Google Building Privacy Red Team
Trailrunner7 writes "Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."
It's a good idea too. Deliberately cause mayhem to encourage and test true redundancy.
Help stamp out iliturcy.
...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it.
This space available.
And here I thought, silly me, that it was the massive fines by the EU and Canadian regulators as to their practices that caused this change.
Never mind.
I'm sure they're doing it for the reason you say.
-- Tigger warning: This post may contain tiggers! --
Don't use google, block google-analytics and google-syndication at your firewall, and don't use services like gmail.
Otherwise, you have no privacy from Google, who knows everything you do on the internet.
You are a fucking idiot. Die.
There is, you just have to take steps to preserve yours, which most people don't do.
And the rampant privacy violations that happen by default exist because people don't care about their privacy. If they did, engaging in such practices would put companies out of business. But people actively support this world, where everything they do is tracked. Such drastic measures to preserve privacy would not be necessary if more people cared about not living in a Panopticon.
The fine referenced in the summary was an intentional violation of privacy, at least from what I understand. It sounds like the point of the red team is to find unintentional security flaws that may cause privacy risks. That's good and all, but it really doesn't address the issue that the article and summary are pretending to address.
No, we need more vespene gas.
They are NPCs so don't worry about it.
No, we need more vespene gas.
I'll settle for gold pressed latinum.
-- Tigger warning: This post may contain tiggers! --
I mean, "Privacy Red" - that will go well on the t-shirts, baseball hats and pens. And sound impressive to vacuous blondes at parties; "Hey, is this guy boring you? I'm on a Privacy Red team!".
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.
They are PRIVACY RED TEAM!
Google pissed off the politicians.
That is why everyone does it but only google gets in trouble.
Then you have been abusing yourself much too much
I got to the chocolate box before you, that's why the hard ones have teeth marks.
I agree, and think Google is on the right track here.
I suspect they are starting to see the backlash against easily broken security, and are starting to do something about it.
This is really amazing when you stop and think that they have most to gain by learning all your habits (or at least the "Hate Google First" rabble would have you believe).
The iCloud meltdown preceded by the never ending follies of facebook probably told Google it was time to test their own stuff rather than wait for the storm to hit home. They are well ahead of the game with two factor authentication. Now if they could just add Zero Knowledge encryption techniques to their Google Drive they could be giving even more assurance they weren't out to market anything more about you than what is already public record.
I would love to have stuff backed up in the cloud, but as it is, the only cloud I trust is SpiderOak.
If you beamed down with Captain Kirk and were on the "red team" wearing a "red shirt" it wasn't going to end well for you. I wonder if the same will be true at Google as they bring daylight into the dark corners of Google.
I disable Javascript, sites don't work, including hyperlinks that were made into JS instead of standard HTML. I disable cookies, the site either asks me to enable cookies to continue or just doesn't work right.
It's all due to shitty web design and implementation. Learn to run scripts and remember state on the server side only.
Google is to privacy, what Facebook is to friends.
It charges $4.95 a minute.
So QA teams are called 'Red Teams' now? So sexy.
to hell with the latinum, I want "Q" to loan me his powers for an hour
Mod me up/Mod me down: I won't frown as I've no crown
All cynicism aside, I can understand and get behind this initiative. This is actually a contemporarily rare example of Google adhering to their old "Don't be evil" mantra.
When their entire business model involves a suite of free services and applications that filter down and commoditize users' viewing habits and usage metrics, information security becomes even more important. As much as I don't really appreciate Google having this information themselves (and obviously sharing with vetted partners I might not agree with), I'd be far more concerned about illicit third-parties gaining this information.
Google are worthy of at least some acknowledgment of them doing the right thing here.
The first rule of Privacy Red Team is you don't talk about Privacy Red Team. It's private.
He did, but the continuum set it right again. He's currently being punished by having his powers suspended, and being forced to work at the DMV.
(It was the less horrible punishment they offered. The other was signing autographs at a startrek convention.)
Ok I know we may not do football or rugby in here, but we are not THAT gay! Sjeez, these damn spambots get more stupid every day.
People care about privacy as much as they care about their wallet. They just have no idea how valuable their privacy is
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Back in the days when ActiveX was first created, I mean. But simply having a team doesn't mean that team will be allowed by the powers-that-be to make any meaningful difference.
Here, for example - according to the linked article, this team is all about external penetration and threat testing. I don't know anyone whose primary concern regarding Google's data collection is about what an external attacker could do with that information. And the $22.5 million fine was about Google's own internal decisions and behavior, not about what some hacker pulled off because of poor security on Google's part.
This just smells like theater. Much like Microsoft's statements about security a decade or so ago.
#DeleteChrome
Am I really the first to make that reference?
the entire userbase constitutes Facebook's privacy 'red team'.
---
I think the ridiculous thing is that my email and phone account is orders of magnitude safer than my bank account.
Google's security is already miles beyond the average website, it's banks I want to see get into the 21st century. I should be able to use top-notch encryption techniques if I so desired, instead of an 8-character password coupled with questions for which anybody could find answers if they even vaguely knew me.
Voting with your wallet only works in a competitive environment.
There's probably also that violating your privacy is worth it in terms of higher premiums commanded on ad dollars.
Protecting a walled garden isn't easy when there's oil under it.
for a company that makes fistfuls of money collecting and correlating every behaviour they can record
really their whole reason to exist
coupled with questions for which anybody could find answers if they even vaguely knew me.
Huh? The bank didn't choose those answers. The bank doesn't care what strings of characters you entered, just so long as you can regurgitate them when required.
You chose crap, discoverable answers. Stop blaming others for your shortfall.
My US bank gave me my Internet banking password, from a VoIP call from overseas, knowing nothing more than my name, address, and date of birth. Apparently this is roughly the same set of security as iCloud.
I am TheRaven on Soylent News
This is useless unless google builds a privacy culture within itself and also lobbies the government to respect individual liberty and rights again.
Yes, because it is much worse for Google to know I prefer a BMW to a Toyota and serve me ads appropriately, vs. having someone use the same information to steal my identity, take out a second mortgage on my home, and leave me destitute.
You can take my house, but PLEASE don't ask me what my car preference is!
Can we tone down the hyperbole please? Comparing using personal data for marketing vs. using it to steal from innocents is just stupid.
[...] the idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."
Everything is "real world".
I don't know why people focus so much on Google. A lot of other companies have far worse privacy practices, and many of those companies make absolutely no attempt to provide proper privacy or user data security.
Just take Facebook for example.
Strings of characters? Hahahahahahah. At my bank, the questions are chosen from a drop-down box, and the answers are chosen from a drop-down box. So if the question is "What model year was your first car", the answer choices are "2000-2010", "1990-2000", "1980-1990", "1970-1980", "1960-1970", "1950-1960", "1940-1950", or "1930-1940". That's a real example; I'm not making that shit up. Even if I pick randomly, there's, what, three bits of entropy there? It's goddamn embarrassing; I'm thinking of switching banks.
...standing by.
... ensuring security and privacy of customer data is.
I always thought that the stupidest things that Eric Schmidt ever did were all those blase comments about how we had to learn to live without privacy, etc. (check google for eric schmidt quotes).
I'm not saying that they don't care about these issues, but in the past they have sounded like they don't care.
I reckon that they should instead make security and privacy of data their top priority, and let their customers know about it too (instead of the opposite) - so this "red team" sounds like a good idea.
They should write it into their company constitution and make it clear in their contract with their users.
We all know that google will track our internet use to improve our search results/target their ads, so we need to trust them that this data is not misused, right?
I'm surprised they don't push more that concept of "data untouched by human hand", as I think a lot of people are quite comfortable with that.
So I reckon they need to make sure that we know we can trust them, and people won't fully embrace their range of products unless there is trust there, but once you commit (yourself and your data) to the google product range you are likely to remain a loyal user/customer.
This is a CYA case, done for liability-- not for love of privacy. If they envisioned respect for privacy, they wouldn't have their draconian Terms of Service, which gives them the right to read your mail, watch where you go, and otherwise digest and analyze all facets of your interaction with them.
Make no mistake about apparent altruism. This is their legal department saying: seal up the holes, then twisted by PR to make them look like good guys. Right track? Any organization should have systems security and adherence to privacy regulations at the forefront of their best practices implementation. Why they haven't had such an initiative to this point is mind boggling.
---- Teach Peace. It's Cheaper Than War.
Is Google going to pay professionals to find problems? What happened to security on the cheap with contests and prizes?