Tag Archives: safety and security

Expediting changes to Google+

In October, weannounced that we’d be sunsetting the consumer version of Google+ and its APIs because of the significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.

We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.

With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.

Details about the bug and our investigation

Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

  • We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
  • With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
  • In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
  • The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
  • No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.

We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. Our investigation is ongoing as to any potential impact to other Google+ APIs.

Next steps for Consumer Google+

We will sunset all Google+ APIs in the next 90 days.  Developers can expect to hear more from us on this topic in the coming days, and can stay informed by continuing to check the Google+ developer page.

We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019.  We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

A note for our enterprise customers

We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.

G Suite administrators are always in control of their users’ apps. This ensures that G Suite users can give access only to apps that have been vetted and are trusted by their organization. In addition, we want to reiterate that we will continue to invest in Google+ for enterprise. More details were announced in October.

We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.


Continuing the fight against child sexual abuse online

We can all agree that content that exploits or endangers children is abhorrent and unacceptable. Google has a zero tolerance approach to child sexual abuse material (CSAM) and we are committed to stopping any attempt to use our platforms to spread this kind of abuse.

So this week our experts and engineers are taking part in an industry “hackathon” where technology companies and NGOs are coming together to collaborate and create new ways to tackle child sexual abuse online. This hackathon marks the latest milestone in our effort to fight this issue through technology, teams and partnerships over two decades.

In 2006, we joined the Technology Coalition, partnering with other technology companies on technical solutions to tackle the proliferation of images of child exploitation. Since then, we’ve developed and shared new technologies to help organizations globally root out and stop child abuse material being shared.

In 2008, we began using “hashes,” or unique digital fingerprints, to identify, remove and report copies of known images automatically, without humans having to review them again. In addition to receiving hashes from organizations like the Internet Watch Foundationand the National Center for Missing and Exploited Children, we also add hashes of newly discovered content to a shared industry database so that other organizations can collaborate on detecting and removing these images.

In 2013, we made changes to the Google Search algorithm to further prevent images, videos and links to child abuse material from appearing in our search results. We’ve implemented this change around the world in 40 languages. We’ve launched deterrence campaigns, including a partnership with the Lucy Faithfull Foundation in the UK, to show warning messages in response to search terms associated with child sexual abuse terms. As a result of these efforts, we’ve seen a thirteen-fold reduction in the number of child sexual abuse image-related queries in Google Search.

In 2015, we expanded our work on hashes by introducing first-of-its-kind fingerprinting and matching technology for videos on YouTube, to scan and identify uploaded videos that contain known child sexual abuse material. This technology, CSAI Match, is unique in its resistance to manipulation and obfuscation of content, and it dramatically increases the number of violative videos that can be detected compared to previous methods. As with many of the new technologies we develop to tackle this kind of harm, we shared this technology with industry free of charge.  

This work has been effective in stopping the spread of known CSAM content online over the years. In 2018, we announced new AI technology which steps up the fight against abusers by identifying potential new CSAM content for the first time. Our new image classifierassists human reviewers sorting through images by prioritizing the most likely CSAM content for review. It already enables us to find and report almost 100 percent more CSAM than was possible using hash matching alone, and helps reviewers to find CSAM content seven times faster.

Since we made the new technology available for free via our Content Safety API in September, more than 200 organizations have requested to access it to support their work to protect children. Identifying and removing new images more quickly—often before they have even been viewed—means children who are being sexually abused today are more likely to be identified and protected from further abuse. It also reduces the toll on reviewers by requiring fewer people to be exposed to CSAM content.

Because this kind of abuse can manifest through text as well as images, we recently made substantial changes to tackle predatory behavior in YouTube comments using a classifier, which surfaces for review inappropriate sexual or predatory comments on videos featuring minors. This has led to a significant reduction in violative comments this year.

Underpinning all of this work is a deep collaboration with partners. As well as the Technology Coalition, we’re members of the Internet Watch Foundation and the WePROTECT Global Alliance, and we report any CSAM content we find to the National Center for Missing and Exploited Children who in turn report to law enforcement.

Technology, and the methods used by those who seek to exploit it, are constantly evolving and there will always be more to do to tackle this heinous crime. We are crystal clear about our responsibility to ensure our products and services offer safe experiences, and we are fully committed to protecting children from sexual exploitation.

Making it easier to control your data, directly in Google products

We’re always working on making it easier for you to understand and control your data so you can make privacy choices that are right for you. Earlier this year, we launched a new Google Account experience that puts your privacy and security front and center, and we updated our Privacy Policy with videos and clearer language to better describe the information we collect, why we collect it, and how you can control it.


Today, we’re making it easier for you to make decisions about your data directly within the Google products you use every day, starting with Search. Without ever leaving Search, you can now review and delete your recent Search activity, get quick access to the most relevant privacy controls in your Google Account, and learn more about how Search works with your data.

Control your data, directly in the Google products

Control your data, directly in the Google products you use every day


When you use Google products, you generate data about your activity. For Search, this data includes the terms you search for, links you interact with and other information like your current location when you search.

Before today, if you were searching on Google and wanted to review or manage this data, the best way for you to do that would have been to visit your Google Account. Now, we’re bringing these controls to you – from directly within Search, you can review or delete your Search activity and quickly get back to finding what you were searching for.     

We’re also providing quick access to the privacy controls in your Google Account that are most relevant as you use Search. For example, to control the ads you see when you search, we give you access to your Ad Settings. Additionally, you can access your Activity Controls to decide what information Google saves to your account and uses to make Search and other Google services faster, smarter and more useful.

Your data in search

If you want to learn more about what data is being generated as you use Google services and how we use data to improve your experience, you can now find a short video that helps explain this information.

Google Privacy Advisor

We’re launching this improvement in Google Search on desktop and mobile web today, and in the Google app for iOS and Android in the coming weeks. Next year, we’ll expand this to Maps, followed by many other Google products. Having access to relevant and actionable privacy controls directly from the Google products you use every day is just one way that we are continuously working to build privacy that works for everyone. 

Source: Search


Titan M makes Pixel 3 our most secure phone yet


Security has always been a top priority for Pixel, spanning both the hardware and software of our devices. This includes monthly security updates and yearly OS updates, so Pixel always has the most secure version of Android, as well as Google Play Protect to help safeguard your phone from malware. Last year on Pixel 2, we also included a dedicated tamper-resistant hardware security module to protect your lock screen and strengthen disk encryption.

This year, with Pixel 3, we’re advancing our investment in secure hardware with Titan M, an enterprise-grade security chip custom built for Pixel 3 to secure your most sensitive on-device data and operating system. With Titan M, we took the best features from the Titan chip used in Google Cloud data centers and tailored it for mobile.



Here are a few ways Titan M protects your phone.

Security in the Bootloader

First, to protect Android from outside tampering, we’ve integrated Titan M into Verified Boot, our secure boot process.

Titan M helps the bootloader—the program that validates and loads Android when the phone turns on—make sure that you’re running the right version of Android. Specifically, Titan M stores the last known safe Android version and prevents “bad actors” from moving your device back to run on an older, potentially vulnerable, version of Android behind your back. Titan M also prevents attackers running in Android attempting to unlock the bootloader.

Lock Screen Protection & Disk Encryption On-Device

Pixel 3 also uses Titan M to verify your lock screen passcode. It makes the process of guessing multiple  password combinations harder by limiting the amount of logon attempts, making it difficult for bad actors to unlock your phone. Only upon successful verification of your passcode will Titan M allow for decryption.

In addition, the secure flash and fully independent computation of Titan M makes it harder for an attacker to tamper with this process to gain the secrets to decrypt your data.

Secure Transactions in Third-Party Apps

Third, Titan M is used not only to protect Android and its functionality, but also to protect third-party apps and secure sensitive transactions. With Android 9, apps can now take advantage of StrongBox KeyStore APIs to generate and store their private keys in Titan M. The Google Pay team is actively testing out these new APIs to secure transactions.

For apps that rely on user interaction to confirm a transaction, Titan M also enables Android 9 Protected Confirmation, an API for protecting the most security-critical operations. As more processes come online and go mobile—like e-voting, and P2P money transfers—these APIs can help to ensure that the user (not malware) has confirmed the transaction. Pixel 3 is the first device to ship with this protection.

Insider Attack Resistance

Last, but not least, to prevent tampering, Titan M is built with insider attack resistance. The firmware on Titan M will never be updated unless you have entered your passcode, meaning bad actors cannot bypass your lock screen to update the firmware to a malicious version.

With the Pixel 3, we’ve increased our investment in security and put industry-leading hardware features into the device, so you can rest assured that your security and privacy are well protected. In the coming months, the security community will be able to audit Titan through its open-source firmware. In the meantime, you can test out Titan M and all of the smarts Pixel 3 brings, when it goes on sale on Thursday, October 18 in the U.S.

Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+

Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience. We strongly support this active ecosystem. But increasingly, its success depends on users knowing that their data is secure, and on developers having clear rules of the road.

Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security.

At the beginning of this year, we started an effort called Project Strobe—a root-and-branch review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access. This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened.  

We’re announcing the first four findings and actions from this review today.

Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.

Action 1: We are shutting down Google+ for consumers.

Over the years we’ve received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+.  

This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.

Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain. Underlining this, as part of our Project Strobe audit, we discovered a bug in one of the Google+ People APIs:

  • Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.

  • The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.  

  • This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.

  • We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.

  • We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.

  • We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.

Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.

The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days.  

Finding 2: People want fine-grained controls over the data they share with apps.

Action 2: We are launching more granular Google Account permissions that will show in individual dialog boxes.

When an app prompts you for access to your Google account data, we always require that you see what data it has asked for, and you must grant it explicit permission.

Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box.  For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other. Developers can read more on the Google Developer Blog.

This is what the process looks like today when an app requests access to any data in your consumer Google account (you've always been able to choose whether to grant that permission request):

bundled-calendar-drive.png

This is what it will look like:

unbundled-calendar-drive-taps.png

Finding 3: When users grant apps access to their Gmail, they do so with certain use cases in mind.   

Action 3: We are limiting the types of use cases that are permitted.

We are updating our User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access your consumer Gmail data. Only apps directly enhancing email functionality—such as email clients, email backup services and productivity services (e.g., CRM and mail merge services)—will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments. Developers can read more details on the Gmail Developer Blog. (As always, G Suite administrators are in control of their users’ apps.)

You can always review and control which apps have access to your Google account data (including Gmail) within our Security Checkup tool.

Finding 4: When users grant SMS, Contacts and Phone permissions to Android apps, they do so with certain use cases in mind.   

Action 4: We are limiting apps’ ability to receive Call Log and SMS permissions on Android devices, and are no longer making contact interaction data available via the Android Contacts API.

Some Android apps ask for permission to access a user’s phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions.  Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.) Developers can find more details in the Google Play Developer Policy Center and in the Help Center.

Additionally, as part of the Android Contacts permission, we had provided basic interaction data  so, for example, a messaging app could show you your most recent contacts. We will remove access to contact interaction data from the Android Contacts API within the next few months.


In the coming months, we’ll roll out additional controls and updating policies across more of our APIs. As we do so, we’ll work with our developer partners to give them appropriate time to adjust and update their apps and services.

Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that.

The new Google Safety Centre comes to Europe: Helping you stay safe online

Starting today, we’re rolling out our newly expanded Safety Centre in six countries across Europe (Belgium, France, Germany, Italy, the Netherlands and the U.K.). You'll now be able to find even more tools, easy tips, and information about data security, privacy controls and how to use technology in a way that is right for your family, just in time for European Cyber Security Month. More countries and languages will be available in the coming weeks.

Helping people manage their privacy and security is integral to everything we do. Over the years we’ve created many tools and are always improving them so you’re in control: Google Account gives you access to all the settings to safeguard your data and privacy; Privacy Checkup helps you quickly review and adjust what data Google uses to personalize your experience; and My Activity helps you review the activity data connected to your account.

safety center - europe

Parents can also find information in the Safety Centre about how to use tools like Family Link and YouTube Kids to set digital ground rules, and get tips on how to talk with their children and teens about being considerate, setting boundaries, and staying safe online. You can also find links and advice on important issues like cyberbullying, screen time and oversharing from child online safety experts from organizations like FSM and fragFINN in Germany, e-Enfance and Génération Numérique in France, Parent Zone and Internet Matters in the United Kingdom, and Expertisebureau Online Kindermisbruik in the Netherlands.

The Google Safety Centre is part of our ongoing commitment to give you tools and information to control how your data is used in Google services. As technology keeps changing the way we live and work, you can expect our tools to continually evolve to fit your needs.

Introducing .app, a more secure home for apps on the web

Posted By Ben Fried, VP, CIO, & Chief Domains Enthusiast

Today we're announcing .app, the newest top-level domain (TLD) from Google Registry.

A TLD is the last part of a domain name, like .com in “www.google.com” or .google in “blog.google”. We created the .app TLD specifically for apps and app developers, with added security to help you showcase your apps to the world.

Even if you spend your days working in the world of mobile apps, you can still benefit from a home on the web. With a memorable .app domain name, it's easy for people to find and learn more about your app. You can use your new domain as a landing page to share trustworthy download links, keep users up to date, and deep link to in-app content.

A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks. Because .app will be the first TLD with enforced security made available for general registration, it's helping move the web to an HTTPS-everywhere future in a big way.

Starting today at 9:00am PDT and through May 7, .app domains are available to register as part of our Early Access Program, where, for an additional fee, you can secure your desired domains ahead of general availability. And then beginning on May 8, .app domains will be available to the general public through your registrar of choice.

Just visit get.app to see who's already on .app and choose a registrar partner to begin registering your domain. We look forward to seeing where your new .app domain takes you!

Let your loved ones know you’re safe with our new personal safety app

Whether it’s hiking alone or walking down a street after dark — sometimes you want to know someone's got your back. To help you feel safe and give your friends and family peace of mind, today we're launching Trusted Contacts. This new personal safety app lets you share your location with loved ones in everyday situations and when emergencies arise — even if your phone is offline or you can’t get to it. 

Here’s how it works: Once you install the Android app, you can assign “trusted” status to your closest friends and family. Your trusted contacts will be able to see your activity status — whether you’ve moved around recently and are online — to quickly know if you're OK. If you find yourself in a situation where you feel unsafe, you can share your actual location with your trusted contacts. And if your trusted contacts are really worried about you, they can request to see your location. If everything’s fine, you can deny the request. But if you’re unable to respond within a reasonable timeframe, your location is shared automatically and your loved ones can determine the best way to help you out. Of course, you can stop sharing your location or change your trusted contacts whenever you want.

TrustedContactsGIF

Here’s a little more detail on how Trusted Contacts might work, starring Elliot and Thelma:

personalsafety app_contacts.png

Get help even if your phone’s offline

Elliot heads out for a hike on his own, telling Thelma he’ll meet her for coffee later. About an hour in, Elliot realizes he’s strayed off the path and lost service. When Elliot doesn’t show up at the coffee shop, Thelma starts to worry. Because Trusted Contacts works even if a phone is offline, Thelma requests Elliot’s location and in five minutes can see that his last known location was in the middle of the canyon. Thelma calls the nearest ranger station, they send out a rescue party, and find Elliot in a few hours.

personalsafety app_2.png

Invite a trusted friend to virtually walk you home if you feel unsafe

Elliot stayed at the office later than normal and notices it’s awfully dark out. He opens Trusted Contacts and shares his location with Thelma. Now Thelma can walk him home — virtually. When Elliot gets home, he simply taps the banner at the top of the screen or from the lockscreen and stops sharing his location.


screen_sharing_notif.height_800.png

Whether you just need a little reassurance or you’re actually in an emergency, Trusted Contacts helps connect you with the people you care about most — at the times you need them most. Download Trusted Contacts today from the Play Store and visit the help center for more info. If you're an iOS user, click here to get notified when the iOS app is available

Source: Google LatLong