Online Safety

Only Google would think it was a good idea to have a Director of Security for Google Apps, Eran Feigenbaum, who is also a professional magician/mentalist. A ValleyWag post first spotlighted this frightening irony/bad joke. 

Let's review what a magician and mentalist does:

• Per Dictionary.com:
  • A "magician" is: "an entertainer who is skilled in producing illusion by sleight of hand, deceptive devices." 
  • A "mentalist" is: "a mind reader, psychic, or fortuneteller." 

Security is very serious business. Given that Google arguably has collected and stored more recent private information... on more people without their meaningful permission... than any entity in the world... one would think that Google would treat security as very serious business too.    

People want real security, not the illusion of security. Security is deadly serious; its not for show.

What is most disturbing about Google's judgment here is that this is not an isolated issue undermining confidence in Google's committment to security; see the other parts of the series on "Why Security is Google's Achilles Heel," to learn how this is part of a broader disturbing pattern of Google not taking security seriously.  

As part of Google's previously announced plan to make the Web faster, Google announced yesterday a Google engineering alternative system to the Internet's current core, the Domain Name System or DNS. 

• Google believes that Google's new addressing system is faster and more secure than the current Internet addressing system, which is run by the independent Internet Corporation for Assigned Names & Numbers (ICANN) and which is essentially the Internet's de facto "phone book." 

This is a big deal. Google is essentially saying it can do a better faster job for the Internet than the current ICANN can. Listen to ICANN's self description:

In discussing Google's new "Privacy Dashboard," Fox Business' Neil Cavuto asked Google CEO Eric Schmidt about the ability to delete private information.

• Mr. Cavuto: "How do I know you are deleting it?
• Mr. Schmidt: "Because we say so."

Not being one to accept Google's legendary PR spin without a grain of skepticism, lets review the real significance of Google's new "Privacy Dashboard."

First, to be fair to Google, the privacy dashboard is indeed an incremental improvement over what Google users had before, because it aggregates what was in 21 different places before, into a single more convenient "dashboard." 

• However, Google overhyped the enhanced convenience and control of this single dashboard, because users still have to use the same 21 different steering wheels and brakes they had available before, in order to control Google's multi-directional invasion of their privacy.

Second, this "dashboard" was exceptionally easy for Google to produce. All it basically does is insert a new front-end web navigation page -- to more easily find other existing Google webpages -- much like any website home page offers navigation to pages behind it.

What an "Open Internet" does not mean is as important as what it does mean.

• Surely an "Open Internet" is not intended to mean what it certainly can mean: un-protected, unguarded, or vulnerable to attack. 


• Thus, it is essential for the FCC to be explicit in defining what the terms -- "Open Internet," "net neutrality," and Internet non-discrimination -- don't mean, as well as what they do mean.

The word "open" has 88 different definitions per Dictionary.com and the word "open" has even more different connotations depending on the context. While the term "open" generally has a positive connotation to mean un-restricted, accessible and available, it can also have a negative or problematic connotation if it means unprotected, unguarded or vulnerable to attack.  

The lead WSJ story today, "Arrest in Epic Cyber Swindle" covering the cybercrime ring theft of over 130 million credit/debit cards, is a stark high-profile reminder of the very real and pervasive Internet problem of lack of cybersecurity. 

• In the face of overwhelming mainstream evidence that lack of cybersecurity is the Internet's #1 problem (see links below), including President Obama's declaration that cybersecurity must be a new national security priority in his 5-29 cybersecurity address, it is perplexing that none of the FCC's National Broadband Plan workshops are on cybersecurity. 
• It is hard to see how the Open Internet's growing security problem can be addressed and mitigated over time, if the U.S. Government's main big picture policy effort addressing the broadband Internet, the National Broadband Plan, does not even collect input from the public or experts on the Internet's #1 problem -- lack of cybersecurity.
• The first step in solving a big problem is acknowledging there is one. 

While the latest net neutrality bill introduced in Congress has no chance of passage as drafted, it is a bay window view into how extreme the net neutrality movement has become and into what they are seeking from the FCC via backdoor regulation.

• The proposed Markey-Eshoo bill, HR 3458, which was drafted in close coordination with FreePress and the Open Internet Coalition, is much more extreme than previous bills in 2008 and 2006.

Why is this bill the most extreme version of net neutrality yet?

First, it is a completely unworkable framework.

• It imposes a beyond-all-reason, effective absolute ban on prioritization of data traffic, essentially eliminating current essential network management flexibility to: protect networks from attack or malware; ensure quality of service; manage congestion, latency, and jitter; and handle unforeseen or emergency situations. Sections: 12(b)(5), 12(b)(6)

• For all practical purposes, it destroys most any private sector incentive or benefit from competing or investing in broadband by outlawing any pricing/business model differentiation/innovation beyond commodity end user pricing. Section 12(b)(2)

It is interesting that since I started this series spotlighting that security is and has been, for all practical and official purposes, a low corporate priority for Google, a Googler now publicly claims: "for Google, there is no higher priority than the safety and security of our users."

• This new public claim was made as part of a press release announcing that Google has joined the board of the National Cyber Security Alliance. 
• While I commend Google for joining the National Cyber Security Alliance, it is telling that none of the relevant official Google corporate links, indicate that security is a high priority for Google: check "Our Philosophy -- Ten Things," "Design Principles," or even "Google's Security Philosophy." 
• We will know when Google makes security a high priority when they actually walk the talk and when their official representation of their corporate priorities (in the main corporate links above) reflect that security has truly become a new higher priority for Google. 

This new claim and development presents a useful opportunity to evaluate Google's stated security philosophy.   

The U.S. Government is relatively quietly proposing a major change in its online privacy policy from a Government ban on Government using "cookies" to track citizens' use of U.S. Government websites to allowing the Government to track some citizen online behavior with some restrictions.

• A Washington Post article highlighted privacy groups concerns about the policy shift. Also see comments by EPIC, CDT/EFF, and ACLU.  

This policy shift is a quintessential example of the shift away from a default expectation of online privacy, to the default "publicacy" approach increasingly taken by many web 2.0 entities.

• ("Publicacy" is the opposite of privacy. "Publicacy" also describes the Web 2.0 movement that seeks to have transparency largely supplant privacy online.) 

I have written about the growing tension between privacy and publicacy thirteen times this year, because I believe it is one of the biggest changes that is occurring online that average users are not aware of, but should be. 

A central policy question concerning the future of the Internet, cloud computing, and the National Broadband Plan is whether there should be Internet priorities or a priority-less Internet?

• The crux of the grand conflict over the direction of Internet policy is that proponents of a mandated a neutral/open Internet insist that only users can prioritize Internet traffic, not any other entity. 

To grasp the inherent problem and impracticality with a mandated neutral or priority-less Internet, it is helpful to ask if the Internet, which is comprised of hundreds of millions of individual users, has a mutual "hierarchy of needs" just like individuals have a "hierarchy of needs," per Maslow's famed, common sense "Hierarchy of Needs" theory.

New evidence of very serious Internet security problems sheds new light on why Senate Chairman Rockefeller has taken such a forceful leadership role on cybersecurity and why President Obama made increasing cybersecurity a national security priority in his 5-29 cybersecurity address.

• Computerworld reported testimony before a Congressional oversight panel that sensitive details about a Presidential safe house, Presidential motorcade routes, and every U.S. nuclear facility were leaked on the Internet via a LimeWire P2P application. 
• This serious Internet security problem with P2P applications was also the subject of a 2007 U.S. Patent and Trademark Office (PTO) report , which documented the severe security implications of P2P file-sharing programs that commonly have technological features that induce sharing of information that people did not want or expect to be shared.

The continued seriousness of P2P file-sharing breaches have prompted House Oversight Committee Chairman Edolphus Towns "to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks," per Computerworld.