Tag Archives: safety and security

Extending enterprise zero trust models to the web

For over a decade, Chrome has been committed to advancing security on the web, and we’re proud of the end-user and customer safety improvements we’ve delivered over the years. We take our responsibility seriously, and we continue to work on ways to better protect billions of users around the world, whether it’s driving the industry towards HTTPS, introducing and then advancing the concept of a browser sandbox, improving phishing and malware detection via Safe Browsing improvements or working alongside Google’s Project Zero team to build innovative exploit mitigations. 

To continue our work of making a safer web for everyone, we’ve partnered with Google’s Cloud Security team to expand what enterprises should expect from Chrome and web security. Today the Cloud Security team is announcing BeyondCorp Enterprise, our new zero trust product offering, built around the principle of zero trust: that access must be secured, authorized and granted based on knowledge of identities and devices, and with no assumed trust in the network. With Chrome, BeyondCorp Enterprise is able to deliver customers a zero trust solution that protects data, better safeguards users against threats in real time and provides critical device information to inform access decisions, all without the need for added agents or extra software. These benefits are built right into Chrome, where users are already spending much of their workday accessing the apps and resources they need to be productive, and IT teams can easily manage these controls right through our Chrome Browser Cloud Management offering.

By extending zero trust principles to Chrome, we’re introducing the following advanced security capabilities that will help keep users and their company data safer than ever before:

Enhanced malware and phishing prevention: BeyondCorp Enterprise allows for real-time URL checks and deep scanning of files for malware.

Notification that reads "sample.zip is dangerous, so Chrome has blocked it."

Sensitive data protection across the web:IT teams can enforce a company’s customized rules for what types of data can be uploaded, downloaded or copied and pasted across sites.

Notification that reads "This file has sensitive or dangerous content. Remove this content and try again.

Visibility and insights: Organizations can get more insights into potential risks or suspicious activity through cloud-based reporting, including tracking of malicious downloads on corporate devices or employees entering passwords on known phishing sites. 

Three bar charts labeled "Chrome high risk users," "Chrome high risk domains," and "Chrome data protection summary."

Including Chrome in your zero trust strategy is critical not only because your employees spend much of the working day in the browser, but also because Chrome is in a unique position to identify and prevent threats across multiple web-based apps. Enhanced capabilities surrounding data protection and loss prevention protects organizations from both external threats and internal leak risks, many of which may be unintentional. We’ve built these capabilities into Chrome in a way that gives IT and security teams flexibility around how to configure policies and set restrictions, while also giving administrators more visibility into potentially harmful or suspicious activities. Naturally, these threat and data protections are also extended to Chrome OS devices, which offer additional proactive and built-in security protections.  

As with many of the major security advances Chrome has introduced in the past, we know it takes time to adopt new approaches. We’re here to help with a solution that is both simple and more secure for IT teams and their users. As you look at 2021 and where your security plans will take you, check out BeyondCorp Enterprise

Chrome will host a webinar on Thursday, January 28, highlighting some of our recent enterprise enhancements, and offering a preview of what’s to come in 2021. We’ll also talk more about the Chrome-specific capabilities of BeyondCorp Enterprise. We hope you can join us!

Source: Google Chrome

Guest Mode: An easy privacy control for your home devices

It's our responsibility to respect your privacy, no matter what device you're using. That's why Google Assistant is built to automatically keep your information private, safe and secure. By default, we don’t save your audio recordings and you can ask Google Assistant questions like “How do you keep my information private?” or delete activity from your Google Account by saying things like “Hey Google, delete everything I said to you this week.” 

Last year, we also added a way to adjust how sensitive Google Assistant is to the phrase “Hey Google,” giving you more ways to reduce unintentional activations. And as more people discover the convenience of smart speakers and displays, we want to make sure it’s as easy to control how Google Assistant works with your data as it is to play your favorite song.

“Hey Google, tell me about Guest Mode” 

Today, we’re introducing Guest Mode, another easy way to control your privacy on smart speakers and Smart Displays, like Nest Audio and Nest Hub Max. Just say, “Hey Google, turn on Guest Mode,” and your Google Assistant interactions will not be saved to your account. While in Guest Mode, you can enjoy popular features, like asking questions, controlling smart home devices, setting timers and playing music. Your device won’t show personal results, like your calendar entries or contacts, until you turn the mode off. 

Once Guest Mode has been turned on, your device will play a special chime and you’ll see a guest icon on the display. If you’re ever unsure if you’re in Guest Mode, you can always ask your device, “Is Guest Mode on?” Guest Mode will stay on until you choose to turn it off: When you’re ready, say “Hey Google, turn off Guest Mode” to return to your full, personalized Google Assistant experience. 

Animated GIF showing

More privacy for your shared devices

Recently, I was looking up new recipes to surprise my family with a nice New Year’s Eve dinner, but didn’t want those suggestions to appear on our Smart Display and spoil my plans. By turning on Guest Mode I could ask Google for recipes suggestions knowing that research wouldn’t show up in my history, and without having to manually go through my settings or toggle other controls on and off. When I finished, I turned Guest Mode off so I could enjoy my fully personalized Assistant and use things like my custom routine, which helps me unwind by playing my favorite jazz music and prepares me for the next day by reviewing my calendar.

Guest Mode can also come in handy when you have people over and you don't want their interactions with your device to be saved to your account. You or your guests can easily turn it on and off at any time. Whatever your reason, we know there are times you may not want your own Google Assistant interactions saved — the choice is always yours. When you use your Assistant in Guest Mode to interact with other apps and services, like Google Maps, YouTube or media and smart home services, those apps may still save that activity. You can find more information here.

Google Assistant is designed to automatically safeguard your privacy and offer simple ways for you to control how it works with your data. Try Guest Mode today on Google Nest speakers and displays in English, and we’ll be bringing it to more languages and devices in the next few months. For more information, just say, “Hey Google, tell me about Guest Mode” to your Google speaker or smart display, or visit g.co/assistant/guestmode. 

Our work to keep you safe and in control of your privacy

Building helpful products starts with keeping you and your information safe online. The data you trust us with provides helpful and personalized experiences for you in Google products, whether it’s letting you know if you’ve been near someone with COVID-19, or simply being able to find an old email with a special family recipe. It’s also why we keep you and your data safe, and provide easy-to-use settings that put you in control. 

Our privacy and security engineers remain focused on building the most advanced protections into the products you use every day. Treating your information responsibly, protecting it with world-class security and keeping you in control are the principles that guide our work. 

Today we’re sharing a look back at how we kept you safe in the last year, and the ways we’re always working to keep you in control of your privacy.

Responsible data practices designed to keep your personal information safe

The COVID-19 pandemic brought unprecedented challenges in 2020, and we helped people stay safe and informed last year. We worked with Apple to launch the Exposure Notifications System to help with contact tracing in a privacy-preserving way. All Exposure Notification matching happens on your device, and the system does not share your identity with other users, Apple, or Google, nor does it collect or use the location from your device. We continue to make this technology available to public health authorities globally, and now more than 50 countries and states have launched Exposure Notification apps in six months, including most recently California. And people are downloading their regional apps: Forty percent of the population in the UK have downloaded the app, and in the United States, 53 percent of Washington, D.C. residents have enabled Exposure Notifications. 

We continue to invest in differential privacy—the world-class anonymization technology used in our products every day—and have made it available to all developers through an open-source version of the differential privacy library. In the last year, we’ve released new versions of the library to make it even easier for developers to use. Our COVID-19 Community Mobility Reports also use differential privacy to help public health officials as they make critical decisions for their communities. As we head into 2021, we’ll continue to invest in these privacy technologies to help keep your personal information private and secure.

World-class security that protects you automatically

Protecting your privacy starts with the world’s most advanced security. Last year we continued  to invest in industry leading security that automatically detects and blocks a wide range of threats to keep people safe online. One example is Safe Browsing, which gives you state-of-the-art protections from phishing, malware and other web-based threats when you use Chrome. And we continue to work on our long-term effort to make the web more private and secure with the Privacy Sandbox initiative and will share more updates soon. Google Workspace regularly adds new security and privacy safeguards to keep our customers and users and their information protected, including for Google Meet that continues to keep your video meetings for work, school or family gatherings safe. And when it comes to keeping your passwords safe, Google’s Password Manager and Security Checkup help by automatically offering to save your passwords and making them more secure, and Sign-in with Google continues to make it easier to securely sign into new apps and sites—now with just one tap.
GIF showing Google’s Password Manager and Security Checkup, including a notification suggesting changing compromised passwords

New, simple ways to control what gets saved and deleted across platforms and devices

As we work to keep your data private and secure, we’re also always working to make it easy for you to manage or delete it. We launched auto-delete controls so you can choose to have Google automatically and continuously delete activity data from your Google Account after 3, 18 or 36 months. Last June we made auto-delete the default when you first turn on your core activity settings, which are Location History, Web & App Activity and YouTube History. We also brought Incognito mode to Google’s most popular apps, including Maps, Search and YouTube, so you can use those products without saving your activity data to your Google Account. Last year Chrome rolled out new controls to help you simply manage your information and we announced Guest mode as a new way to use your Google Assistant on home devices.
The auto-delete options for your data

Easy-to-use Account controls and settings 

In 2020 we continued to invest in easy-to-use privacy and security settings, which are automatically built into every Google Account and Google products. How you use our products and services is a personal choice: When you sign up for Google products and services, we offer you settings that let you choose how to personalize your experience, and control what activity gets saved to your Google Account. And you can change these settings at any time. 

These privacy and security controls are available in your Google Account and the products you use every day across platforms and devices, including on iOS. For example, Your Data in Search, Maps and YouTube helps you easily understand how data makes these apps work for you and quickly access the right controls, directly in the apps. You can also just search for things like “Is my Google Account secure?” and a box only visible to you will show your privacy and security settings so you can easily review or adjust them. Google Pay, which was recently redesigned in the U.S., has strong privacy and security controls built-in that are easy to understand and simple to set up, access and manage.
GIF showing "Your data in Search" and the ability to delete Search activity

As Google’s iOS apps are updated with new features or to fix bugs, you’ll see updates to our app page listings that include the new App Privacy Details. These labels represent the maximum categories of data that could be collected—meaning if you use every available feature and service in the app. The data you provide to Google products delivers helpful services to you, and you can always control your privacy settings by visiting your Google Account or going directly to the Google products you use on iOS.

Keeping you safe online is core to everything we do. And as we make privacy and security advancements in 2021, we’ll continue to advocate for sensible data regulations around the world, including strong, comprehensive federal privacy legislation in the U.S. We look forward to sharing more with you about our ongoing work in the coming weeks and months. Visit our Safety Center to learn more about how our products keep you safe every day.

How you’ll find accurate and timely information on COVID-19 vaccines

Since the outbreak of COVID-19, teams across Google have worked to provide quality information and resources to help keep people safe, and to provide public health, scientists and medical professionals with tools to combat the pandemic. We’ve launched more than 200 new products, features and initiatives—including the Exposure Notification API to assist contact tracing—and have pledged over $1 billion to assist our users, customers and partners around the world. 

As the world turns its focus to the deployment of vaccines, the type of information people need will evolve. Communities will be vaccinated at an unprecedented pace and scale. This will require sharing information to educate the public, including addressing vaccine misperceptions and hesitance, and helping to surface official guidance to people on when, where and how to get vaccinated. 

Today, we’re sharing about how we’re working to meet these needs—through our products and partnering with health authorities—while keeping harmful misinformation off our platforms. 

Raising authoritative information

Beginning in the United Kingdom, we’re launching a new feature on Search so when people look up information for COVID-19 vaccines, we will surface a list of authorized vaccines in their location, as well as information panels on each individual vaccine. As other health authorities begin authorizing vaccines, we’ll introduce this new feature in more countries.

Vaccine information on Google Search

Launched in March, our COVID-19 information panels on YouTube have been viewed 400 billion times, making them an important source of authoritative information. These panels are featured on the YouTube homepage, and on videos and in search results about the pandemic. Updates to the panels will connect people directly to vaccine information from global and local health authorities. Because YouTube creators are a trusted voice within their communities, we’re also supporting creators by connecting them with leading health experts to make helpful and engaging content for their audiences about COVID-19 and vaccines. 

Since the beginning of the pandemic, we’ve given $250 million in Ad Grants to help more than 100 government agencies around the world run critical public service announcements about COVID-19. Grantees can use these funds throughout 2021, including for vaccine education and outreach campaigns, and we’re announcing today an additional $15 million in Ad Grants to the World Health Organization (WHO) to assist their global campaign.

Supporting quality reporting and information on vaccines

Journalism continues to play a crucial role in informing people about the pandemic, sharing expert knowledge about vaccines, and proactively debunking misinformation about the immunization process. In April, we gave $6.5 million to support COVID-19 related fact-checking initiatives, which have provided training or resources to nearly 10,000 reporters around the world.

Now, the Google News Initiative is providing an additional $1.5 million to fund the creation of a COVID-19 Vaccine Media Hub and support new fact-checking research. Led by the Australian Science Media Centre, and with support from technology non-profit Meedan, the hub will be a resource for journalists, providing around-the-clock access to scientific expertise and research updates. The initiative includes science media centers and public health experts from Latin America, Africa, Europe, North America and the Asia-Pacific region, with content being made available in seven languages. 

To better understand what type of fact-checking can effectively counteract misinformation about vaccines, we’re funding research by academics at Columbia, George Washington and Ohio State universities. This research project will survey citizens in ten countries to find out what kinds of formats, headlines and sources are most effective in correcting COVID-19 vaccine misinformation and whether fact checks that follow these best practices impact willingness to get vaccinated.

Protecting our platforms against misinformation 

Across our products, we’ve had long-standing policies prohibiting harmful and misleading medical or health-related content. When COVID-19 hit, our global Trust and Safety team worked to stop a variety of abuses stemming from the pandemic: phishing attempts, malware, dangerous conspiracy theories, and fraud schemes. Our teams have also been planning for new threats and abuse patterns related specifically to COVID-19 vaccines. For example, in October, we expanded our COVID-19 medical misinformation policy on YouTube to remove content about vaccines that contradicts consensus from health authorities, such as the Centers for Disease Control or the WHO. Our teams have removed more than 700,000 videos related to dangerous or misleading COVID-19 medical information. We also continue to remove harmful COVID-19 misinformation across other products like Ads, Google Maps, and the Play store.

The fight against the pandemic and the development of new vaccines has required global collaboration between the public health sector, and the scientific and medical communities. As work begins to vaccinate billions of people, we’ll support these efforts with additional products and features to ensure people have the right information at the right time. 

Our work on the 2020 U.S. election

It’s been over a month since polls closed in the U.S. 2020 election, and more Americans voted in this election than in any recent Presidential race. In the months—and years—leading up to this cycle, our teams worked hard to create tools that help voters find authoritative information about the election, educate campaigns on how to connect with voters and equip them with best-in-class security features, and protect our platforms from abuse. 

After Election Day, as votes were still being counted, we continued this work to show timely election results from The Associated Press (AP) on Google. We also enforced a Sensitive Events ads policy after polls closed, temporarily pausing more than 5 million ads referencing the U.S. 2020 election, the candidates, or its outcome as election results were certified. This week, we are lifting this pause and allowing advertisers to continue running election-related ads on our platforms, as long as they comply with our global advertising policies.

Record numbers of voters engaged with Google tools

We know that people turn to Google to look for information on a variety of topics, and the U.S. 2020 election would be no different. In fact, this U.S. election cycle saw all-time highs in searches for civics-related topics. We worked to create and launch features that would help people find the information they needed to participate in the democratic process. We introduced several features to help voters find information about how to register and how to vote in their states, and as the election neared, we also helped people find polling and ballot drop off locations. Across our products, these features were seen nearly 500 million times. 

We worked with non-partisan, third-party data partners, such as Democracy Works, which aggregates official data directly from state and county election administrators, and we linked to state government official websites for more information. Using this data, we also made it easy for people to quickly find nearby voting locations in Google Maps, along with information about how far they were, how to get there, and voting hours. From mid-October through Election Day, we added more than 125,000 voting locations in Google Maps. 

We also showed “how to register” and “how to vote” reminders to all our U.S. users directly on Google Search, Maps and YouTube, to help everyone across the country find the information they needed to register to vote, find their voting locations, and cast their ballots. These reminders were seen over 2 billion times across our products. And starting on Election Day, we worked with the AP to provide real-time election results for relevant searches on Google. This results feature had more than six times the number of views in 2020 as in 2016. Additionally, YouTube linked to this results feature in its election results information panel, which was shown over 4.5 billion times.

How we helped educate and protect campaigns

We also focused on helping campaigns and elected officials effectively use Google and YouTube products to reach voters and on helping them enhance their election security. As part of our Civics Outreach Virtual Training Series, Google held 21 training sessions for over 900 candidates, campaigns, public officials, and nonprofit leaders. Overall, we held 45 group and individual trainings to help more than 2,900 election workers learn to use Google tools to amplify their message and better connect with voters through events like digital town halls, debates and virtual campaign rallies.

And as a part of our Election Cybersecurity Initiative with the University of Southern California’s Annenberg School, nearly 4,000 elected officials, secretaries of state, campaign staffers, political party representatives, and state election directors in all 50 states received training on ways to secure their information and protect their campaigns against cyberattacks. At the start of the 2020 election season, we partnered with Defending Digital Campaigns (DDC) to give any federal campaign access to free security keys—the strongest form of two-factor authentication. We helped DDC distribute more than 10,500 Advanced Protection kits. Now, we continue to educate campaigns and newly elected officials about digital security and encourage them to enroll in our Advanced Protection Program.

Protecting our platforms from abuse

In the years leading up to the 2020 election, we made numerous enhancements to protect the integrity of elections around the world and better secure our platforms: we introduced strict policies and restrictions around who can run election-related advertising on our platform; we launched comprehensive political ad libraries in the U.S., the UK, the European Union, India, Israel and New Zealand; we developed and implemented policies to prohibit election-related abuse such as voter suppression and deceptive practices on platforms like YouTube, Google Ads, Google Maps and Google Play; our Threat Analysis Group (TAG) launched a quarterly bulletin to provide regular updates on our work to combat coordinated influence operations across our platforms and flagged phishing attempts against the presidential campaigns this summer; and we worked closely with government agencies, including the FBI’s Foreign Influence Task Force, and others companies to share information around suspected election interference campaigns. 

And long before any voting in this election started, our global Trust and Safety teams were already working through possible threat scenarios and abuse vectors related to the election. These teams work in a variety of roles to help develop and enforce our policies in an apolitical and non-partisan way, monitor our platforms for abuse, and protect users from everything from account hijackings and disinformation campaigns to misleading content and inauthentic activity. We estimate that we spent at least $1 billion over the past year on content moderation systems and processes. We continue to invest aggressively in this area.

The job of protecting our platforms from abuse is always a top priority, but especially during sensitive times like elections. Our election integrity work may not directly drive Google’s business, but it’s a crucial part of our responsibility to our users and to the democratic process. That’s why our teams are already looking at what's coming up next—including 2021 elections in the U.S., the Netherlands, Japan, Israel, Ecuador and many other countries.

Source: Search

Making Chrome extensions more private and secure

Every day 4 million Chrome extensions are downloaded, and with more than 250,000 extensions and themes available on the Chrome Web Store, no two Chrome browsers are alike. From productivity and learning tools to entertainment and shopping, extensions on Chrome open up a new world of possibilities that let you customize your experience and help you get things done. We make sure the extensions that our developers build meet your expectations for privacy and security so you can continue to explore and enjoy browsing the web with Chrome. Here's how we’ve improved in 2020 and what’s coming next year:

Stricter privacy rules and more control over your data

In 2021, we’ll change how extensions access data and how permissions work when an extension is installed. You will get to determine which websites the extension can access when you browse the web, instead of letting the extension decide. These updates follow other changes we made this year when we introduced the puzzle icon on the toolbar to make extension controls more visible and granular. 

Once you grant an extension permission to access a website's data, that preference can be saved for that domain. You can also still decide to grant an extension access to all the websites you visit, but that is no longer the default.

Gif showing that you will be able to manage the extension’s permissions, so you control which websites it can access as you browse the web.

In 2021, you will be able to manage the extension’s permissions, so you control which websites it can access as you browse the web. 

Transparent extensions’ data usage

We’ve also been improving our developer policies to make extensions more transparent. Starting January 18th, every extension will publicly display its “privacy practices” which will use clear visuals and simple language to explain the data they collect and use. We’re also limiting what developers can do with the data they collect. 

Image showing user interface for Chrome extension "privacy practices" feature

You will find the new privacy practices overview right on the extension listing.

More security updates to keep you safe

Over the last year,  we’ve updated our security practices to help us identify more harmful extensions before they enter the Chrome Web Store. For instance, thanks to our integration with Google Safe Browsing, the number of malicious extensions that Chrome disabled to protect people grew by 81 percent.

Earlier this year we also updated Chrome’s Safety check in Settings to help you quickly confirm if harmful extensions are installed and learn how to remove them. Next year, we’re planning to launch more protections through Enhanced Safe Browsing

Image showing user interface for Chrome’s Safety check. Image dialogue box reading "2 potentially harmful extensions are off. You can also remove them."

If malicious extensions are installed, Chrome’s Safety check will tell you how to remove them.

Ready to start customizing your experience on Chrome? Check out the extension collections we feature on the Chrome Web Store, including the regularly updated Editor’s Pick, Staying at home, Enhance your gameplay or Personalize Chrome collections. Our priority is to continue developing features that protect your data and keep you safe, while you choose extensions that help you get the best out of Chrome.

Decrypted: How Heather Adkins thinks about security

Heather was hacked and the rest is history. 

An 18-year veteran of Google’s security team, Heather Adkins’ interest in security was sparked when the small ISP she worked for in college suffered a data breach. Her reaction to the incident wasn’t exactly typical:

“Most people when they get hacked, panic. There's a sense of fear, and a sense of unknowing. But I did not panic or have any fear—I was really excited! I felt very curious: I wanted to know how the attackers did this, how they managed to bypass our security. And I fell in love with the role.”

In our latest edition of Public Key, Google's director of information security discusses the details of incident detection and response—“the function of security that looks for hackers and kicks them out of the network,” why COVID-19 marks a turning point in her team’s approach to securing people working and learning from home, how medieval history informs her work, and the future of online security.

More from this Series

Public Key

Googlers and academics share their thoughts about our approach to security and how product design, threats to high-risk users, research partnerships and medieval history (yup!) contribute to the ways we protect people online. 

View more from Public Key

Public Key: Sharing our approach to security

In asymmetric cryptography, a common system for encrypting data, there are two decryption tools, or “keys.” The first is a private key that only the user knows, and the other is a public key, which is safe to share with everyone. 

Public Key is also the name of a new series about our approach to security, across Google. From home offices everywhere, Googlers and academics share their thoughts about how product design, threats to high-risk users, research partnerships, medieval history (yup!) and more, contribute to the ways we protect people online. We want to make sure people aren’t just aware of our automatic protections, but understand the thinking behind them too. That’s always been the case, but at this particular moment in time, it’s especially important.

You can think of this series as a public key, for Google security…on the Keyword. For a peek at what we’ll be covering, watch our video above. And stay tuned for more over the coming weeks.

More from this Series

Public Key

Googlers and academics share their thoughts about our approach to security and how product design, threats to high-risk users, research partnerships and medieval history (yup!) contribute to the ways we protect people online. 

View more from Public Key

Why design is important to security

Security is usually invisible. More often than not, we just protect you automatically and you don’t need to lift a finger. But sometimes, we’ll notify you and suggest that you take action to better secure your information, like check your Account activity after we block a suspicious attempt to sign in. Whether the issue is critical or less serious, getting these notifications right—making sure they’re written clearly and presented in a simple and useful way—is really important. These alerts shouldn’t just keep you safe, but help you feel safe too. 

Over the years, we’ve made changes to our notifications that have had a big impact on people’s security. In 2015 for example, we started using Android alerts to notify people about critical issues with their Google Accounts, like a suspected hack. Compared to email, we saw a 20-fold increase in the number of people that engaged with these new notifications within an hour of receiving them.

Today we announced a new type of critical alert that will display within the Google app you’re using. So we thought it was a good time to dive a bit deeper into the thinking behind how we develop useful security notices. In this video, Jonathan Skelker, a product manager who specializes in alerts and notifications, and Niti Arora, a UX designer for Google security, discuss how we think about communicating with users in our products to help them feel safe.

More from this Series

Public Key

Googlers and academics share their thoughts about our approach to security and how product design, threats to high-risk users, research partnerships and medieval history (yup!) contribute to the ways we protect people online. 

View more from Public Key