Tag Archives: Public Policy

How Congress’ anti-tech bill undermines security

We’re concerned that Congress is considering legislation that would compromise Google's ability to keep users secure by default, as well as break popular features in products like Search and Maps. We’ve previously outlined how this proposal could make our services less helpful and less secure, while not addressing the issues Americans care about most — like privacy, child safety and inflation. As experts gather for the RSA Conference this week, I wanted to share my perspective as a security professional on the real risks that this legislation poses for US security.

Our security teams work around the clock, around the world, to identify and stay ahead of threats to our users and platforms. On a typical day, Google blocks more than 100 million phishing attempts across our platforms and tracks over 270 government-backed threat actors from more than 50 countries. This work requires us to make judgment calls quickly, based on indicators and alerts from a huge variety of sources. We don’t always find fire where there’s smoke. But we do prevent millions of attacks from succeeding — and responding to the smoke without hesitation is critical to protecting millions of internet users.

A bill introduced in the Senate (S. 2992) could hurt our ability to make quick decisions to keep our products secure, requiring us to ask: would thwarting a potential bad actor violate the law and open us up to legal liability? Even pausing to ask the question would leave millions of users vulnerable for precious minutes while a potential security threat persists. And when it comes to cybersecurity, every second counts.

Here are just a few ways the legislation would undermine our ability to keep people safe:

Harming a security-by-default approach

First, because the bill bans basic product integration, we might not be able to secure our products by default. This is problematic because modern threat actors don’t just seek to exploit one user, service or system in isolation. They look for weak links, and their behavior is harder to detect when their activities are spread across multiple providers. That’s why we build systems with integrated security defenses. For example, to counter a phishing attack, we rely on built-in spam filtering, malware scanning, link analysis, two-step verification for accounts, password alerts … the list goes on. Under the legislation, these seamless integrations could be prohibited simply because competitors offer their own versions of spam filtering, malware scanning and other security services. The bill could even require us to open our systems to untrusted and potentially vulnerable rival services.

Opening our products to bad actors

Second, the bill would require us to allow outside parties to “access or interoperate” with our “platform, operating system, hardware and software features.” This broad mandate to open our systems may have been written with domestic rivals in mind – but it would inevitably be exploited by foreign companies looking to understand US technical infrastructure, and access data from American businesses and citizens. As national security leaders have warned: “Unfettered access to software and hardware could result in major cyber threats, misinformation, access to data of U.S. persons, and intellectual property theft.”

Rolling back efforts to fight disinformation

Third, by prohibiting us from “discriminating” against competitors, the bill would prevent us from taking action against purveyors of malicious content. Since Russia invaded Ukraine, we have been able to move quickly to limit Russian propaganda and disinformation, even as that content has migrated to new channels. The proposed legislation could undermine this work.

Failing to address valid security concerns

Finally, this bill would create a legal environment that encourages companies to err on the side of not protecting users – and recent changes to the bill exacerbate these underlying security concerns. For example, the revised bill says that we don’t have to interoperate with or provide access to data to entities who pose “clear” and “significant” security risks. But this assumes that we know in real time which risks are significant, and could prohibit us from blocking moderate or emerging security risks that don’t obviously meet the bar of a “significant” threat. Another recent change says that we don’t have to open our platforms up to businesses backed by the Chinese government. But this ignores the fact that modern threat actors use compromised third-parties or shell companies to conduct operations, where attribution can be slow and difficult.

We understand there’s an appetite for global regulation, and we support balanced, thoughtful legislation to solve important issues such as consumer privacy and child safety online. But this legislation would fundamentally harm our ability to stay ahead of threats and keep the billions of people who use our products secure. We strongly urge Congress to consider these unintended consequences before moving forward.

Advancing security across Central and Eastern Europe

Since the start of the war in Ukraine, our teams have been working around the clock to support the humanitarian effort, provide trustworthy information and promote cybersecurity.

We were humbled to receive a special Peace Prize award from Ukraine's President Zelenskyy at Davos last week and we remain committed to doing everything we can to support Ukraine and the broader region as it navigates these challenging times.

To build on our efforts, we are expanding our cybersecurity partnerships and investment in Central and Eastern Europe. Last month, a delegation of our top security engineers and leaders met with organizations and individuals in Czechia, Poland, Lithuania and Latvia - they trained high risk groups, distributed security keys, engaged in technical discussions with government experts, and supported local businesses in shoring up their defenses.

Securing high-risk users

Throughout this war, there has been no shortage of news around targeted cyber attacks aimed at high profile individuals in this region. Our Threat Analysis Group has provided regular updates on this activity, and worked diligently to alert users, organizations and governments through our government-backed attacker warnings.

To help address these threats, our high-risk user team conducted workshops throughout the region for dozens of non-governmental organizations (NGOs), publishers and journalists, including groups and individuals sanctioned by the Kremlin. We distributed around 1,000 security keys - the strongest form of authentication - and trained over 30 high risk user groups on account security. We also launched, in collaboration with Jigsaw, the Protect Your Democracy Toolkit, which provides free tools and expertise to democratic institutions and civil society.

We heard directly from high-risk organizations like the Casimir Pulaski Foundation, the International Center for Ukrainian Victory, NGOs supporting refugees and exiled activists, and leading publishers across Europe who told us just how critical Google's no-cost security tools, like the Advanced Protection Program and Project Shield, are to keeping them safe online. We are grateful for their valuable insights to inform future product development.

Our High-Risk team meets with NGO representatives at Google Prague

Shoring up cyber defenses

As companies and government agencies grapple with the ever changing security landscape and the role that they find themselves in during this conflict, we wanted to showcase how Google’s enterprise security tools and advisory services can give them the confidence to pursue digital transformation on a secure foundation.

Our delegation of security experts included leaders from the Google Cybersecurity Action Team (GCAT). This team’s mission was to advise governments, critical infrastructure providers, enterprises, and small businesses on cloud security and IT modernization. We hosted round-table discussions with Chief Information Security Officers (CISOs) from around the region to learn about the challenges they face, and shared resources on how they can accelerate their response to threats, secure their open source software supply chains, and stay up-to-date with evolving regulations.

Google VP of Privacy, Safety & Security Royal Hansen meets with Polish minister Janusz Cieszyński at the CYBERSEC Forum in Katowice

Building stronger partnerships

While observers speculate about whether the war in Ukraine will lead to broader cyber escalation, government cybersecurity organizations in Central and Eastern Europe are contending with cyber conflict on a daily basis. That’s why Google experts regularly meet with national cyber emergency response teams (CERTs), cybersecurity agencies, and digital ministries to promote the exchange of knowledge and build partnerships to advance shared goals.

What we heard across the board was: we need to help our partners in the region address the shortage of cybersecurity skills and training; improve operational partnerships and information sharing; and promote better cyber hygiene for citizens. We are pleased to work with governments and industry to advance innovative solutions on all of these fronts. Deepening our partnerships in this region will not only protect our users, it will make the Internet safer for all.

A framework for Asia’s digital growth

While governments and communities across the Indo-Pacific continue to grapple with COVID-19 and other challenges, it’s important not to lose sight of the opportunities of the world’s most economically dynamic region. Embracing economic engagement and digital trade — and strengthening the frameworks and capability to do that openly and responsibly — can help ensure recovery in the Indo-Pacific region is more inclusive and sustainable. In this way, we can also build greater trust and confidence for the future.

An inclusive, sustainable and digitally-enabled recovery will not happen automatically. It requires collective action by governments, the private sector, civil society and other stakeholders to ensure that digital technologies are widely accessible and that everyone has the skills needed to harness those technologies. New tools, rules and partnerships are needed to foster greater regulatory alignment and interoperability, to ensure the benefits of the digital economy are felt more widely, and in order to address cross-border digital challenges.

That’s why we welcome the announcement in Tokyo today to launch the Indo-Pacific Economic Framework (IPEF). IPEF promises a new mode of economic cooperation to maximize the opportunities that arise from the global digital economy. We hope that IPEF will advance a strong, affirmative digital trade agenda which will promote:

  • Inclusive trade. 78 million workers across countries in the Asia-Pacific region require digital skills training to keep pace with technological advancements. Google and others have been working to address these gaps — for example, since 2015, Google has trained over 58 million people in Asia in digital skills under our Grow with Google program. But frameworks like IPEF can help ensure coordinated action — including by sharing best practices, incentivizing public-private partnerships, and developing joint strategies. IPEF should also address barriers that make it uniquely difficult for small businesses to reach foreign markets, like requirements to open a local office as a condition to do business.
  • Openness and non-discrimination. IPEF should look to apply traditional trade principles such as openness and non-discrimination to the digital economy. It should ensure that data can flow freely across borders. It should enable businesses of all sizes to provide digital products and services free of discrimination, while allowing for appropriate guardrails. And it should enable consumers to access and use services and applications of their choice on the internet.
  • Trust and shared values. IPEF should be a model to show that data flows and privacy protection can be mutually reinforcing concepts for building trust in the digital economy and cross-border digital transactions. IPEF participants could also commit to greater collaboration on cybersecurity, and safeguard against the use of censorship as a trade barrier or a means to access private data.
  • Resilient and green digital infrastructure. IPEF should promote adoption of green digital infrastructure — for example, by incentivizing the use of cloud services that meet international standards for energy efficiency. IPEF should also promote a resilient and secure digital infrastructure, including by ensuring sound, non-discriminatory regulation of submarine cables.

IPEF is particularly significant given the region’s size and innovativeness. The Indo-Pacific region represents nearly two-thirds of the global economy, and is second only to the U.S. when it comes to the number of “unicorns” — companies that are valued at $1 billion and above. It is the perfect place to try to ensure that the promise of the digital economy is fully realized and shared.

This is the moment for Indo-Pacific countries to chart a bold, inclusive and sustainable path forward to address common challenges and seize the tremendous opportunities the digital economy can bring.

The facts about the temporary Match Group agreement

No other mobile platform is as open as Android and Google Play, and no other platform has shown more willingness to champion user choice, invest in change, or collaborate with developers. We are currently defending these points in court against Match Group, and at the court's request, on May 19 we reached a temporary agreement while the case is being heard and we prepare our planned countersuit.

On May 20, Match Group disregarded the stipulations it agreed to in court with a misleading press release that mischaracterizes what happened in the proceeding. We want to once again set the record straight to make sure the rest of the developer ecosystem is aware of the facts.

The court asked us temporarily not to remove Match Group’s apps from the Play Store on June 1 for its violation of our terms until a full trial in exchange for the following:

  • Match Group has to put up to $40 million in an escrow account to begin to account for the service fees it owes us.
  • Match Group must also provide Google with a monthly accounting of all in-app sales of digital goods and services from June 1 through trial so we can track what it owes for the immense benefit it receives from Google Play.
  • Match Group must work in good faith to further enable Google Play’s billing system as an option for users. Google agreed to work in good faith to continue to develop additional billing system features that are important to Match Group, as Google has already been doing for years with countless developers, including Match Group.

And Match Group’s claim that it can't integrate Play’s billing system because it lacks key features contradicts the fact that Match Group has been proactively and successfully using Play’s billing in more than 10 of its apps. Match Group collected hundreds of millions in consumer revenue in over 50 countries through Google Play’s billing last year.

Not only are we confident we’ll succeed in defending against Match Group’s unfounded complaint, we will be filing a countersuit against Match Group for violating their obligations under the Developer Distribution Agreement and to ensure Google Play remains a trusted destination for users.

Building a secure world

The following is adapted from remarks delivered by Royal Hansen, Vice President of Engineering for Privacy, Safety and Security, during his keynote “United in Cyberpower: The Role of Companies in Building a Cybersecure World” at Cybersec Europe 2022 in Katowice, Poland.

I believe cybersecurity is one of the top issues facing the world today and I’d like to share a bit about why it’s so important for companies, countries, and communities of all sizes to work together.

This is particularly true right here in Central and Eastern Europe where the Russian invasion of Ukraine has brought these issues into sharp focus. I’m honored to be here today and to get to meet with so many of you who are working on this day in and day out.

As governments in this region and elsewhere in the world tackle this issue we want to ensure we are doing everything we can to support those efforts. Google’s mission has always been about organizing the world's information and making it universally accessible and useful. The work we’re doing to ensure people can get access to quality information–and do so safely–has never been more important than it is today.

Securing users in Ukraine and the broader region

As the Russian invasion of Ukraine unfolded, Google mobilized to help the people of Ukraine and protect the security of our users and services – an area where we are uniquely positioned to help in this conflict.

We have our own specialized teams dedicated to identifying, tracking, and countering threats from government-backed actors.

Russia-backed hacking and influence operations are not new to us; we’ve been tracking and taking action against them for years. To put this into perspective, we’ve seen and worked to disrupt Russian operations targeting the U.S. elections in 2016 and 2017 and campaigns targeting the 2018 Olympic games. In October, we blocked a Russian campaign targeting 14,000 Google users.

And we’ve seen first hand the targeting of Ukraine by Russia. It has been ongoing for years with both espionage and occasional cyber attacks tracked by our teams. As the war intensified, we also saw Russian threat actors shift focus to targets elsewhere in Eastern Europe.

Our Threat Analysis Group (TAG) regularly publishes details on campaigns it detects, and disrupts these efforts to help governments and private sector companies better defend their systems.

We’ve seen threat actors beyond Russia shift their focus and targeting, including a growing number of threat actors using the war as a lure in phishing and malware campaigns. This includes government-backed actors from China, Iran, North Korea, Belarus and financially-motivated, criminal actors using current events as a means for targeting users.

For example, we’ve seen one cyber crime group impersonating military personnel to extort money for rescuing relatives in Ukraine.

In addition to disrupting threats, we are doing everything we can to increase protections for high risk users and organizations in Ukraine. We’ve redoubled our efforts to offer free tools to help – including protecting hundreds of high risk users on the ground with our Advanced Protection Program, and expanding eligibility of Project Shield to include the Ukraine government. Shield is currently protecting over 200 websites in Ukraine from distributed denial of service attacks.

It is in this spirit of action that we are expanding our partnerships and investment in the broader region on cybersecurity.

In fact, this week a delegation of our top security engineers and leaders are on the ground across Eastern Europe to provide hands-on training to high risk groups, deliver security keys and support local businesses as they look to improve their security posture.

To share what we know about the threat, we are engaging in technical exchanges with governments in the region.

We’re providing free tools and expertise to democratic institutions and civil society, such as the Protect Your Democracy Toolkit - which we launched today in partnership with our Jigsaw team.

We’re also investing in, and shaping, the next generation of cybersecurity professionals. For example, Google has committed to provide scholarships for 150,000 people in Europe, the Middle East and Africa through the new Google Career Certificate training.

We’re also helping governments and businesses stay ahead of the threat, including helping government agencies, companies and utilities who rely on outdated hardware and software to replace old systems with better foundations and we are here to build up businesses and governments’ confidence to embrace digital transformation securely.

Google’s approach to security

We believe we are uniquely positioned to help users, organizations, and governments in this region because of our approach to security.

First, we focus on the basics. We bake in security from the beginning instead of bolting it on as an afterthought and we design helpful products that are secure by default for our users. In fact, we are the first consumer tech company to automatically turn on 2 step verification, our version of multifactor authentication, or MFA, for our users. We recommend businesses and governments focus on these fundamentals as well.

Second, we take an open and interoperable approach to security, and we invest to ensure this model of the Internet as a whole is protected. In today’s interconnected environment, our collective security is only as strong as the weakest link. Our business cannot thrive if people don’t feel safe online. That’s why we design solutions that eliminate entire classes of threats from being effective both on our platforms, and across the Internet as a whole.

Finally, and perhaps most importantly – we are looking at the future of cybersecurity and investing in advanced, state-of-the-art capabilities. We know that cyber threats evolve quickly – as soon as a new technology is introduced or adopted, there are threat actors and cyber criminals looking for ways to exploit it. That’s why it’s not enough to just stay a few steps ahead of the threat.

We need to invest in the future of technology, from cutting-edge artificial intelligence capabilities, to advanced cryptography, to quantum computing – our teams are already working on the future of cybersecurity. And we see it as part of our mission to ensure that we open source and share these findings so that organizations and governments can stay ahead of the latest cyber threats.

Security-proofing our tech policies

Our approach enables us to weather online security threats. But advanced capabilities are not enough if government policies inadvertently undermine our ability to protect users.

I support smart tech regulation, which can fuel the vitality of the Internet and ensure technology is meeting society's needs. Unfortunately, some technology regulation is not adequately considering the impact to safety and security efforts online.

For example, some policies seek to limit sharing of data between different services on platforms like ours, but overly-broad bans on cross-platform data sharing also have significant implications for the threat intelligence work I mentioned earlier.

The ability to share intelligence on threat actors and their technical signatures helps identify and stop the work of threat actors and cybercriminals. It protects not just one company or two companies, but the Internet as a whole.

To realize the full benefits of technology to society, society must be able to trust that the technology they are using is safe and secure. By ensuring security has a seat at the table in these policy discussions, we can strike this balance and unlock technology’s full potential. Today’s conflict and challenges point to a need for better cooperation and giving technical experts a seat at the table in these policy discussions.

We applaud the Declaration for the Future of the Internet, which calls on governments and industry to protect a future for the Internet that is open, free, global, interoperable, reliable, and secure.

At our core, Google is an Internet company, and our fate is tied to the Internet remaining true to these principles. The internet itself is a multi-stakeholder system, and protecting users and citizens online requires cooperation among us, governments and businesses.

It’s never been more urgent, and our ability to make a difference is greater than anyone anticipated. We all must work together to protect this future, whether that means combating cyber threats, building safe technologies that unlock society’s full potential, or developing responsible technology policies.

We stand ready to partner with governments, businesses, and individual users to see this future secured.

Setting the Record Straight on Match Group’s Cynical Campaign Against Google Play

Google Play has been the launchpad for millions of developer businesses to connect with consumers around the world. That’s because we’ve earned the trust of billions of users as a safe place to find great apps and games. Google Play’s billing is an important part of our business model, and it allows us to provide consumers with critical safety protections from things like payment fraud and subscription abuse. But Match Group would have you believe that all Google Play provides is payment processing. This simply isn’t true, and Match Group knows it.

Match Group knows Google Play provides tools and a global distribution platform that helps developers grow their business. And Match Group knows this because they have used these tools and our platform to build a very successful global business. They want access to Google Play’s global distribution platform and users, they want to unfairly leverage Google’s substantial investments in the platform, and they want it all for free.

Many other developers recognize the value of Google Play and are partnering with us to grow the ecosystem in a responsible way, but Match Group is attempting to freeload off our investments rather than being a responsible partner. Now, after years of reaping the benefits of Google Play, Match Group is doing all it can to avoid paying for the enormous benefits it receives–including misusing the courts, lobbying policymakers, and even suggesting to investors that alternative billing systems would exempt them from paying for the valuable services they receive from Google Play.

And because Match Group doesn’t believe it should have to pay anything for the substantial services we provide, it’s willing to compromise user safety as part of a global campaign to smear our business and how we operate. We think the facts speak for themselves:

  • Our fees cover the full range of services that Google Play provides, not just payment processing. Just as it costs money to build an app, it costs money to build a platform. Android and Google Play have expanded consumers’ access to affordable devices and services, provided cutting edge technologies to empower developers to build new features and experiences, put a global consumer base within reach for businesses around the world, and kept consumers safe on their devices at a scale that’s unparalleled. Because of the investments we’ve made, Google Play has built a dedicated consumer base of more than 2.5 billion 30-day active users in 190 countries around the world. It’s no small feat to earn that kind of loyalty, and the trust we’ve built has created economic opportunity for millions of developers that have built great businesses with us. Our service fee helps sustain this thriving app and game ecosystem.
  • Our fees are the lowest among major app stores. Google Play is the first major platform to move away from one-size-fits-all pricing to meet developers’ different needs. Today, just around 3% of developers are subject to a service fee and 99% of those developers qualify for a service fee of 15% or less. Match Group’s apps, for example, are eligible to pay just 15% on Google Play for digital subscriptions, which is the lowest rate among major app platforms. Developers have praised our approach. Match Group claims that they’d suffer if they complied with our policies, but they already comply with the policies of other app stores that charge much more than Google Play.
  • Regulators are investigating Match Group’s safety problems. Match Group wants to continue imposing its own billing system, a billing system that has repeatedly faced regulatory scrutiny for things like subscription fraud. Google Play’s billing system is focused on protecting users from these same types of abusive practices by providing transparency and easy-to-use features to manage purchases and subscriptions. Match Group may not like these protections, but consumers do.
  • Match Group has had ample time to make changes. Match Group has known about Google Play’s billing requirement for years, and certainly since September 2020 when we began to bring previously non-compliant apps onto Google Play’s billing system. For the few developers like Match Group that weren’t offering Google Play’s billing to their users, we provided an additional 18 months to give the entire developer community ample time to make any necessary changes.
  • Match Group isn’t interested in true user choice billing. While Match Group claims to support user choice, it has yet to offer its users that option in South Korea, where user choice billing is now available on Google Play. Likewise, they inaccurately allege that users “sometimes” pick Match Group’s billing 3 to 1 over Google Play. But many of their apps only offer Match Group’s billing. In the cases where Google Play is theoretically a user choice, it isn’t presented as a fair choice and is hidden in small text at the very bottom of the app.
  • We’re the only major app store piloting true user choice billing. We recently announced a pilot to invite developers to help us test and iterate on user choice billing in other markets outside South Korea. We started with Spotify as our first partner as they have made substantial investments in the platform and have deep product integrations across all of Android’s form factors. We are actively looking to add more partners in the coming months and developers can express interest.
  • Android is the only mobile platform that offers Match Group alternative distribution choices. More than half of Android devices come preinstalled with 2 or more app stores. Android is a uniquely open operating system and provides Match Group with multiple ways of distributing their apps to users outside of Google Play, including through other Android app stores, or directly to users via their website. And Match Group can of course distribute through Google Play as consumption-only apps.

As a platform, we’re always looking to work in good faith with partners to grow and evolve the ecosystem, but we’ll stand firm against false attacks on our business, especially when it puts users at risk and endangers our ability to continue investing in and serving our developer community.

No other mobile platform is as open as Android, and no other platform has shown more willingness to champion user choice, invest in change or collaborate with developers. Google remains focused on helping developers succeed and we look forward to continuing to work with our partners to grow and improve Google Play.

Coming together to protect the global internet

The global internet began with an incredible promise: a shared resource that everyone could access wherever they lived. Over the last few years, this ideal has been strained to the breaking point as governments around the world have adopted conflicting regulations that are fragmenting the internet to the detriment of people everywhere.

That’s why it’s great to see countries coming together today to launch the Declaration for the Future of the Internet (DFI). Through this effort, allies across the public and private sectors will work together to protect the importance of the global web, including by opposing shutdowns and other “efforts to splinter the global Internet.”

Digital fragmentation impacts everyone using the internet. As conflicting regulations proliferate, people’s access to content, privacy protections, and freedom to transact and communicate increasingly vary depending on where they are located. Digital fragmentation has become a significant barrier to international trade, with a particularly pernicious effect on small businesses, which lack the resources to navigate an array of conflicting rules. And it discriminates against smaller, developing countries, as new products become harder to launch and scale on a fragmented Internet to all markets.

The DFI provides a path to address the most urgent threats to the global internet. In particular, we’re seeing a number of governments take actions to crack down on the free flow of information and ideas, increase government surveillance, and restrict access to cross-border internet services under the banner of “cyber-sovereignty.”

The DFI joins the EU-US Trade & Tech Council and the Indo-Pacific Economic Framework as important fora where like-minded partners can join together to address cross-border challenges. We hope this work will be grounded in a few key principles:

  • First, governments should strive to agree on common standards to guide the development of new rules for digital technologies, so that consumers have consistent protections across borders and access to digital tools.
  • Second, governments should strive to increase interoperability between national digital rules, as we’ve seen with the US-EU Data Privacy Framework.
  • Third, governments should commit to intergovernmental regulatory dialogue to ensure that new rules strengthen shared values.
  • And fourth, governments should abide by core open trade principles like non-discriminatory approaches to regulation that don’t single out foreign companies.

The private sector also plays an important role in maintaining the global internet. That’s especially true in times of crisis, as security teams work to disrupt disinformation campaigns, cyber attacks and other online threats. Since Russia’s invasion of Ukraine, our teams have been working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, and surface high-quality, reliable information. We are committed to partnering with governments and civil society through the Declaration to disrupt disinformation campaigns and foreign malign activity, while ensuring people around the world are able to access trustworthy information.

Ultimately, the cross-border availability of secure technologies and digital services – coupled with forward-looking decisions by governments – can protect access to information everywhere and ensure that the enormous benefits resulting from the global internet are not lost. We stand ready to support the DFI’s mission to promote an open, secure, and reliable internet for all.

Reforming the patent system to support American innovation

Over the years, Google has worked to ensure that the United States patent system continued to spur new inventions and technologies. A healthy patent system incentivizes and rewards the most original and creative inventors — while helping others build on existing ideas and avoiding frivolous litigation. Supporting that balanced approach, we were one of the first companies to pledge not to sue any user, distributor, or developer of open-source software on specified patents, unless first attacked. We helped found the License on Transfer (LOT) Network, which shields its members from being sued over patents that other members have sold to patent trolls. And we worked in collaboration with others to create a repository of hard-to-find “prior art” documents to improve the patenting process, resulting in higher quality patents.

We have also invested heavily in patenting our engineers’ inventions in advanced technologies. Our tens of thousands of engineers have authored over 42,000 home-grown patents and we have licensed hundreds of thousands more at fair value. We are proud of our patented innovations like the ability to predict traffic or extend battery life. And we have sold hundreds of patents to smaller companies interested in bolstering their own portfolios.

But we are concerned that America’s patent system is increasingly failing to promote the cause of innovation and progress. The quality of patents issued in the U.S. is declining. And, after a few years where earlier reforms reduced abusive patent litigation, it’s back with force, with 46% more lawsuits in 2021 than in 2018. Patent trolls and opportunistic companies have begun to weaponize patents against their rivals, hindering both competition and innovation, and ultimately harming the quality of new products. America’s prized “culture of innovation” is being undermined by a “culture of litigation.”

Reversing the rising tide of wasteful patent litigation

Aggressive litigants waste valuable court resources unsuccessfully trying to stretch patents beyond recognition. And prolific patent trolls wage litigation shakedown campaigns with low-quality patents that are later found to be invalid, wasting time and resources that could have been spent on developing new products.

Google is a resourceful company with a strong record of fighting overreaching patent claims, and we can defend our users and products. But many smaller companies, especially those producing nascent technologies, cannot afford the risk and expense of these lawsuits, which raise costs for consumers and stifle companies’ ability to bring products to market. That is why we are calling for more support for the United States Patent and Trademark Office (PTO), reforms to how the judicial system handles patent claims, and Congressional changes to address patent abuse.

Investing in the Patent Office

Each year, the PTO approves more than half of the more than 600,000 patent applications it receives, working to balance incentives for investment and freedom to innovate. Evaluating those applications is a monumental task and in recent years the agency has not had the tools it needs to do its job right. Technology can help, and the PTO is working on AI solutions to streamline the process. But its hard-working employees remain under-resourced to keep up with advancing technology. This results in invalid patents getting issued to inventors, which undermines their ability to protect technology confidently. Others face the cost and hassle of defending infringement claims against patents that should never have been granted in the first place. This isn’t fair for anyone except patent trolls.

Ending forum shopping

There are 677 federal district court judgeships in the United States. But many companies suing over patent claims are gaming the system. This forum shopping has gotten so out of hand that almost 25% of all US patent litigation is now being filed in a single courthouse. After a bipartisan request for action, Chief Justice John Roberts has committed to investigate the issue and push to restore the integrity of the judicial process.

Restoring Inter Partes Review

On top of all this, changes to PTO rules have weakened Inter Partes Review (IPR), the program that Congress created to help companies cost-effectively invalidate low-quality patents. Congress carefully constructed the IPR program to provide expert review of the small subset of patents with the greatest impact on our economy. But new PTO policies make it harder to use IPRs to invalidate patents in a cost-effective and streamlined way.

Preserving America’s culture of innovation

A series of steps would improve the current system, benefiting both innovation and consumers:

  • At the United States Patent and Trademark Office, a new director is now at the helm, with a clear mandate to improve patent quality as set out in the Commerce Department’s Strategic Plan. To do so, the Office should work to ensure that the agency’s process for reviewing an application for a patent is robust, and that patents that shouldn’t have been granted can be promptly, efficiently, and effectively challenged. Of course, that will require giving the PTO the resources it needs. The PTO is funded by fees paid by patent applicants, and we support increasing fees for the largest patent filers, including Google. With the confirmation of PTO Director Kathi Vidal, this important work can finally begin.
  • In the judiciary, the Supreme Court’s year-end report on the federal judiciary made the issue of forum shopping one of three topics of focus for 2022. As the review requested by the Chief Justice moves forward, we hope it urgently addresses the judicial imbalances caused by abusive forum shopping.
  • Finally, before Congress, there is pending, bipartisan legislation that would help reduce abusive patent litigation. We are supportive of the goals of this bill, which would restore access to the Inter Partes Review program and increase transparency and accountability. It makes clear that the PTO is the most effective forum for reviewing patent validity, giving the Office the opportunity to double-check its own work in an efficient, expert, and cost-effective way. We and a broad cross-section of supporters rallied behind this program back in 2011 when it was enacted as part of the America Invents Act with resounding bipartisan support, and it’s time to live up to its original purpose.

With changes like these, we are optimistic that the patent system can get back to what it is intended to do: preserve the U.S. culture of innovation, advance the development of new technology, and reward entrepreneurs who are building new products that benefit American consumers and people around the world.

The urgent necessity of enacting a national privacy law

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at Beyond the Basics: The Many Pillars of U.S. Privacy Law, an event hosted by R Street Institute at The National Press Club in Washington, DC. Google also published an accompanying white paper on Responsible Data Practices.

Information is all around us. Americans sometimes take it for granted, but from the moment we walk out our front doors, information powers everything we do.

After a two-years-and-counting pandemic, when people have taken to tech at an unprecedented pace, they’re more aware of both the possibilities and the privacy challenges.

They may have even heard about the shadowy world of data brokers who buy and sell information to actors they’ve never heard of, for purposes that they can’t see or control, in ways that may risk their privacy and security.

And they may have a greater appreciation for the need for consistency across the country — not a patchwork of 50 different state laws, but a law that organizations and people can rely on as they go about their daily lives.

There is a range of views when it comes to technology and technology regulation. But when it comes to national privacy regulation, there is a clear consensus: Americans want it.

A Pew Research poll found that 75 percent of people support government regulation of consumer data.

And the absence of a comprehensive federal privacy law has left a vacuum that states are trying to fill by scrambling to pass their own, often inconsistent, laws — a trend that actually risks fragmenting consumer protections.

People are counting on all of us to address this issue — and fast. The good news is that after many years of discussion, today, there seems to be a growing consensus on this. We are starting to see interest from both parties, from many different constituencies. They are coming together on how to do this well.

President Biden in his State of the Union address highlighted the importance of privacy, and there are growing reports that Congress is making progress toward comprehensive privacy legislation. We’ve long supported that goal, and we welcome the forward movement.

When data is misused, when consumers find their trust is misplaced, it hurts not just the whole digital ecosystem, but the potential for future innovation.

And let me be clear: We at Google get it, and we’ve rethought and adapted our own approaches to product development to promote privacy and security.

For example, because digital services should keep your information for only as long as you find it helpful, we introduced auto-delete controls to let you easily delete your location history, web history, and YouTube history.

Try to do that with any other business that holds data about you.

We were the first platform to make it easy for people to download or transfer personal data when they want to switch to other services.

And today, we keep more people safe online than anyone else in the world — because if it’s not secure, it’s not private.

To set new standards for responsible data use, we’ve also done what we do best – built new technological solutions, investing in privacy-preserving technologies.

Privacy-preserving technologies don’t just promote privacy by design, they achieve privacy through innovation. They help us minimize the collection of identifying data. They reduce the risk of data being misused — without undermining the tremendous value that people get from information services.

As an example, at the start of COVID, we had an unprecedented partnership with Apple to develop Exposure Notifications, helping public health authorities supplement contact-tracing. Our North Star had to be designing a system with privacy protections baked in. So we worked with public health officials, privacy experts, regulators, used our most advanced technology to keep data safe, and established strict guidelines – all of which built public trust and adoption, saving thousands of lives.

Now we’ve got a complex business, and we haven’t always gotten everything right, but we’ve learned from those experiences, and we know what’s possible when private industry and regulators work together.

Of course it’s not enough for some organizations to operate responsibly — we need a law that establishes consistent rules and reins in bad actors.

So how do we do that? What’s the best path forward?

We're not focused on pie-in-the-sky proposals like creating an entirely new agency to regulate all the different uses of digital tools. We don’t want snappy soundbites; we want sound solutions.

The reality is that all companies are becoming digital companies, each with the potential to create new technologies and use information in new ways. We need consistent rules across the economy, and across the country.

Instead of chasing theoretical approaches, we want to support the practical, real-world privacy work already being done by Congress.

Current legislative privacy proposals like the ones put forward by Senators Cantwell and Wicker reflect important areas of agreement on the practical points that matter to people. And we hope they will work closely with Chairman Pallone and Ranking Member McMorris Rodgers to move legislation through the committees expeditiously.

We can build on the work that has already happened in this space, like proposals put forward by Senators Cortez Masto and Fischer and Representatives Stevens and Gonzalez to promote privacy-preserving technologies.

With the right leadership from the White House and leadership in Congress, we can get this done – this year.

So what are the sticking points? Issues like when and how consumers can file suit? The scope of FTC rulemaking? How federal and state laws will work together?

Those issues are debated in some form nearly every time Congress passes new business regulations, including the sectoral privacy laws Congress has already passed. So, none of this is new or unresolvable. With the right working group and some reasonable compromises, these points can be reconciled.

In fact, those conversations are already happening. Of course there has been no shortage of positions when it comes to privacy, ranging from ideas of notice and choice to proposals around new duties of care or loyalty.

One possible finesse would be a responsible data approach that works in practice, across a growing digital economy.

For example, we could start by giving consumers reasonable baseline assurances around transparency and control.

And we could build on that, by requiring responsible data practices — like privacy reviews and data minimization — that could be easy to implement and promote shared processes for protecting people’s data. Norms around good development processes could improve privacy practices for everyone.

But the time to act is now.

A U.S. privacy law would align us all on the privacy measures that people want and promote confidence in U.S. companies and our digital ecosystem.

It would increase trust in U.S. leadership, as we promote cross-border data flows and compatible, pro-privacy, pro-innovation rules around the world.

It would give everyone much-needed clarity and consistency so that organizations spend less time trying to navigate inconsistent rules and more time preventing harm and responsibly innovating – the kind of work that yields research breakthroughs and a stronger U.S. economy.

There’s no question that getting it done will take thoughtful compromises. Compromises by different groups in Congress. Compromises by advocates. And compromises by companies, including Google, who are used to doing business in certain ways. But that’s what we need to get this done.

Whatever final legislation comes out of the negotiations won’t be perfect, and it won’t address every concern. But we urge both businesses and advocates not to make the perfect the enemy of the good. Or of better, more consistent protections for all Americans.

In closing, I’ll say this: Google is an engineering company — and we look at problems from an engineering perspective. When we spot an issue with our services, we make fixing it a priority, and we often move engineers from other projects to help.

This is that all-hands-on-deck moment for privacy.

The vast majority of Americans want a federal privacy law. In fact, we’ve never seen such broad-based, bipartisan consensus about the need for that law.

It’s a moment for Congress to come together, on a bipartisan basis, and deliver for the American people.

Lawmakers and regulators face an important challenge, and an important opportunity. We pledge our support for that effort, and we hope that a broad cross-section of stakeholders will join together in support of their work.

The Trans-Atlantic Data Privacy Framework: Building for the long term

We commend the European Commission and U.S. government on the work they’ve done to reach a new Trans-Atlantic Data Privacy Framework.

People want to be able to use digital services from anywhere in the world and know that their privacy is respected, and their information safe and protected. This agreement acknowledges that reality: it commits the parties to a high standard of data protection while establishing a reliable and durable foundation for the future of internet services on both sides of the Atlantic.

A meaningful agreement

The work to get to this stage was anything but trivial, and required addressing important considerations of both national security and individual privacy. Google has long advocated reasonable limits on government surveillance. The U.S. government has now committed to systems that will enable independent and meaningful redress for people in the EU, strengthen the guardrails and proportionality of U.S. intelligence collection, and ensure effective oversight of these new privacy and civil liberties standards in ways that address the concerns articulated by the Court of Justice of the European Union.

Citizens expect these safeguards from democratically elected governments, even as they understand the importance of protecting people from national security threats.

Building for the long term

People rely more than ever before on the global exchange of information in their daily lives. Everything from online shopping and travel to business operations and security depends on data flows across borders. The Framework guarantees that the tools and services people in the EU use every day will remain available, even while being held to the highest standards of privacy and data protection.

We look forward to certifying our processes under the Trans-Atlantic Data Privacy Framework at the first opportunity. For Google, these (and similar) standards serve as a floor, not a ceiling, for the protections we offer our users and customers. We already help our customers meet stringent data protection requirements by offering industry-leading technical controls, contractual commitments, and resources for risk assessment, and we have long offered leading data access and control tools to our users. Our investment in that work continues to grow.

Sustaining transatlantic cooperation

The Framework shows that it is possible to take difficult steps to reinforce transatlantic cooperation and address emerging security and information threats. This urgency should carry over to enacting a robust new U.S. federal privacy law to align with international standards and enhance trust and confidence in digital services.

For similar reasons, we called eight months ago for the creation of the Transatlantic Trade & Technology Council (TTC) to enable the kind of bilateral coordination necessary to get ahead of future challenges and ensure that the U.S. and EU avoid discordant or discriminatory approaches. We were encouraged by the creation of the TTC and its commitment to avoiding unnecessary barriers to technological trade. There is now a need for progress in other areas of transatlantic divergence, from online content to taxation to competition to supply chains.

The importance of safe, resilient distributed computing in the face of war and autocracy makes this work even more urgent. As the TTC prepares for its next meeting, it is more important than ever that it carry forward the lessons of the Trans-Atlantic Data Privacy Framework to promote a durable digital partnership.