That was not the question asked. Google is good at data security, and at the same time they are probably the biggest privacy violators, and both of this can be true.
Some users may consider targeting advertising to be a threat, others less so.
My take is, if targeted advertising is the biggest thing you're worried about in terms of cybersecurity, you are probably doing reasonably well at staying secure.
It's the kind of answer that makes me wish people actually followed the HN guidelines. I understand people are very passionate, but I prefer to make decisions based on facts. My experience is that the people who are super passionate often show themselves to be uninformed when you drill down and start asking them hard questions about their strong claims.
I'm not particularly worried about Google stealing my credit card number and making fraudulent purchases. But I am worried about criminal organizations doing this.
There's so much FUD on HN about big tech companies, but I'm skeptical that their wickedness actually lives up to the hype. I suspect it is more of a clickbait miasma (journalists hate Google because they took revenue from the media industry) than anything based in fact. Google provides free and useful products (Google Search, Gmail, Android) to people across the world. Billions of people use this stuff voluntarily -- why?
If Google is "about as user hostile of an organization as there has ever been", it should be easy for you to come up with at least 3 examples off the top of your head (no searching for "14 ways Google is evil" listicles) of them being at least as nasty (on a per capita basis relative to the population of people they have relationships with) as the literal mafia. It should be no trouble at all. So, could you please do that for me?
Over a billion people smoke cigarettes, doesn't make it a good idea. Most of the worlds population can't afford an iPhone, so are left using Android.
Is it unreasonable to think they're probably doing something else illegal that hurts us right now? Or that they'll use their ill gotten treasure hoard to buy the resolution of their choice when they're caught again?
I agree that if the NSA is your threat model, then you shouldn't trust any company.
I also think we can learn a lot about security from Google even if they comply with federal court orders requesting user data. "Willingness to comply with federal court orders" and "competence at securing data against cyberattacks" are two different things.
"if NSA is your threat model" sounds like something somebody from the 1980's would say. It's been a long time now that we've known they spy on everybody and that they share the data, and they Five Eyes the data they can't get. NSA is everybody's threat model and it has been for a long time. Intervening in electoral politics, getting private companies to do their bidding... where have you been?
The turn this thread has taken has been interesting. A few comments ago,
stcroixx wrote:
>Have you ever seen security done right anywhere? In my experience, it's always the bare minimum.
I think there's a lot of ground between doing the bare minimum for security and hardening your organization against the NSA. Every step towards greater security is a step I support, even if your organization isn't able to reach the "hardened against the NSA" level.
I'm happy for you if you want to harden yourself against the NSA, but I dislike black-and-white thinking. I care about harms to users which come from non-NSA threats too. Case in point: the original post about hackers selling 23andme data -- presumably to clients who are not the NSA, in some cases.
If every discussion of how to improve security gets derailed into a discussion of how evil the NSA is and how practically no one is secure against them, then organizations will continue to do security badly, and we'll see more breaches like this 23andme breach. Fatalism is a self-fulfilling prophecy. I see it every day here on HN.
When "your" military officers are selling state secrets out for $5k in bribes [0], you realize there's probably very little you can do to prevent bad actors in positions of trust from blowing up any security model anywhere. Your only choice is between minimizing your risk with hoping for the best, or rolling your own everything and not taking part in any modern anything and living and dying alone. And even then, there's still probably going to be a file on you somewhere.
What's interesting to me remembering this is that back then, even that late into Google's life, Google had enough people to actually be pissed off about this and try doing something about it. Google of today? I have the sense that management would just shrug its shoulders and let the violating by any nation-state-backed group that pleases continue.
There's a mutual cynicism here. If Google's users think: "Google will violate my privacy no matter what, there's no point in complaining", then Google's executives will think: "Users will believe we are weak on privacy no matter what, there's no point in protecting user privacy".
To break the cycle, it helps to share concrete evidence of Google misbehaving rather than just presenting it as a fact that everyone knows. You get what you incentivize. If the feeling that Google sucks on privacy isn't linked to specific Google misbehavior whenever it is brought up, Google execs will correctly realize that users will feel the same no matter what decisions they actually make.
As a concrete point for discussion, in the zdnet article it states:
>After the news about NSA snooping first broke over the summer, Google decided it was time to start encrypting its datacenter-to-datacenter communications.
Is there an analogous security story from more recently where Google didn't try to address the problem in a similar way?