus scanners.” Wired reports the scary irony that “the site, meant to protect us from hackers, also inadvertently provides hackers the opportunity to tweak and test their code until it bypasses the site’s suite of antivirus tools.”
Google’s lax security policy is effectively “trust and don’t verify” because it delegates responsibility to others to discover Google’s security problems, rather than Google taking responsibility to try and proactively find them before others do. Thus it is not surprising that Google’s lax security approach has perversely enabled bad actors to use Google’s mission to “organize the world’s information and make it universally accessible and useful,” to more efficiently and effectively attack more Internet users with more pernicious malware than they ever could do by themselves.
6) Android is ransom ware’s favorite fraud target. Last month the NY Times spotlighted that Android phones are the primary target for ransom ware where hackers take over your device and hold your data hostage until you pay to get it back.
7) There are sadly many more examples of Google’s data-protection failures.
These latest six instances above, from just the last few weeks, are just a recent glimpse of a consistent and long established pattern of Google-Android data protection failures. Please see Precursor’s Google-Android’s Data Protection Failures report from last month, which shows 16 failures in the first half of 2014, after 23 in all of 2013. It includes security research findings from Cisco, Symantec, Juniper, EFF, F-Secure, BlueBox Security, Zscaler, FireEye, Lookout, Info Security, among others.
In sum, the only thing worse than the most dominant Internet Company having an irresponsibly-lax approach to security, is that company knowingly creating the deceptive public illusion that it is secure and responsible about data protection when it knows full well that it is not.
***
Security is Google's Achilles Heel Research Series
Part 1: Why security is Google's Achilles heel [7-8-09]
Part 2: Google values security much less than others do [7-16-09]
Part 3: Google: "Security is part of our DNA" (Do Not Ask) [7-28-09]
Part 4: Why Security is Google's Achilles Heel [8-12-09]
Part 5: Google Apps Security Chief is a magician/mentalist [1-5-10]
Part 6: Google-China: Implications for Cybersecurity [1-13-10]
Part 7: Did Google Over-React to China Cybersecurity Breach? [3-3-10]
Part 8: Google's Titanic Security Flaws [4-22-10]
Part 9: A Google Android Botnet Problem [11-12-10]
Part 10: Google's Deep Aversion to Permission [3-10-11]
Part 11: Top Ten Reasons Google Has Culpability in the Gmail Data Breach [6-3-11]
Part 12: Google's Culture of Unaccountability in its Own Words [8-1-12]
Part 13: Google's Privacy Rap Sheet: Fact-Checking Google's Claims on Privacy [3-13-13]
Part 14: Why Google is America's Cyber-Security Achilles Heel [5-29-13]
Part 15: Google-Android Dominates by Cheating Data Protection [8-4-14]
