Official Blog
Insights from Googlers into our products, technology, and the Google culture
Keeping your personal information private and safe—and putting you in control
June 1, 2015
We've all been there at some point or another…
You just lost your phone and want to wipe your personal information.
You attend an event, and you want to share your photos with some people (but not everyone).
You hesitate as you download another app that's asking for a lot of information.
Every day, we make choices that affect our privacy and security online. Most people, however, don’t feel they have the right level of control to make these important decisions. According to a recent Pew study, 93 percent of people think it’s important to control access to their personal information, and 90 percent care about the type of information that’s collected about them. But only 9 percent feel they have “a lot” of control over it. We want to change that.
Google builds simple, powerful privacy and security tools that keep your information safe and put you in control of it. At Google I/O, we announced that people will have more control over the information they provide to mobile apps in the M release, the next version of Android. Today, we’re rolling out two significant improvements to our privacy and security tools: a new hub for managing your Google settings called My Account, and a new site that answers important questions about privacy and security on Google.
Privacy and security controls, all in one place
Privacy and security are two sides of the same coin: if your information isn’t secure, it certainly can’t be private. My Account gives you quick access to the settings and tools that help you safeguard your data, protect your privacy, and decide what information is used to make Google services work better for you. It also provides more context to help you understand your options and make the right choices for you.
Here are some of the things you can do with My Account:
Take the Privacy Checkup and Security Checkup, our simple, step-by-step guides through your most important privacy and security settings.
Manage the information that can be used from Search, Maps, YouTube and other products to enhance your experience on Google. For example, you can turn on and off settings such as Web and App Activity, which gets you more relevant, faster search results, or Location History, which enables Google Maps and Now to give you tips for a faster commute back home.
Use the Ads Settings tool to control ads based on your interests and the searches you’ve done.
Control which apps and sites are connected to your account.
We built My Account to be a resource for everyone, even if you don't have a Google Account. Check out your controls at myaccount.google.com.
Answering your questions about privacy and security
We listen to feedback from people around the world to better understand their concerns about privacy and security. In addition to My Account, we want to help people find answers to common questions on these topics, such as: "What data does Google collect? What does Google do with the data it collects? What tools do I have to control my Google experience?"
Our new site, privacy.google.com, candidly answers these questions, and more. We also explain how we show relevant ads without selling your personal information, how encryption and spam filtering help keep your data safe, and how your information helps customize your experience on Google. Visit this site often to learn about new tools, features, and information that can help you make the choices that are right for you.
When you trust your personal information with us, you should expect powerful controls that keep it safe and private as well as useful answers to your questions. Today’s launches are just the latest in our ongoing efforts to protect you and your information on Google. There’s much more to come, and we look forward to your feedback.
Posted by Guemmy Kim, Product Manager, Account Controls and Settings
Protect your Google Account with Password Alert
April 29, 2015
Would you enter your email address and password on this page?
This looks like a fairly standard login page, but it’s not. It’s what we call a “phishing” page, a site run by people looking to receive and steal your password. If you type your password here, attackers could steal it and gain access to your Google Account—and you may not even know it. This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.
To help keep your account safe, today we’re launching Password Alert, a free, open-source Chrome extension that protects your Google and Google Apps for Work Accounts. Once you’ve installed it, Password Alert will show you a warning if you type your Google password into a site that isn’t a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice.
Here's how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a “scrambled” version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn't a Google sign-in page, Password Alert will show you a notice like the one below. This alert will tell you that you’re at risk of being phished so you can update your password and protect yourself.
Password Alert is also available to Google for Work customers, including Google Apps and Drive for Work. Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem. This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse. Administrators can find more information in the Help Center.
We work to protect users from phishing attacks in a variety of ways. We’re constantly improving our Safe Browsing technology, which protects more than 1 billion people on Chrome, Safari and Firefox from phishing and other dangerous sites via bright, red warnings. We also offer tools like 2-Step Verification and Security Key that people can use to protect their Google Accounts and stay safe online. And of course, you can also take a Security Checkup at any time to make sure the safety and security information associated with your account is current.
To get started with Password Alert, visit the Chrome Web Store or the FAQ.
Posted by Drew Hintz, Security Engineer and Justin Kosslyn, Google Ideas
Protecting people across the web with Google Safe Browsing
March 12, 2015
Online security is on everybody's minds these days, so we want to give you updates about various ways Google keeps you safe online. Today, on the web’s birthday, we’re highlighting recent improvements to Safe Browsing, technology that protects more than 1.1 billion people all over the world. -Ed.
As the web continues to evolve, it’s important that user protections develop in lockstep so that people stay safe online. Our Safe Browsing technology may not be quite as old as the web—which celebrates its 26th birthday today—but ever since Safe Browsing launched nearly eight years ago, it’s continually adapted to protect web users, everywhere.
Safe Browsing gives users—both on Google and across the web—information they need to steer clear of danger. The dangerous sites detected by Safe Browsing generally fall into two categories: sites that attack users intentionally with either malware, phishing, or unwanted software that is deceptive or hard to uninstall, or sites that attack users unintentionally because they have been compromised, often without the site’s owner realizing this has happened.
Once we detect these sites, Safe Browsing warns people about them in a variety of ways. You’ve probably come across a warning like this in Chrome, Firefox or Safari; it’s powered by Safe Browsing:
Today, Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month. If you’re interested, you can see information about the dangerous sites that are detected by this technology anytime in our Safe Browsing Transparency Report.
We also use Safe Browsing technology to warn website owners or operators about issues with their sites so they can quickly fix them. We provide basic site maintenance tips, as well as specific Safe Browsing notifications in Webmaster Tools and Google Analytics. Often site owners don’t realize there are issues with their sites until they get these notifications.
Recent developments
Since its earliest days, Safe Browsing has been widely available, and free—for users, site owners, and other companies—to use and integrate into their own products. In the early days, we focused on detecting dangerous sites and then showing people warnings:
An early Safe Browsing notification, c. 2007. These would appear in the top right corner of people’s web browsers when they visited a site that had been flagged by Safe Browsing as potentially dangerous.
But, just as attacks become more sophisticated, we’ve made sure our own technologies have kept up. Over the years, we’ve built Safe Browsing into other Google products to help protect people in more places:
Safe Browsing API: We already make Safe Browsing data available for free to developers. This week we’re adding information about sites that host unwanted software, allowing developers to better protect their users as well.
Chrome: Before people visit a site delivering unwanted software, or try to download some of it, we show them a clear warning.
Google Analytics: We recently integrated Safe Browsing notifications into Google Analytics, so site owners can quickly take action to protect their users if there are issues with their websites. Previously, we’d only provided these warnings via our Webmaster Tools service.
Ads: We’ve also recently begun to identify ads that target people with unwanted software.
As the web grows up, Safe Browsing technology will, too. We’re looking forward to protecting the web, and its users, for many birthdays to come.
Posted by Panayiotis Mavrommatis, Safe Browsing Team
Take a Security Checkup on Safer Internet Day
February 10, 2015
Online security is on everyone’s mind these days. According to a recent Gallup poll, more people are worried about their online accounts being hacked than having their home broken into.
Security has always been a top priority for Google. Our Safe Browsing technology identifies unsafe websites and warns people before they visit them, protecting more than one billion Chrome, Firefox, and Safari users every day. 2-Step Verification adds an extra layer of security, beyond your password, to your Google account; it’s like a second padlock on your account’s door. And our research teams regularly release new findings about nefarious online activity, like Gmail account hijacking attempts, so people can stay informed.
We have many protections in place to keep people, and their information, secure, but there's also a lot that you can do to protect yourself. Today, on Safer Internet Day, take a quick Security Checkup, an easy way to review and manage your Google Account’s security settings.
Here are some of the important items you can review during your Security Checkup:
Recovery information: Adding a phone number can help us get in touch if you’re locked out of your account. We’ll only use your phone number to protect your account, unless you say otherwise.
Recent activity: This is a quick overview of your recent sign-ins to Google. If you see any activity from a location or device you don’t recognize, change your password immediately.
Account permissions: These are the apps, websites and devices connected to your Google account. Take a look and make sure you trust—and actually use—all of them. You might want to remove an old phone, or that dusty app you never use.
It takes just a few minutes to make sure your information is accurate and up to date. And as an extra thank you, we’ll add 2GB to your Drive storage plan if you complete the Security Checkup by February 17. Visit your Account Settings and take your Security Checkup today.
Posted by Andreas Tuerk, Product Manager
Transparency Report: Protecting emails as they travel across the web
June 3, 2014
When you mail a letter to your friend, you hope she’ll be the only person who reads it. But a lot could happen to that letter on its way from you to her, and prying eyes might try to take a look. That’s why we send important messages in sealed envelopes, rather than on postcards.
Email works in a similar way. Emails that are encrypted as they’re routed from sender to receiver are like sealed envelopes, and less vulnerable to snooping—whether by bad actors or through government surveillance—than postcards.
But some email is more secure than others. So to help you better understand whether your emails are protected by encryption, we’re launching a new section in the Transparency Report.
Gmail has always supported encryption in transit by using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can. The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.
Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren’t encrypted. Many providers have turned on encryption, and others have said they’re going to, which is great news. As they do, more and more emails will be shielded from snooping.
For people looking for even stronger email security, end-to-end encryption is a good option—but it’s been hard to use. So today we’re making available the source code for End-to-End, a Chrome extension. It's currently in testing, and once it's ready for general use it will make this technology easier for those who choose to use it.
We encourage you to find tips about choosing strong passwords and adding another layer of protection to your account in our Safety Center. And check out Reset the Net, a broad coalition of organizations, companies and individuals coming together this week to promote stronger security practices on the web; we’re happy to be a participant in that effort.
Posted by Brandon Long, Tech Lead, Gmail Delivery Team
Helping passwords better protect you
May 30, 2013
Knowing how to stay safe and secure online is important, which is why we created our Good to Know site with advice and tips for safe and savvy Internet use. Starting today, we'll also be posting regularly with privacy and security tips. We hope this information helps you understand the choices and control that you have over your online information. -Ed.
It could be your Gmail, your photos or your documents—whatever you have in your Google Account, we work hard to make sure it’s protected from would-be identity thieves, other bad guys, or any illegitimate attempts to access your information.
But you can also help keep your information safe. Think of how upset you would be if someone else got access to your Google Account without your permission, and then take five minutes to follow the steps below and help make it more secure. Let’s start with the key to unlocking your account—your password:
1. Use a different password for each important service
Make sure you have a different password for every important online account you have. Bad guys will steal your username and password from one site, and then use them to try to log into lots of other sites where you might have an account. Even large, reputable sites sometimes have their password databases stolen. If you use the same password across many different sites, there’s a greater chance it might end up on a list of stolen passwords. And the more accounts you have that use that password, the more data you might lose if that password is stolen.
Giving an account its own, strong password helps protect you and your information in that account. Start today by making sure your Google Account has a unique password.
2. Make your password hard to guess
“password.” “123456.” “My name is Inigo Montoya. You killed my father. Prepare to die!” These examples are terrible passwords because everyone knows them—including potential attackers. Making your passwords longer or more complicated makes them harder to guess for both bad guys and people who know you. We know it’s hard: the average password is shorter than 8 characters, and many just contain letters. In a database of 32 million real passwords that were made public in 2009, analysis showed (PDF) only 54 percent included numbers, and only 3.7 percent had special characters like & or $.
One way to build a strong password is to think of a phrase or sentence that other people wouldn’t know and then use that to build your password. For example, for your email you could think of a personal message like “I want to get better at responding to emails quickly and concisely” and then build your password from numbers, symbols, and the first letters of each word—“iw2gb@r2eq&c”. Don’t use popular phrases or lyrics to build your password—research suggests that people gravitate to the same phrases, and you want your password to be something only you know.
Google doesn’t restrict password length, so go wild!
3. Keep your password somewhere safe
Research shows (PDF) that worrying about remembering too many passwords is the chief reason people reuse certain passwords across multiple services. But don’t worry—if you’ve created so many passwords that it’s hard to remember them, it’s OK to make a list and write them down. Just make sure you keep your list in a safe place, where you won’t lose it and others won’t be able to find it. If you’d prefer to manage your passwords digitally, a trusted password manager might be a good option. Chrome and many web browsers have free password managers built into them, and there are many independent options as well—take a few minutes to read through reviews and see what would be best for your needs.
4. Set a recovery option
Have you ever forgotten your password? Has one of your friends ever been locked out of their account? Setting a recovery option, like an alternate email address or a telephone number, helps give the service provider another way to contact you if you are ever locked out of your account. Having an up-to-date recovery phone or email address is the best thing you can do to make sure you can get back into your account fast if there is ever a problem.
If you haven’t set a recovery option for your Google Account, add one now. If you have, just take a second to make sure it’s up to date.
We have more tips on how to pick a good password on our Help Center, and in the video below:
Your online safety and privacy is important to you, and it’s important to us, too. We’ve made a huge amount of progress to help protect your Google Account from people who want to break into it, but for the time being, creating a unique, strong password is still an important way to protect your online accounts. Please take five minutes today to reset your important passwords using the tips above, and stay tuned for more security tips throughout the summer.
Posted by Diana Smetters, Software Engineer
An update on our war against account hijackers
February 19, 2013
Have you ever gotten a plea to wire money to a friend stranded at an international airport? An oddly written message from someone you haven’t heard from in ages? Compared to five years ago, more scams, illegal, fraudulent or spammy messages today come from someone you know. Although spam filters have become very powerful—in Gmail, less than 1 percent of spam emails make it into an inbox—these unwanted messages are much more likely to make it through if they come from someone you’ve been in contact with before. As a result, in 2010 spammers started changing their tactics—and we saw a large increase in fraudulent mail sent from Google Accounts. In turn, our security team has developed new ways to keep you safe, and dramatically reduced the amount of these messages.
Spammers’ new trick—hijacking accounts
To improve their chances of beating a spam filter by sending you spam from your contact’s account, the spammer first has to break into that account. This means many spammers are turning into account thieves. Every day, cyber criminals break into websites to steal databases of usernames and passwords—the online “keys” to accounts. They put the databases up for sale on the black market, or use them for their own nefarious purposes. Because many people re-use the same password across different accounts, stolen passwords from one site are often valid on others.
With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.
Legitimate accounts blocked for sending spam:
Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years
How Google Security helps protect your account
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.
If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.
Help protect your account
While we do our best to keep spammers at bay, you can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number. Following these three steps can help prevent your account from being hijacked—this means less spam for your friends and contacts, and improved security and privacy for you.
Posted by Mike Hearn, Google Security Engineer
Safe Browsing—protecting web users for five years and counting
June 19, 2012
In this post, we've collected some highlights from the past five years of our Safe Browsing efforts, aimed at keeping people safe online. See the Security Blog for the full details and more visuals. -Ed.
Five years ago, we launched Safe Browsing, an initiative designed to keep people safe from malicious content online. Our primary goal was to safeguard Google's search results against malware (software capable of taking control of your computer) and phishing (fraudulent websites that entice users to give up their personal information). We also wanted to help educate webmasters on how to protect their own sites.
Malware and phishing are still big problems online, but our Safe Browsing team has labored continuously to adapt to the rising challenges of new threats. We've also developed an infrastructure that automatically detects harmful content around the globe.
Here’s a look at the highlights from our efforts over the past five years:
We protect 600 million users through built-in protection for Chrome, Firefox and Safari, where we show several million security warnings every day to Internet users. When we detect malware or phishing, we trigger a red warning screen that discourages clicking through to the website. Our free and public Safe Browsing API allows other organizations to keep their users safe by using the data we’ve compiled.
We find about 9,500 new malicious websites every day and show warnings to protect users. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing. Our detection techniques are highly accurate—we have had only a handful of false positives.
Approximately 12-14 million Google Search queries per day warn users about current malware threats, and we provide malware warnings for about 300 thousand downloads per day through our download protection service for Chrome.
We send thousands of notifications daily to webmasters. When webmasters sign up for Webmaster Tools we give them the option to receive warning notices if we find something malicious on their site.
Malware and phishing aren’t completely solvable problems because threats continue to evolve, but our technologies and processes do, too.
Phishing and malware trends
Online commerce sites are still favorite phishing targets because phishers are motivated by money. Some tried-and-true phishing methods are still used, but attacks are also getting more creative and sophisticated. Attacks are faster, with phishers sometimes remaining online for less than an hour to try to avoid detection. They’re also more geographically dispersed and are getting more targeted.
Malware authors often compromise legitimate sites to deliver content from a malicious attack site or to redirect to an attack site. These attack sites will often deliver "drive-by downloads" to visitors, which launch and run malware programs on their computers without their knowledge. To try to avoid detection, these attack sites adopt several techniques, such as rapidly changing their Internet location with free web hosting services and auto-generated domain names. Although less common than drive-by downloads, we’re also seeing more malware authors bypassing software vulnerabilities altogether and instead employing methods to try to trick users into installing malicious software—for example, fake anti-virus software.
How you can help prevent malware and phishing
Our system is designed to protect users at high volumes, but people still need to take steps to keep their computers safe. Ignoring a malware problem is never a good idea—if one of our warnings pops up, you should never click through to the suspicious site. Webmasters can help protect their visitors by signing up for malware warnings at Google Webmaster Tools. These warnings are free and will help us inform them if we find suspicious code on their sites. Finally, everyone can help make our system better. You can opt in to send additional data to our team that helps us expand the coverage of Safe Browsing.
Looking forward
Some of our recent work to counter new forms of abuse includes:
Instantaneous phishing detection and download protection within the Chrome browser
Chrome extension malware scanning
Android application protection
It’s a good feeling to know that we’re making the web more secure and directly protecting people from harm—whether they’re our users or not. We continue to invest heavily in the Safe Browsing team so we can defend against current and future security threats.
Posted by Niels Provos, Security Team
Tech tips that are Good to Know
January 16, 2012
Does this person sound familiar? He can’t be bothered to type a password into his phone every time he wants to play a game of Angry Birds. When he does need a password, maybe for his email or bank website, he chooses one that’s easy to remember like his sister’s name—and he uses the same one for each website he visits. For him, cookies come from the bakery, IP addresses are the locations of Intellectual Property and a correct Google search result is basically magic.
Most of us know someone like this. Technology can be confusing, and the industry often fails to explain clearly enough why digital literacy matters. So today in the U.S. we’re kicking off Good to Know, our biggest-ever consumer education campaign focused on making the web a safer, more comfortable place. Our ad campaign, which we introduced in the U.K. and Germany last fall, offers privacy and security tips: Use 2-step verification! Remember to lock your computer when you step away! Make sure your connection to a website is secure! It also explains some of the building blocks of the web like cookies and IP addresses. Keep an eye out for the ads in newspapers and magazines, online and in New York and Washington, D.C. subway stations.
The campaign and Good to Know website build on our commitment to keeping people safe online. We’ve created resources like privacy videos, the Google Security Center, the Family Safety Center and Teach Parents Tech to help you develop strong privacy and security habits. We design for privacy, building tools like Google Dashboard, Me on the Web, the Ads Preferences Manager and Google+ Circles—with more on the way.
We encourage you to take a few minutes to check out the Good to Know site, watch some of the videos, and be on the lookout for ads in your favorite newspaper or website. We hope you’ll learn something new about how to protect yourself online—tips that are always good to know!
Update Jan 17: Updated to include more background about Good to Know.
Posted by Alma Whitten, Director of Privacy, Product and Engineering
Making search more secure
October 18, 2011
We’ve worked hard over the past few years to increase our services’ use of an encryption protocol called SSL, as well as encouraging the industry to adopt stronger security standards. For example, we made
SSL the default setting in Gmail
in January 2010 and
introduced
an encrypted search service located at
https://encrypted.google.com
four months later. Other prominent web companies have
also
added
SSL support in recent months.
As search becomes an increasingly customized experience, we recognize the growing importance of protecting the
personalized search results
we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to
https://www.google.com
(note the extra “s”) when you’re signed in to your Google Account. This change
encrypts your search queries
and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to
https://www.google.com
directly if you’re signed out or if you don’t have a Google Account.
What does this mean for sites that receive clicks from Google search results? When you search from
https://www.google.com
, websites you visit from our organic search listings will still know that you came from Google, but won't receive information about each individual query. They can also receive an aggregated list of the top 1,000 search queries that drove traffic to their site for each of the past 30 days through
Google Webmaster Tools
. This information helps webmasters keep more accurate statistics about their user traffic. If you choose to click on an ad appearing on our search results page, your browser will continue to send the relevant query over the network to enable advertisers to measure the effectiveness of their campaigns and to improve the ads and offers they present to you.
As we continue to add more support for SSL across our products and services, we hope to see similar action from other websites. That’s why our researchers publish information about SSL and provide advice to help facilitate broader use of the protocol. We hope that today’s move to increase the privacy and security of your web searches is only the next step in a broader industry effort to employ SSL encryption more widely and effectively.
Posted by Evelyn Kao, Product Manager
National Cyber Security Awareness Month 2011: Our Shared Responsibility
October 7, 2011
(Cross-posted on the Public Policy Blog)
On the Internet, as with the offline world, the choices we make often have an impact on others. The links we share and the sites we visit can affect our security and sometimes introduce risk for people we know. Given how quickly our collective use of technology is evolving, it’s useful to periodically remind ourselves of practices that can help us achieve a more secure and enjoyable online experience.
This month, Google once again joins the National Cyber Security Alliance (NCSA), government agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. It’s a time for us to offer education that increases online security for everyone.
It’s fitting that the theme of this year’s Cyber Security Awareness Month is “Our Shared Responsibility.” With ever-increasing ways to access the web and share information, we need to focus on keeping our activities secure. In that spirit, and to help kick off Cyber Security Awareness Month, we’re introducing a new Google Security Center. The Security Center is full of practical tips and information to help people stay safe online, from choosing a secure password to using 2-step verification and avoiding phishing sites and malware.
We also continue to develop products and services that help people protect their information online. Examples that have stood out so far this year include the Chromebook, 2-step verification in 40 languages, and Chrome browser warnings for malicious downloads and out-of-date plugins, among others. We develop free products and tools such as DOM Snitch, a Chrome extension that helps developers identify insecure code.
We recognize the importance of security education and are committed to helping make your online experience both exciting and safe to use. We all have a responsibility to take steps to protect ourselves and together develop a culture of security. We encourage everyone to Stop. Think. Connect.
Posted by Eric Davis, Public Policy Manager, Security
2-step verification: stay safe around the world in 40 languages
July 28, 2011
(Cross-posted on the Online Security Blog)
Earlier this year, we introduced a security feature called 2-step verification that helps protect your Google Account from threats like password compromise and identity theft. By entering a one-time verification code from your phone after you type your password, you can make it much tougher for an unauthorized person to gain access to your account.
People have told us how much they like the feature, which is why we're thrilled to offer 2-step verification in 40 languages and in more than 150 countries. There’s never been a better time to set it up: Examples in the news of password theft and data breaches constantly remind us to stay on our toes and take advantage of tools to properly secure our valuable online information. Email, social networking and other online accounts still get compromised today, but 2-step verification cuts those risks significantly.
We recommend investing some time in keeping your information safe by watching our 2-step verification video to learn how to quickly increase your Google Account’s resistance to common problems like reused passwords and malware and phishing scams. Wherever you are in the world, sign up for 2-step verification and help keep yourself one step ahead of the bad guys.
To learn more about online safety tips and resources, visit our ongoing security blog series, and review a couple of simple tips and tricks for online security. Also, watch our video about five easy ways to help you stay safe and secure as you browse.
Update on 12/1/11: We recently made 2-step verification available for users in even more places, including Iran, Japan, Liberia, Myanmar (Burma), Sudan and Syria. This enhanced security feature for Google Accounts is now available in more than 175 countries.
Posted by Nishit Shah, Product Manager, Google Security
Using data to protect people from malware
July 19, 2011
(Cross-posted on the Google Online Security Blog)
The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.
As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:
This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.
We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our Help Center article.
Update July 20, 2011:
We've seen a few common questions we thought we'd address here:
The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.
We believe a couple million machines are affected by this malware.
We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.
In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.
Posted by Damian Menscher, Security Engineer
Ensuring your information is safe online
June 1, 2011
The Internet has been an amazing force for good in the world—opening up communications, boosting economic growth and promoting free expression. But like all technologies, it can also be used for bad things. Today, despite the efforts of Internet companies and the security community, identity theft, fraud and the hijacking of people’s email accounts are common problems online.
Bad actors take advantage of the fact that most people aren’t that tech savvy—hijacking accounts by using malware and phishing scams that trick users into sharing their passwords, or by using passwords obtained by hacking other websites. Most account hijackings are not very targeted; they are designed to steal identities, acquire financial data or send spam. But some attacks are targeted at specific individuals.
Through the strength of our cloud-based security and abuse detection systems*, we recently uncovered a campaign to collect user passwords, likely through phishing. This campaign, which appears to originate from Jinan, China, affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.
The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change people’s forwarding and delegation settings. (Gmail enables you to forward your emails automatically, as well as grant others access to your account.)
Google detected and has disrupted this campaign to take users’ passwords and monitor their emails. We have notified victims and secured their accounts. In addition, we have notified relevant government authorities.
It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself. But we believe that being open about these security issues helps users better protect their information online.
Here are some ways to improve your security when using Google products:
Enable 2-step verification. This Gmail feature uses a phone and second password on sign-in, and it protected some accounts from this attack. So check out this video on setting up 2-step verification.
Use a strong password for Google that you do not use on any other site. Here’s a video to help.
Enter your password only into a proper sign-in prompt on a https://www.google.com domain. We will never ask you to email your password or enter it into a form that appears within an email message. Here’s a video with more advice.
Check your Gmail settings for suspicious forwarding addresses (“Forwarding and POP/IMAP” tab, Fig. 1) or delegated accounts (“Accounts” tab, Fig. 2).
Fig. 1
Fig. 2
Watch for the red warnings about suspicious account activity that may appear on top of your Gmail inbox.
Review the security features offered by the Chrome browser. If you don’t already use Chrome, consider switching your browser to Chrome.
Explore other security recommendations and a video with tips on how to stay safe across the web.
Please spend ten minutes today taking steps to improve your online security so that you can experience all that the Internet offers—while also protecting your data.
*We also relied on user reports and this external report to uncover the campaign described.
Posted by Eric Grosse, Engineering Director, Google Security Team
Advanced sign-in security for your Google account
February 10, 2011
(Cross-posted on the Gmail Blog)
Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.
Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.
2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:
Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.
It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
To learn more about 2-step verification and get started, visit our Help Center. And for more about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/. Be safe!
Update Dec 7, 2011: Updated the screenshots in this post.
Posted by Nishit Shah, Product Manager, Google Security
National Cyber Security Awareness Month 2010: Stop. Think. Connect.
October 4, 2010
Governments, industry and everyday people have been abuzz this year about online security to a larger extent than ever before. People are talking about their information, how they share it with others and how they secure it. With more information moving online, and with cyber attacks on the rise, we think it’s important that we keep the conversation about security flowing.
Google has renewed its commitment to security this year and has pushed industry boundaries to help people better protect their information in new ways. Here are just a few examples: We became the first major email provider to offer default HTTPS encryption for the entire email session, and we introduced an encrypted search option for Google.com. We designed a new system to make Google Accounts more secure, and added suspicious activity detection for our users. Google Apps became the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification from the U.S. government. We also published new security products, tools and research to help web developers and network administrators make the rest of the web more secure.
I sit on the board of the National Cyber Security Alliance (NCSA) to promote work that encourages safer online habits. Together with that organization, the U.S. Department of Homeland Security (DHS) and a host of other companies, Google is taking the month of October to recognize National Cyber Security Awareness Month. As we did in a blog post series last year, we’ll explore simple ways that people can make use of Google’s technologies and tools, as well as other freely available resources and advice, to better protect themselves and their information.
We will post links here throughout the month, so be sure to check back often:
Tips and Tricks: Sharing Google Docs Like a Pro
Protect your data in the cloud
This Internet is Your Internet: Digital Citizenship from California to Washtenaw County
Understanding the omnibox for better security (Google Chrome Blog)
Safe browsing on Blogger
Stop. Think. Connect. To protect yourself from fake Checkout invoices.
Tips for a more secure orkut experience
Remember these tips for safer shopping
Remember, even with so many people and groups focused on creating a safer web experience for everyone, we all have a responsibility to take steps to protect ourselves online. The NCSA recommends that we keep our wits about us and think carefully about our online actions before we take them. In that spirit, we encourage you to:
Stop. Think. Connect.
Posted by Eric Davis, Public Policy Manager, Security
Three million businesses have gone Google: celebrating growth, innovation and security
September 20, 2010
Today we’re hosting more than 300 CIOs and IT professionals from around the world in Paris at Google Atmosphere, our annual European event dedicated to cloud computing—web-based applications that are built on shared infrastructure and delivered through the browser. This year, the discussion at Atmosphere is focused on how companies can benefit from the breakthroughs in productivity and security that cloud-based applications are uniquely capable of delivering.
This event also marks some major milestones:
As of today, more than 3 million businesses have gone Google, and over 30 million users within businesses, schools and organizations now depend on our messaging and collaboration tools.
We’re launching new cloud-powered capabilities: two-step verification to help enhance security and soon, mobile editing in Google Docs on Android and the iPad™.
First, Google Apps Premier, Education and Government Edition administrators can now have users sign in with the combination of their password (something they know) and a one-time verification code provided by a mobile phone (something they have). Users can continue to access Google Apps from Internet-connected devices, but with stronger protections to help fend off risks like phishing scams and password reuse. For the first time, we’re making this technology accessible to organizations large and small without the costs and complexities that have historically limited two-step verification to large enterprises with deep pockets. Furthermore, in the coming months, Standard Edition and hundreds of millions of individual Google users will be able to enjoy this feature as well.
Second, today we demonstrated new mobile editing capabilities for Google Docs on the Android platform and the iPad. In the next few weeks, co-workers around the world will soon be able to co-edit files simultaneously from an even wider array of devices.
Only cloud computing is able to deliver the whole package of productivity-enhancing collaboration, superior reliability and virtually unlimited scale at a price that’s affordable for any size organization. Our Atmosphere event is a nice opportunity to step back and fully appreciate the power of the cloud with customers and future customers alike.
Posted by Dave Girouard, President, Google Enterprise
Simpler sign-ups for Yahoo! users with OpenID
September 7, 2010
How many times have you created a new account at a website and seen a message that said: “Thank you for creating an account. To activate your new account, please access your email and click the verification URL provided.”
Even though you just want to start using the website, this lengthy process requires you to manually perform a whole bunch of steps—including switching to your mailbox, trying to find the message the website sent you (which might be in your Spam folder), opening the message, clicking the link, etc. Until recently, we also required people to follow these steps if they wanted to sign up for a Google Account using their existing email address, such as a @yahoo.com, @hotmail.com, or other address.
To make this process simpler, we’re now using an Internet standard called OpenID which is supported by several email providers, including Yahoo!. Instead of the process above, Yahoo! users who sign up with Google see the page below with a button that sends them to Yahoo! for verification.
Once you click that button, Yahoo! shows you a page to get your consent to share your email address with Google.
After you agree, you’re done and can start using any Google service, such as Google Groups, Docs, Reader, AdWords, etc. We have found that a much larger number of people complete the email verification process when this method is used.
In the future we hope to expand this feature to other email providers, and we also hope other website operators will read more on the Google Code Blog about how they can implement a similar feature.
Posted by Eric Sachs, Senior Product Manager, Google Security
Search more securely with encrypted Google web search
May 21, 2010
Update June 25, 2010:
Since we introduced our encrypted search option last month, we’ve been listening closely to user feedback. Many users appreciate the capability to perform searches with better protection against snooping from third parties. We’ve also heard about some challenges faced by various school districts, and today, we want to inform you that we’ve moved encrypted search from https://www.google.com to https://encrypted.google.com. The site functions in the same way. For more information on this change, please read on here.
As people spend more time on the Internet, they want greater control over who has access to their online communications. Many Internet services use what are known as Secure Sockets Layer (SSL) connections to encrypt information that travels between your computer and their service. Usually recognized by a web address starting with “https” or a browser lock icon, this technology is regularly used by online banking sites and e-commerce websites. Other sites may also implement SSL in a more limited fashion, for example, to help protect your passwords when you enter your login information.
Years ago Google added SSL encryption to products ranging from Gmail to Google Docs and others, and we continue to enable encryption on more services. Like banking and e-commerce sites, Google’s encryption extends beyond login passwords to the entire service. This session-wide encryption is a significant privacy advantage over systems that only encrypt login pages and credit card information. Early this year, we took an important step forward by making SSL the default setting for all Gmail users. And today we’re gradually rolling out a new choice to search more securely at https://www.google.com.
When you search on https://www.google.com, an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network. The service includes a modified logo to help indicate that you’re searching using SSL and that you may encounter a somewhat different Google search experience, but as always, remember to check the start of the address bar for “https” and your browser lock indicators:
Today’s release comes with a “beta” label for a few reasons. First, it currently covers only the core Google web search product. To help avoid misunderstanding, when you search using SSL, you won’t see links to offerings like Image Search and Maps that, for the most part, don’t support SSL at this time. Also, since SSL connections require additional time to set up the encryption between your browser and the remote web server, your experience with search over SSL might be slightly slower than your regular Google search experience. What won’t change is that you will still get the same great search results.
A few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.
We think users will appreciate this new option for searching. It’s a helpful addition to users’ online privacy and security, and we’ll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL.
Posted by Evan Roseman, Software Engineer
WiFi data collection: An update
May 14, 2010
Update June 9, 2010:
When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns.
Update May 17, 2010:
On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.
You can read the letter from the independent third party, confirming deletion, here.
[original post]
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.
In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.
However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.
This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.
The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.
Posted by Alan Eustace, Senior VP, Engineering & Research