Google Building Privacy Red Team

Trailrunner7 writes "Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."

Netflix has ChaosMonkey

[symbolset]

It's a good idea too. Deliberately cause mayhem to encourage and test true redundancy.

Re:

[icebike]

But doesn't ChaosMonkey [informationweek.com] concentrate on trying to break content delivery rather than security breaches?

After all Netflix record isn't exactly stellar [proskauer.com] on privacy issues.

Re:Netflix has ChaosMonkey

[interkin3tic]

I don't know if it's ALWAYS a good idea. My boss really didn't like "Show up drunk" Mondays. I guess ambulance driving isn't important enough to stress test in such a rigorous manner. Fuckers.

Re:

[davester666]

Ambulance driving gets drunk-tested all the time. It's called a "use-case".

Re:Oh god... make them stop, please.

[Anonymous Coward]

There is, you just have to take steps to preserve yours, which most people don't do.

And the rampant privacy violations that happen by default exist because people don't care about their privacy. If they did, engaging in such practices would put companies out of business. But people actively support this world, where everything they do is tracked. Such drastic measures to preserve privacy would not be necessary if more people cared about not living in a Panopticon.

Re:Oh god... make them stop, please.

[trikes57]

I agree, and think Google is on the right track here.

I suspect they are starting to see the backlash against easily broken security, and are starting to do something about it.

This is really amazing when you stop and think that they have most to gain by learning all your habits (or at least the "Hate Google First" rabble would have you believe.

The iCloud meltdown preceded by the never ending follies of facebook probably told Google it was time to test their own stuff rather than wait for the storm to hit home. They are well ahead of the game with two factor authentication. Now if they could just add Zero Knowledge encryption techniques to their Google Drive they could be giving even more assurance they weren't out to market anything more about you than what is already public record.

I would love to have stuff backed up in the cloud, but as it is, the only cloud I trust is SpiderOak.

Re:Oh god... make them stop, please.

[Nemyst]

I think the ridiculous thing is that my email and phone account is orders of magnitude safer than my bank account.

Google's security is already miles beyond the average website, it's banks I want to see get into the 21st century. I should be able to use top-notch encryption techniques if I so desired, instead of an 8-character password coupled with questions for which anybody could find answers if they even vaguely knew me.

Re:

[TheRaven64]

My US bank gave me my Internet banking password, from a VoIP call from overseas, knowing nothing more than my name, address, and date of birth. Apparently this is roughly the same set of security as iCloud.

Re:

[Anonymous Coward]

Strings of characters? Hahahahahahah. At my bank, the questions are chosen from a drop-down box, and the answers are chosen from a drop-down box. So if the question is "What model year was your first car", the answer choices are "2000-2010", "1990-2000", "1980-1990", "1970-1980", "1960-1970", "1950-1960", "1940-1950", or "1930-1940". That's a real example; I'm not making that shit up. Even if I pick randomly, there's, what, three bits of entropy there? It's goddamn embarassing; I'm thinking of switching ban

Re:

[postbigbang]

This is a CYA case, done for liability-- not for love of privacy. If they envisioned respect for privacy, they wouldn't have their draconian Terms of Service, which gives them the right to read your mail, watch where you go, and otherwise digest and analyze all facets of your interaction with them.

Make no mistake about apparent altruism. This is their legal department saying: seal up the holes, then twisted by PR to make them look like good guys. Right track? Any organization should have systems security an

Re:

[TheRealMindChild]

People care about privacy as much as they care about their wallet. They just have no idea how valuable their privacy is

Re:

[shentino]

Voting with your wallet only works in a competitive environment.

There's probably also that violating your privacy is worth it in terms of higher premiums commanded on ad dollars.

Protecting a walled garden isn't easy when there's oil under it.

Re:

[shentino]

Google pissed off the politicians.

That is why everyone does it but only google gets in trouble.

Re:

[klingers48]

All cynicism aside, I can understand and get behind this initative. This is actually a contemporarily rare example of Google adhering to their old "Don't be evil" mantra.

When their entire business model involves a suite of free services and applications that filter down and commoditize users' viewing habits and usage metrics, information security becomes even more important. As much as I don't really appreciate Google having this information themselves (and obviously sharing with vetted partners I might

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[desertfool]

And that is exactly what I wanted to say. I'm more worried about Google than anyone else.

Long live Adblock and Ghostery.

Re:

[bhagwad]

Than ANYONE else? Really? So if you had to choose an ISP, you would rather use a corporation like say AT&T or Time Warner rather than Google?

Re:I think...

[oakgrove]

You do know you can just not use Google, right? No, seriously. You can run your own mail server even. As a matter of fact if you're really worried, you can use tor or Freenet and be completely anonymous. Just make sure you have https everywhere, and noscript running and you're golden. As far as street view goes, secure your wi-fi and plant some trees in front of the house.

Re:

[TheRealMindChild]

Saying you "can not just use google" is like saying you don't have to buy your produce at a grocery store. Sure, it could be done, but in the cost/benefit analysis of is all, you are going to live a better life shopping at walmart

Re:

[Nemyst]

That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.

Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.

Nah, the thing is th

Re:

[tlhIngan]

That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.

Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.

Nah, the thing is th

Re:

[Nemyst]

Ads? Oh you mean those things most people who care about Google's intrusive practices have already blocked, alongside all scripts from blacklisted domains?

Re:

[oakgrove]

I happen to agree. I use Google because I like it and nothing I've seen so far can get me the answers for so many different things at a moments notice. That said, it's funny seeing people rail against Google when all they have to do is use something else. Hell, get a fat enough Internet pipe and index the entire web yourself if you're that paranoid.

Re:

[Johnny Mnemonic]

If you were a Chinese dissident using gmail to communicate and collaborate, you might have different priorities.

Re:

[WoLpH]

Unfortunately Ghostery and/or Adblock are not always an option.

My bank (ABN-AMRO) has recently updated their website and with that added Omniture tracking to all pages. If you use Ghostery (as I do) the site just stops functioning entirely and the entire Internet banking system doesn't work anymore.

So unless I permit Omniture to see everything what I am doing and effectively giving them access to my bank account including transferring money to other accounts... I cannot access my Internet banking system any

Hyperbole

[brunes69]

Yes, because it is much worse for Google to know I prefer a BMW to a Toyota and serve me ads appropriately, vs. having someone use the same information to steal my identity, take out a second mortgage on my home, and leave me destitute.

You can take my house, but PLEASE don't ask me what my car preference is!

Can we tone down the hyperbole please? Comparing using personal data for marketing vs. using it to steal from innocents is just stupid.

Re:

[Yvanhoe]

I still like that Google are making sure that no one can get data from them without their accord. It is a separate issue.

Re:

[Anonymous Coward]

You shouldn't be concerned about Google. This data is Google's most valuable possession, and the company's entire value is dependent upon that data staying in the company. Google is the producer and consumer of the data, and they're not going to let it out. Google (and everyone in charge there) also has a strong sense of ethics, and while some things have gone wrong, their record is still pretty stellar.

Who you SHOULD be worried about are the companies that exist solely to collect and sell information. They

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Jane Q. Public]

"...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it."

Yes. It isn't privacy "vulnerabilities" we should care about so much with Google, but the privacy losses that are inherent in their business model.

Re:

[WillAffleckUW]

No, we need more vespene gas.

I'll settle for gold pressed latinum.

Re:

[fast turtle]

to hell with the latinum, I want "Q" to loan me his powers for an hour

Re:

[wierd_w]

He did, but the continuum set it right again. He's currently being punished by having his powers suspended, and being forced to work at the DMV.

(It was the less horrible punishment they offered. The other was signing autographs at a startrek convention.)

And I thought it was the EU and Canada fines

[WillAffleckUW]

And here I thought, silly me, that it was the massive fines by the EU and Canadian regulators as to their practices that caused this change.

Never mind.

I'm sure they're doing it for the reason you say.

Intentional vs. Unintentional

[NoKaOi]

The fine referenced in the summary was an intentional violation of privacy, at least from what I understand. It sounds like the point of the red team is to find unintentional security flaws that may cause privacy risks. That's good and all, but it really doesn't address the issue that the article and summary are pretending to address.

Re:Intentional vs. Unintentional

[LordLucless]

Google is big. It's also a way to find ways the left hand is intentionally violating privacy, that the right hand doesn't know about. In big companies, decisions that could potentially impact privacy are made by people who don't necessarily have the awareness of legislation that lets them know they're opening the company to liability by doing what they're doing - they're just trying to get their project off the ground. The potential privacy violation doesn't percolate up to the top where people who know the sort of poo the company could get into by doing it actually hear of it.

Re:Intentional vs. Unintentional

[shentino]

The violation may have been intentional, but the malice may still not have been there.

Re:Intentional vs. Unintentional

[Johnny Mnemonic]

c.f. the wifi sniffing debacle. I'm pretty sure that what transpired was the developers of the product downloaded a public source program, like AirSnort. And then used it, probably with the intention of just collecting unencrypted SSIDs, but accidentally left on the more intrusive features as well.

They should have noticed that it was collecting data at a rate greater than SSIDs would indicate, but I can see overlooking that as well.

Re:

[arose]

Hell, the developers might have even done it intentionally, either to collect debbuging data and switch it off later or because they could or whatnot. Hell, maybe their managers knew two (and didn't grok what it was about). That still wouldn't make it the company wide effort to harvest wifi trafic data for mining purposes that some poeple are convinced it was. It definitely though Google a lesson about transparency though (i.e. delete the data, code, documents and memories in question next tim). :-/

Re:

[arose]

See, if they can convince Apple that it is a good idea to look for that kind of thing they might bother fixing their browser.

Re:Intentional vs. Unintentional

[Anonymous Coward]

No, it wasn't intentional. A workaround was intentionally used to make a particular non-tracking cookie work on Safari (it was a simple preference cookie used for user functionality). However, the browser reacted to the workaround by allowing *all* third-party cookies involved, including the DoubleClick cookie. That was unexpected and unintentional. Nobody realized it was going to happen, and the team responsible for the workaround had nothing to do with the advertising cookie.

Posting anonymously because I work for Google.

Re:Intentional vs. Unintentional

[Anonymous Coward]

And if you need a reference, read the original [webpolicy.org] analysis that spawned this entire debacle. It makes it very clear that one cookie, "_drt_" (which is fairly innocuous), is the only one that is deliberately set using the workaround. The unintended side-effect is that on future page loads, the "id" cookie (and others) can be directly set (no workaround needed) because Safari considers a domain whitelisted if it has *any* cookies set, and allows all further cookies.

Best bit - it has a cool name

[Kittenman]

I mean, "Privacy Red" - that will go well on the t-shirts, baseball hats and pens. And sound impressive to vacuous blondes at parties; "Hey, is this guy boring you? I'm on a Privacy Red team!".

Re:

[fast turtle]

yea Red Shirts. Thanks for taking one for the Team

They are lead by...

[Lord_of_the_nerf]

...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.

They are PRIVACY RED TEAM!

Re:

[Lord_of_the_nerf]

Then mod me Insightful? ;)

Apparently they never watched Star Trek TOS

[Proudrooster]

If you beamed down with Captain Kirk and were on the "red team" wearing a "red shirt" it wasn't going to end well for you [memory-alpha.org]. I wonder if the same will be true at Google as they bring daylight into the dark corners of Google.

Re:

[Lord_of_the_nerf]

Passive-aggressive?

There's also a Privacy Blue Team

[Lord_of_the_nerf]

It charges $4.95 a minute.

Sounds familiar

[ctnp]

So QA teams are called 'Red Teams' now? So sexy.

Re:

[santax]

Ok I know we may not do football or rugby in here, but we are not THAT gay! Sjeez, these damn spambots get more stupid everyday.

I'm sure Microsoft had a security team

[93 Escort Wagon]

Back in the days when ActiveX was first created, I mean. But simply having a team doesn't mean that team will be allowed by the powers-that-be to make any meaningful difference.

Here, for example - according to the linked article, this team is all about external penetration and threat testing. I don't know anyone whose primary concern regarding Google's data collection is about what an external attacker could do with that information. And the $22.5 million fine was about Google's own internal decisions and behavior, not about what some hacker pulled off because of poor security on Google's part.

This just smells like theater. Much like Microsoft's statements about security a decade or so ago.

SETEC ASTRONOMY

[almightyorb]

Am I really the first to make that reference?

Meanwhile on Facebook...

[doubleplusungodly]

the entire userbase constitutes Facebook's privacy 'red team'.

this is useless

[epyT-R]

This is useless unless google builds a privacy culture within itself and also lobbies the government to respect individual liberty and rights again.

Re:

[Ruedii]

Lets face the facts: That privacy culture is exactly why they are the target of these investigations.

I agree, it is unfair that Google is being held to such a higher standard. However, I also think with their privacy culture, they SHOULD be putting their money where their mouth is, like this, and hire a team of specialists to address privacy issues with their products.

The fact that other companies sweep their problems under the rug and that we instead complain about Google for the problems we admit, only p

A lot of companies have worse privacy practices.

[Ruedii]

I don't know why people focus so much on Google. A lot of other companies have far worse privacy practices, and many of those companies make absolutely no attempt to provide proper privacy or user data security.

Just take Facebook for example.

Secret to Google's continued success...

[hbr]

... ensuring security and privacy of customer data is.

I always thought that the stupidest things that Eric Schmidt ever did were all those blase comments about how we had to learn to live without privacy, etc. (check google for eric schmidt quotes).

I'm not saying that they don't care about these issues, but in the past they have sounded like they don't care.

I reckon that they should instead make security and privacy of data their top priority, and let their customers know about it too (instead of the opposi