Google 21st Century Robber Baron
September 19, 2011
See my Forbes post “Google 21st Century Robber Baron” which briefly tells the story of Google’s Robber Baron rap sheet, in advance of Google’s Wednesday Senate antitrust hearing.
The post is documented with 79 links to the supporting evidence.
The post also explains why Google’s Board of Directors have been AWOL while all this scofflaw behavior has been going on.
Google’s Rogue WiSpy Invasive Behavior Proliferates — Security is Google’s Achilles Heel — Part XIII
June 17, 2011
Evidence continues to mount that Google’s management and supervision of its Android operating system is out-of-control when it comes to protecting privacy and security.
- Google’s corporate ethos that it is better to “ask for forgiveness than permission” increasingly means Android has no privacy by design and hence less security for users by default.
- Requiring and respecting the need for permission and authorization is a bedrock truism of IT security — and the evidence below increasingly indicates that Google has a deep aversion to that IT security truism.
Consider the growing pattern of Google’s default design and behavior that maximizes collection of private information, which inherently puts users at greater security risk.
First, and profoundly disturbing, is a new TechRepublic revelation in a post by security blogger Donovan Colbert.
In setting up his new Android-based tablet, Mr. Colbert discovered that the Android operating system by default, i.e. without permission, automatically collected and implemented encryption key passcodes to automatically gain access to private networks without the permission of the user. In Mr. Colbert’s own words:
- “Google is not only storing a list of what hotspots you have visited, but any private encryption keys necessary to connect to those hotspots in the cloud.”
- “The idea that every Android device connects with that access point shares our private corporate access keys with Google is pretty unacceptable.”
- “Honestly if there is any data that shouldn’t be harvested, stored and synched automatically between devices, it is encryption keys, passcodes and passwords.”
Second, we learned from WSJ privacy reporting that Google Android tracked users’ location a thousand times a day without the users’ meaningful permission.
- This Google “no privacy by design” revelation prompted congressional hearings, the scandal moniker “locationgate,” and new legislation from Senators Franken and Blumenthal.
Finally, how does this pattern involve the WiSpy scandal of Google being caught wardriving tens of millions of homes, in over thirty countries, for over three years, eavesdropping on unencrypted home WiFi routers and recording all signals, including emails and passwords?
As you may remember, Google said that systematic eavesdropping on citizens was the mistake of one engineer, and not at all sanctioned by the company at large.
Here is Google’s 5-14-10 official story:
- “So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.”
However, if Google was being forthright that its Android effort indeed did not want to collect the maximum private information possible by default, why did Google mobile engineering manager Dave Burke tell the Guardian on 1-29-08 the following, which shows it was obviously Google’s policy to collect the most WiFi information possible…
- “If you’re going to concentrate on location you want every bit of data you can…”
- “…Cell ID is one location, the address of your Wi-Fi access point is another. The end result is that we want the user to have the best possible experience, and we’ll do whatever it takes to get it … to us they’re just network signals and we’re interested in all of them.”
- The big takeaway here is that Google’s corporate priority is to collect the maximum amount of information by most any means, without meaningful permission or authorization, as fast as possible.
- This means that Google effectively has a “no privacy by design” approach to privacy, and that security is a lesser priority at Google.
***
Previous parts of the “Security is Google’s Achilles Heel” Series:
- Part I: “Why security is Google’s Achilles heel”
- Part II: “Google values security much less than others do”
- Part III: “Google: ‘Security is part of our DNA’ (Do Not Ask)”
- Part IV: “Why Security is Google’s Achilles Heel”
- Part V: “Google Apps Security Chief is a magician/mentalist”
- Part VI: “Google-China: Implications for Cybersecurity”
- Part VII: “Did Google Over-React to China Cybersecurity Breach?”
- Part IX: “Google’s Titanic Security Flaws”
- Part X: “A Google Android Botnet Problem”
- Part XI: “Google’s Deep Aversion to Permission”
- Part XII: “Top Ten Reasons Google Has Culpability in the Gmail Data Breach”
For even more information, see the Security section of PrecursorBlog’s sister site: www.GoogleMonitor.com; or read the “Security is Google’s Achilles Heel” chapter of my book: Search & Destroy Why You Can’t Trust Google Inc. at www.SearchAndDestroyBook.com.
Top 10 Reasons Google Has Culpability in Gmail Security Breach — Security is Google Achilles Heel Part XII
June 3, 2011
Google’s deep aversion to accountability was in full view in its blog response to the latest gmail security breach, in which Google placed most all of the blame on users and others, while largely trying to absolve Google of its responsibility and accountability in the matter as the world’s largest source of private, sensitive and secret information.
Top 10 Reasons Google Has Culpability & Needs More Accountability:
- No other entity has a mission to “organize the world’s information and make it universally accessible and useful.” This gives Google a unique responsibility to aspire to be the world’s leader in information security.
- No other entity actually collects all the world’s information, making mirror copies of the entire Internet many times daily involving 5 exabytes of data every two days, the amount of information created between the beginning of time and 2003.
- No other entity stores all of its information in one unified “BigTable” database eschewing the normal security protocol of compartmentalizing information to prevent catastrophic universal data breaches.
- No other entity so plainly and corporately prioritizes speed and efficiency of accessing data over the security, privacy, and other internal controls of data.
- No other Fortune 500 company so officially relies on the crowd sourcing of their non-expert users and others to be their primary line of security defense, rather than taking corporate responsibility for maximizing the security of the information and people entrusted to safekeeping and protection at Google.
- No other entity universalizes its password access to more products and services (more than 500) than Google, a practice Google Security expert Greg Conti describes as a “single point of failure” problem.
- No other entity that we know of has had their entire password security code stolen wholesale by hackers like Google has — per John Markoff’s front page expose in the New York Times. This is relevant given Google’s representations to the public that “it is important to stress that our internal systems have not been affected — these account hijackings were not the result of a security problem with gmail itself.”
- No other entity has made more personal profiles (35 million Google Profiles) publicly accessible for easy downloading by hackers to effectively aid and abet spear phishers than Google, per a recent study by University of Amsterdam PhD student Matthijs R. Koot. This is relevant to this latest gmail security breach because it was spear-phishing-driven.
- No other entity has been accused by the U.S. Department of Justice in court documents of publicly misrepresenting that a suite of Google software that is related to gmail was FISMA certified. This is relevant here because Google misled that it was security-compliant with the Federal Information Security Management Act when it was not, which could have led Government employees who used gmail, and were compromised by the latest gmail breach, to believe they were secure in using gmail when they were not.
- And the most disturbing reason of all, Google is the only entity in the world to decide at the highest executive levels to index Julian Assange’s Wikileaks stolen cables and make them universally accessible and useful to bad actors, terrorists, crooks and hackers like the ones in the latest gmail breach of senior U.S. Government officials.
- (This is highly relevant in this case because spear phishing depends on learning intimate, accurate details of groups and their communications about secret information that would enable a hacker to successfully and fraudulently misrepresent themselves to gain officials’ trust, which would not have happened but for the hackers’ knowledge of secret Wikileaks documents made available by Google search.)
In sum, not only is Google not taking responsibility and accountability for its users’ security like one would expect any top brand and purported good corporate citizen to do, Google has made a series of strategic and tactical corporate decisions that have systematically and materially facilitated the success of security breaches like the one that occurred this week with gmail.
- Most troubling of all is the fact that Google’s willful disregard for national security secrets, confidential sensitive government communications, and privacy, in deciding at the highest levels to make Julian Assange’s Wikileaks stolen cables universally accessible and useful to hackers like the ones that hacked Google’s gmail, appears to potentially have aided and abetted our Nation’s enemies in compromising our national security.
- At a minimum, appropriate oversight by inspectors general and Congressional Oversight Committees should want to investigate the connection between this latest gmail spear-phishing attack and the stolen government cables released by WikiLeaks and publicly indexed by Google’s search engine.
- The purpose of this oversight would be to bring accountability to the situation, and to help prevent future gmail or other data breaches to the best extent possible.
***
I’ve long thought there was a big untold story about Google, essentially a book all about Google, but told from a user’s perspective, rather than the well-worn path of Google books told largely from Google’s own paternal perspective.
(You can buy the book, Search & Destroy Why You Can’t Trust Google Inc. at www.SearchAndDestroyBook.com, Telescope Books, Amazon, Kindle, Kindle Apps, Barnes & Noble, The Nook, and The Nook Apps.)
Given that Google is the most ubiquitous, powerful and disruptive company in the world, it seemed logical to me that users, and people affected by Google, had a lot of important and fundamental questions about Google that no book had ever tried to answer in a straightforward and well-defended manner.
- Questions like:
- Can I trust Google with my information?
- Does Google respect my privacy?
- Does Google respect others’ property?
- Is security a priority for Google?
- Is Google as ethical as it claims to be?
- Is Google dominating what information people access?
- Does Google have a hidden political agenda?
- Where is the Google juggernaut taking us?
- Do we want to go there? and if not,
- What can be done about it?
- Search & Destroy Why You Can’t Trust Google Inc. answers these questions based on the facts.
- I believe anyone who reads the book won’t be able to look at Google Inc. the same way again.
- I also believe the book stands on its own.
- After four years of research, 726 endnotes, and over 150 quotes from Google executives, the evidence and case is overwhelming that most people’s trust in Google Inc. is seriously misplaced.
You can find out more about the book, what people are saying about it, news and interviews about the book, and all the places you can buy it, at www.SearchAndDestroyBook.com.
- My outstanding co-author and publisher is Ira Brodsky of Telescope Books.
Below is a summary of the book from the book jacket to give you a better sense of what the book is all about.
“This is the other side of the Google story—the unauthorized book that Google does not want you to read. In Search & Destroy, Google expert Scott Cleland shows that the world’s most powerful company is not who it pretends to be.
Google pretends to be a harmless lamb, but chose a full-size model of a Tyrannosaurus Rex as its mascot. Beware the T-Rex in sheep’s clothing.
Google has acquired far more information, both public and private, and has invented more ways to use it, than anyone in history. Information is power, and in Google’s case, it’s the power to influence and control virtually everything the Internet touches. Google’s power is largely unchecked, unaccountable—and grossly underestimated. Google is the Internet’s lone superpower—the new master of the digital information universe. And Google’s power depends almost entirely on the blind trust it has gained through masterful duplicity. Google routinely says one thing and does another.
Cleland proves the world’s #1 brand untrustworthy. He exposes the unethical company hiding behind a “don’t be evil” slogan. He uncovers Google’s hidden political agenda. And he reveals how Google’s famed mission to organize the world’s information is destructive and wrong. Cleland is the first to critically examine where Google is leading us, explain why we don’t want to go there, and propose straightforward solutions.
Google’s unprecedented centralization of power over the world’s information is corrupting both Google and the Internet—a natural result of unchecked power. Google is evolving from an information servant to master—from working for users, to making users work for the Internet behemoth.
Search & Destroy conclusively demonstrates that Google’s goal is to change the world by influencing and controlling information access. Ultimately, Google’s immense unchecked power is destructive precisely because Google is so shockingly-political, unethical and untrustworthy.”
I look forward to your feedback on my new book: Search & Destroy Why You Can’t Trust Google Inc., and would greatly appreciate you sharing this link with your friends and colleagues. Thank you!
How business models are aligned or not with users’ privacy interests will be spotlighted at the Senate Judiciary hearing Tuesday on “Protecting Mobile Privacy” featuring Google and Apple officials as witnesses.
- Expect the term “privacy conflict of interest” to become more common and important as companies who don’t work for users hurtle into the future increasingly tracking, analyzing and using users’ private information and behavior without users’ meaningful consent.
While the Senate Subcommittee on Privacy will hear from both Google and Apple witnesses on how their companies handle users’ WiFi location data, their testimony will provide stark contrast in the companies’ privacy conflicts of interests.
Google vs Apple concerning alignment with users’ interests:
First, 97% of Google’s ~$30b in annual revenues comes from advertisers, whereas ~99% of Apple’s ~$87b in annual revenue comes directly from customers who buy and use Apple’s products and services.
- Simply, Google works for advertisers whose business interest is to exploit users’ privacy to create more effective ads, while Apple’s business interest is to best serve their customers so their paying customers remain their paying customers.
- Google’s business model has a massive inherent privacy conflict of interest, while Apple’s business model is aligned with customers.
Second, Google has no customer service or retail outlets to serve users because they don’t work for users, whereas Apple has a large customer service operation and hundreds of consumer-friendly retail stores.
Third, concerning the WiFi location information at question in the hearing, Google Android devices send location information on users back to Google’s data centers roughly a thousand times a day, where it is integrated with other private information as part of an extensive user advertising profile.
- On the other hand, Apple stored the location information on the user’s device, not back at Apple’s data centers.
Fourth, concerning the propriety of tracking mobile device users without their meaningful permission, Google’s position communicated by spokespeople is that Google does not track individuals (because it anonymizes the data), and Google allows users to opt out.
- In stark contrast, Apple’s CEO Steve Jobs explicitly asserted “we don’t track anyone” and that Apple has no intention to track users, and that they will quickly issue a software update to fix “the bug” that had created and saved location data on users’ devices.
- Simply, Google’s response is we have done nothing wrong and are not doing anything about it, while Apple readily acknowledged they screwed up and were fully committed to fixing it as rapidly as possible.
Lastly, Google is the only major browser provider that opposes Do Not Track legislation — such as has been passed in the California Senate Committee, such as Senate Commerce Chairman Rockefeller is introducing next week, and such as Congressmen Barton and Markey plan to introduce in the House — whereas Apple offers a Do Not Track capability on its Safari browser like all other major browser providers do.
In sum, this latest Google privacy scandal, WiSpy II, and the Senate hearing that will spotlight it for the public, puts the concept of “privacy conflict of interest” at center stage of the privacy debate.
The starkly different Google and Apple business model examples show that who a company works for drives whether it is in that company’s business interest to disrespect or respect users’ privacy.
- At a minimum, companies like Google, which have inherent privacy conflicts of interest, have a much greater responsibility to fairly represent their business interests and privacy conflicts to consumers.
- Tellingly, Google’s privacy conflicts of interest appear to be part of the reason the FTC charged Google with “deceptive privacy practices” in March.
In a word, who would you more likely trust with your privacy? A company you don’t pay at all, or a company that you pay a lot?