Earlier this week, my friend Miguel Velosa Câmara showed me the following tweet:
Government-backed attackers may be trying to steal my Google password. This is what I received today morning. pic.twitter.com/rDoIz6fvUU
— Joshua Wong 黃之鋒 (@joshuawongcf) July 16, 2019
What are “Government-backed attackers”?
My first instinct is to think this is fake, but Google has a help page explaining this exact message. Google elaborates:
These warnings are rare—fewer than 0.1% of users ever receive them—but they are critically important. The users that receive these warnings are often activists, journalists, and policy-makers taking bold stands around the world.
Today, we’re launching a new, full-page warning with instructions about how these users can stay safe. They may see these new warnings instead of, or in addition to, the existing ones.
Google is telling Joshua that he's the target. For the most used email platform in the world, things like this must be happening millions of times a day and, since Joshua Wong is an activist, this again is no surprise. Google is doing the right thing here. They flagged a user that has a higher risk of attack and are proposing increased measures to protect him. Google also states that "We can't reveal what tipped us off because the attackers will take note and change their tactics…". So far, so good.
So my question is: why would Google say explicitly "Government-backed attackers" instead of something like "We found some irregular activity in your account"? On Google's help page, the text is much more revealing:
We regularly receive reports from users as well as from our own signaling systems that monitor for suspicious login attempts and other activity. It’s likely that you received emails containing harmful attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information.
For example, attackers have been known to send damaging PDF files, Office documents, or RAR files.
To protect users going forward, we can’t share details about precisely when or how we detected specific attacks. Google’s internal systems have not been compromised.
The Gmail warning includes personalized guidance to improve your security, based on your current account and browser settings. It will reappear after a short time to help remind you to take the recommended steps toward a more secure account. You can then switch off the warning; if it is shown again after weeks or months, it is because we detected new activity against your account.
Google is doing its job perfectly here. It provides adequate information so that the user can secure his account, and explains the extra measures he can take to improve security further. The person can take productive actions and avoid issues. The steps are the same regardless of whether the attacker is the next-door neighbor or a government so, in my opinion, there's no need to create more stress for the user when he/she cannot do anything to stop the attack.
Google's message should have the same tone as the help page. Instead, the user got a scary alert with a vague "we cannot tell you more." In turn, this allows you to make enormous assumptions and reach some far-fetched (yet plausible) conclusions, as this tweet shows.
Not this again! Dear Kremlin, please stop. pic.twitter.com/BxhMDvpncf
— Michael McFaul (@McFaul) November 23, 2016
Is this new?
Google first announced this feature back in May 2016 in a blog post. Up until then they were only flagging the emails (a feature introduced in 2012), but starting from that moment they would proactively send warnings to their users about these attacks. The program that Google mentions at the end of the email does exist, and you can check for more details here. I encourage you to take a look, especially if you're part of the group of people that are most vulnerable to attacks.
In conclusion, Google should act on the information as it would on any other security breach found by the team: take the information to the appropriate venues and let them deal with the data accordingly. People who receive this warning will have only one thing in mind: post it online and complain about it. They cannot do anything whatsoever after that to stop these attacks. That's why I think that this is careless and can be quite dangerous, with no actual benefit to the person.
What do you think? Is there any benefit to this, or do you think that Google shouldn’t provide this information?
I also write about privacy. You can find some posts here.