Google Building Privacy Red Team 92
Trailrunner7 writes "Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."
Netflix has ChaosMonkey (Score:3)
Re: (Score:3)
But doesn't ChaosMonkey [informationweek.com] concentrate on trying to break content delivery rather than security breaches?
After all Netflix record isn't exactly stellar [proskauer.com] on privacy issues.
Re:Netflix has ChaosMonkey (Score:5, Funny)
Re: (Score:1)
Ambulance driving gets drunk-tested all the time. It's called a "use-case".
Re:Oh god... make them stop, please. (Score:5, Insightful)
There is, you just have to take steps to preserve yours, which most people don't do.
And the rampant privacy violations that happen by default exist because people don't care about their privacy. If they did, engaging in such practices would put companies out of business. But people actively support this world, where everything they do is tracked. Such drastic measures to preserve privacy would not be necessary if more people cared about not living in a Panopticon.
Re:Oh god... make them stop, please. (Score:5, Insightful)
I agree, and think Google is on the right track here.
I suspect they are starting to see the backlash against easily broken security, and are starting to do something about it.
This is really amazing when you stop and think that they have most to gain by learning all your habits (or at least the "Hate Google First" rabble would have you believe.
The iCloud meltdown preceded by the never ending follies of facebook probably told Google it was time to test their own stuff rather than wait for the storm to hit home. They are well ahead of the game with two factor authentication. Now if they could just add Zero Knowledge encryption techniques to their Google Drive they could be giving even more assurance they weren't out to market anything more about you than what is already public record.
I would love to have stuff backed up in the cloud, but as it is, the only cloud I trust is SpiderOak.
Re:Oh god... make them stop, please. (Score:4, Insightful)
I think the ridiculous thing is that my email and phone account is orders of magnitude safer than my bank account.
Google's security is already miles beyond the average website, it's banks I want to see get into the 21st century. I should be able to use top-notch encryption techniques if I so desired, instead of an 8-character password coupled with questions for which anybody could find answers if they even vaguely knew me.
Re: (Score:3)
Re: (Score:1)
Strings of characters? Hahahahahahah. At my bank, the questions are chosen from a drop-down box, and the answers are chosen from a drop-down box. So if the question is "What model year was your first car", the answer choices are "2000-2010", "1990-2000", "1980-1990", "1970-1980", "1960-1970", "1950-1960", "1940-1950", or "1930-1940". That's a real example; I'm not making that shit up. Even if I pick randomly, there's, what, three bits of entropy there? It's goddamn embarassing; I'm thinking of switching ban
Re: (Score:2)
This is a CYA case, done for liability-- not for love of privacy. If they envisioned respect for privacy, they wouldn't have their draconian Terms of Service, which gives them the right to read your mail, watch where you go, and otherwise digest and analyze all facets of your interaction with them.
Make no mistake about apparent altruism. This is their legal department saying: seal up the holes, then twisted by PR to make them look like good guys. Right track? Any organization should have systems security an
Re: (Score:2)
Re: (Score:2)
Voting with your wallet only works in a competitive environment.
There's probably also that violating your privacy is worth it in terms of higher premiums commanded on ad dollars.
Protecting a walled garden isn't easy when there's oil under it.
Re: (Score:2)
Google pissed off the politicians.
That is why everyone does it but only google gets in trouble.
Re: (Score:1)
When their entire business model involves a suite of free services and applications that filter down and commoditize users' viewing habits and usage metrics, information security becomes even more important. As much as I don't really appreciate Google having this information themselves (and obviously sharing with vetted partners I might
Comment removed (Score:4, Insightful)
Re: (Score:3, Informative)
And that is exactly what I wanted to say. I'm more worried about Google than anyone else.
Long live Adblock and Ghostery.
Re: (Score:3)
Re:I think... (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3)
That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.
Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.
Nah, the thing is th
Re: (Score:2)
Re: (Score:2)
Ads? Oh you mean those things most people who care about Google's intrusive practices have already blocked, alongside all scripts from blacklisted domains?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Unfortunately Ghostery and/or Adblock are not always an option.
My bank (ABN-AMRO) has recently updated their website and with that added Omniture tracking to all pages. If you use Ghostery (as I do) the site just stops functioning entirely and the entire Internet banking system doesn't work anymore.
So unless I permit Omniture to see everything what I am doing and effectively giving them access to my bank account including transferring money to other accounts... I cannot access my Internet banking system any
Hyperbole (Score:5, Insightful)
Yes, because it is much worse for Google to know I prefer a BMW to a Toyota and serve me ads appropriately, vs. having someone use the same information to steal my identity, take out a second mortgage on my home, and leave me destitute.
You can take my house, but PLEASE don't ask me what my car preference is!
Can we tone down the hyperbole please? Comparing using personal data for marketing vs. using it to steal from innocents is just stupid.
Re: (Score:2)
Re: (Score:3, Insightful)
You shouldn't be concerned about Google. This data is Google's most valuable possession, and the company's entire value is dependent upon that data staying in the company. Google is the producer and consumer of the data, and they're not going to let it out. Google (and everyone in charge there) also has a strong sense of ethics, and while some things have gone wrong, their record is still pretty stellar.
Who you SHOULD be worried about are the companies that exist solely to collect and sell information. They
Re: (Score:1)
Re: (Score:2)
"...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it."
Yes. It isn't privacy "vulnerabilities" we should care about so much with Google, but the privacy losses that are inherent in their business model.
Re: (Score:1)
No, we need more vespene gas.
I'll settle for gold pressed latinum.
Re: (Score:2)
to hell with the latinum, I want "Q" to loan me his powers for an hour
Re: (Score:3)
He did, but the continuum set it right again. He's currently being punished by having his powers suspended, and being forced to work at the DMV.
(It was the less horrible punishment they offered. The other was signing autographs at a startrek convention.)
And I thought it was the EU and Canada fines (Score:2, Insightful)
And here I thought, silly me, that it was the massive fines by the EU and Canadian regulators as to their practices that caused this change.
Never mind.
I'm sure they're doing it for the reason you say.
Intentional vs. Unintentional (Score:4, Interesting)
The fine referenced in the summary was an intentional violation of privacy, at least from what I understand. It sounds like the point of the red team is to find unintentional security flaws that may cause privacy risks. That's good and all, but it really doesn't address the issue that the article and summary are pretending to address.
Re:Intentional vs. Unintentional (Score:5, Insightful)
Google is big. It's also a way to find ways the left hand is intentionally violating privacy, that the right hand doesn't know about. In big companies, decisions that could potentially impact privacy are made by people who don't necessarily have the awareness of legislation that lets them know they're opening the company to liability by doing what they're doing - they're just trying to get their project off the ground. The potential privacy violation doesn't percolate up to the top where people who know the sort of poo the company could get into by doing it actually hear of it.
Re:Intentional vs. Unintentional (Score:5, Insightful)
The violation may have been intentional, but the malice may still not have been there.
Re:Intentional vs. Unintentional (Score:4, Informative)
c.f. the wifi sniffing debacle. I'm pretty sure that what transpired was the developers of the product downloaded a public source program, like AirSnort. And then used it, probably with the intention of just collecting unencrypted SSIDs, but accidentally left on the more intrusive features as well.
They should have noticed that it was collecting data at a rate greater than SSIDs would indicate, but I can see overlooking that as well.
Re: (Score:3)
Re: (Score:2)
Re:Intentional vs. Unintentional (Score:5, Informative)
No, it wasn't intentional. A workaround was intentionally used to make a particular non-tracking cookie work on Safari (it was a simple preference cookie used for user functionality). However, the browser reacted to the workaround by allowing *all* third-party cookies involved, including the DoubleClick cookie. That was unexpected and unintentional. Nobody realized it was going to happen, and the team responsible for the workaround had nothing to do with the advertising cookie.
Posting anonymously because I work for Google.
Re:Intentional vs. Unintentional (Score:5, Informative)
And if you need a reference, read the original [webpolicy.org] analysis that spawned this entire debacle. It makes it very clear that one cookie, "_drt_" (which is fairly innocuous), is the only one that is deliberately set using the workaround. The unintended side-effect is that on future page loads, the "id" cookie (and others) can be directly set (no workaround needed) because Safari considers a domain whitelisted if it has *any* cookies set, and allows all further cookies.
Best bit - it has a cool name (Score:2)
Re: (Score:2)
yea Red Shirts. Thanks for taking one for the Team
They are lead by... (Score:5, Funny)
...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.
They are PRIVACY RED TEAM!
Re: (Score:2)
Apparently they never watched Star Trek TOS (Score:2)
Re: (Score:3)
There's also a Privacy Blue Team (Score:2)
Sounds familiar (Score:1)
So QA teams are called 'Red Teams' now? So sexy.
Re: (Score:2)
I'm sure Microsoft had a security team (Score:3)
Back in the days when ActiveX was first created, I mean. But simply having a team doesn't mean that team will be allowed by the powers-that-be to make any meaningful difference.
Here, for example - according to the linked article, this team is all about external penetration and threat testing. I don't know anyone whose primary concern regarding Google's data collection is about what an external attacker could do with that information. And the $22.5 million fine was about Google's own internal decisions and behavior, not about what some hacker pulled off because of poor security on Google's part.
This just smells like theater. Much like Microsoft's statements about security a decade or so ago.
SETEC ASTRONOMY (Score:1)
Meanwhile on Facebook... (Score:1)
this is useless (Score:2)
This is useless unless google builds a privacy culture within itself and also lobbies the government to respect individual liberty and rights again.
Re: (Score:1)
Lets face the facts: That privacy culture is exactly why they are the target of these investigations.
I agree, it is unfair that Google is being held to such a higher standard. However, I also think with their privacy culture, they SHOULD be putting their money where their mouth is, like this, and hire a team of specialists to address privacy issues with their products.
The fact that other companies sweep their problems under the rug and that we instead complain about Google for the problems we admit, only p
A lot of companies have worse privacy practices. (Score:1)
I don't know why people focus so much on Google. A lot of other companies have far worse privacy practices, and many of those companies make absolutely no attempt to provide proper privacy or user data security.
Just take Facebook for example.
Secret to Google's continued success... (Score:1)
... ensuring security and privacy of customer data is.
I always thought that the stupidest things that Eric Schmidt ever did were all those blase comments about how we had to learn to live without privacy, etc. (check google for eric schmidt quotes).
I'm not saying that they don't care about these issues, but in the past they have sounded like they don't care.
I reckon that they should instead make security and privacy of data their top priority, and let their customers know about it too (instead of the opposi