Can Google’s security push overcome the public’s eroded trust?
Google in the coming months will embark on a marketing campaign to raise awareness about a service the company says will better protect people accessing new websites.
They just need users to trust them first, a tall order when roughly half of Americans polled by the Pew Research Center said they were “not at all” or “not too confident” tech firms would protect their data.
Tech executives now are beginning to publicly reflect on the ramifications – specifically an erosion of trust – that occurs after big time data breaches, or scandals such as Facebook’s sharing data about 87 million users with Cambridge Analytica. It’s still early, and conversations are awkward, but the topic was a big theme at the Davos World Economic Forum in January as corporate bigwigs consider what it might mean if users stop trusting them with their information, said Justin Harvey, global incident response leader at Accenture Security.
“There’s no litmus test for trust. It’s a gut feeling,” Harvey said. “This is a new concept, but it’s about demonstrating stewardship and treating customers’ and partners’ information with respect. This is going to be a big thing over the next several years.”
Google now is pushing its “Google Sign In” service, a tool that enables users to log in to non-Google websites using their Google account information. The company last month released to developers a security feature for Sign In called Cross Account Protection, which allows the company to notify apps and third-party sites if Google determines that its users logged in there are at at risk. Google Sign In has been available for years, but traditionally has been marketed as a social media service, rather than a security offering.
By using Google’s encrypted connection and trusting the company to allow users only to connect to legitimate websites, the company says web users can avoid creating another account whose credentials could be leaked should a breach occur.
But adoption still is relatively low, said Mark Risher, Google’s head of account security. That’s partly because Google has done a poor job explaining what Sign In is all about, he said, but also because of a creeping mistrust users have in technology companies in general after revelations about mega data breaches and apparent privacy violations.
If Facebook lures users into providing a phone number to secure their account, then uses that number for marketing purposes, the logic goes, the public may view the tech industry as a whole with more skepticism.
“People don’t really understand the boundaries between tech companies,” Risher said. “We get all the time, ‘I can’t remember, do you own Facebook, or does Facebook own YouTube?’ So they don’t know where the lines are, and they don’t have to, but they don’t.”
Google’s Sign In push comes amid the company’s ongoing investment in user-friendly security tools. Last month, product managers there unveiled a Chrome extension meant to alert users when they’re relying on credentials that had been exposed in previous data breaches. Before that, Google released Security Checkup, which helps users see where their account could be vulnerable, a Chrome password generator, and the Titan security key.
But it also comes amid mistrust in the technology industry. Last year, Facebook announced a breach that affected some 30 million people, an attack made possible because of a flaw that enabled outsiders to steal access keys that allow users to access their account without having to log in each time they visited the site.
“[O]thers have used that technology to say that when you click that button, it sends an alert to all your friends telling them you’re reading an article about an embarrassing disease, so there’s this hesitancy out there about what’s happening,” said Risher, who didn’t refer to other companies specifically.
“One person can ruin it for the rest of us.”
Mistrust in technology companies isn’t the only issue on the minds of Google security pros.
Confusion is another challenge, propagated in part by a slew of research and reports that using SMS text messages as a second-factor in two factor authentication renders users vulnerable, he said. While two factor techniques are not perfectly secure, he said, using a second layer of authentication at least provides users with additional protection on top of their password.
“What people hear is a both sides-ism about security where, ‘Well, it could make you more secure or it could make you more vulnerable,’” Risher said. The net effect is that some potential customers might check out because there’s too much information to absorb about the product.
“That learned helplessness is way more dangerous,” he said.
