Privacy and security are not the top concerns for Google’s Larry Page, at least if the CEO’s most recent message to investors is any indication.
The 3,500-word letter makes scant mention of either security or user privacy and gives the public little indication of Google’s plans to address the security of its products and customer data, amid a rising chorus of concern from security experts and government inquiries on both sides of the Atlantic.
The letter was published on Google’s investor relations Web site this week. In it, Page lauds the company’s new Google+ social network, and outlines the company’s long term vision and plans for the remainder of 2012 and beyond. Those plans include improvements to Google’s core search engine that will allow the company to personalize search results, and tie search with more specific functions (like making travel reservations). Page celebrated the success of Google’s Android operating system, and its purchase of device maker Motorola Mobility.
Missing from his letter, however, was acknowledgement that the Mountain View, California company faces challenges in both the security and privacy arena.
In February, the company found itself in hot water, again, after it was found to be evading the privacy controls of Apple’s Safari and Microsoft’s Internet Explorer Web browsers in order to track user behavior online.
Finally, the company faced a wave of criticism for a privacy makeover in March that combined scores of distinct privacy agreements with its users into a uniform policy. The revised policy prompted complaints from the EU and Japan’s Ministry of Internal Affairs and Communications that the new policy violated domestic privacy protections as well as the “lawfulness and fairness” of the policy.
Page’s letter makes no mention of those controversies, beyond allowing that the company’s privacy changes “generated a lot of interest.” The changes, he said, “will enable us to create a much better, more intuitive experience across Google – our focus for the year.”
So too with security, where Google’s Android mobile operating system has become the platform of choice for hackers and cyber criminals. Security researchers documented a steep increase in new malicious programs targeting Android throughout 2011. Researchers have also discovered large botnets of Android phones – the first such examples of mobile botnets. Finally, Google was forced this year to begin vetting applications on its Android Marketplace after compromised and malicious applications, including the DroidDream malware, repeatedly fooled Google monitors and appeared on the marketplace for download.
Page, however, took an entirely rosy view of Android in his letter, touting the success of the mobile operating system and its integration with Google Docs, Gmail and the company’s other hosted services.
While Page’s audience – Google investors – may explain the upbeat tone, it does raise the question of whether security and privacy rank highly on the company’s list of priorities, as Google attempts to diversify its core business out from online advertising. The truth is that most of Google’s thinking and plans on both privacy and security are opaque.
The company has an impressive team of security experts on staff, and even made targeted security acquisitions, such as the German firm Zynamics in March, 2011. Google has also received praise from security researchers for the relatively high bar it has set for security in products like Chrome. However, critics have argued that the company has sown the seeds of insecurity with both Android and its search products. On the mobile front, Google’s decision to give carriers and handset makers the ability to decide when to push out Android updates means that consumers are often running out-of-date and vulnerable versions of that mobile operating system.
Privacy experts point out that security and privacy are not equivalent. Google may do a better job than most at creating secure products, but its business is built on users divulging personal information for the benefit of advertisers, meaning that the company undercuts its own revenue stream by making online privacy protections a priority.