Tag Archives: Safety & Security

Why we’re committing $10 billion to advance cybersecurity

We welcomed the opportunity to participate in President Biden’s White House Cyber Security Meeting today, and appreciated the chance to share our recommendations to advance this important agenda. The meeting comes at a timely moment, as widespread cyberattacks continue to exploit vulnerabilities targeting people, organizations, and governments around the world.


That’s why today, we are announcing that we will invest $10 billion over the next five years to strengthen cybersecurity, including expanding zero-trust programs, helping secure the software supply chain, and enhancing open-source security. We are also pledging, through the Google Career Certificate program, to train 100,000 Americans in fields like IT Support and Data Analytics, learning in-demand skills including data privacy and security. 


Governments and businesses are at a watershed moment in addressing cybersecurity. Cyber attacks are increasingly endangering valuable data and critical infrastructure. While we welcome increased measures to reinforce cybersecurity, governments and companies are both facing key challenges: 


First, organizations continue to depend on vulnerable legacy infrastructure and software, rather than adopting modern IT and security practices. Too many governments still rely on legacy vendor contracts that limit competition and choice, inflate costs, and create privacy and security risks. 


Second, nation-state actors, cybercriminals and other malicious actors continue to target weaknesses in software supply chains and many vendors don’t have the tools or expertise to stop them. 


Third, countries simply don’t have enough people trained to anticipate and deal with these threats. 


For the past two decades, Google has made security the cornerstone of our product strategy. We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on our services. We keep more users safe than anyone else in the world — blocking malware, phishing attempts, spam messages, and potential cyber attacks. We’ve published over 160 academic research papers on computer security, privacy, and abuse prevention, and we warn other software companies of weaknesses in their systems. And dedicated teams like our Threat Analysis Group work to counter government-backed hacking and attacks against Google and our users, making the internet safer for everyone.


Extending the zero-trust security model 

We’re one of the pioneers in zero-trust computing, in which no person, device, or network enjoys inherent trust. Trust that allows access to information must be earned. We’ve learned a lot about both the power and the challenges of running this model at scale.


Implemented properly, zero-trust computing provides the highest level of security for organizations.  We support the White House effort to deploy this model across the federal government. 


As government and industry work together to develop and implement zero-trust solutions for employee access to corporate assets, we also need to apply the approach to production environments. This is necessary to address events like SolarWinds, where attackers used access to the production environment to compromise dozens of outside entities. The U.S. government can encourage adoption by expanding zero-trust guidelines and reference architecture language in the Executive Order implementation process to include production environments, which, in addition to application segmentation, substantially improves an organization’s defense-in-depth strategy.


Securing the software supply chain 

Following the SolarWinds attack, the software world gained a deeper understanding of the real risks and ramifications of supply chain attacks. Today, the vast majority of modern software development makes use of open source software, including software incorporated in many aspects of critical infrastructure and national security systems. Despite this, there is no formal requirement or standard for maintaining the security of that software. Most of the work that is done to enhance the security of open source software, including fixing known vulnerabilities, is done on an ad hoc basis.


That’s why we worked with the Open Source Security Foundation (OpenSSF) to develop and release Supply Chain Levels for Software Artifacts (SLSA or “salsa”), a proven framework for securing the software supply chain. In our view, wide support for and adoption of the SLSA framework will raise the security bar for the entire software ecosystem. 


To further advance our work and the broader community’s work in this space, we committed to invest in the expansion of the application of our SLSA framework to protect the key components of open-source software widely used by many organizations. We also pledged to provide $100 million to support third-party foundations, like OpenSSF, that manage open source security priorities and help fix vulnerabilities.


Strengthening the digital security skills of the American workforce

Robust cybersecurity ultimately depends on having the people to implement it. That includes people with digital skills capable of designing and executing cybersecurity solutions, as well as promoting awareness of cybersecurity risks and protocols among the broader population. In short, we need more and better computer security education and training.  


Over the next three years, we're pledging to help 100,000 Americans earn Google Career Certificates in fields like IT Support and Data Analytics to learn in-demand skills including data privacy and security. The certificates are industry-recognized and supported credentials that equip Americans with the skills they need to get high-paying, high-growth jobs. To date, more than half of our graduates have come from backgrounds underserved in tech (Black, Latinx, veteran, or female). 46% of our graduates come from the lowest income tertile in the country. And the results are strong: 82% of our graduates report a positive career impact within six months of graduation. Additionally, we will train over 10 million Americans in digital skills from basic to advanced by 2023.


Leading the world in cybersecurity is critical to our national security. Today’s meeting at the White House was both an acknowledgment of the threats we face and a call to action to address them. It emphasized cybersecurity as a global imperative and encouraged new ways of thinking and partnering across government, industry and academia. We look forward to working with the Administration and others to define and drive a new era in cybersecurity. Our collective safety, economic growth, and future innovation depend on it.


Giving kids and teens a safer experience online

We're committed to building products that are secure by default, private by design, and that put people in control. And while our policies don’t allow kids under 13 to create a standard Google account, we’ve worked hard to design enriching product experiences specifically for them, teens, and families. Through Family Link, we allow parents to set up supervised accounts for their children, set screen time limits, and more. Our Be Internet Awesome digital literacy program helps kids learn how to be safe and engaged digital citizens; and our dedicated YouTube Kids app, Kids Space and teacher approved apps in Play offer experiences that are customized for younger audiences.

Technology has helped kids and teens during the pandemic stay in school through lockdowns and maintain connections with family and friends. As kids and teens spend more time online, parents, educators, child safety and privacy experts, and policy makers are rightly concerned about how to keep them safe. We engage with these groups regularly, and share these concerns.

Some countries are implementing regulations in this area, and as we comply with these regulations, we’re looking at ways to develop consistent product experiences and user controls for kids and teens globally. Today, we’re announcing a variety of new policies and updates.

Giving minors more control over their digital footprint

While we already provide a range of removal options for people using Google Search, children are at particular risk when it comes to controlling their imagery on the internet. In the coming weeks, we’ll introduce a new policy that enables anyone under the age of 18, or their parent or guardian, to request the removal of their images from Google Image results. Of course, removing an image from Search doesn’t remove it from the web, but we believe this change will help give young people more control of their images online.

Tailoring product experiences for kids and teens

Some of our most popular products help kids and teens explore their interests, learn more about the world, and connect with friends. We’re committed to constantly making these experiences safer for them. That’s why in the coming weeks and months we're going to make a number of changes to Google Accounts for people under 18:

  • YouTube: We’re going to change the default upload setting to the most private option available for teens ages 13-17. In addition, we’ll more prominently surface digital wellbeing features, and provide safeguards and education about commercial content. Learn more about these changes on the YouTube Blog (https://blog.youtube/news-and-events/new-safety-and-digital-wellbeing-options-younger-people-youtube-and-youtube-kids/).
  • Search: We have a range of systems, tools, and policies that are designed to help people discover content from across the web while not surprising them with mature content they haven’t searched for. One of the protections we offer is SafeSearch, which helps filter out explicit results when enabled and is already on by default for all signed-in users under 13 who have accounts managed by Family Link. In the coming months, we’ll turn SafeSearch on for existing users under 18 and make this the default setting for teens setting up new accounts.
  • Assistant: We’re always working to prevent mature content from surfacing during a child’s experience with Google Assistant on shared devices, and in the coming months we’ll be introducing new default protections. For example, we will apply our SafeSearch technology to the web browser on smart displays.
  • Location History: Location History is a Google account setting that helps make our products more useful. It's already off by default for all accounts, and children with supervised accounts don’t have the option of turning Location History on. Taking this a step further, we’ll soon extend this to users under the age of 18 globally, meaning that Location History will remain off (without the option to turn it on).
  • Play: Building on efforts like content ratings, and our "Teacher-approved apps" for quality kids content, we're launching a new safety section that will let parents know which apps follow our Families policies. Apps will be required to disclose how they use the data they collect in greater detail, making it easier for parents to decide if the app is right for their child before they download it.
  • Google Workspace for Education: As we recently announced, we’re making it much easier for administrators to tailor experiences for their users based on age (such as restricting student activity on YouTube). And to make web browsing safer, K-12 institutions will have SafeSearch technology enabled by default, while switching to Guest Mode and Incognito Mode for web browsing will be turned off by default.

New advertising changes

We’ll be expanding safeguards to prevent age-sensitive ad categories from being shown to teens, and we will block ad targeting based on the age, gender, or interests of people under 18. We’ll start rolling out these updates across our products globally over the coming months. Our goal is to ensure we’re providing additional protections and delivering age-appropriate experiences for ads on Google.


New digital wellbeing tools

In Family Link, parents can set screen time limits and reminders for their kids’ supervised devices. And, on Assistant-enabled smart devices, we give parents control through Digital Wellbeing tools available in the Google Home app. In the coming months, we’ll roll out new Digital Wellbeing filters that allow people to block news, podcasts, and access to webpages on Assistant-enabled smart devices.

On YouTube, we’ll turn on take a break and bedtime reminders and turn off autoplay for users under 18. And, on YouTube Kids we’ll add an autoplay option and turn it off by default to empower parents to make the right choice for their families.


Improving how we communicate our data practices to kids and teens

Data plays an important role in making our products functional and helpful. It’s our job to make it easy for kids and teens to understand what data is being collected, why, and how it is used. Based on research, we’re developing engaging, easy-to-understand materials for young people and their parents to help them better understand our data practices. These resources will begin to roll out globally in the coming months.

Transparency Resources: The Family Link Privacy Guide for Children and Teens and the Teen Privacy Guide


Ongoing work and engagement

We regularly engage with kids and teens, parents, governments, industry leaders, and experts in the fields of privacy, child safety, wellbeing and education to design better, safer products for kids and teens. Having an accurate age for a user can be an important element in providing experiences tailored to their needs. Yet, knowing the accurate age of our users across multiple products and surfaces, while at the same time respecting their privacy and ensuring that our services remain accessible, is a complex challenge. It will require input from regulators, lawmakers, industry bodies, technology providers, and others to address it – and to ensure that we all build a safer internet for kids.

Nest’s commitments to privacy and security

Two years ago Nest shared our commitments to privacy to give you a better understanding of how our products work in your home. Today, we’re publishing new security commitments and putting it all in one place: Nest’s new Safety Center. The Safety Center is meant to give you a clear picture of the work we do each day to build trustworthy products and create a safer and more helpful home.


Our new security commitments include standards Google has long held as well as updates that are specific to Nest’s connected home devices and services. Finally, we want to acknowledge the way this technology is evolving (for example, our recent announcements on Matter and our work on Project Connected Home over IP). That’s why we’ve updated a small section in our privacy commitments to better reflect our focus on openness. Here are the details:


  1. We will validate our Google Nest devices using an independent security standard. Google Nest connected smart home devices introduced in 2019 or later are now validated using third-party, industry-recognized security standards, like those developed by the Internet of Secure Things Alliance (ioXt). And we publish the validation results so you can see how our products hold up according to those standards. Before new products launch we’ll assess them against these standards to make sure they’re meeting or exceeding them.
  2. We invest in security research to keep raising our standards. Google Nest participates in the Google vulnerability reward program. This provides monetary rewards for security researchers outside of Google who test our products and tell the Nest Security team about any vulnerabilities they find. This helps the Nest Security team learn about and get ahead of vulnerabilities, keeping Nest devices in your home more secure for the long run.
  3. We help protect your account security as the first step in safety. Your Google Account is your way into your Nest devices, and we take account security seriously. That’s why we help keep your Google Account secure with tools and automatic protections like suspicious activity detection, Security Checkup and two-step verification.
  4. We issue critical bug fixes and patches for at least five years after launch. We work hard to respond to the ever-changing technology and security landscape by building many lines of defense, including providing automatic software security updates that address critical issues known to Google Nest.
  5. We use verified boot to protect your devices. All our devices introduced in 2019 and after use verified boot, which checks that the device is running the right software every time it restarts. This helps make sure that no one has access to your account or control of your devices without your permission.
  6. We give you visibility into which devices are connected to your account. All the devices that you’re signed into will show up in your Google Account device activity page. That way, you can make sure your account is connected only to the devices it should be.

A helpful home is a safe home, and Nest’s new safety center is part of making sure Nest products help take care of the people in your life and the world around you.

Safer learning with Google for Education

When the Google for Education team designs products, we put the safety, security and privacy needs of our users first. This means keeping schools’ data safer with built-in security features that provide automated protection, compliance visibility and control, to ensure a private, safe and secure learning environment. We aim to support and protect the entire education community, and particularly teachers and students, so they can focus on what matters most: teaching and learning.

Everything we build is guided by three important principles:

  1. Secure by default: Protecting your privacy starts with the world’s most advanced security. Even before you set up security controls for your school’s digital environment specific to your needs, our built-in security is automatically protecting you from threats, like ransomware. 

  2. Private by design: We uphold responsible data practices designed to respect your privacy. Our products can be used in compliance with the most rigorous data privacy standards, including FERPA, COPPA and GDPR.  Google does not use data from Google Workspace for Education Core Services for advertising purposes, and users’ personal information is never sold.

  3. You’re in control: You own your data in Core Workspace Services, which means that you retain full intellectual property rights over your customer data, and you control who can download it, and when. You can get real-time alerts so you can act immediately if an incident occurs, and customize the security dashboard to get reports on your security status at any time. 

Introducing new features to provide more visibility and control

To help admins and teachers as they build safe digital learning environments, we’re adding additional features to provide more visibility and control. We are also updating our privacy notice to make it easier for teachers, parents and students to understand what information we collect and why we collect it. Nothing is changing about how your information is processed. Rather, we’ve improved the way we describe our practices and privacy controls with a simpler structure and clearer language.

Tailor access based on age

We’re launching a new age-based access setting to make it easier for admins to tailor experiences for their users based on age when using Google services like YouTube, Photos and Maps. Starting today, all admins from primary and secondary institutions must indicate which of their users, such as their teachers and staff, are 18 and older using organizational units or groups in Admin Console. After September 1, 2021, students who are under 18 will see changes in their experience across Google products. 

For example, after September 1, students designated as under 18 in K-12 domains can view YouTube content assigned by teachers, but they won’t be able to post videos, comment or live stream using their school Google account. Administrators should ensure that Google Takeout is turned on so that end users can download their data, like previously uploaded videos, using Google Takeout.

If admins don’t make a selection by September 1, primary and secondary institutions users will all default to the under-18 experience, while higher-education institutions users will default to the 18-and-older experience. These age-based settings are not locked and admins can always adjust them according to the age of their users.

New default experiences for Chrome users in K-12 institutions

Many schools already have policies in place for SafeSearch, SafeSites, Guest Mode and Incognito Mode, and we are updating their defaults to ensure a safer web browsing experience for K-12 institutions. Now, SafeSearch and SafeSites will be on by default, and Guest Mode and Incognito Mode will be off by default. Admins can still change each of these policies on Chrome OS for individual organization units, for example allowing the use of Guest Mode for users in their domain. 

The Google for Education team is committed to creating tools and services that are secure by default and private by design, all the while giving you complete control over your environment. 

6 new features on Android this summer

From keeping your account password safe to scheduling text messages to send at the right moment, we’re constantly rolling out new updates to the 3 billion active Android devices around the world. Today, we’re welcoming summer with six updates for your Android that focus on safety  — so you’re protected at every turn.


1. Android Earthquake Alerts System is rolling out globally

Earthquake alert screen that clicks through to an earthquake safety info screen

Last year, we embarked on a mission to build the world’s largest earthquake detection network, based on technology built into Android devices. With this free system, people in affected areas can get alerts seconds before an earthquake hits, giving you advance notice in case you need to seek safety. We recently launched the Android Earthquake Alerts System in New Zealand and Greece. Today, we’re introducing the Android Earthquake Alerts System in Turkey, the Philippines, Kazakhstan, Kyrgyz Republic, Tajikistan, Turkmenistan and Uzbekistan.

We are prioritizing launching Earthquake Alerts in countries with higher earthquake risks, and hope to launch in more and more countries over the coming year.


2. Star what’s important with the Messages app

With tons of messages from family, friends, colleagues and others, it’s easy for information to get lost. Now, you can star a message on your Messages app to keep track of what’s important, and easily find it later without scrolling through all of your conversations. Just tap and hold your message, then star it. And when you want to revisit a message, like your friend’s address or the photo from your family reunion, tap on the starred category. 


Starred messages will start to roll out more broadly over the coming weeks.


3. Find the perfect Emoji Kitchen sticker at the perfect time

After typing a message, relevant emoji mixes are proactively displayed at the top of the keyboard

In May, we introduced a new section in your recently used Emoji Kitchen stickers so you can quickly get back to the ones you use most frequently. Soon you’ll also start to see contextual suggestions in Emoji Kitchen once you’ve typed a message. These will help you discover the perfect emoji combination at the exact moment you need it.


Contextual Emoji Kitchen suggestions are available in Gboard beta today and are coming to all Gboard users this summer for messages written in English, Spanish and Portuguese on devices running Android 6.0 and above.


4. Access more of your favorite apps with just your voice

Ask Google to open or search many of your favorite apps using just your voice — you can say things like,  “Hey Google, pay my Capital One bill” to jump right into the app and complete the task or “Hey Google, check my miles on Strava” to quickly see your weekly progress right on the lock screen. See what else you can do by saying “Hey Google, shortcuts.” 


5. Improved Password Input and gaze detection on Voice Access

A gaze detection icon on a screen changes from crossed out to active when a character turns its head towards the device to speak the "scroll down" command in Voice Access

Built with and for people with motor disabilities, and helpful for those without, Voice Access gives you quick and efficient phone and app navigation with just your voice.


With gaze detection, now in beta, you can ask Voice Access to work only when you are looking at the screen — so you can naturally move between talking to friends and using your phone. 


Voice Access now has enhanced password input. When it recognizes a password field, it will let you input letters, numbers and symbols. For example, you can say “capital P a s s w o r d” or names of symbols (like “dollar sign” to input a $), so it’s faster to safely enter your password.


6. More customization and new app experiences on Android Auto

After a user taps on the Messages app icon and + New, Google Assistant is activated to help send a new message from the launcher screen

You can now customize more of your Android Auto experience for easier use, like personalizing your launcher screen directly from your phone and manually setting dark mode. It’s also easier to browse content with new tabs in your media apps, a “back to top” option and an A to Z button in the scroll bar. And, if it’s your first time using Android Auto, you can now get started faster in your car with a few simple taps.


We’ve also added new app experiences to help enhance your drive. EV charging, parking and navigation apps are now available to use in Android Auto. Plus, we’ve improved the messaging experience, so you can access your favorite messaging apps from the launcher screen. You can easily read and send new messages directly from apps like WhatsApp or Messages — now available globally.


These Android Auto features are available on phones running Android 6.0 or above, and when connected to your compatible car.

Our commitments for the Privacy Sandbox

We all expect a more private and secure web. The Privacy Sandbox initiative aims to help build it by developing new digital advertising tools to protect people’s privacy and prevent covert tracking, while supporting a thriving ad-funded web. From the start of this project, we have been developing these tools in the open, and sought feedback at every step to ensure that they work for everyone, not just Google. As many publishers and advertisers rely on online advertising to fund their websites, getting this balance right is key to keeping the web open and accessible to everyone. 


So when the United Kingdom’s Competition and Markets Authority (CMA) announced its formal investigation of the Privacy Sandbox in January, we welcomed the opportunity to engage with a regulator with the mandate to promote competition for the benefit of consumers. 


This process has also recognized the importance of reconciling privacy and competition concerns. In a first-of-its-kind review involving converging regulatory authorities and expertise, the United Kingdom’s privacy regulator, the Information Commissioner’s Office (ICO), is working collaboratively with, and providing direct input to, the CMA on Google’s approach.


Today we are offering a set of commitments — the result of many hours of discussions with the CMA and more generally with the broader web community — about how we’ll design and implement the Privacy Sandbox proposals and treat user data in Google’s systems in the years ahead. The CMA is now asking others in the industry for feedback on these commitments as part of a public consultation, with a view to making them legally binding. If the CMA accepts these commitments, we will apply them globally. 


The commitments


Consultation and collaboration  

Throughout this process, we will engage the CMA and the industry in an open, constructive and continuous dialogue. This includes proactively informing both the CMA and the wider ecosystem of timelines, changes and tests during the development of the Privacy Sandbox proposals, building on our transparent approach to date. We will work with the CMA to resolve concerns and develop agreed parameters for the testing of new proposals, while the CMA will be getting direct input from the ICO.  


No data advantage for Google advertising products 

Google has always had policies and practices to safeguard the use of people’s data. And we have explicitly stated that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use such identifiers in our products. 


Building on this principle, the commitments confirm that once third-party cookies are phased out, our ads products will not access synced Chrome browsing histories (or data from other user-facing Google products) in order to track users to target or measure ads on sites across the web. 


Further, our ads products will also not access synced Chrome browsing histories or publishers' Google Analytics accounts to track users for targeting and measuring ads on our own sites, such as Google Search. 


No self-preferencing

We will play by the same rules as everybody else because we believe in competition on the merits. Our commitments make clear that, as the Privacy Sandbox proposals are developed and implemented, that work will not give preferential treatment or advantage to Google’s advertising products or to Google’s own sites. 


What’s next

We appreciate the CMA’s thoughtful approach throughout the review and their engagement with the difficult trade-offs that this process inevitably involves. We also welcome feedback from the public consultation and will continue to engage with the CMA and with the industry on this important topic. We understand that our plans will be scrutinized, so we’ll also continue to engage with other regulators, industry partners and privacy experts as well. 


We believe that these kinds of investments in privacy will create more opportunity, not less. The Privacy Sandbox seeks a way forward that improves people’s privacy online while ensuring that advertisers and publishers of all sizes can continue to succeed.


Source: Google Chrome


How Google supports today’s critical cybersecurity efforts

The past six months have seen some of the most widespread and alarming cyber attacks against our digital infrastructure in history — against public utilities, private sector companies, government entities and people living in democracies around the world. Attacks by nation-states and criminals are increasingly brazen and effective, penetrating even widely used products and services that are supposed to keep you safe.

We are deeply concerned by these trends. Security is the cornerstone of our product strategy, and we’ve spent the last decade building infrastructure and designing products that implement security at scale: every day Gmail blocks more than 100 million phishing attempts that never reach you. Google Play Protect scans over 100 billion apps for malware and other issues. We strive to deliver the most trusted cloud in the industry. And we have dedicated teams like Project Zero who focus on finding and fixing vulnerabilities across the web to make the internet safer for all of us.

Our security-first approach builds on awareness of an evolving threat environment, industry-wide information sharing, and the leadership of the international security community. We welcome growing efforts by governments around the world to address cybersecurity challenges. The recent cyber attacks create an opportunity to improve international cooperation and collaboration on areas of common concern. 

In the United States, we are committed to supporting the most recent White House Cybersecurity Executive Order, which makes critical strides to improve America’s cyber defenses in three key areas: 


Modernization and security innovation 

One of the most promising aspects of the U.S. government’s approach is to set agencies and departments on a path to modernize security practices and strengthen cyber defenses across the federal government. We strongly support modernizing computing systems, making security simple and scalable by default, and adopting best practices like zero trust frameworks. As we saw with SolarWinds and the Microsoft Exchange attacks, proprietary systems and restrictions on interoperability and data portability can amplify a network’s vulnerability, helping attackers scale up their efforts. Being tied to a single legacy system also keeps public sector agencies and businesses from taking advantage of the latest cloud-based security solutions. 

Modern systems create the ability to make frequent security updates and changes safely, a critical part of cyber-defense for both the government and private sector. If we are going to solve big security problems, we need to move beyond security band-aids to eliminating entire classes of vulnerabilities, like the risk of clicking on bad links.


Secure software development

The U.S. government’s call to action to secure software development practices could bring about the most significant progress on cybersecurity in a decade and will likely have a significant long-term impact on government risk postures. 

At Google, we’ve emphasized securing the software supply chain and we’ve long built technologies and advocated for standards that enhance the integrity and security of software. We continue to work with the U.S. Commerce Department on these issues and support their effort to develop and share best practices. 

Public-private partnerships

In the last few weeks, ransomware attacks have targeted our schools, hospitals, oil pipelines and food supply. Meaningful improvement in cybersecurity will require the public and private sectors to work together in areas like sharing information on cyber threats; developing a comprehensive, defensive security posture to protect against ransomware; and coordinating how they identify and invest in next-generation security tools. 

We are committed to advancing our collective cybersecurity. We have had to block many attacks, including some from nation-states.  Those experiences have given us insights into what works in practice, so our government and private-sector customers don’t have to tackle these issues on their own or depend on the same enterprise technology that created the issues in the first place. Governments need industry-wide support and we are ready and willing to do our part.

We look forward to expanding our work with the United States and other governments, as well as with private sector partners, to develop security technologies and standards that make us all safer. 


Fix your passwords in Chrome with a single tap

Memorizing passwords is hard. That's why many of us use the same password across multiple sites. But this practice poses a huge risk, since it only takes one password breach to expose your account data from many different sites.

Not only that: changing passwords is itself a tedious task. You have to navigate to the site, sign in, find the account settings, open the password page — and then save it. Rinse and repeat on all your favorite sites, and that's a lot of work.

The good news is that Chrome comes with a strong password manager built-in. It's been checking the safety of your passwords for a while now. And starting today, whenever Chrome detects a breach, it can also fix any compromised passwords quickly, and safely.

Warning you about stolen passwords — and fixing them, too

Going forward, Chrome will help you change your passwords with a single tap. On supported sites, whenever you check your passwords and Chrome finds a password that may have been compromised, you will see a "Change password" button from Assistant. When you tap the button, Chrome will not only navigate to the site, but also go through the entire process of changing your password.  

Animation showing how Chrome will help you change stolen passwords automatically.

Going forward, Chrome will help you change compromised passwords automatically.

Importantly, you can control the entire experience and choose to go through the change password process manually from the start, or at any point during the process. And even if a site isn’t supported yet, Chrome’s password manager can always help you create strong and unique passwords for your various accounts.

Building on Duplex on the Web technology

Under the hood, Chrome is using Duplex on the Web to power this feature. We first introduced this technology in 2019 so that Google Assistant could help you complete tasks on the web, like buying movie tickets. Since then, we’ve expanded to even more tasks, now helping millions of people every week order food and check in to flights. Powered by Duplex on the Web, Assistant takes over the tedious parts of web browsing: scrolling, clicking and filling forms, and allows you to focus on what’s important to you. And now we’re expanding these capabilities even further by letting you quickly create a strong password for certain sites and apps when Chrome determines your credentials have been leaked online.

Expanding to more sites and apps soon

Automated password changes are rolling out gradually in Chrome on Android, to users who sync their passwords. It's starting in the U.S., and will become available on more sites and more countries in the coming months. 

Hallo from Munich 

Password generation, password leak checks, automated password changes and many more safety features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security product experts and engineers based in Munich, which opened in 2019. GSEC is home to the engineering teams who work to deliver the safest personal browser experience to everyone, and we look forward to bringing more new features to strengthen the privacy and security of Chrome in 2021. 
