Google has launched a new “Good to Know” campaign, offering simple tips on how users can maintain their online security and privacy and stay safe while they’re using Google services as well as the Internet in general. The Good to Know campaign spans both the online and traditional media world: Google has put up a website with its tips, but will also be running ads in newspapers and buying sign space in places like New York City. The idea is to educate even non-technical users on the basics of cyber-security, so they’re less likely to become victims of online scams, account hijacking, or other forms of fraud.
“Technology can be confusing, and the industry often fails to explain clearly enough why digital literacy matters,” wrote Google’s director of privacy Alma Whitten, in the company blog. “So today in the U.S. we’re kicking off Good to Know, our biggest-ever consumer education campaign focused on making the Web a safer, more comfortable place.”
But…wait a second. Google develops and operates some of the Internet’s most-used online services: Google Web search, Google Maps, YouTube, Google Docs, the Chrome Web browser, and Gmail among them. It would be pretty easy to argue Google has done more to erode online privacy and security than perhaps any other company in the industry—and has been doing it for years.
Does Google’s “Good to Know” campaign amount to a band-aid on a gaping wound, designed to placate critics and policy makers concerned about Google’s reach? Or is it an honest and sincere effort to help people use the Internet and Google services more safely?
Or, more likely, is it both?
What does Google think is “good to know?”
Google has broken down its Good to Know offerings into four main categories: tips for Stay safe online, Your data on the Web, Your data on Google, and Manage your data. The last two are almost exclusive to using Google services, while the first two offer more-general information with links about how the concepts apply to Google offerings.
Each topic contains a range of short sub-topics (about two dozen in total) dealing with particular aspects, from how to manage and configure specific Google services (like Gmail, Google Latitude, and Chrome) to better meet your needs, to general topics like outlining how malware, phishing, and Wi-Fi security can impact Internet users.
Google has further simplified its message down to four top tips:
- Use two-factor authentication
- Lock your computer when you step away from it
- Use different, strong passwords for every site and service you use
- Make sure your connection to the Internet (especially Wi-Fi) is secure
Two-factor authentication has become perhaps Google’s primary message about security: Users who aren’t signed up to use it will be regularly nagged to opt in to two-factor authentication, and Google is making it less and less obvious how to avoid participating. In essence, Google’s two-step verification requires Google to also have your mobile phone number. When you sign into your Google account, Google will send a one-time passcode to your phone via SMS. Once users receive that code, they can then use it to sign in to Google services. The idea is that even if attackers, fraudsters, or other unsavory individuals somehow get ahold of your Google password, they would also have to have physical possession of your phone to get into your account.
Google is also increasingly fond of requiring users to provide them with a mobile phone number for other things. Sometimes this is tied directly to fraud-prevention efforts, like trying to constrain easy creation of throwaway Google accounts used to spam or distribute pirated material.
Screen locking means more than just activating a screensaver or closing the lid on a notebook when you step away; it means requiring a password to start using a computer or phone. Although these kinds of precautions are commonplace in businesses, many everyday computer users have their devices configured to log them in automatically when they wake or boot up. Google (correctly) equates that to leaving the front door of your house wide open when you leave for a few hours. An unlocked device is just an invitation for someone to come along and read your email, steal your passwords, look for credit card information, install spyware, or otherwise take advantage. Requiring a password to wake or boot a computer (as well as deactivate a screensaver) is a good common-sense security precaution, so long as it’s a strong password.
Google’s advice on passwords is complex, involving no fewer than six separate sub-tips (one of which is two-factor authentication, above). First, Google recommends using unique passwords for all important accounts: that means online banking would have a different password than a social networking account, and those in turn would be different from the password you use for email services, online games, media services (iTunes, Netflix, etc.), as well as accounts you maintain with online retailers (like Amazon). Similarly, none of those passwords would match one for your computer or a Google account. The idea is simple: even if someone gets their hands on a password for one of your services, they don’t get passwords for all your services. You might have to reset one account and undo some damage, but you won’t have to redo everything at once.
Google also recommends long passwords, noting that a ten-character password is 4,000 times harder to guess than an eight-character password. Google also recommends using a mix of capital letters, numbers, symbols, and lowercase letters to make passwords even more complex, noting that a full range of symbols and numbers enables up to 6 quadrillion possible eight-character passwords, some 300,000 times more than using just lowercase letters. And it should go without saying that passwords like “password,” “12345678” or “qwerty” are particularly bad ideas: so are the other 22 most-cracked passwords, according to SplashData.
Another solid Google recommendation is keeping passwords in a secure location. Google recommends keeping passwords out of sight in a non-obvious place, and if you keep them in a file on your computer don’t name the file something like “my passwords.” In fact, don’t have the term “password” in the file at all: full-disk search technologies (like Apple’s Spotlight and Windows Search) will turn it up instantly.
Using a secure Internet connection really applies to using any network, but Google focuses on Wi-Fi hotspots. It’s important to remember that whoever runs a Wi-Fi hotspot can theoretically monitor all communications on that hotspot, and that can include passwords, email messages, credit card numbers, images, and a myriad of other things you might not want to be public. And, if the hotspot isn’t secured (preferably using WPA2), then anyone using the network can monitor all the traffic. Internet power users can do a lot to protect themselves in situations like this; it usually involves using VPNs and secure HTTPS connections to encrypt all communication they conduct on an insecure network. For the most part, those techniques are too fiddly for everyday Internet users—particularly those using smartphones or other Wi-Fi enabled devices that might have very few (or no) additional security capabilities. Google’s advice on using Wi-Fi hotspots amounts to “be extra careful” with no specific recommendations on how to be careful. The bottom line: Always treat public Wi-Fi hotspots as if they were a public square, and assume anything you do on an unsecured Wi-Fi network is being broadcast to the world.
“Technology can be confusing”
Google admits that the tech industry often doesn’t do a good job of communicating security and privacy concerns to Internet users. After all, most technology companies are in the business of selling a product or service, and they’d much rather get consumers excited about buying that product or service than potentially turn off buyers by warning of potential downsides.
Companies that offer free products and services — including Google — are often in the business of collecting information about their users to sell to advertisers and third parties. These companies are interested in helping users maintain their accounts securely, to avoid abuse and make sure that information they collect is accurate. However, they also often have a conflict of interest when it comes to telling users how to maintain their privacy. The less information they can collect about their users and their activities, the less valuable the information is to advertisers and others. These companies encourage their users to share, rather than encourage users to be safe.
That conflict of interest is just below the surface of Google’s Good to Know campaign. Although the basic information about passwords and security practices is reasonably solid, the rest of Google’s “Good to Know” campaign is mostly intended to make users feel comfortable sharing information with Google.
From Google’s point of view, the company uses information it collects about users (their profile info, their previous searches, their location data, and more) to do things like personalize search results and provide advertising that’s more likely to be relevant. For instance, if Google believes a user is in New York, it’s not going to offer up restaurant choices in San Francisco; similarly, if a user has a search history that includes lots of automotive terms, when a user searches for “Mercedes” Google is more likely to offer up links to Mercedes-Benz and local dealerships than to a famous Janis Joplin song or fantasy author Mercedes Lackey. To further personalize search results, Google recently started integrating data from its Google+ social networking service.
From the point of view of someone concerned about privacy and security, Google’s “Good to Know” campaign is a different kind of eye opener: It reveals a bit of what Google is tracking about its users, and how much of it is out of users’ control.
To Google’s credit, “Good to Know” highlights a few little-known Google services, including Google Takeout and Google Web History. Google Takeout enables users to get a copy of data Google has stored for a user—the idea is to both let users see what Google has stored about them, as well as assist with moving data into (and out of) Google services. Google Web History records all Google searches and pages visited while users are signed in to a Google account. Most people have no idea Web History exists, let alone that Google has been collecting that information, so it’s nice to see the company call it out — albeit as a brief item amid two dozen sub-points in the “Good to Know” materials.
However, Google makes a few other things painfully clear. Even if you’re not signed in to Google, the company uses a browser cookie in your Web browser to track your search history. Users can opt out, but rather than offering actual privacy, the mechanism amounts to telling Google “don’t track this” for every search. Users just have to trust Google isn’t collecting the information — except, oops, Google admits they collect the information anyway, just that they don’t use it to personalize results for that non-signed-in search session.
Something that didn’t make Google’s “Good to Know” campaign: Google doesn’t allow anybody, signed-in or not, to opt out of location tracking, whether it be via services like Google Latitude or geo-location via IP address.
Good to Know = Lots to Know
Overall, Google deserves respect for going out of its way to highlight reasonable security and privacy practices for everyday Internet and mobile users, and trying to present that information in an unintimidating, accessible way. Although many of the tips are old hat to experienced Internet users, there are plenty of people using the Web and their smartphones who just go with the flow and hope for the best. If Google can convince a few of them to up their privacy and security game by a notch or two, that’s all to the good.
However, it’s perhaps just as telling that so much of Google’s simplified and streamlined guide to safe Internet use amounts to little more than a feel-good piece for Google’s most-used services. Further, even in this limited context, many everyday Internet users will find the array of information presented by Google to be confusing and bewildering. Four primary topics might seem comprehensible for non-technical folks, but when they crack open to some two dozen sub-topics (some with their own sub-sub-topics), a jargon dictionary, and an array of videos that are little more than marketing pieces, most folks are going to tune out.
Unfortunately, even with cute line drawings and straightforward, declarative prose, the bottom line is that safe Internet use and secure, informed use of Google services is a tremendously complicated topic. Google’s Good to Know campaign just scratches the surface, and much of that scratching is really just polishing Google’s own offerings to a nice friendly sheen. And that’s a pity.