Tag Archives: Safety & Security

Prigozhin interests and Russian information operations

One of Threat Analysis Group’s (TAG) missions is to understand and disrupt coordinated information operations (IO) threat actors. Our research enables Google teams to make enforcement decisions backed by rigorous analysis. TAG’s investigations do not focus on making judgements about the content on Google platforms, but rather examining technical signals, heuristics, and behavioral patterns to make an assessment that activity is coordinated inauthentic behavior.

In this post, TAG is highlighting four case studies involving Russian IO tied to the Internet Research Agency (IRA) and its financier, Russian oligarch Yevgeny Prigozhin. In several cases, those campaigns served the dual purpose of promoting Russia’s agenda and Prigozhin’s business interests.

These examples underline broader trends we’re seeing: Russian IO groups are increasingly obscuring their role in influence operations, relying on stronger operational security and cutouts (intermediaries to mask their work) to dissociate themselves from user-facing activity. They launder their messages via local media brands, NGOs and PR firms that were in fact created by Russian shell companies. And in some cases, IRA-affiliated actors have responded to platforms’ enforcement efforts by moving to more permissive online spaces and platforms.

IO amplifying Prigozhin’s pro-Russian films

Prigozhin has financed several movies through a partial ownership stake in the film company, Aurum LLC. The company’s movies show Russia — especially the Russian military and mercenaries — in a positive light. The films have high production values and fictionalize Russia’s actions abroad in the style of Hollywood action movies. Storylines in the films include depictions of Russian soldiers in the Central African Republic, soldiers defending native Russians in Ukraine, and even a satire about the IRA and its role in the 2016 US elections. In 2021, they released “Солнцепёк” (“Sunlight” or “Blazing Sun” in English), which takes place in eastern Ukraine and claims to be a story based on true events from 2014 of Russian mercenaries, connected to the paramilitary Wagner Group, protecting Russians in Ukraine against Ukrainian forces.

Shortly after Russia’s invasion of Ukraine, TAG identified several IRA-affiliated news sites hosting ads to drive traffic to the videos including sites like newinform[.]com and slovodel[.]com. While the film was an older release from 2021, the timing of this campaign was notable because the subject matter mirrored newly topical real world events in Ukraine in a way that portrayed Russia positively. Google terminated nine new IRA-linked accounts using Ads to advertise the film and 44 new IRA-linked YouTube channels hosting clips, the full-length film and related comments. Some accounts claimed to be officially affiliated with the film, while others presented themselves as fan accounts.

A movie advertisement featuring the film's poster

Advertisement for the movie “Sunlight” on an IRA-affiliated news site

IRA-linked IO campaigns in Africa

In recent years, Russian IO actors tied to Prigozhin and the IRA have peddled influence campaigns promoting the interests of Russia and Prigozhin’s Wagner Group in Africa. Researchers at Stanford, Graphika, and our colleagues at Meta have documented this trend going back to 2019. These campaigns involved creating NGOs, media brands and news agencies across Africa including a Ghanaian NGO, Sudan Daily, Peace Data and SADC News. These entities presented themselves as independent non-profit organizations and recruited local journalists and subject matter experts to publish content on topics like pro-Russia narratives, African pride and empowerment, and stories suggesting that Western imperialism is destroying Africa. Some authors likely did not realize they were working for a Russia-backed IO and genuinely believed in the content they wrote.

TAG’s investigations align with these earlier findings. Google terminated accounts and channels associated with the IRA’s fake media brands and NGOs throughout 2019 and 2020. This included IRA-linked accounts using Gmail to create profiles on non-Google social platforms, creating YouTube channels affiliated with the so-called news brands, and publishing content to Blogger.

In March 2021, Google shut down activity by several IRA-linked actors who published content promoting Wagner’s operations in Africa along with pro-Russia narratives. These articles appeared on Blogger and a number of non-Google blogging platforms such as Balalaika, Hashtap, Technowar and Voskhodinfo. The blogs amplified false narratives that the United Nations is funding terrorists in the Central African Republic and that Syrians need Wagner protection. The blogs were not backed by a social media presence.

a blog post showing soldiers in action

Example of a blog posted by an IRA-affiliated account

a blog heading showing a person holding a rocket launcher

Example of a blog posted by an IRA-affiliated account

In September 2022 Google terminated three IRA-linked YouTube channels that were sharing content in French and supportive of Russian policy objectives in Libya, including promoting a film in the Shugaley trilogy, another Aurum LLC film.

IRA influence operations concerning Ukraine

Russia’s agenda in Ukraine has also been a consistent, but not overwhelming, focal point for IRA-linked influence campaigns. In February 2022, Google terminated five YouTube channels and 21 Blogger blogs posting coordinated narratives on Blogger, YouTube and the Ukrainian blogging platform, Hashtap. In addition to domestically-focused content about Russia, several of the narratives focused on maligning Ukraine. These included allegations of Ukrainians deceiving Europe and stories of how Kyiv authorities failed to properly handle the Covid-19 pandemic. This activity spanned multiple blogging platforms, and TAG observed the same IRA-linked accounts posting similar commentary across various news sites.

a muted and off-color flag is used at the top of a blog

IRA-created blog on Blogger criticizing EU support for Ukraine

IRA IO targeting domestic Russian audiences

Google regularly disrupts activity by IRA-linked accounts targeting Russian domestic audiences. These are often clusters of related accounts that create YouTube channels, upload videos, and comment and upvote each other’s videos. The activity occurs during Russian work hours, with narratives focused on Russian domestic issues and typically targeting political dissidents. In October 2022, Google terminated a cluster of nearly 700 IRA-linked accounts that were posting YouTube Shorts. The Shorts were crafted for a Russian domestic audience, praising Russian soldiers in Ukraine, and had negligible views or subscribers.

Other campaigns have focused on blogs. In July 2021, Google terminated 28 Blogger blogs created by IRA-linked accounts. Narratives in the blogs focused on Russian domestic affairs, including stories dismissing protests supporting anti-corruption activist, Alexei Navalny, denigrating local opposition politicians, criticizing the mayor of St. Petersburg and praising the heroics of Wagner Group. IRA actors also mirrored the same content on Ukrainian blogging platform, Hashtap. In some cases, multiple Blogger profiles published very similar or near-identical content.

The evolution of the Russian IO landscape

These case studies underscore several developments TAG observes in Russian IO activity. The accounts created lack well-developed and backstopped personas, and increasingly are disrupted before they can gain traction. Russian IO actors also increasingly obscure their role, using stronger operational security and a range of intermediaries to conduct the actual user-facing activity. These proxies include third party PR firms, marketing agents, or unknowing local journalists and creators. Using well-selected proxies launders their legitimacy, and this provides an advantage compared to creating direct personas with little reach.

In our investigations of IRA-backed IO, we have also noted several cases where the narratives pushed by the IRA serve a dual purpose. Not only do they amplify messages supporting Russia, they also promote the business interests of oligarch, Yevgeny Prigozhin. Prigozhin has organized his empire around projects that directly and indirectly support the Russian state, and as the main financier of the IRA, he has cleverly leveraged his IO apparatus to amplify narratives that benefit not only Russia, but his own business interests as well.

How Education Plus keeps schools safe online

From virtual classes to in-person lessons, the best learning environments may look different. But they have a few things in common: inspiring teachers, engaged students and a safe space to learn.

Over the last few years, spurred by COVID-19, millions of new users have come online to collaborate, create and learn. Because we support millions of education users every day, we think a lot about creating safe, digital-learning environments. It's only when users are safe online that learning can begin. It’s why our products are safe and secure by design, and why we continue to invest in this area.

We commissioned Forrester Consulting to conduct a Total Economic Impact study around Google Workspace for Education Plus, our most comprehensive edition of Google Workspace for Education. The study took a look at the security, administrative benefits and cost savings associated with it, and this is what it found: Education Plus helps reduce cyber threats, and the time to remediate them, for educational institutions worldwide.

Additionally, Forrester found organizations using Education Plus were more efficient in administration, and eliminated the need to invest in other education technology providers. You can download The Total Economic Impact Study to read the entire report, and we’ve included some highlights below:

  • 95% reduction in phishing incidents: Security and email filtering in Education Plus reduces phishing attempts by 95%, allowing IT staff to focus less on mitigating threats and more on optimizing security.
  • 98% less time addressing phishing attacks: Quickly prevent, detect and remediate security incidents with our investigation tool. Email filtering in Education Plus helps IT staff focus on optimization instead of obstacles.
  • 300 hours saved annually on administrative tasks: Education Plus helps administrators produce administrative, educational and security reports up to 80% faster with the investigation tool and Vault.
  • $73,000 in time saved from improved security: The time usually spent searching for and deleting phishing emails and resolving incidents saved 35 weeks of IT time.

Get hands-on with Education Plus, and understand the impact

Want to see how Education Plus could benefit your organization? Check out our new Education Plus Impact Calculator to calculate potential benefits and cost savings. Simply answer a set of 10 questions and you’ll receive a downloadable, custom impact report for your institution.

Gif of Google Workspace for Education Plus impact calculator. The user answers four administrative efficiency questions and sees a monetary amount on the next screen of how much they could save in collaboration costs.

And whether you’re just learning about Education Plus or an existing customer, we’re announcing a new product demo experience for the premium features of Google Workspace for Education. Available to anyone, experience the real product interface and how your institution could use premium features including the investigation tool, security dashboard, advanced admin controls, Google Meet and originality reports.

Gif of Google Workspace for Education Plus product demo focused on Google Meet. The user sees a Google Meet interface, and is prompted to use the “Q&A” feature to ask a question to the rest of the Meet attendees.

Ready to create a safer digital learning experience for your school? Learn more and calculate the potential benefits and cost savings with our Education Plus Impact Calculator and product demo experience.

Helping to create a more resilient Europe


When Ukraine was invaded in February, a group of 15 Google employees dropped everything to do what they did best — write code. But unlike their day jobs of helping to build Google Maps or improve Google Search, this team of Google.org Fellows assisted the International Rescue Committee (IRC) to build out ‘matching over 10,000 refugees to temporary accommodations. Ensuring that they’re prepared for the next crisis, the IRC team, with support from Google.org Fellows, also worked to shorten the time required to launch future versions of the site, meaning people impacted by a crisis can get potentially lifesaving information much faster.

This is the kind of transformational innovation that a team of Google engineers working alongside issue area experts at nonprofits can achieve. We’ve seen how this combination of funding and the right technical expertise can support organisations using tech solutions to combat some of Europe’s biggest challenges, such as developing a free carbon emissions calculator for businesses of all sizes, building a new digital platform for jobseekers, and incorporating machine learning to automatically flag false claims online.

This is what has inspired us to launch a new €15M Google.org Impact Challenge: Tech for Social Good. European nonprofits, civic entities, academic and research institutions, and social enterprises can, for the first time, apply to receive pro bono technical help from a team of Google.org Fellows for up to six months, helping them transform their organisation’s work.

For this new Impact Challenge, we’re particularly interested in seeing submissions from organisations focused on sustainability, economic opportunity, and cyber security — projects that will help to combat the threats of climate change, economic challenges, and the spread of online disinformation across Europe.

When asked to reflect on the International Rescue Committee experience working with Google.org Fellows, IRC CEO David Miliband said: “With help from Google.org Fellows, we were able to rapidly broaden the reach of a digital platform for Ukrainian refugees, at a time when there was no time to spare. In just 3 months they helped us achieve half of our entire roadmap for the next 5 years.”

We’re now asking your organisation for the most ambitious and impactful technical project that you’ve never had the time nor the resources to pursue, and to imagine what would be possible if you had a team of Google.org Fellows working pro bono for six months full-time, as well as up to €3M in funding to make your project a reality.

Learn more about the selection criteria and process here. We look forward to seeing organisations apply with their bold ideas for a more prosperous, green, and secure Europe.

How we detect, remove and report child sexual abuse material

Since Google’s earliest days, we have worked to prevent the spread of illegal child sexual abuse material (referred to as CSAM). Child safety organizations and governments rightly expect — and in many cases require — us to take action to remove it from our systems. Which is why, when we find CSAM on our platforms, we remove it, report it and often take the step to suspend the account.

Although CSAM accounts for a very small portion of the material uploaded and shared across our platforms, we take the implications of both CSAM violations and suspending accounts seriously. Our goal is to prevent abuse on our platforms while minimizing the risk of an incorrect suspension. Today, we are sharing more information on how we detect this harmful content and the steps we are taking to be more transparent about our processes with users.

How we detect CSAM

We rely on two equally important technologies to help us proactively identify child sexual abuse material: hash matching and artificial intelligence (AI). We also have a team of highly specialized and trained content reviewers and subject matter experts who help ensure that our technology delivers accurate results.

This combination enables us to detect CSAM on our platforms at scale, while keeping our false positive rate extremely low.

How we use hash matching to identify known CSAM

CSAM that has been previously identified is automatically flagged by our systems using Hash Matching Technology. This technology assigns images and videos a unique digital signature — a “hash” — and then compares it against a database of known signatures. If the two match, the content is considered to be the same or closely similar.

We obtain hashes from a variety of highly trusted sources including Internet Watch Foundation (IWF), National Center for Missing and Exploited Children (NCMEC), and others. NCMEC specifically hosts a hash-sharing service used by the tech industry and specialist NGOs from around the world. This repository serves as one starting point – but we review every purported CSAM hash independently to confirm its accuracy. Once we confirm it as CSAM, we input it into our detection systems.

The overwhelming majority of imagery reported by Google – approximately 90% – matches previously identified CSAM, much of which is already in the NCMEC database.

How we use artificial intelligence to identify new content

While hash matching helps us find known CSAM, we use artificial intelligence to flag new content that is very similar to patterns of previously confirmed CSAM. Our systems are specifically designed to recognize benign imagery like a child playing in the bathtub or backyard, which will not be flagged. A specialist team of trained personnel also reviews each piece of new imagery flagged, to confirm it is CSAM before it is ever reported.

Quick detection of new images means that children who are being sexually abused today are much more likely to be identified and protected from further abuse. And to help promote safety across the web, we provide other companies and NGOs access to detection and processing technology through our Child Safety Toolkit. This includes our Content Safety API, which helps partners more quickly prioritize and review content that is highly likely to be abusive. In the past 30 days alone, the Content Safety API has helped partners process over four billion pieces of CSAM. Through the toolkit, partners can also license our proprietary CSAI Match Technology, to detect known video CSAM on their platforms.

Our specialized content reviewers

While technology is essential in the fight against CSAM at scale, human reviewers also play a critical role to confirm hash matches and content discovered through AI. Our team members bring deep expertise to this work with backgrounds in law, child safety and advocacy, social work, and cyber investigations, among other disciplines. They are specially trained on both our policy scope and what legally constitutes child sexual abuse material. We regularly update this training and our guidelines in consultation with legal counsel, independent experts and medical professionals.

We know this is incredibly sensitive work and have a number of measures in place to protect reviewers’ physical and mental wellness. Our teams have access to tools, workspaces, resources and professional expertise, including counseling.

Referring content to NCMEC

Following this review process, we report the imagery identified as CSAM to NCMEC as required by US law. NCMEC evaluates the report and may decide to refer the case to a relevant law enforcement agency. If the local law enforcement agency chooses to investigate the NCMEC report further, requests for additional information from Google must be made through valid legal process or in accordance with applicable laws. You can learn more here on how we handle these types of requests.

In doing this work, we also believe in the importance of transparency. Today, we updated our Transparency Report, with the latest data around our detection and reporting efforts. In the first half of this year, we've made over one million reports to NCMEC about content that met the legal definition of CSAM, and where appropriate, also suspended the Google accounts associated with that content (approximately 270,000 account suspensions).

By using existing, confirmed CSAM to identify identical or similar material uploaded or shared to our platforms, we maintain an incredibly low false positive rate. However, if someone believes their account was incorrectly disabled, including for content flagged as CSAM, they can appeal the determination. A member of our child safety team reviews the appeal, and if we find we have made a mistake, we reinstate the account as soon as possible.

Improving our processes

Avoiding CSAM on our platforms is incredibly important work and is an area we’ll continue to invest in. At the same time, we recognize that we can improve the user experience when people come to us with questions about their accounts or believe we made wrong decisions. For example, we are actively working on ways to increase transparency and provide more detailed reasons for account suspensions (while making sure we don’t compromise the safety of children or interfere with potential law enforcement investigations). And we will also update our appeals process to allow users to submit even more context about their account, including to share more information and documentation from relevant independent professionals or law enforcement agencies to aid our understanding of the content detected in the account.

We will continue to explore additional ways to balance preventing this harmful content from spreading on our platforms with creating a more streamlined support experience for all users.

How Android protects you from scams and phishing attacks

Cybercriminals are targeting smartphones and tablets more than ever before. That’s because people are spending more time on their mobile devices, and they’re using them to send and store significant amounts of valuable data — like banking information, healthcare data and passwords. Cybercriminals are also targeting mobile devices because of their smaller screen sizes and frequent app and messaging notifications, which make it more difficult to verify if a sender is legitimate.

These criminals are increasingly using phishing attacks, scams and malware to obtain sensitive financial information or account passwords. In fact, during the pandemic, phishing attacks grew by 600% and became the top infection method in 2021.

Phishing attempts can come from a variety of sources like emails, text messages, voice calls and even third-party messaging apps. So it’s critical to have a layered security approach in place to defend from many angles. To help ensure we’re providing strong protection on Android, we hired a third-party security lab to evaluate our features and functionality that help protect you from scam and phishing attacks on your mobile devices. The report concluded that Android devices provide more features for scam and phishing protection than other mobile operating systems.

For Cybersecurity Awareness Month, let’s take a closer look at these features and ways you can further protect your devices.

Avoid spam, scam and phishing attempts

Attackers often use text messages since they’re an easy channel to reach people. Messages by Google uses machine learning models to help proactively detect 1.5 billion spam, phishing and scam messages every month. It looks for known patterns and either diverts bad messages into the spam folder or warns you if it notices something suspicious.

A phone screen shows a “suspected spam” warning underneath a phone number, with the option to “report spam.”

Messages by Google detects 1.5 billion spam, phishing and scam messages every month.

Messages are analyzed with your privacy in mind, so they stay on your device and are never shared with anyone. You can, however, report a message to Google to help protect others. Gmail, the default email app on most Android phones, is also highly effective at flagging malicious messages, automatically blocking 99.9% of spam, phishing and malware.

Attackers today aren’t just using text messages and emails to phish for data. We’ve seen a 5x increase in the number of attacks involving phone calls, where a criminal tries to impersonate your bank or IT department to get you to hand over your credentials. Phone by Google provides multiple security defenses to help protect against attacks like these — from built-in caller ID and spam protection to Call Screen.

Get warned about bad links, downloads and apps

Many phishing and scam attempts try to get you to visit a malicious page impersonating a legitimate-looking site to enter your credentials, steal your social security number or download malware. Safe Browsing on Android protects 3 billion devices globally and helps warn you about potentially risky sites, downloads and extensions. It offers broad protection throughout your Android experience — from browsing on Chrome and other browsers to connecting to the web through social media apps.

A red phone screen shows a warning for a website, which says “the site ahead contains malware.”

Safe Browsing helps defend you from dangerous websites and malicious files whether you're on a browser or an app.

Even if you download an app outside of Google Play, Google Play Protect checks the installation and can warn you about a harmful or malicious app. Play Protect also scans all the apps on your device every day for harmful ones, even if you’re offline.

Get notified about your Google account

On Android phones running version 7.0 and up, you can use the built-in security key for additional protection. When you or someone else tries to sign into your Google account, you’ll get a notification on your phone asking to confirm that it’s you.

And it’s always good to regularly do a Security Checkup, which you can access right from your device settings. It’ll provide personalized security tips for your account, remind you to keep your passwords up to date, and share what devices you’re currently signed in on and what apps have access to your data.

Learn more about how you and your data are safer with Google on Android devices.

Source: Android


Why Google supports the US Securing Open Source Software Act

Open source software — code that is made freely available to the public to use or modify — is the foundation of the modern internet. It’s given us a world that is more innovative and more accessible. Yet the very openness that makes the digital world accessible to everyone, also leaves it uniquely vulnerable to security threats and cyber attacks.

At Google, we’ve been working to solve this paradox for years — and have arrived at the conclusion that modern digital security actually can come through embracing openness. We protect more people online than anyone, and we recently announced a $10 billion investment in making the internet safer and more secure. But with the dramatic rise of state-sponsored cyber attacks and malicious actors online, it’s clear that we not only need stronger public-private partnerships — but dynamic policy frameworks to shore up security for everyone.

That’s why we welcome efforts by the U.S. Government to advance open source software security, such as the Securing Open Source Software Act introduced in the Senate last month. This bipartisan bill proposes the creation of a framework to guide the federal government in their use of open source software. The proposed legislation reflects a helpful focus on security and cyber risk mitigation to respond to a recent spike in malicious cyber activity against the software supply chain.

We are glad to see a continued emphasis on the importance of open source software security from the U.S. Government, and we hope that both public and private organizations will follow their lead to promote improved cybersecurity for the ecosystem at large.

The problem of securing open source

The world of open source software development allows collaboration and rapid innovation by sharing solutions freely. This community, built on openness and sharing, contributes an enormous amount of code to a majority of the applications we use today.

However, despite the benefits of this openness, the unprecedented scale of recent attacks has emphasized gaps in infrastructure and tooling and the need for improved transparency into the security practices and attributes of open source projects. Seemingly simple questions about the open source supply chain are still difficult to answer:

  • Does a project contain known vulnerabilities?
  • Are the project’s maintainers and community following security best practices during software development?
  • What open source dependencies are part of a particular piece of software?
  • How secure was the distribution supply chain?

Answering these questions requires specialized technical skills and capabilities, and given the primarily volunteer-driven nature of the open source community, we cannot expect open source developers to shoulder the full burden of advancing software security on their own.

Continued advances

Through our work with multiple industry collaborators, Google has helped create free tools, services and best practices to make it easier for the open source community to develop and distribute software securely, while providing consumers with information about the security of the software they use.

We envision a more secure future where the burden of security is shared, and there is increased trust in and resilience of the open source software ecosystem. To get there, we need freely available, automated solutions that make developers’ lives easier, such as:

  • Infrastructure that prevents tampering, by default, when software is being built and released
  • Advances in vulnerability discovery and management that automate finding, tracking and fixing bugs for developers
  • Seamless connections across sources of security data and tools for analysis so consumers can have meaningful insight into the security of their software

We’re currently working to make these solutions a reality, at scale, with little to no additional work for developers.

Sustaining the community

We hope that the framework that will emerge due to U.S. Government efforts drives further investments in open source communities by both the public and private sectors. We’re already seeing the impact of the $100M Google pledged to non-profit organizations and software foundations like the Open Source Security Foundation to support open source creators.

This pledge backs efforts like our “open source maintenance crew,” a team of developers who spend 100 percent of their time directly enabling critical open source projects to adopt key security improvements. It also supports our Linux Kernel team, which continues to drive efforts to eliminate entire classes of bugs from open source code, including paving the way for greater memory safety using the Rust language.

We encourage other major consumers of open source to follow this lead and directly invest both funds and developer time in securing open source projects and ecosystems. Furthermore, we call on other major consumers of open source, both public and private, to implement similar policies around safe open source usage as well.

Securing open source software is a shared responsibility, and we look forward to continued collaboration on this urgent, critical problem.

In Madrid, a pitch for “open security”

The following is adapted from remarks delivered by Kent Walker, President of Global Affairs, at the “Google Cybersecurity Summit: Protecting Europe's Digital Space” in Madrid on October 26, 2022.

Today’s cybersecurity discussion couldn’t be more timely.

Against a backdrop of rising geo-political tensions, we are seeing more and more efforts to undercut our shared security.

Cyber and information wars have become tools of the trade in attempts to exploit our vulnerabilities and destabilize our economies and our democracies.

It is no wonder that when the European Commission unveiled its plan for Europe’s digital transformation by 2030, it called security a fundamental right central to its vision.

So where do we begin the task of securing the digital world?

On the one hand, some would embrace data localization requirements, limits on market access, and even restrictions to accessing some cross-border services.

Essentially walled gardens and high fortresses. But we would suggest a different tack.

Though it sounds like a paradox, the best modern digital security actually comes through embracing openness.

That’s because in today’s mobile, hybrid environment, cybersecurity is a team sport. We are each only as strong as our weakest link. But when we work together, we spur innovation and advance best practices that benefit all.

I speak from some experience here, as Google’s services are attacked every day. And yet we keep more people safe than anyone else in the world. We do that by looking at security through a collective lens, leveraging open frameworks, and relying heavily on secure open-source software.

We hope to use what we have learned to help secure Europe’s “digital decade.”

To that end, we recently published a white paper with recommendations like investing in technology that’s secure by default; working with private and international partners on new areas of cooperation, and building security based on openness and interoperability.

These recommendations are based on first-hand experience. In 2009, Google was the victim of a major cybersecurity attack, code named Operation Aurora. We learned that transparency, coupled with security by design, was the best way to secure the digital ecosystem.

As we detail in our recently released docuseries, HACKING GOOGLE, Aurora changed everything. It spurred us to shift away from the old “perimeter defense” model of crunchy on the outside, chewy in the middle (with high outside walls but no interior defenses) to a zero-trust model in which all users, all devices, and all applications are continuously checked for security risks, and yet security comes easily and naturally for users.

After Aurora, we launched our Threat Analysis Group, or TAG, to spot, disclose, and attribute threats, whether they were coming from nation-state actors or commercial spyware and surveillance vendors. We also launched our Project Zero team to find and promptly disclose previously unknown zero-day vulnerabilities in our own and other companies’ software, raising the security bar for everyone.

It hasn’t always been comfortable work–but that kind of transparency is key to security. As the computer engineering saying goes, “with enough eyes, all bugs are shallow.”

Today, by adopting advanced security innovation and threat intelligence, we ensure vulnerabilities are fixed fast, before they can be widely exploited.

You can see our approach in action whenever TAG discloses a new threat. For example, in 2017, our Android operating system was the first mobile platform to warn users about NSO Group’s Pegasus spyware–“zero-click” malware designed to allow an attacker to compromise a smartphone without a user taking any action.

By sharing information early and widely, we raised awareness of this threat, helped victims understand if they were compromised, and promoted a greater focus on mitigations. Since then, TAG has continued to report on Pegasus and other commercial spyware tools, shining a light on this murky industry.

So when the war came in Ukraine, open security principles kept us one step ahead. Since the war began, we’ve sent thousands of warnings to users targeted by nation-state actors–another practice we pioneered after Aurora. We’ve succeeded in blocking the vast majority of the attacks. And we launched Project Shield, bringing not just journalists, but human rights organizations and even government websites in Ukraine under Google’s security umbrella against distributed denial of service attacks.

Because while it can be easy to DDOS small sites, it turns out that it’s pretty tough to DDOS Google.

We are all in on this collaborative approach to security. Currently, we are working with our team at VirusTotal to launch a new Google Safety Engineering Center in Málaga, Spain, which we hope will become a European hub for joint research on advanced threats.

In 2023, our newest Google Safety Engineering Center will be launching in Málaga.

Since we acquired VirusTotal in 2012, they have grown from a scrappy startup to become the world’s leading malware scanner and repository, what many call “the Google of cybersecurity tools.” VirusTotal enables people to search for malware against the millions of new samples submitted daily.

On top of that, when Google combined our existing security solutions with Mandiant’s cyber threat intelligence, we laid the groundwork to help public and private sector organizations in Europe anticipate, warn about, and mitigate threats.

What are the larger lessons for all of us as we work toward open security?

First, partnerships and agreements among democratic and rule-of-law societies are key. We need to set aside siloed approaches and embrace an ecosystem of innovation where security experts can share threats, evolve best practices, and adopt new technologies.

In support of that ecosystem, I’m pleased to announce that in 2023, we will be hosting a new Google for Startups Growth Academy for EU Cybersecurity, a growth program to help cybersecurity startups across Europe grow into success stories.

Second, interoperability and aligned security standards between technologies and among countries make compliance easier for businesses, innovators, and manufacturers of all sizes–which makes for more secure hardware and better software.

The third and final thing to keep in mind is that when we shift away from buggy legacy technology and perimeter defense models and toward modern infrastructure, we can accommodate today’s increasingly global, hybrid workforces, without sacrificing security.

Collective security requires not just walls, but bridges.

By adopting an approach built on open principles like security-by-default, zero-trust architecture, transparency, and principled partnerships, we can advance the frontiers of information security, letting all of us sleep better at night.

Your ads, your choice

Online advertising doesn’t need to be confusing or out of your control. Whether you’re watching tutorials on YouTube or looking up recipes on Search, you should have a say in the ads you see online.

That’s why today, My Ad Center will start rolling out to users around the world to help you control the kinds of ads you see across Google on Search, YouTube and Discover. You’ll also be able to block sensitive ads and learn more about the information used to personalize your ad experience.

Ads about the things you care about

My Ad Center was designed to give you more control over your ad experience on Google’s sites and apps. When you’re signed into Google, you can access My Ad Center directly from ads on Search, YouTube and Discover, and choose to see more of the brands and topics you like and less of the ones you don’t. You will never have to spend time searching for the right control or decoding how your information is used. Instead, you can manage your ad preferences without interrupting what you’re doing online.

Imagine you spent months researching your latest beach trip, and now that you're back, you don’t want to see vacation ads. With My Ad Center, you can just tap on the three-dot menu next to a vacation ad and choose to see less of those types of ads. You can also choose to see ads about things that you care about, like deals for sneakers or holiday gifts for your loved ones.

On YouTube, you can tap on the three-dot menu next to an ad to access My Ad Center and choose the topics and brands you want to see more or less of.

You can also turn off ads personalization completely. My Ad Center makes this control easy to find by putting it front-and-center in the product. If you choose not to see personalized ads, you’ll still see ads, but you may find them less relevant or useful. This will apply anywhere you’re signed in with your Google Account.

There also may be certain ad topics that you don’t want to engage with at all. With My Ad Center, you can choose to limit ads related to topics such as alcohol, dating, weight loss, gambling, pregnancy and parenting.

In My Ad Center, you can tap on “Customize Ads” to choose the topics and brands you want to see more or less of.

Ad controls that put your privacy first

We follow a set of core privacy principles that guide what information we do and don’t collect. We never sell your personal information to anyone, and we never use the content you store in apps like Gmail, Photos and Drive for ads purposes. And we never use sensitive information to personalize ads — like health, race, religion or sexual orientation. It’s simply off limits.

My Ad Center builds on those commitments by giving you the ability to control what information is used to personalize the ads you see. And if you’re not sure what you’re sharing, it’s easy to quickly see what information we use, and control it based on your preferences.

You can decide what types of your activity are used to make Google products work for you — independent of the ads you're shown. In the past, if your YouTube History was on, it automatically informed how your ads were personalized. Now, if you don’t want your YouTube History to be used for ads personalization, you can turn it off in My Ad Center, without impacting relevant recommendations in your feed.

You may also see ads meant for certain audiences based on your Google activity – categories such as education, relationship status or the industry you work in. Now you’ll be able to choose and adjust how categories inform your ads, or turn them off completely. This way, you can more easily choose the ad experience that’s right for you.

You can turn on or off YouTube History for ads personalization.

Ad controls beyond Google

Finally, there are times you may see ads from businesses which use Google tools to advertise on other sites and apps. The option to turn off personalized ads in My Ad Center applies to ads you see on and off Google, and will automatically apply on any device where you’re signed in to your Google account. If you’re not signed into Google, you can still control your preferences in Ad Settings.

It’s our responsibility to strengthen the ways we keep you in control of your ad experiences, while ensuring that every day, people are safer with Google. To learn more about our commitment to privacy, you can visit our Safety Center.

How Google is helping to make the Internet of Things more secure

The growing adoption of Internet of Things (IoT) technology affects consumers around the world in significant ways. Not only are we becoming more deeply connected through IoT devices, we’re now putting more of our lives and trust in the hands of digital technology. Yet, the IoT industry still lacks a globally harmonized way of measuring the security quality of connected products, which means consumers may not have the visibility they need into whether their IoT devices protect their data.

Today, Google participated in a White House strategic discussion on IoT Security Labeling to discuss the future of connected device security and shared additional steps we’re taking to secure more of our IoT products.

IoT security today is in the early stages of standardization. We are encouraged by the US government’s efforts to accelerate that process, and to give people more transparency in the security of the IoT products they use every day. Achieving standardized security best practices and consumer transparency at scale could be a tide that raises all boats – giving consumers the ability to understand the level of security in IoT products and choose accordingly, while driving demand for “healthier” security choices from IoT device manufacturers.

Moving IoT security and transparency forward

Since Google began our "helpful home" IoT device journey over a decade ago, we’ve learned a lot and continue to work to deliver even more helpful and secure connected devices — and the software that supports them — to our users. Today, we are excited to announce additional steps that we’re taking to make connected IoT devices safer for consumers.

  • Google is helping lead industry efforts to create a functional, clear, and harmonized cybersecurity label for IoT devices that can help consumers make better device decisions, in an ongoing dialogue with government leaders in cybersecurity, including at NIST, CISA and the White House.
  • Google is extending its commitment to conduct security assessments to Fitbit devices. Announced last year for Nest and Pixel devices, we validate the security of our devices and publish the results. This gives consumers even more transparency by allowing them to review the results while demonstrating our commitment to developing the strongest security protections for our users across all of our IoT products.

Our unwavering commitment to security

We don’t take these commitments to security and transparency lightly. We see these steps as an opportunity to increase transparency and help improve the cybersecurity baseline for the entire ecosystem. And we’ll continue to encourage the community to leverage the security enhancements we continually make to the operating systems we maintain, the open source libraries and tools, and our first-party products which often act as reference implementations to help our broader ecosystem steadily improve their cybersecurity hygiene.

We’re also committed to partnering with organizations working to advance IoT security. Google welcomes the approach taken by the Connectivity Standards Alliance (CSA) to build a harmonized global certification program that addresses the requirements set forth in the major global IoT baselines. We believe a global and harmonized approach will raise the bar on IoT security for both enterprise and consumer devices.

As the IoT market continues to mature and adoption grows, we look forward to working with U.S. policymakers, industry partners, developers and public interest advocates to drive strong, standardized IoT security practices and transparency for everyone.

Continuous innovation to keep you safe online

Cybersecurity requires continual vigilance, whether it's using built-in protections, or providing resources for changing security threats. In acknowledgement of Cybersecurity Awareness Month, we wanted to share our progress across a number of security efforts, and announce a few new technologies that help us keep more people safe online than anyone else.

Continuing our efforts to keep you safer online

In the past year, we’ve worked on various security upgrades, from making sign-ins easier and more secure, to spreading awareness of specific threats. Recently, we shared our experiences from the last decade of building a world-class security operation with a behind the scenes look at our elite security teams in the new HACKING GOOGLE docuseries. Now, we’re building on our work by providing educational resources.

Today, we’re officially launching the online safety lessons we announced earlier this year. The lessons feature Khan Academy founder, Sal Khan, and Google security experts, giving actionable tips to help keep your online accounts secure, browse the web safely, detect phishing attempts and more. Whether you’re a professional, parent, grandparent or student, these videos — and Khan Academy's Internet Safety course — will help you stay safer even as new security risks emerge online.

For years, we’ve been at the forefront of improvements to authentication technology, and earlier this year we shared the progress we’ve made on our Google Password Manager in Android and Chrome, and how we’re accelerating industry-wide progress toward a passwordless future. Today, we’re announcing the next stage in this journey with the release of passkey support for developers on Android and Chrome. General availability for everyone using Android 9 and higher will follow later in November. This is a critical step in the wide adoption of passkeys, which will work with your Google Password Manager to further simplify sign-ins across devices, websites and applications — no matter the platform. The best part? Instead of typing a password, you can sign in with whatever method you usually use to unlock your phone (passcode, fingerprint, facial recognition, etc.).

Partnering to protect high-risk users

With the U.S. midterm elections quickly approaching, we’re continuing to protect high-risk users, like journalists and campaigns, through our security tools and partnerships. Our Campaign Security Project with Defending Digital Campaigns provides organizations across the political spectrum with tools and resources to train candidates and campaign workers on how to stay safe online. To date, the program has trained over 5,300 election-related stakeholders over the course of 52 training sessions and workshops around the country — allowing us to better protect these high-risk individuals amid a changing threat landscape.

We’re also continuing to help protect democracies on a global scale by collaborating with leading organizations like the International Foundation for Electoral Systems (IFES). This collaboration helps high-risk users enhance their cybersecurity with the Advanced Protection Program (APP), our strongest form of account security for those at risk of state sponsored attacks. We’ve also continued to donate Google Titan Security Keys to high-risk organizations and individuals, which can be used as a form of 2-Step Verification (2SV) for advanced account security.

Products that keep you secure by default

For security to be effective, it has to be easy, which is why most of our protections are built-in and automatic. For example, Google Play Protect provides automatic, daily malware scanning on all the apps on your Android device, even when you're offline. And our 2-Step Verification (2SV) requires just one tap to create secure, verified access to your account. Now Google is making it even easier to enroll in 2SV and get security notifications:

  • 2SV enrollment with Google Assistant: Simply ask, “Hey Google, how do I set up 2-Step Verification?” If you’re not enrolled, Assistant will even remind you to sign up when you ask privacy and security questions, such as, “Hey Google, how do you keep my data safe?” We’re also making it easier to apply software updates — a critical step in securing your devices — by enabling auto updates via Google Home.
  • Safety status: To further strengthen the security of your account, we’re making safety status on your Google Account easily visible as part of your profile picture across the apps you use every day. If anything on your account needs security attention, you’ll know right away. A simple yellow or red alert will highlight actions you should take to secure your account, so you never have to worry about missing a critical security update again.
  • Safety Insights: We’re rolling out a feature in the Google app for iOS that gives you site-specific safety information — including a description of the cookies used by the site, alerts for unsecure sites and soon, reminders for passwords that may have been compromised. You can also access the “Results about you” tool, which allows you to request the removal of search results that contain your personal contact information (i.e., phone number, home address, email address) from search results.

Keeping your connections private and secure

We build our products with your privacy and security in mind. That’s why our latest Nest cameras and doorbells are designed for your security: They use encrypted video, 2SV, and the enhanced security of your Google Account. And today, we’re announcing that if you have a Pixel 4 or more recent model that uses Android 12 or above, your mobile traffic on the Google Fi cellular network is automatically encrypted and private.

As we continue into Cybersecurity Awareness Month, stay tuned for more updates — from keeping the upcoming elections safer, to moving us further into a passwordless world. Visit our Safety Center to stay up to date and learn more about how we’re making every day safer with Google.