Now that the first major botnet that runs on Android has been found by the anti-virus vendor community, I wonder: what would Google do?
In October of 2011 the London Action Plan in cooperation with the Messaging Anti Abuse Working Group organised a session on mobile security. In December 2011 the Dutch Association ECP did the same for the Dutch market. At both events Google and Apple, as the main Operating System developing companies for the mobile world, declined participation. In the Netherlands not one mobile operator chose to participate in the event. What does this tell us?
At these sessions one main question prevailed: Are there lessons to be learned from the fixed network that can be applied fast to the mobile one? Yes, people decided, and they are quite predictable. What makes it hard is the question of who calls the shots. There are so many different layers involved that it results in a form of stagnation where mobile cyber security is concerned. Who decides on updates of operating systems? Will bought apps, downloaded software, etc. still work if an update is offered? How are app stores secured? Who decides whether a standard anti-virus product is sold with a smart phone?
And even if all these problems and a lot more are worked out between all the involved partners in the mobile chain, there are the individual users who download illegal software, often infected with a trojan. The two sessions made one thing clear: there is no easy solution to these questions.
If Google is present at international meetings (at least the ones I attend) they show how good they are and do. New search engine applications are shown that will better the world (and Google). You may have heard them also. I ask myself two questions here:
1. Why is Google not actively present when cyber crime and security are discussed?
2. Why does Google not apply its enormous potential to assist law enforcement and the cyber security community?
In the end, if the Internet is hurt, as trust levels go down because of the possibilities the Internet offers to criminals and fraudsters and how this affects the choices of individual persons and organisations, Google will be seriously hurt in the process. Trust in Google(‘s products) will go down accordingly.
If I just stick to topics which are relevant to Google and leave other possibilities aside, the company has the potential to filter search queries for illegal software on the Internet as well as identify the related websites. How hard is it to engage with law enforcement and cyber security organisations on this data? Isn’t it in the interest of Google to do just this? And how about assisting in creating a level playing field among said agencies, e.g. by providing trainings that benefit Google as much as law enforcement officers and cyber security personnel?
Is this abusing the power of Google? I do not think it is. A company is allowed to protect its products as well as its customers, especially when its own systems are used to abuse or hurt itself and/or its customers, as long as it does not go beyond its own terms of contract and the law. That abuse of its products will hurt Google in the end is only a matter of time, if it isn’t already happening.
I seriously wonder whether Google can afford to remain aloof where the stability and security of the (use of the) Internet are concerned. The Internet is its main source of existence. Making it a safer place with acceptable levels of risk may become a matter of priority for the company fast. Hence my question: What would Google do?
BTW, the same goes for e.g. Apple and Facebook.
Wout de Natris, De Natris Consult
Leiderdorp, 5 July 2012