Google's tone-deaf comments on security & privacy

Since the early days, Google has proclaimed that one of its core values is: “Don’t be evil.”

Faith in that slogan is being tested as Google matures into a corporate behemoth. Its reputation was not helped last week by a couple of tone-deaf responses to security and privacy issues. These aren’t awful problems that should cause you to lose faith in Google and leave their ecosystem, but they leave an unsettling feeling.

SECURITY – Chrome exposes passwords

If you’re a Chrome user, try this experiment.

In Chrome, click on Settings / Show advanced settings / Passwords / Manage saved passwords. (Or, type chrome://settings/passwords into the address bar.)

You’re looking at a list of passwords saved by Chrome that can be filled in automatically at the websites you visit. Highlight one of them and it looks like this:

Google Chrome exposes passwords

When you click on the Show button next to the password, you can see your password in clear text. You’re not prompted for any additional credentials – no need to type in your Google account password or your Windows password. It looks like this:

Google Chrome exposes passwords

See the security problem? If you leave your computer without locking it, anyone can walk up to it and write down your passwords for Google, your bank, Amazon, and Facebook, and walk away again in 30 seconds, no one the wiser. (52 passwords in 57 seconds, in one informal test by The Guardian.) That’s your co-workers at the office, including the one you don’t really like. It’s your snoopy sister at home, or one of her creepy friends.

This is a security issue that doesn’t involve bad guys. It’s one of your daughter’s friends posting hurtful comments on Facebook using your daughter’s account as a “joke.” It’s someone in your office getting your bank account credentials when you’re away from your computer for a few minutes – no technical expertise required.

Internet Explorer requires entry of your Windows user password before it will open the store of saved credentials. If you use a password manager like LastPass, it has a similar option to stay logged in without requiring the master password each time you look something up – but it won’t let you use that setting until you go through a stern warning and acknowledge that you’re at extra risk.

Chrome never told you that your passwords would always be visible in plain text. When this was challenged last week, Google’s response was supercilious and insulting – as well as being wrong.

It started when blogger Elliott Kember wrote an article about “Chrome’s insane password security strategy.” It started a lively discussion on tech sites.

Google’s head of Chrome security, Justin Schuh, took issue with the article and wrote this tone-deaf response:

“I appreciate how this appears to a novice, but we’ve literally spent years evaluating it and have quite a bit of data to inform our position. And while you’re certainly well intentioned, what you’re proposing is that that we make users less safe than they are today by providing them a false sense of security and encouraging dangerous behavior. That’s just not how we approach security on Chrome.”

Let’s start with the first part. “I appreciate how this appears to a novice.” A novice? This discussion is taking place on Hacker News, a well-known news site and forum catering to programmers and developers. Things did not go well when Justin Schuh told a group of programmers that they are novices who can’t be expected to understand what the big boys are doing.

And then there’s his main point – that adding another security prompt would provide a “false sense of security” and “encourage dangerous behavior.” There is literally no way to interpret that so it makes any sense.

Things blew up quickly. Chrome’s insecure passwords were picked up first by tech sites like The Verge and Gizmodo, then spread to mainstream media outlets – here’s critical coverage from ABC (“Think twice before you save passwords in Chrome”) and CBS (“Chrome users beware”), for example.

Any hope that Google had of saving face was crushed when Tim Berners-Lee, the inventor of the World Wide Web, called it a “disappointing reply from Chrome team.”

Google has been silent since then. One assumes they will not accuse the inventor of the World Wide Web of being a “novice.”

Google’s design decision was not stupid. Their point is that someone sitting at your computer logged in with your credentials can do all kinds of dangerous things. They’re right. But additional barriers for specific things are meaningful! Someone standing outside your front door can do dangerous things, by smashing the door open or breaking a window, but that doesn’t mean that a lock on the front door creates a “false sense of security.”

Expect an update to Chrome that changes this “feature,” probably soon.

PRIVACY – Google reads your email

Consumer groups were in an uproar last week about a paragraph from a pleading filed by Google in a class-action lawsuit about scanning emails. This paragraph appears deep in the Motion To Dismiss:

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’ "

Google says Gmail users have no expectation of privacy! Outrageous! Consumer Watchdog called it a “stunning admission.” Quote from the director of Consumer Watchdog: “Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office. I expect the Post Office to deliver the letter based on the address written on the envelope.  I don’t expect the mail carrier to open my letter and read it.  Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?”

Good point! But, to be fair, it misinterprets Google’s pleading, which was actually saying something much more mundane – that non-Gmail users sending a message to a Gmail address don’t have legal standing to complain that Google scans the mail to obtain data for advertisements directed at the Gmail user. Not to mention that the phrase about “no legitimate expectation of privacy” is not Google’s creation; it’s a quote from a 1979 case on point. Possibly a case that should be revisited in the Internet/email era, but perfectly appropriate. The Verge has a nice article about how the Google pleading was misread.

The real point, though, is that Google has left itself open to criticism like this because it’s become obvious just how much data it is assembling about every human being on the planet. Google claims to be zealous about safeguarding privacy but it will have to be much more careful about expressing itself.


It’s an appropriate time to remind you that Google’s real core value is to display advertising to you. That is its mission, its business plan, its reason to exist. Advertising made up 95% of Google’s revenues in 2012. Here’s an article with more information about how Google makes money.

Everything that Google does is driven by the desire to show you ads. When it provides “free” services, the goal is to obtain data about you to make its ads more effective. Creating a rich ecosystem helps convince you to see Google ads on multiple devices. Showing videos on YouTube is a way to show you ads – which, you might have noticed, now appear before and during every single video. In another development last week, Google once again blocked Microsoft from releasing a YouTube app on Windows Phones – a meanspirited and contemptible effort to make Windows Phones less attractive so Android can increase its market dominance and keep showing you ads.

Google is changing. Stay with it if you like, but have your eyes open: Google believes it deserves to know everything about you so it can show you advertising.It will safeguard your privacy up to a point: there are no limits to what it will do in its quest to show you advertising.

Share This