lauren.vortex.comLauren Weinstein's

Blog Blog Vortex Technology PFIR PRIVACY Forum Network Neutrality Squad About Lauren - - - lauren@vortex.com On Mastodon Go to postings from 2003 through March 2016 Google and Seniors Google refuses to create a specific role for someone to oversee the issues of older users, who depend on Google for so many things but so often get the shaft and lose everything when something goes wrong with their accounts. Google should AT LEAST (I still think the role is crucial), be providing focused help resources and a recurring (at least monthly) blog to help this class of users (Google for Seniors”, Google Seniors Blog”). This would all be specifically oriented toward helping these users deal with the kinds of Google Account and other Google problems that so often disproportionately affect this group. This would be good for these users (who Google unreasonably and devastatingly considers to be an unimportant segment of their user base) and frankly good for Google’s PR in a highly challenging and toxic political environment. I’m so tired of having so many people in this category approach me for help with account and other Google issues because they never understood the existing Google resources that, frankly, are written for a different level of tech expertise and understanding. I have more detailed thoughts on this if anyone cares. No, I’m not holding my breath on this one. –Lauren– Author Lauren Posted on 9 May 2024 About Google and Location Privacy You may have seen a lot of press over the last few days about Google moving location data by default to be on-device (e.g., your phone) rather than stored centrally (and encrypted if you choose to store it centrally), and how this will help prevent abuses of broad geofence” warrants that law enforcement uses to get broad data about devices in a particular specified area. These are all positive moves by Google, but keep in mind that Google has long provided users with control over their location history — how long it’s kept, the ability for users to delete it manually, whether it’s kept at all, etc. But when is the last time your mobile carrier offered you any control over the detailed data they collect on your devices’ movements? If you’re like most people, the answer seems to be never. And while cellular tracking may not usually be as precise as GPS, these days it can be remarkably accurate. One wonders why there’s all this talk about Google, when the mobile carriers are collecting so much location data that users seem to have no control over at all, data that is of similar interest to law enforcement for mass geofence warrants, one might assume. Think about it. –Lauren– Author Lauren Posted on 16 Dec 2023 16 Dec 2023 Google’s Inactive Account Policy and Phishing Attacks Concerns As you may know, Google has recently begun a protocol to delete inactive Google accounts, with email notices going out to the account and recovery addresses in advance as a warning. Leaving aside for the moment the issue that so many people who have lost track of accounts probably have no recovery address specified (or an old one that no longer reaches them), there’s another serious problem. A few days ago I received a legitimate Google email about an older Google account of mine that I haven’t used in some time. I was able to quickly reauthenticate it and bring it back to active status. However, this may be the first situation (there may be earlier ones, but I can’t think of any offhand) where Google is actively out of the blue” soliciting people to log into their accounts (and typically, older accounts that I suspect are more likely not to have 2-factor authentication enabled, for example). This is creating an ideal template for phishing attacks. We’ve long strongly urged users not to respond to emailed efforts to get them to provide their login credentials when they have not taken any specific actions that would trigger the need for logging in again — and of course this is a very common phishing technique (You need to verify your account — click here.” Your password is expiring — click here.”, etc.) Unfortunately, this is essentially the form of the Google reactivate your account” email notice. And for ordinary busy users who may get confused to see one of these pop into their inbox suddenly, they may either ignore them thinking that they are a phishing attack (and so ultimately lose their account and data), or may fall victim to similar appearing phishes leveraging the fact that Google is now sending these out. I’ve already seen such a phish, claiming to be Google prompting with a link for a login to a supposedly inactive account. So this scenario is already occurring. The format looked good, and it was forged to appear to be from the same Google address as used for the legitimate Google inactive account notification emails. Even the internal headers had been forged to make it appear to be from Google. The top level Received from” header line IP address was wrong of course, but how many people would notice this or even look at the headers to see this in the first place? I can think of some ways to help mitigate these risks, but as this stands right now I am definitely very concerned. –Lauren– Author Lauren Posted on 18 Nov 2023 In Support of Google’s Progress On AI Content Choice and Control Last February, in: Giving Creators and Websites Control Over Generative AI https://lauren.vortex.com/2023/02/14/giving-creators-and-websites-control-over-generative-ai I suggested expansion of the existing Robots Exclusion Protocol (e.g. robots.txt”) as a path toward helping provide websites and creators control over how their contents are used by AI systems. Shortly thereafter, Google publicly announced their own support for the robots.txt methodology as a useful mechanism in these contexts. While it’s true that adherence to robots.txt (or related webpage Meta tags — also part of the Robots Exclusion Protocol) is voluntary, my view is that most large firms do honor its directives, and if ultimately moves toward a regulatory approach to this were deemed genuinely necessary, a more formal approach would be a possible option. This morning Google ran a livestream discussing their progress in this entire area, emphasizing that we’re only at the beginning of a long road, and asking for a wide range of stakeholder inputs. I believe of particular importance is Google’s desire for these content control systems to be as technologically straightforward as possible (so, building on the existing Robots Exclusion Protocol is clearly desirable rather than creating something entirely new), and for the effort to be industry-wide, not restricted to or controlled by only a few firms. Also of note is Google’s endorsement of the excellent AI taxonomy” concept for consideration in these regards. Essentially, the idea is that AI Web crawling exclusions could be specified by the type of use involved, rather than by which entity was doing the crawling. So, a set of directives could be defined that would apply to all AI-related crawlers, irrespective of who was doing the crawling, but permitting (for example) crawlers that are looking for content related to public interest AI research to proceed, but direct that content not be taken or used for commercial Generative AI chatbot systems. Again, these are of course only the first few steps toward scalable solutions in this area, but this is all incredibly important, and I definitely support Google’s continuing progress in these regards. –Lauren– Author Lauren Posted on 26 Oct 2023 Radio Transcript: Google Passkeys and Google Account Recovery Concerns As per requests, this is a transcript of my national network radio report earlier this week regarding Google passkeys and Google account recovery concerns. – – – So there really isn’t enough time tonight to get into any real details on this but I think it’s important that folks at least know what’s going on if this pops up in front of them. Various firms now are moving...