Google’s bumpy history with privacy and security is long and well-documented. Back in 2009, the company attempted to make structural changes to battle critics and ultimately save face. The 2009 privacy summit reassured both Google employees and users that the top brass was committed — both on paper and in practice — to not only security but also to privacy.
Despite new options for protecting privacy and the option to turn on features like Incognito mode, Google has still had a battle with flaws, gaffes, and public perception. Because while Google appears to the consumer mind to be a software company or even solely a search company, it is at its core an advertising company. In 2019, the company expected $120 billion to come from advertising, which made up 83.3% of Alphabet’s total revenue.
There’s no such thing as complete and total security on the internet or otherwise. However, at the same time, Google continues to come under fire not only for security flaws but for the way the company seemingly haphazardly stores data.
What do users need to know, and what are the implications for the wider field of cybersecurity?
Google’s Touchy History with Data Privacy
Google has the same problems with hacking and phishing that virtually any other internet behemoth has. There’s not much that can be done other than taking a holistic security-first approach to data protection. In these respects, Google works hard to protect consumer data from hackers.
One of the biggest headlines surrounding Google’s approach to privacy and security isn’t about an outside threat but an inside one. In 2018, reporting found that Google still stored user location data even when users paused data collection. Google then had to close down Google+ posthaste after a report showed that Google left 500,000 users’ personal information out in the open for the world to see.
Indeed, the problem with this approach (beyond the violations of basic security practices) is that Google’s place as an advertisement company means that its objective is to collect as much personalized and unique data from its users as possible. Over 80% of Google’s revenue depends on its ability to do that.
Google Walks the Line Between Surveillance and Geo-Targeting
Geo-targeting is one of Google’s biggest value propositions to its advertising customers. It allows buyers to target their ads to people more specifically by using location data gathered by Google through Google Maps or Chrome. There’s a fine line between geo-targeting and surveillance: geo-targeting ensures that ads are hyper-relevant, which both businesses and customers like. However, geo-targeting can turn into surveillance when it feels intrusive.
The line is hard to measure because it tends to be a feeling of control rather than a carefully drawn line in the sand. One of the ways to ensure that consumers get the control they want is to allow them to control their own data. However, as noted above, Google doesn’t always allow that.
After the reporting in 2018 that showed Google was still storing user location data, Google rolled out Incognito mode for Google Maps, first for Android users and then for iOS. Incognito mode doesn’t prevent Google from collecting user location data. In particular, it still uses the data for Google Maps development and other Google services, including voice search.
The rollout didn’t stop Google from collecting all data. Users still need to take several other steps if they don’t want their location data tracked and used, such as turning off their location tracking within their settings or even switching to a privacy-friendly mapping system. There are also other barriers: Google Maps offers features like predicting travel time, which open-source maps won’t do because they simply don’t have the data that makes it possible. Part of Google’s hold on customers is that it can offer well-built, secure, industry-leading products to customers for nothing — well, nothing but the ability to track their every move.
Again, the problem isn’t the use of geo-targeting, which can benefit both customers and businesses (as well as pad Google’s revenue). Rather, the problem is that Google can be disingenuous about what privacy means on its apps and systems. As Max Eddy wrote for PCMag, it’s worth remembering that Google very likely rolls out privacy features having already considered what they mean for its advertising revenue.
Google’s Lack of Privacy Features Makes Security Threats Bigger
Google is fully in control of its own approach to privacy and security. Experts say there’s plenty of hardware, software, and training involved in the protection of its assets. However, the issue is less about the control of security threats: all companies of all sizes face vulnerabilities and should be taking similar precautions as Google (at scale) in terms of creating IT disaster recovery plans. Google is arguably better than many at preventing threats, but that doesn’t mean that there aren’t serious issues facing the company.
In February 2020, the U.S. government urged Chrome users to update their browsers again, just weeks after the Chrome 80 rollout, because of high-rated security flaws. The Google Play Store is another weakness, and in 2019, Google announced efforts to step up the Play Store’s security and better protect users from the malware floating around the platform. Some of the malware “cryptojacks” users’ phones, which allows hackers to use phones to mine a cryptocurrency called Monero.
Because Google focuses so heavily on the collection of personalized data and the average consumer might not understand how much data Google has, any slip in Google’s defenses could be devastating. Also, the fact that Google has come under fire for failing to encrypt user data doesn’t help matters. It’s hard to have faith when Google admits to things like storing G Suite user passwords in plaintext, which it did for a small number of enterprise users from 2005 to 2019.
Users Need to Be Wary
At the end of the day, Google is able to offer such incredible products free at the point of purchase because it builds its business on the data it collects. It’s important not to see Google as a public service and instead treat it as an advertiser on par with Facebook. Google has contributed to an improved privacy culture, but it does seem to do so with both eyes on its own bottom line.
In conclusion, it’s important for users of all types to be wary of the double-edged sword offered by Google. Google’s services are only as groundbreaking as they are because of the huge amounts of data it collects. But users must ask Google to do as much as possible to opt out — or at least attempt to avoid full-blown surveillance.