Tag Archives: Safety & Security

Helping high-risk users stay safe online

Helping people stay safe online is our top priority. That’s why we design our products with built-in protections and invest in global teams and operations to prevent abuse on our platforms.

In recent years, there has been a significant increase in cybersecurity threats, especially for individuals and groups that tend to be at higher risk for online attacks, such as activists, journalists, election and campaign officials, and people working in public life. To help anyone at risk, we’re making our strongest security protections easily accessible and sharing more details about the best tools, tips, and resources people can use to protect themselves online.

  • Enrolling in our Advanced Protection Program: We have dedicated teams of security professionals responsible for detecting and disrupting cyber threats to protect people all over the world. We have invested in advanced security solutions like our Advanced Protection Program (APP), which helps safeguard users from digital attacks, including sophisticated phishing attacks (through the use of security keys), malware and other malicious downloads on Chrome and Android, and unauthorized access to personal account data (such as Gmail, Drive, and Photos). APP is available to all users, but is specifically designed for individuals and organizations such as elected officials, political campaigns, human rights activists, and journalists, who are at higher risk of targeted online attacks.
  • Keeping Google accounts secure and private: Our Security Checkup gives people personalized security recommendations and flags actions they should take to immediately secure their Google account. Additionally, Privacy Checkup provides helpful reminders of what activity is being saved, which third-party apps have permission to access user data, and the option to adjust user settings with simple controls. Both checkups take people through a step-by-step process to customize their security and privacy controls based on their individual preferences.
  • Helping you control your online presence: On Google Search, we offer a set of policies and tools to help people take more control over how their sensitive, personally-identifiable information can be found. With the new Results about you tool, users can quickly and easily request the removal of personal contact information—like their home address, email address, or phone number—from search results. We also have a set of policies to allow people to request the removal of other types of highly personal content from Search that can cause direct harm, such as in cases of doxxing or information like bank account or credit card numbers that could be used for financial fraud. (It’s important to remember that removing content from Google Search won’t remove it from the internet entirely, so people may wish to contact the hosting site directly, if they’re comfortable doing so.)
  • Making sign-ins more secure: We make signing into Google and user apps and services secure by default. We offer tools like Google Password Manager to help people create unique passwords, warn them if they’re compromised, and stop them from being entered into a malicious site. We also continue to encourage the adoption of 2-Step Verification (2SV), which provides an extra layer of sign-in security across a user’s account. And we’re always innovating new ways to make sign-ins safer and less painful.
  • Exploring the online world safely: To help people stay safe and secure when browsing the web, especially on public or free WiFi, we recommend using Chrome and ensuring there is a gray locked icon in the URL field indicating a secure connection. Users should make sure the sites they visit utilize HTTPS, which indicates the browser or app is securely connected to the website they’re visiting. We also encourage people to use Chrome or Google Drive before downloading documents or opening suspicious email attachments. Both will automatically scan for viruses and make sure users are not being targeted by a phishing campaign.

We will continue to bring our strongest security protections to those who need them most, and build new tools that keep everyone, everywhere, safer. Visit our Safety Center to learn more.

Continued investment in measures to help fight financial fraud in the UK

In recent years, scammers continue to deploy new fraudulent practices in order to take advantage of people. According to UK Finance’s latest figures, over £1.3 billion was stolen through fraud in 2021, up from £1.26 billion the year before.

To combat this concerning trend, Google continues to invest in teams, new policies and better enforcement capabilities. In 2021, we blocked or removed 58.9 million financial services bad ads globally to protect the advertising ecosystem.

Today, we are announcing a significant additional measure to protect both consumers and legitimate advertisers in the UK. The Google Ads Financial Products and Services policy will be updated to require that all advertisers be FCA (Financial Conduct Authority) authorised for debt adjusting and debt counselling in order to show debt services advertisements starting from 6 December 2022. Insolvency practitioners, including those licensed by a recognized professional body, will no longer be allowed to advertise for these services. Advertisers must successfully complete the updated verification process by the time enforcement begins on 16 January 2023. The policy update also allows advertisers that are included on the FCA Financial Services Register as ‘exempt professional firms’ or recognised investment exchanges to be verified as UK FCA-authorised advertisers.

Our financial services certification policy, launched initially in 2021, has led to a pronounced decline in reports of ads promoting financial scams, and has subsequently been rolled out across Google platforms in Australia, Singapore, Taiwan, Indonesia, India, Portugal, Brazil, France, Spain and Germany. A problem of this scale needs cross-industry effort, so we are pleased to see other tech companies now commit to introducing similar policies in the UK.

Today’s announcement builds on longstanding and robust financial products and services policies and engagement with industry in order to deliver a safer experience for users, publishers and advertisers.

Further collaborative industry progress to date

In addition to ongoing policy reviews and updates, we continue to adapt and collaborate with industry and government organisations to tackle these evolving tactics by scammers. Last year, Google was the first major technology company to join Stop Scams UK, an industry-led collaboration of responsible businesses from across the banking, telecoms and technology sectors who have come together to develop best practices to stop scams at the source.

We also pledged $5 million in advertising credits to support public awareness campaigns in the UK, helping to ensure that consumers are better informed about how to spot the tactics of scammers both online and offline. We encourage businesses and consumers to refer to industry resources from trusted sources and Google partners including Stop Scams, UK Finance’s ‘Take 5’ campaign and the Advertising Standards Authority to stay up to date with the latest solutions we can all adopt to operate safely online.

Meet the hackers keeping you safe online

The work of Google’s security teams mostly happens behind closed doors — whether that be intercepting government backed cyber attacks, or taking on the job of hacking Google to strengthen our defenses. But today, we’re taking you behind the scenes with HACKING GOOGLE, a new six-part docuseries featuring the elite security teams that keep you safe everyday.

The story begins in 2010, when we announced to the world that Google had witnessed a sophisticated nation-state attack against our corporate infrastructure that resulted in the theft of intellectual property and affected at least 20 other companies. The attack was a watershed moment in the history of cybersecurity. Dubbed Operation Aurora, it was the first time that a company like Google had publicly acknowledged an attack of this magnitude. And it was the turning point for how we secure Google’s infrastructure.

In the aftermath of Aurora, we began a complete overhaul of our security team, strategy and technical capabilities. Billions of dollars of new investment, thousands of the world’s top security experts, new paradigms, new hardware and new highly specialized teams were gathered, all with one purpose: to ensure that users stay safe in the face of any and all future attacks. Thirteen years later, we’re proud to say that Google keeps more people safe online than anyone else in the world.

HACKING GOOGLE profiles some of the many teams that do this work. The series is now public following our H4CK1NG G00GL3 Challenge, which saw thousands of hackers, hobbyists, and students from more than a hundred countries work together over the weekend to solve security puzzles and unlock each of the episodes:

  • Episode 000: Operation Aurora. What happens when a nation-state attacks a company? Google found out and cybersecurity was never the same again.
  • Episode 001: Threat Analysis Group. Watchguards. Lookouts. Sentries. When faced with threats there have always been those who look out to protect the rest. But who looks out for the threats lurking online?
  • Episode 002: Detection & Response. Meet the internet’s fire department, the elite team that answers the call when chaos ignites online.
  • Episode 003: Red Team. They have one job: hack Google from the inside.
  • Episode 004: Bug Hunters. They’re high schoolers, lawyers, IT professionals, and hobbyists. And they’ve made millions hacking Google in their free time.
  • Episode 005: Project Zero. Zero days. They can be the world’s most dangerous exploits. And the race is on to find them before the attackers do.
  • And finally, Hacking Google to Defend Enterprise. Go behind the scenes with Chief Information Security Officer of Google Cloud, Phil Venables, to meet the people keeping every organization on Google Cloud safe from threats.

Every day, billions of people use Google to find reliable information, get to their destination, connect with loved ones, and more. When people use our products and services, it’s our responsibility to keep their personal information private, safe and secure.

For the never-before-told stories of the experts who do this work, check out HACKING GOOGLE, now streaming on YouTube.

Supporting the EU and securing the digital space

Citizens, companies and governments across the European Union agree that everyone should be free to live their lives and use technology without fear that their information will be stolen or held ransom by cybercriminals or other malicious actors.

But with each passing week, cyber threats are growing more costly and more aggressive, undermining the trust essential to a vibrant, inclusive digital society. This is a moment that calls for international leadership, which is why it’s notable that the European Commission has featured security at the center of its vision for digital transformation.

Today, Google is publishing a set of recommendations and white paper supporting the Commission’s efforts, and we commit to extending our full capabilities to help secure Europe’s “digital decade”.

The need

We applaud the European Commission’s effort to meet this moment, and believe that companies should step up to do their part as well.

The stakes have never been clearer. Even before Russia’s invasion of Ukraine — a ground assault accompanied by an attack on Europe’s cyberspace — there were troubling signs that Europe’s democratic values were being challenged by authoritarian governments.

I spoke about the importance of these values recently at the Copenhagen Democracy Summit. Democracies provide fertile ground for advances in science and technology. Technology owes its success to the conditions — openness, pluralism, free exchange — that democracy creates, enabling inventors to take risks and pursue new avenues for inquiry and collective innovation. So it’s no surprise that Ukraine’s tech sector thrived in recent years under the flag of a free European democracy.

But how can technology, in turn, contribute to the defense of Europe’s digital space? We have been reflecting on lessons we learned the hard way more than a decade ago, and how we used them to create a next-generation security infrastructure.

In the months ahead, we plan to share our experience in proactive digital defense with leaders in Europe. We are keenly aware of our responsibility to support the work of Europe’s democratic governments and institutions on economic progress, national security, and defense of the public square.

Google’s role

Our white paper recommends several areas where the European Union can make progress in securing Europe’s digital space, including:

  • Open security: Driving European resilience through “open security,” on the principle that openness and interoperability encourage scrutiny, threat sharing, and rapid adoption of best practices and new technologies.
  • Security by default: Promoting systemic investments in digital transformation, zero-trust architectures, and operating systems and devices that are secure by default, helping organizations overcome an overreliance on outdated and hard-to-patch technology infrastructures and devices that lie open to risks of espionage and extortion.
  • Partnership: Engaging partners by facilitating public-private threat information exchanges and briefings involving EU policymakers and technical experts — and by increasing dialogue to explore new areas of cooperation, such as applying artificial intelligence to improve security.
  • Encryption: Prioritizing strong encryption as superior means of protecting sensitive data compared to data localization requirements, which can have the unintended effect of actually undermining security and resilience.

These recommendations reflect both our decades of security expertise and our deep interest in the EU’s digital defense. Some of our leading security initiatives, and top security researchers, are based in Europe.

At the Google Safety Engineering Centers (GSEC) in Munich and Dublin, Google engineers don’t just talk about digital safety, they build it. And they do so on Europe’s distinctive strengths: respected technical universities, many thousands of Google employees, and top expertise in fields including privacy and computer science.

VirusTotal, a Google team that began as a small Málaga-based startup in 2004 and grew into a European champion before its acquisition by Google in 2012, helps millions in the public sector, commerce and research to understand malware and cybersecurity trends. In 2023, VirusTotal will open a brand new headquarters in the heart of Andalusia’s tech hub.

And, as we announced last week, Mandiant, one of the world’s premier cybersecurity teams, has now joined Google — bringing with it hundreds of industry-leading European experts in the field of threat intelligence and incident response.

These teams and others like them will ensure we’re countering tomorrow’s challenges with tomorrow’s tools. And our commitment to Europe’s digital security will be accompanied by a commitment to collaboration — building on the kind of innovation that has always made democracies stronger than their adversaries.

Matt Brittin at DMEXCO on enhancing the ad-supported web

The following is adapted from a speech given by Matt Brittin, President, Google EMEA, at DMEXCOin Cologne.

Across the world, we’re seeing increased uncertainty. We’re living through a pandemic, seeing rising prices, a global energy crisis, increasing climate disasters and a horrific war in Ukraine. Access to quality information has never been more important — to help people search for answers, find ways to save money, make more sustainable choices and stay safe and informed.

But the web as we know it is at risk. People are more concerned than ever about their privacy online. Regulators across the world are demanding a more private internet — with some critics calling for a ban on personalised ads completely.

The future of the web depends on earning people’s trust — building responsible, private advertising to secure a sustainable internet that is safer for people, stronger for businesses and successful for publishers.

A grown-up attitude to responsibility

For generations, ads have funded our favourite content: from newspapers, magazines and entertainment to the web. Today 66% of the world is online. The ad-supported internet model has become a remarkable resource for humanity: putting an explosion of tools, information and content at our fingertips.

But nearly 40 years after its creation, the internet needs a grown-up attitude to responsibility.

As people manage more of their lives online, their concerns over how personal data is gathered, used and shared have increased. People want great online experiences — delivered with the privacy they deserve, by brands they can trust.

For advertisers, that presents a clear responsibility - but also an opportunity. And the good news is this: privacy safe ads are effective ads.

This year, we asked 20,000 Europeans about the consequences of good and bad privacy experiences. Our findings show that users view bad privacy experiences as almost as damaging as a theft of their data. It’s enough to make many of them switch to another brand entirely. And, because the impact of a negative privacy experience outweighs that of a positive one, it’s very difficult to recover from.

Instead, brands need to get it right the first time. People prefer to buy from brands that give them more control over their privacy — almost three quarters said they would prefer to buy from brands that are honest about what data they collect and why.

In times of uncertainty, companies may be tempted to put privacy on the backburner - but that would be a mistake. In tough times you need to invest for the future. Privacy is that investment.

A sustainable, private future for people, publishers and businesses

Making these changes won’t just lead to successful advertising — but a sustainable web.

Digital advertising needs to be safer for people. They need to feel protected online and able to trust what they view. It needs to be successful for publishers — funding quality journalism while giving us access to authoritative and diverse perspectives. And, it needs to be stronger for business — allowing businesses of all sizes the opportunity to grow and build a global customer base.

Across Europe, we’re investing in that vision. We’re one of the world’s biggest financial supporters of journalism, committing billions of dollars every year; we’re delivering authoritative information and creating privacy-first technology.

At our Google Safety Engineering Center in Munich, hundreds of engineers are creating tools and technology that combine two German traditions: exemplary engineering and rigorous privacy standards.

The privacy-first technology they’re creating is minimising the amount of data used, simplifying data downloads and deletion, and helping root out hijacked passwords — building on our shared values and breaking new ground in the global industry.

Today, as part of our commitment to that transition, we’re announcing two new tools.

The first is the Google Ads Privacy Hub, launching today with the rollout starting here in Germany. It will show you the latest on product innovations and how best-in-class marketers are doing it — helping you take the first steps on this journey, whatever your company size.

The second tool we’re launching focuses on users. Last year, 300 million people visited Ad Settings — choosing to make the ads they see more specific to them. So we’ll soon launch the new My Ad Center globally — expanding our existing Ad Settings to give people a single place where they can control the ads they see across Google Search, Discover and YouTube — seeing more of what they like, and less of what they don’t. Because the best ads are helpful, relevant and safe — benefiting the user, and responsible businesses too.

Image showing Matt Brittin on a conference stage in front of a screen.

Matt Brittin speaking at DMEXCO conference

Building the web that people want and deserve

Moving to a world without third-party cookies means rethinking the tech on which much of the web advertising system is built and building new, privacy-first solutions.

We’re doing that through the Privacy Sandbox: sharing and testing new technologies with the industry, while staying on course to deprecate third party cookies by the end of 2024, in line with our commitments to the UK Competition Authority, which we are applying globally.

There are those that say that efforts like the Privacy Sandbox aren’t enough. Some say that we should ban personalised advertising altogether — that “contextual” advertising can fill the gap. But that won’t pay for the web everyone wants.

It has been estimated that if personalised advertising were to suddenly go away, as much as $32 to $39 billion would shift away from those who rely on open web technology — including publishers, at a time where authoritative information has never been more important.

There are others that say that all services should simply be paid for. But that turns the web into a luxury good — shutting billions out. It’s why Netflix, a pioneer of the modern subscription model, and others like Disney Plus and HBO, are introducing ads for users who want — or need — to pay less. Now, the advertising industry is a big tent. There is plenty of room for newcomers.

But recent events underscore how flawed these arguments really are - and unpopular to boot. Research by IAB Europe shows that 75% of Europeans would choose today’s experience of the internet over one without targeted ads, where they would need to pay for access to websites, content and apps.

So there should be no question as to whether the ads-supported internet model is important: only what kind of advertising industry we want to see. We want an advertising industry that makes room for businesses large and small; that supports value for publishers, media and journalism, and that protects people’s privacy from tracking.

A now or never moment

But it’s not just enough to want that future. We have to actually choose it. For online advertising, and the future of the internet, this is a now or never moment: without people’s trust, the future of the ad-supported web is at stake.

The next two years are critical. The industry must embrace the journey and invest in privacy. It has to build stronger relationships with customers, create better ad campaigns and navigate the uncertainty. If we do nothing, the web as we know it will be under threat.

Together, we can build an ad-supported web fit for the future — giving us better content, richer perspectives and further protection online.

Matt Brittin at DMEXCO on enhancing the ad-supported web

The following is adapted from a speech given by Matt Brittin, President, Google EMEA, at DMEXCOin Cologne.

Across the world, we’re seeing increased uncertainty. We’re living through a pandemic, seeing rising prices, a global energy crisis, increasing climate disasters and a horrific war in Ukraine. Access to quality information has never been more important — to help people search for answers, find ways to save money, make more sustainable choices and stay safe and informed.

But the web as we know it is at risk. People are more concerned than ever about their privacy online. Regulators across the world are demanding a more private internet — with some critics calling for a ban on personalised ads completely.

The future of the web depends on earning people’s trust — building responsible, private advertising to secure a sustainable internet that is safer for people, stronger for businesses and successful for publishers.

A grown-up attitude to responsibility

For generations, ads have funded our favourite content: from newspapers, magazines and entertainment to the web. Today 66% of the world is online. The ad-supported internet model has become a remarkable resource for humanity: putting an explosion of tools, information and content at our fingertips.

But nearly 40 years after its creation, the internet needs a grown-up attitude to responsibility.

As people manage more of their lives online, their concerns over how personal data is gathered, used and shared have increased. People want great online experiences — delivered with the privacy they deserve, by brands they can trust.

For advertisers, that presents a clear responsibility - but also an opportunity. And the good news is this: privacy safe ads are effective ads.

This year, we asked 20,000 Europeans about the consequences of good and bad privacy experiences. Our findings show that users view bad privacy experiences as almost as damaging as a theft of their data. It’s enough to make many of them switch to another brand entirely. And, because the impact of a negative privacy experience outweighs that of a positive one, it’s very difficult to recover from.

Instead, brands need to get it right the first time. People prefer to buy from brands that give them more control over their privacy — almost three quarters said they would prefer to buy from brands that are honest about what data they collect and why.

In times of uncertainty, companies may be tempted to put privacy on the backburner - but that would be a mistake. In tough times you need to invest for the future. Privacy is that investment.

A sustainable, private future for people, publishers and businesses

Making these changes won’t just lead to successful advertising — but a sustainable web.

Digital advertising needs to be safer for people. They need to feel protected online and able to trust what they view. It needs to be successful for publishers — funding quality journalism while giving us access to authoritative and diverse perspectives. And, it needs to be stronger for business — allowing businesses of all sizes the opportunity to grow and build a global customer base.

Across Europe, we’re investing in that vision. We’re one of the world’s biggest financial supporters of journalism, committing billions of dollars every year; we’re delivering authoritative information and creating privacy-first technology.

At our Google Safety Engineering Center in Munich, hundreds of engineers are creating tools and technology that combine two German traditions: exemplary engineering and rigorous privacy standards.

The privacy-first technology they’re creating is minimising the amount of data used, simplifying data downloads and deletion, and helping root out hijacked passwords — building on our shared values and breaking new ground in the global industry.

Today, as part of our commitment to that transition, we’re announcing two new tools.

The first is the Google Ads Privacy Hub, launching today with the rollout starting here in Germany. It will show you the latest on product innovations and how best-in-class marketers are doing it — helping you take the first steps on this journey, whatever your company size.

The second tool we’re launching focuses on users. Last year, 300 million people visited Ad Settings — choosing to make the ads they see more specific to them. So we’ll soon launch the new My Ad Center globally — expanding our existing Ad Settings to give people a single place where they can control the ads they see across Google Search, Discover and YouTube — seeing more of what they like, and less of what they don’t. Because the best ads are helpful, relevant and safe — benefiting the user, and responsible businesses too.

Image showing Matt Brittin on a conference stage in front of a screen.

Matt Brittin speaking at DMEXCO conference

Building the web that people want and deserve

Moving to a world without third-party cookies means rethinking the tech on which much of the web advertising system is built and building new, privacy-first solutions.

We’re doing that through the Privacy Sandbox: sharing and testing new technologies with the industry, while staying on course to deprecate third party cookies by the end of 2024, in line with our commitments to the UK Competition Authority, which we are applying globally.

There are those that say that efforts like the Privacy Sandbox aren’t enough. Some say that we should ban personalised advertising altogether — that “contextual” advertising can fill the gap. But that won’t pay for the web everyone wants.

It has been estimated that if personalised advertising were to suddenly go away, as much as $32 to $39 billion would shift away from those who rely on open web technology — including publishers, at a time where authoritative information has never been more important.

There are others that say that all services should simply be paid for. But that turns the web into a luxury good — shutting billions out. It’s why Netflix, a pioneer of the modern subscription model, and others like Disney Plus and HBO, are introducing ads for users who want — or need — to pay less. Now, the advertising industry is a big tent. There is plenty of room for newcomers.

But recent events underscore how flawed these arguments really are - and unpopular to boot. Research by IAB Europe shows that 75% of Europeans would choose today’s experience of the internet over one without targeted ads, where they would need to pay for access to websites, content and apps.

So there should be no question as to whether the ads-supported internet model is important: only what kind of advertising industry we want to see. We want an advertising industry that makes room for businesses large and small; that supports value for publishers, media and journalism, and that protects people’s privacy from tracking.

A now or never moment

But it’s not just enough to want that future. We have to actually choose it. For online advertising, and the future of the internet, this is a now or never moment: without people’s trust, the future of the ad-supported web is at stake.

The next two years are critical. The industry must embrace the journey and invest in privacy. It has to build stronger relationships with customers, create better ad campaigns and navigate the uncertainty. If we do nothing, the web as we know it will be under threat.

Together, we can build an ad-supported web fit for the future — giving us better content, richer perspectives and further protection online.

Meet the team responsible for hacking Google

Creating safe and secure products for everyone is the top priority for Google's security teams. We work across the globe to keep up with current threats, improve security controls, conduct attack detection/prevention, and eliminate entire classes of vulnerabilities by driving new and better frameworks. Our teams also actively monitor adversaries, making sure we have all the intelligence to be prepared for malicious activity and targeted campaigns against our Googlers or the people who use our services daily.

Today, we would like to shine a spotlight on one security team at Google — the Red Team — that supports all of these efforts in a way that might initially seem counterintuitive: by hacking Google.

The term “Red Team” came from the military, and described activities where a designated team would play an adversarial role (the “Red Team”) against the “home” team, who would seek to adapt to the Red Team’s activities and counteract them. Over the years, these terms have found their way into the information security (InfoSec) space.

Google’s Red Team is a team of hackers that simulate a variety of adversaries, ranging from nation states and well-known Advanced Persistent Threat (APT) groups to hacktivists, individual criminals or even malicious insiders. Whatever actor is simulated, we will mimic their strategies, motives, goals, and even their tools of choice — placing ourselves inside the minds of hackers targeting Google.

The benefits of Red Team exercises

Running these simulations provides value in various ways. To start, it offers our teams tasked with detecting and responding to actual attackers a unique opportunity to identify improvements. And it allows us to determine if an attack could have been detected earlier or responded to faster. Along with security and subject matter experts on rotation, the collective industry experience and diverse backgrounds of the Red Team’s members allow us to identify blind spots that can turn into actionable improvements.

From 20% project to established team

The Red Team started in 2010 as a “20% project” — an internal initiative where Googlers are free to pursue projects we feel are worth investing time in outside of our day-to-day responsibilities. The team quickly proved its worth, and leadership recognized its positive impact on Google’s infrastructure and the value in applying a hacker mindset to problems in the security space. Since then, the Red Team has become an integral part of the security engineering function, running multiple exercises in parallel and collaborating across multiple continents.

Collaborative adversity

While Red Team exercises conducted at Google simulate an actor that is in most cases hostile and/or disruptive, there is a very clear distinction between the simulated threat and the engineers that play their role. While the threat actor seeks to reach their nefarious goals, Red Team engineers are Googlers that keep people’s safety in mind.

There is very close collaboration between the team simulating the attackers and the teams acting as defenders (e.g., Threat Analysis Group (TAG) and Detection/Response teams), who might identify suspicious activities and respond to them. Since there are multiple exercises happening at any given time, we differentiate between several types of exercises and the response after detection. For most exercises, one of our primary goals is to test detection and make it as efficient as possible for defenders to verify that a signal is associated with an exercise. By doing this, we avoid using resources that could be used to thwart malicious activities targeting people using our services or our wider infrastructure. In other exercises, we want to make sure that the entire process of identifying, isolating and ejecting the attackers, works as intended and that we are able to improve processes.

Safety First

Given the sensitive nature of the work the Red Team does, safety protocols are key and all exercises are overseen by senior engineers. Making sure an exercise is conducted in a safe and responsible manner is as important as any other goal the team is trying to achieve. This may mean forgoing realistic simulation in favor of spending more time on making sure each action is documented, no sensitive data is accessed without proper oversight, and that laws and regulations are obeyed — which is traditionally not something that APT groups are overly concerned about. For the Red Team, accurately simulating the technical capabilities of highly advanced threat actors in a safe and responsible way is core to their mission.

For exercises focusing on detection, actions taken by the team are accessible at any time by the defenders to ensure that we can quickly rule out an external actor acting maliciously. Even if this does not become a necessity, the team will report their activities in detail to address any new findings discovered during the exercise.

Fostering change

In addition to testing and helping improve detection and response capabilities, we also actively research and identify new attack vectors based on adversarial research. It is critical to the Red Team's mission to ensure that any newfound attack surface is shared with both the responsible product teams and the larger security team as soon as possible so that Google can adapt defensive controls and implement improvements to remediate the root cause.

Since its inception over a decade ago, the Red Team has adapted to a constantly evolving threat landscape and been a reliable sparring partner for defense teams across Google. Yet, new challenges await every day and the Red Team continually works to make the job – the job of hacking Google – harder. It’s a challenge we happily accept to keep people safe.

Expanding testing for the Privacy Sandbox for the Web

Improving people's privacy, while giving businesses the tools they need to succeed online, is vital to the future of the open web. That's why we started the Privacy Sandbox initiative to collaborate with the ecosystem on developing privacy-preserving alternatives to third-party cookies and other forms of cross-site tracking. Over the past several months, we've released trial versions of a number of new Privacy Sandbox APIs in Chrome for developers to test.

Throughout this process, we’ve worked closely to refine our design proposals based on input from developers, publishers, marketers, and regulators via forums like the W3C, and earlier this year, we reached an agreement with the UK’s Competition and Markets Authority (CMA) on how we develop and release the Privacy Sandbox in Chrome worldwide.

The most consistent feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome. This feedback aligns with our commitment to the CMA to ensure that the Privacy Sandbox provides effective, privacy-preserving technologies and the industry has sufficient time to adopt these new solutions. This deliberate approach to transitioning from third-party cookies ensures that the web can continue to thrive, without relying on cross-site tracking identifiers or covert techniques like fingerprinting.

For these reasons, we are expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome.

Developers can already test these APIs today, and beginning in early August, the Privacy Sandbox trials will expand to millions of users globally, and we’ll gradually increase the trial population throughout the rest of the year and into 2023. Before users are added into the trials, they will be shown a prompt giving them the option to manage their participation. As the web community tests these APIs, we’ll continue to listen and respond to feedback.

By Q3 2023, we expect the Privacy Sandbox APIs to be launched and generally available in Chrome. As developers adopt these APIs, we now intend to begin phasing out third-party cookies in Chrome in the second half of 2024.

Updated Privacy Sandbox for Web timeline

The updated timeline will soon be available on privacysandbox.com.

We're grateful to be working with companies across the industry who are invested in developing privacy-first experiences on the web, and will be testing Privacy Sandbox in the coming months.

  • quote from Masanaga Konishi
  • quote from Todd Parsons
  • quote from Townsend Feehan
  • quote from Sundeep Parsa

The Privacy Sandbox initiative is an ambitious undertaking for the entire industry, and we look forward to continuing to engage with the web community as testing expands.

Source: Google Chrome


Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Groups’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for this attention on this critical issue.

Google’s efforts to identify and counter spyware

The following testimony was delivered to the U.S. House Intelligence Committeeby Shane Huntley, Senior Director of Google’s Threat Analysis Group (TAG) on July 27, 2022.

Chairman Schiff, Ranking Member Turner, and esteemed Members of the Committee:

Thank you for the opportunity to appear before the Committee to discuss Google’s efforts to protect users from commercial spyware. We appreciate the Committee’s efforts to raise awareness about the commercial spyware industry that is thriving and growing, creating risks to Americans and Internet users across the globe.

Our expert teams

Google has been tracking the activities of commercial spyware vendors for years, and we have been taking critical steps to protect our users. We take the security of our users very seriously, and we have dedicated teams in place to protect against attacks from a wide range of sources. Our Threat Analysis Group, or TAG, is dedicated to protecting users from threats posed by state-sponsored malware attacks and other advanced persistent threats. TAG actively monitors threat actors and the evolution of their tactics and techniques. For example, TAG has been closely tracking and disrupting campaigns targeting individuals and organizations in Ukraine, and frequently publishes reports on Russian threat actors.

We use our research to continuously improve the safety and security of our products and share this intelligence with our industry peers. We also publicly release information about the operations we disrupt, which is available to our government partners and the general public. TAG tracks and proactively counters serious state-sponsored and financially motivated information cyber criminal activities, such as hacking and the use of spyware. And we don’t just plug security holes – we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet. We are joined in this effort by many other security teams at Google, including Project Zero, our team of security researchers at Google who study zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world.

Our ongoing work

Google has a long track record combating commercial surveillance tools targeting our users. In 2017, Android – which is owned by Google – was the first mobile platform to warn users about NSO Group’s Pegasus spyware. At the time, our Android team released research about a newly discovered family of spyware related to Pegasus that was used in a targeted attack on a small number of Android devices. We observed fewer than three dozen installs of this spyware. We remediated the compromises for these users and implemented controls to protect all Android users.

NSO Group continues to pose risks across the Internet ecosystem. In 2019, we confronted the risks posed by NSO Group again, relying upon NSO Groups’s marketing information suggesting that they had a 0-day exploit for Android. Google was able to identify the vulnerability in use and fix the exploit quickly. In December 2021, we released research about novel techniques used by NSO Group to compromise iMessage users. iPhone users could be compromised by receiving a malicious iMessage text, without ever needing to click a malicious link. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense. Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

Although this Committee must be concerned with the exploits of NSO Group, it is not the only entity posing risks to our users. For example, TAG discovered campaigns targeting Armenian users which utilized zero-day vulnerabilities in Chrome and Internet Explorer. We assessed that a surveillance vendor packaged and sold these technologies. Reporting by CitizenLab linked this activity to Candiru, an Israeli spyware vendor. Other reporting from Microsoft has linked this spyware to the compromise of dozens of victims, including political dissidents, human rights activists, journalists, and academics.

Most recently, we reported in May on five zero-day vulnerabilities affecting Chrome and Android which were used to compromise Android users. We assess with high confidence that commercial surveillance company Cytrox packaged these vulnerabilities, and sold the hacking software to at least eight governments. Among other targets, this spyware was used to compromise journalists and opposition politicians. Our reporting is consistent with earlier analysis produced by CitizenLab and Meta.

TAG also recently released information on a segment of attackers we call “hack-for-hire” that focuses on compromising accounts and exfiltrating data as a service. In contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. In June, we provided examples of the hack-for-hire ecosystem from India, Russia, and the United Arab Emirates.

The growth of commercial spyware vendors and hack-for-hire groups has necessitated growth in TAG to counter these threats. Where once we only needed substreams to focus on threat actors such as China, Russia, and North Korea, TAG now has a dedicated analysis subteam dedicated to commercial vendors and operators.

Risks posed by commercial spyware are increasing

Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments. These vendors operate with deep technical expertise to develop and operationalize exploits. We believe its use is growing, fueled by demand from governments.

Seven of the nine zero-day vulnerabilities our Threat Analysis Group discovered in 2021 were originally developed by commercial providers and sold to and used by state-sponsored actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to state-sponsored actors.

This industry appears to be thriving. In fact, there was recently a large industry conference in Europe, sponsored by many of the commercial spyware vendors we track. This trend should be concerning to the United States and all citizens. These vendors are enabling the proliferation of dangerous hacking tools, arming nation state actors that would not otherwise be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.

We have also observed proliferation risk from nation state actors attempting to gain access to the exploits of these vendors. Last year, TAG identified an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations. The actors behind this campaign, which we attributed to a government-backed entity based in North Korea, have employed a number of means to target researchers.

In addition to these concerns, there are other reasons why this industry presents a risk more broadly across the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the Internet when the vendor itself gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

The proliferation of commercial hacking tools is a threat to national security, making the Internet less safe and undermining the trust on which a vibrant, inclusive digital society depends. This is why when Google discovers these activities, we not only take steps to protect users, but also disclose that information publicly to raise awareness and help the entire ecosystem, in line with our historical commitment to openness and democratic values.

Google’s work to protect users

Across all Google products, we incorporate industry-leading security features and protections to keep our users safe. On Search, Google’s Safe Browsing is an industry-leading service to identify unsafe websites across the web and notify users and website owners of potential harm. Google Safe Browsing helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to unsafe sites or download harmful files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

On Gmail, we recommend certain Gmail security precautions to prevent spoofing, phishing, and spam. Spoofers may send forged messages using an organization’s real name or domain to subvert authentication measures. We use email authentication to protect against email spoofing, which is when email content is changed to make the message appear from someone or somewhere other than the actual source. And we offer other advanced phishing and malware protection to administrators to better protect their users. By default, Gmail displays warnings and moves untrustworthy emails to the user’s spam folder. However administrators can also use advanced security settings to enhance their users’ protection against suspicious attachments and scripts from untrusted senders.

For Android, through its entire development lifecycle, we subject the products to a rigorous security program. The Android security process begins early in the development lifecycle, and each major feature of the platform is reviewed by engineering and security resources. We ensure appropriate controls are built into the architecture of the system. During the development stage, Android-created and open source components are subject to vigorous security reviews For users, Android provides safety and control over how apps and third parties can access the data from their devices. For example, users are provided visibility into the permissions requested by each app, and they are able to control those permissions.

We have also built additional tools to prevent successful attacks on devices that run Android once those devices are in users’ hands. For example, Google Play Protect, our built-in malware protection for Android, continuously scans devices for potentially harmful applications.

Although our security precautions are robust, security issues can still occur, which is why we created a comprehensive security response process to respond to incidents. Google manages a vulnerability rewards program (VRP), rewarding researchers millions of dollars for their contributions in securing our devices and platforms. We also provide research grants to security researchers to help fund and support the research community. This is all part of a larger strategy to keep Google products and users, as well as the Internet at large more secure. Project Zero is also a critical component of this strategy, pushing transparency and more timely patching of vulnerabilities.

Finally, we also offer the leading tools to protect important civil society actors such as journalists, human rights workers, opposition party politicians, and campaign organizations – in other words, the users who are frequently targeted by surveillance tools. Google developed Project Shield, a free protection against distributed denial of service (DDoS) attacks, to protect news media and human rights organization websites. We recently expanded eligibility to protect Ukraine government organizations, and we are currently protecting over 200 Ukraine websites today. To protect high risk user accounts, we offer the Advanced Protection Program (APP), which is our highest form of account security. APP has a strong track record protecting users – since the program’s inception, there are no documented cases of an account compromise via phishing.

Whole of Society response necessary to tackle spyware

We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread in secret. The first step is to understand the scope of the problem. We appreciate the Committee’s focus on this issue, and recommend the U.S. Intelligence Community prioritize identifying and analyzing threats from foreign commercial spyware providers as being on par with other major advanced threat actors. The U.S. should also consider ways to foster greater transparency in the marketplace, including setting heightened transparency requirements for the domestic surveillance industry. The U.S. could also set an example to other governments by reviewing and disclosing its own historical use of these tools.

We welcome recent steps taken by the government in applying sanctions to the NSO Group and Candiru, and we believe other governments should consider expanding these restrictions. Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use.

Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.

Google is investing heavily as a company and as an industry to counter serious threats to our users. In the modern world, we must be able to trust the devices we use every day and ensure that foreign adversaries do not have access to sophisticated exploits. While we continue to fight these threats on a technical level, the providers of these capabilities operate openly in democratic countries. Google is committed to leading the industry in detecting and disrupting these threats.

I thank the Committee for this attention on this critical issue.