You are here

Google's Deep Aversion to Permission -- "Security is Google's Achilles Heel" -- Part XI

Google's deep aversion to securing the permission of others before doing something that affects them is central to Google's famed "innovation without permission" ethos. Sadly, it is also the wellspring of Google's infamous privacy and security problems.

Where does Google's deep aversion to permission come from? From Google's founders, Larry Page and Sergey Brin, according to their mentor Terry Winograd, in Ken Auletta's book "Googled."

  • "Winograd describes his former students as impatient: 'Larry and Sergey believe if you try and get everybody on board, it will prevent things from happening. If you just do it, others will come around to realize they were attached to the old ways that were not as good.' The attitude, he said 'is a form of arrogance.'"


This week we witnessed the latest high profile example of Google's deep aversion to getting the permission of others.

A few days ago, Google announced that it remotely disabled malware-infected Android applications without the permission of 260,000 Android users who bought or downloaded infected applications from Google's app store.


  • This is significant because Google is the only major company that remotely modifies its software on users devices without the affirmative permission of the user or owner of the device.
    • Other companies responsibly employ a permission-based protocol on a device as a necessary and responsible user security line of defense against malware and bad actors.


This lack of permission in remotely taking back what a user bought at ones store would be like if representatives of Best Buy walked into your house unannounced and without permission, rummaged around to find what they were looking for, and then took back some of the products you had bought from Best Buy.

  • It appears Google's definition of "openness" means Google need not respect any closed doors, or normal boundaries of others' privacy, property or sovereignty.
  • This Google assumption of no permission for entry is troublesome because what is to stop Google from remotely peeping on a person's device like the Google engineer did who stalked and taunted teenagers?
  • Google's first use of its remote snooping and retrieval open window into all Android devices begs the question, what information exactly does Google take and record from Android devices?
  • Simply, how "open" are Android devices to Google's remote intervention without a user's authorization?


Ironically, Google's aversion to permission was also a big cause of Google's security problem this week. Amazingly, Google's app store still does not review or approve applications before they are offered in the store to the public -- like Apple and others responsibly do.


  • Google's aversion to having developers ask Google for permission to offer apps to users that can be infected with dangerous and harmful malware, would be like an airport that did not believe that people should have to ask for permission to get on an airplane because requiring a passport/ID or a physical examination of their bags for bombs or weapons -- would not be "open."
    • Clearly openness comes before security for Google; and that may be good for Google but not good for Google users.


Interestingly, we learned something else this week from All things Digital that Google does without asking anyone's permission and that puts users in greater danger to identity theft or phishing fraud.

Google is now actively engaging in identity aggregation and creating "AuthorRanks" (Google's euphemism for a user profile/social graph) without permission -- in order to better compete with Facebook.


  • Remember in September when Google CEO Schmidt creepily warned that if Facebook did not give Google's search engines crawling access to the private Facebook data they wanted, they had other unmentioned means to get that social graph information on users?
  • Well now Google has told us how they are able to target users based on their social graph like Facebook does.
  • Please see Liz Gannes excellent piece in All Things Digital on this, where Google's rep said:
    • "We actually do try to map to one true person... the more we can do to associate content to one person, the better... ...we measure everything at Google."
  • The security implications of this are obvious. Google has long been the biggest target for hackers, phishers and fraudsters, and now Google has the best user profiles in the world to steal to use for fraud and other bad acts. (And per a front page New York Times story, we know that Google's entire password system of security was hacked and stolen in late 2009.)
    • Google now has probably the most complete and valuable user profiles on people in the world -- and all done without the users' permission.


There are other high-profile examples of how Google's aversion to permission has played out and has put users' at greater risk to harm.


  • Google's conscious decision to make all Wikileaks stolen documents available to the world via Google search without asking any of the owners of that private or secret information for permission put untold lives at risk around the world.
  • Google's Streetview videographing of peoples homes without permission has created privacy and security consternation in most all countries Google has videographed.
  • Google's WiSpy recording of everyones WiFi private communications without permission of the people affected, may be the most high profile example of what happens when Google puts others at risk for its gain without their permission.


In sum, there are obvious privacy and security reasons why societies expect that if one is going to negatively affect or endanger another by ones actions, one needs to get their permission first so that the person affected can decide if they are willing or able to accept the risk involved.

Google's business assumption and standard practice that they largely do not need the permission of others is reckless and irresponsible, and may make Google the  Internet's worst security menace.






Previous parts of the "Security is Google's Achilles Heel" Series:


  • Part I: "Why security is Google's Achilles heel"
  • Part II: "Google values security much less than others do"
  • Part III: "Google: "Security is part of our DNA" (Do Not Ask)
  • Part IV: "Why Security is Google's Achilles Heel"
  • Part V: "Google Apps Security Chief is a magician/mentalist"
  • Part VI: "Google-China: Implications for Cybersecurity"
  • Part VII: "Did Google Over-React to China Cybersecurity Breach?"
  • Part IX: "Google's Titanic Security Flaws"
  • Part X: : "A Google Android Botnet Problem"


For even more information, see the Security section of PrecursorBlog's sister site: