Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Building Privacy Red Team

Posted by samzenpus on from the first-responders dept.

Trailrunner7 writes "Google, which has come under fire for years for its privacy practices and recently settled a privacy related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."

27 of 92 comments (clear)

  1. Netflix has ChaosMonkey by symbolset · · Score: 2

    It's a good idea too. Deliberately cause mayhem to encourage and test true redundancy.

    --
    Help stamp out iliturcy.
    1. Re:Netflix has ChaosMonkey by icebike · · Score: 2

      But doesn't ChaosMonkey concentrate on trying to break content delivery rather than security breaches?

      After all Netflix record isn't exactly stellar on privacy issues.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Netflix has ChaosMonkey by interkin3tic · · Score: 4, Funny

      I don't know if it's ALWAYS a good idea. My boss really didn't like "Show up drunk" Mondays. I guess ambulance driving isn't important enough to stress test in such a rigorous manner. Fuckers.

  2. I think... by Jafafa+Hots · · Score: 3, Insightful

    ...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it.

    --
    This space available.
    1. Re:I think... by desertfool · · Score: 2, Informative

      And that is exactly what I wanted to say. I'm more worried about Google than anyone else.

      Long live Adblock and Ghostery.

      --
      Just a dude. Stuck in IT.
    2. Re:I think... by bhagwad · · Score: 2

      Than ANYONE else? Really? So if you had to choose an ISP, you would rather use a corporation like say AT&T or Time Warner rather than Google?

    3. Re:I think... by oakgrove · · Score: 3, Insightful

      You do know you can just not use Google, right? No, seriously. You can run your own mail server even. As a matter of fact if you're really worried, you can use tor or Freenet and be completely anonymous. Just make sure you have https everywhere, and noscript running and you're golden. As far as street view goes, secure your wi-fi and plant some trees in front of the house.

      --
      The soylentnews experiment has been a dismal failure.
    4. Re:I think... by Anonymous Coward · · Score: 3, Insightful

      You shouldn't be concerned about Google. This data is Google's most valuable possession, and the company's entire value is dependent upon that data staying in the company. Google is the producer and consumer of the data, and they're not going to let it out. Google (and everyone in charge there) also has a strong sense of ethics, and while some things have gone wrong, their record is still pretty stellar.

      Who you SHOULD be worried about are the companies that exist solely to collect and sell information. They don't play by the rules, they don't try to be ethical, and their entire business plan is to grab as much information about you as possible and sell it to the highest bidder.

    5. Re:I think... by Nemyst · · Score: 2

      That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.

      Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.

      Nah, the thing is that it's much easier to whine about things than to do something about it.

    6. Re:I think... by oakgrove · · Score: 2

      I happen to agree. I use Google because I like it and nothing I've seen so far can get me the answers for so many different things at a moments notice. That said, it's funny seeing people rail against Google when all they have to do is use something else. Hell, get a fat enough Internet pipe and index the entire web yourself if you're that paranoid.

      --
      The soylentnews experiment has been a dismal failure.
  3. And I thought it was the EU and Canada fines by WillAffleckUW · · Score: 2, Insightful

    And here I thought, silly me, that it was the massive fines by the EU and Canadian regulators as to their practices that caused this change.

    Never mind.

    I'm sure they're doing it for the reason you say.

    --
    -- Tigger warning: This post may contain tiggers! --
  4. Re:Oh god... make them stop, please. by Anonymous Coward · · Score: 5, Insightful

    There is, you just have to take steps to preserve yours, which most people don't do.

    And the rampant privacy violations that happen by default exist because people don't care about their privacy. If they did, engaging in such practices would put companies out of business. But people actively support this world, where everything they do is tracked. Such drastic measures to preserve privacy would not be necessary if more people cared about not living in a Panopticon.

  5. Intentional vs. Unintentional by NoKaOi · · Score: 3, Interesting

    The fine referenced in the summary was an intentional violation of privacy, at least from what I understand. It sounds like the point of the red team is to find unintentional security flaws that may cause privacy risks. That's good and all, but it really doesn't address the issue that the article and summary are pretending to address.

    1. Re:Intentional vs. Unintentional by LordLucless · · Score: 4, Insightful

      Google is big. It's also a way to find ways the left hand is intentionally violating privacy, that the right hand doesn't know about. In big companies, decisions that could potentially impact privacy are made by people who don't necessarily have the awareness of legislation that lets them know they're opening the company to liability by doing what they're doing - they're just trying to get their project off the ground. The potential privacy violation doesn't percolate up to the top where people who know the sort of poo the company could get into by doing it actually hear of it.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    2. Re:Intentional vs. Unintentional by Anonymous Coward · · Score: 5, Informative

      No, it wasn't intentional. A workaround was intentionally used to make a particular non-tracking cookie work on Safari (it was a simple preference cookie used for user functionality). However, the browser reacted to the workaround by allowing *all* third-party cookies involved, including the DoubleClick cookie. That was unexpected and unintentional. Nobody realized it was going to happen, and the team responsible for the workaround had nothing to do with the advertising cookie.

      Posting anonymously because I work for Google.

    3. Re:Intentional vs. Unintentional by Anonymous Coward · · Score: 5, Informative

      And if you need a reference, read the original analysis that spawned this entire debacle. It makes it very clear that one cookie, "_drt_" (which is fairly innocuous), is the only one that is deliberately set using the workaround. The unintended side-effect is that on future page loads, the "id" cookie (and others) can be directly set (no workaround needed) because Safari considers a domain whitelisted if it has *any* cookies set, and allows all further cookies.

    4. Re:Intentional vs. Unintentional by shentino · · Score: 4, Insightful

      The violation may have been intentional, but the malice may still not have been there.

    5. Re:Intentional vs. Unintentional by Johnny+Mnemonic · · Score: 3, Informative

      c.f. the wifi sniffing debacle. I'm pretty sure that what transpired was the developers of the product downloaded a public source program, like AirSnort. And then used it, probably with the intention of just collecting unencrypted SSIDs, but accidentally left on the more intrusive features as well.

      They should have noticed that it was collecting data at a rate greater than SSIDs would indicate, but I can see overlooking that as well.

      --

      --
      $tar -xvf .sig.tar
    6. Re:Intentional vs. Unintentional by arose · · Score: 2

      Hell, the developers might have even done it intentionally, either to collect debbuging data and switch it off later or because they could or whatnot. Hell, maybe their managers knew two (and didn't grok what it was about). That still wouldn't make it the company wide effort to harvest wifi trafic data for mining purposes that some poeple are convinced it was. It definitely though Google a lesson about transparency though (i.e. delete the data, code, documents and memories in question next tim). :-/

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  6. They are lead by... by Lord_of_the_nerf · · Score: 5, Funny

    ...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.

    They are PRIVACY RED TEAM!

  7. Re:Oh god... make them stop, please. by trikes57+ · · Score: 5, Insightful

    I agree, and think Google is on the right track here.

    I suspect they are starting to see the backlash against easily broken security, and are starting to do something about it.

    This is really amazing when you stop and think that they have most to gain by learning all your habits (or at least the "Hate Google First" rabble would have you believe.

    The iCloud meltdown preceded by the never ending follies of facebook probably told Google it was time to test their own stuff rather than wait for the storm to hit home. They are well ahead of the game with two factor authentication. Now if they could just add Zero Knowledge encryption techniques to their Google Drive they could be giving even more assurance they weren't out to market anything more about you than what is already public record.

    I would love to have stuff backed up in the cloud, but as it is, the only cloud I trust is SpiderOak.

  8. Re:Oxymoron by Lord_of_the_nerf · · Score: 2

    Passive-aggressive?

  9. Re:Google, boogle, buggle oh bye by wierd_w · · Score: 2

    He did, but the continuum set it right again. He's currently being punished by having his powers suspended, and being forced to work at the DMV.

    (It was the less horrible punishment they offered. The other was signing autographs at a startrek convention.)

  10. I'm sure Microsoft had a security team by 93+Escort+Wagon · · Score: 2

    Back in the days when ActiveX was first created, I mean. But simply having a team doesn't mean that team will be allowed by the powers-that-be to make any meaningful difference.

    Here, for example - according to the linked article, this team is all about external penetration and threat testing. I don't know anyone whose primary concern regarding Google's data collection is about what an external attacker could do with that information. And the $22.5 million fine was about Google's own internal decisions and behavior, not about what some hacker pulled off because of poor security on Google's part.

    This just smells like theater. Much like Microsoft's statements about security a decade or so ago.

    --
    #DeleteChrome
  11. Re:Oh god... make them stop, please. by Nemyst · · Score: 3, Insightful

    I think the ridiculous thing is that my email and phone account is orders of magnitude safer than my bank account.

    Google's security is already miles beyond the average website, it's banks I want to see get into the 21st century. I should be able to use top-notch encryption techniques if I so desired, instead of an 8-character password coupled with questions for which anybody could find answers if they even vaguely knew me.

  12. Re:Oh god... make them stop, please. by TheRaven64 · · Score: 2

    My US bank gave me my Internet banking password, from a VoIP call from overseas, knowing nothing more than my name, address, and date of birth. Apparently this is roughly the same set of security as iCloud.

    --
    I am TheRaven on Soylent News
  13. Hyperbole by brunes69 · · Score: 4, Insightful

    Yes, because it is much worse for Google to know I prefer a BMW to a Toyota and serve me ads appropriately, vs. having someone use the same information to steal my identity, take out a second mortgage on my home, and leave me destitute.

    You can take my house, but PLEASE don't ask me what my car preference is!

    Can we tone down the hyperbole please? Comparing using personal data for marketing vs. using it to steal from innocents is just stupid.