Internet Security

It is interesting that since I started this series spotlighting that security is and has been, for all practical and official purposes, a low corporate priority for Google, a Googler now publicly claims: "for Google, there is no higher priority than the safety and security of our users."

• This new public claim was made as part of a press release announcing that Google has joined the board of the National Cyber Security Alliance. 
• While I commend Google for joining the National Cyber Security Alliance, it is telling that none of the relevant official Google corporate links, indicate that security is a high priority for Google: check "Our Philosophy -- Ten Things," "Design Principles," or even "Google's Security Philosophy." 
• We will know when Google makes security a high priority when they actually walk the talk and when their official representation of their corporate priorities (in the main corporate links above) reflect that security has truly become a new higher priority for Google. 

This new claim and development presents a useful opportunity to evaluate Google's stated security philosophy.   

The U.S. Government is relatively quietly proposing a major change in its online privacy policy from a Government ban on Government using "cookies" to track citizens' use of U.S. Government websites to allowing the Government to track some citizen online behavior with some restrictions.

• A Washington Post article highlighted privacy groups concerns about the policy shift. Also see comments by EPIC, CDT/EFF, and ACLU.  

This policy shift is a quintessential example of the shift away from a default expectation of online privacy, to the default "publicacy" approach increasingly taken by many web 2.0 entities.

• ("Publicacy" is the opposite of privacy. "Publicacy" also describes the Web 2.0 movement that seeks to have transparency largely supplant privacy online.) 

I have written about the growing tension between privacy and publicacy thirteen times this year, because I believe it is one of the biggest changes that is occurring online that average users are not aware of, but should be. 

Evidence of the Open Internet's growing security problem only continues to mount. There also appears to be a growing and troubling disconnect between the seriousness of the actual problem and the seriousness of attention paid to the growing Internet security problem.  

• For example, despite President Obama making cybersecurity a national security priority in his cybersecurity address 5-29-09, none of the FCC's 18 currently planned public workshops designed to help develop a National Broadband Plan are on cybersecurity.   

"Twitter, Facebook Sites Disrupted by Web Attack"  WSJ

• "Multiple Internet sites, including popular hangouts Twitter and Facebook, were temporarily disrupted Thursday after they were struck by apparently coordinated computer attacks..."
• "The companies traced the problem to what the computer industry calls "denial-of-service" attacks, which are designed to make sites inaccessible by overwhelming them with a flood of traffic. Though such attacks are fairly routine, simultaneous action against multiple consumer Internet companies is rare."

"Most users clueless about cybersecurity, FBI says" PC World

"Security is part of Google's DNA" is Google's slogan to soothe security concerns about its services much like "competition is one click away" is Google's antitrust slogan to soothe antitrust concerns about its dominance. 

While Google claims security is metaphorically in the "DNA" or "genetic code" of their many cloud applications, "DNA" is also Google code for "Do Not Ask."

"Do Not Ask" is Google's unspoken MO -- method of operation.  

FCC Broadband Coordinator Blair Levin described the crux of the National Broadband Plan in testifying before the Commission 7-02 as "identifying where there are currently 'demonstrable public interest harms.'" That central task is essentially defining the problem(s) and is necessary to complete the last task of the plan: "identifying ways to lessen those public interest harms," or recommending solutions. Defining the problem largely defines the range of recommended solutions.

• The plural use of "harms" here suggests that the Plan could end up "identifying" more problems than the obvious core problem prompting the Plan -- that not "all people of the United States have access to broadband capability."

Levin's choice of a classic organizational structure, background-problem-solution, is a wise, useful, and simplifying approach for such an exceedingly complex endeavor.

Jonathan Zittrain's NYTimes Op-ed today, "Lost in the Clouds" ironically captured three of my big concerns/themes about the Internet and its natural outgrowth -- cloud computing.

• I recommend this op-ed because it pulls together a whole host of converging Internet issues that others generally treat separately.
• The problem with writing about these issues separately is that much of the richness of how these inter-related issues interact -- is lost.  

  Zittrain: "The cloud, however, comes with real dangers."

  • I agree. That has been much of the point of my 13 part series since the first of the year:
    • "The Open Internet's Growing Security Problem"

  Zittrain: "Worse, data stored online has less privacy protection both in practice and under the law."

"It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question" said Michael Arrington of TechCrunch in a post defending his publishing of secret Twitter corporate information that was stolen from Twitter by "Hacker Croll" via Google's password system. See New York Times story.

Only last week I wrote a post "Why Security is Google's Achille's Heel."

My overall security thesis is simple.

Additional new evidence continues to spotlight the Open Internet's growing security problem, and underscore why President Obama effectively declared the lack of cybersecurity as the Internet's biggest problem in his cybersecurity address May 29th. 

• The growing catalogue of evidence from mainstream and official sources is getting harder and harder to ignore.

Google's launch of a new PC operating system on the heels of its announcement ending the "beta" phase for its popular gmail, Calendar, Docs and Talk applications, is happening in the midst of a new era where cyber-security has been made a new national priority and internet security breaches are increasingly serious and commonplace.

• All this naturally puts a spotlight on Google's approach to security, because Google is becoming increasingly central to so many people's Internet experience.

An examination of Google's own public representation of its corporate philosophy and design principles shows security/safety is simply not a priority for Google. In many respects, security is viewed as a hinderance to, or a drag on, Google's over-riding goal of speed-efficiency.

In Google's philosophy statement, "Ten things Google has found to be true" there is no mention of the importance of security/safety to Google or Google's users.

#3 point on the philosophy list says: "Fast is better than slow:"

The President's Cybersecurity announcement 5-29 was a game changer for the Internet. For the first time the U.S. Government officially declared the lack of cybersecurity as the Internet's biggest problem.

• It is interesting to note there was instant disagreement with the President's assessment from some in the Web 2.0 world. Speakers at the Computers, Freedom, and Privacy conference in Washington this week said (per Washington Internet Daily) that:
  • "Cybersecurity threats in general are wildly overstated or portrayed as malevolent acts when some of the best known incidents have come through accidents or simple security holes."
• I have been writing this now twelve-part series: "The open Internet's growing security problem" since the beginning of the year, precisely because many continue to deny the growing mountain of evidence from mainstream sources that the Internet security problem is getting worse not better. 
• Fortunately, President Obama gets it.

Here is the latest mainstream evidence of the open Internet's growing security problem.

"Mysterious virus strikes FBI" ZDNet