The Blog of Random

Google: A Misrepresented Evil

Don't be evil, sometimes.

Humble beginnings

Google had its humble beginnings in 1995 as a research project by Stanford University students Larry Page, Sergey Brin, and Scott Hassan. While Hassan left before the company was officially founded, the other two remained, and went on to become owners of one of the largest companies in the world.

Now, the company that started out as a simple search engine controls the daily lives of millions of people around the world, with their largest product being Google Search. It's so popular that "Googling" has become synonymous with searching the web. Other than the search engine, Google's other products are also widely used, such as Google Drive, Gmail, Google Maps, etc. However, Google's most popular products are Android and Chrome.

Billionaires

Alphabet is the current parent company of Google and its former subsidiaries, and fills the position that Google used to fill until October 2015. Alphabet was the 3rd-largest tech company (by revenue) in the world in 2021, only behind Apple and Samsung, beating out other huge companies like Microsoft and Facebook/Meta. That's impressive, but where do they get so much money, when most of Google's products are free for people to use?

Subsidiaries

Alphabet and Google own a lot of companies. Here's a small list of companies that they own:

Alphabet

Google

Combining revenue from all of these companies, Alphabet earned over $250 billion in 2021.

Minor sources

Google also has other, minor sources of income, such as:

However, these contribute to a very small percentage of Google's total income.

Advertising and data collection

This is by far the most profitable business for Google, earning over $200 billion in 2021 from ads alone. Seeing as their total revenue for 2021 was just over $250 billion, it's clear how important advertising has been for Google. However, Google's advertising strategy isn't as straightforward as people believe it to be.

Myth: Google sells user data

This is actually false. Considering how valuable data is, especially in this day and age, it wouldn't make sense for Google to simply give it away for a (relatively) small amount of money. Instead, Google employs a far more complex and intelligent strategy, which is the reason they're the advertising kings.

Ad spots and RTB

Let's say you have a website that you own, grandmascooking.com, and you want to earn money from the website. There are a few ways you can do this. Your first option is to create a paywall to enter and use the site, including one-time payments, a subscription model, etc. However, this would significantly limit the number of users your site gets, and there are services like 12ft that are made specifically to bypass subscriptions.

Your other option is to have ads on your website, and earn revenue from that. This is generally a much more profitable option, since you'll get more users and most people are generally used to seeing ads on the internet, even if they're not happy about it. Most websites, both big and small, usually opt for this.

In order to display ads on your website, you set up certain areas where ads can be displayed, which I'll call ad spots. You go to Google Adsense, and you tell them that you want to display ads on your website. Google will then generate some code, which you can copy onto your website, and voilà! You now have ads shown on your website.

Now, whenever Google sees that someone has visited your website, they pull up that person's profile to see their interests. Say I've just visited your website and Google sees that I have an interest in watches. They'll go to the companies that want to advertise their products, like Tissot or Omega, and tell them, "Hey we've got a person who may be interested in your stuff". The companies then start "bidding" (RTB) for the ad spot to show me an advertisement for whatever product they have, and Google will select the highest bid depending on how much the company paid for it and how likely I am to click on it.

All of this is automated, obviously. It's a bunch of bots bidding against other bots, and an algorithm to select the most optimal advertisement to show to users.

This is only one of the many ways that Google can earn money from ads. There's also search engine advertisements, YouTube ads, in-app advertisements, etc.

Data collection

Although Google doesn't sell your data, this doesn't mean they don't collect it. They collect a lot of data, such as your browsing history, app usage, contacts, photos, name, search data, and so much more.

If you trust Google with this data, then great! Google has implemented extensive security measures to keep your personal information safe from anyone else, malicious or otherwise. Nothing's 100% secure, but Google is definitely one of the closest.

However, if you don't trust Google, then this can be a huge issue. They hold an immense amount of data on everyone who is currently using or has previously used their services. And I don't just mean people using Google services like Gmail, Google Docs, Drive, etc.; that list also includes anyone who has filled out a reCAPTCHA, or has used a website or app that uses Google Analytics. While it is anonymised and encrypted, encryption can be broken and information can be de-anonymised with relative ease. This is a huge privacy issue, and Google's paid the price for it. However, at this point, companies are setting aside huge amounts of money specifically to cover fines imposed on them, so that they don't have to change their ways.

Monopoly

If you think back to 2001, you may recall United States v. Microsoft Corp., which was an antitrust law case against Microsoft for illegally maintaining a monopoly. At the time, Microsoft's Internet Explorer had an approximately 90% share in the global web browser market, eventually peaking at 96% in 2002.

Today, Microsoft no longer holds that position in browsers. Chrome is now the leader in browsers, with a 65% market share (as of June 2022). Chrome is built on the open source Chromium project, which is mainly developed by Google. Other companies also use Chromium as their base to build their own browsers, such as Brave, Microsoft Edge, Opera, Samsung Internet, Vivaldi, Yandex Browser, etc. However, any changes Google makes to Chromium will generally be followed by these browsers. This gives Google a lot of power over the internet.

On top of that, Google Search has a 92% share in the search engine market, with no one to contest them. While there are privacy-friendly options, like DuckDuckGo, Brave Search, Startpage and more, most people don't know they exist. And those that do, don't find the results good enough to use.

My Experience

I've used all 3 of the search engines listed above, and the only one that has worked consistently well for me has been Brave Search. DuckDuckGo is basically Bing without the tracking, and Bing has never given me good results.

While Startpage has decent results (they use Google Search for their results), it doesn't work well if you're using Tor or a VPN, and they show their own ads which, while privacy-friendly, are annoying. Other than that, for most people, Startpage is the closest to Google you can get, privately. However, keep in mind that Startpage was bought by System1, an ad company. While this doesn't seem to have much impact on Startpage and its privacy, I think it's something to look out for in the future. After all, these kinds of deals have never ended well in the past, such as in the case of DuckDuckGo and Microsoft. DuckDuckGo eventually did block those trackers, but it was enough that people stopped trusting them.

I do recommend Brave Search, however. They use their own search index for results, and it's worked flawlessly for ~95% of my searches. If you like Brave Search, you can set it as the default search engine in your browser.

I am not affiliated with any of these companies. This recommendation is purely based on personal experience.

Google also makes Android, which is used by over 70% of all mobile devices, most of which are also using Google Play Services and Google's apps.

Google has tried to use this monopolistic position to control the internet, and has been sued for it multiple times.

Heroes

Now, hearing all of that, you may be led to believe that Google isn't the best of companies, or even the worst. That's a completely valid opinion to have. That's where the "Evil" part of the title comes in. However, they aren't completely horrible, and are oftentimes misrepresented as being the worst company of all time.

Open source connoisseurs

Google has been very involved with the open source community, far more than any other Big Tech company. From Android, Chromium, Angular, Dart, Flutter, Golang, Kubernetes, and more, Google has always been very supportive of the open source philosophy. Even their upcoming OS, Fuchsia, is open source.

This shows that Google is inclusive of the developer community as a whole, not just their own employees. Google open sourcing their work is what has allowed us to get amazing projects such as GrapheneOS, Brave Browser, Electron, Scully, Hugo, and more. Open source has plenty of other benefits too, in terms of privacy and trust, as I've outlined in my Intro to Privacy, Security and Anonymity post.

Security

Google is one of the world leaders in software and hardware security, from Project Zero, Google's team of security researchers, to paying millions of dollars for bug bounties. Google has encryption in transit for all of your data, so that no one else can access it. They also have the Advanced Protection Program for those needing extra security.

Google Advanced Protection Program

Advanced Protection is recommended for anyone who is at an elevated risk of targeted online attacks. This includes journalists, activists, political campaign staffers, business leaders, IT admins, and anyone else whose Google Account contains valuable files or sensitive information.

Chromium

Chromium (and by extension Chromium-based browsers like Chrome, Brave and Edge) is one of the most secure browsers in the world, better than most alternatives like Firefox. This is widely agreed-upon in the security community.

Daniel Micay, lead developer of GrapheneOS

Chromium-based browsers [...] provide the strongest sandbox implementation, leagues ahead of the alternatives. It is much harder to escape from the sandbox and it provides much more than acting as a barrier to compromising the rest of the OS. Site isolation enforces security boundaries around each site using the sandbox by placing each site into an isolated sandbox. [...] Site isolation is important even without a compromise, due to side channels. Browsers without site isolation are very vulnerable to attacks like Spectre.

[...]

Chromium is using Network Isolation Keys to divide up connection pools, caches and other state based on site and this will be the foundation for privacy. Chromium itself aims to prevent tracking through mechanisms other than cookies

Madaidan, Whonix security researcher

For security, use Chromium. Avoid Firefox or browsers based on it, as they are currently very lacking in security. Microsoft Edge is a better choice for Windows users, as it can utilise Microsoft Defender Application Guard (MDAG) and has an enhanced security mode in which JIT is disabled and mitigations such as ACG, CIG, CFG and CET are all enabled in the renderer process.

If a lot of that made no sense to you, don't worry, you're not alone. I tried to pick out the easiest-to-understand parts, but it takes years and years of research and experience to get to the level of understanding these people have reached. However, their main point is clear: Chromium is really secure. The Chromium team has a whole page about their security in their documentation, if you want to read more. It's a little easier to read than the technical stuff the researchers above were talking about.

From what I've understood, one of Chromium's best security features is sandboxing, which is a way to separate processes from one another so that they can't access each other, at least without your permission. Firefox has its own sandboxing solution, called Project Fission, which rolled out in Firefox 95. However, it's not as strong as Chromium's site isolation (this is a type of sandboxing).

Madaidan

Firefox fully rolled out their Fission project in Firefox 95. However, Fission in its current state is not as mature as Chromium's site isolation, and it will take many more years for it to reach that point. Fission still suffers from all the security issues of the baseline content process sandbox, as documented below, and it is not a panacea for all sandboxing issues. However, more specific to Fission itself, there are numerous cross-site leaks, allowing a compromised content process to access the data of another and bypass site isolation.

Android and ChromeOS

Android and ChromeOS are Google's operating systems for mobile and desktop, respectively. Similar to Google Chrome, they are leaders in operating system security, challenged only by Apple's iOS/iPadOS and macOS. They are both based on open source projects:

Both Android and ChromeOS are based on Linux, and while most consumer Linux distributions by themselves are very insecure, ChromeOS and Android have modified the Linux kernel and base so much that they could very well qualify as completely independent operating systems built on a Linux-like kernel.

Patrick Brady, Google engineer

Android is not Linux

Ars Technica

Although Android is built on top of the Linux kernel, the platform has very little in common with the conventional desktop Linux stack.

Android's security model is often praised as one of the strongest, and that can be further improved by GrapheneOS on a Google Pixel device.

On the ChromeOS side of things, a similar story can be seen. Chromebooks take extensive measures to ensure your security, even on those not made by Google.

Both ChromeOS and Android have security features like:

These are just a few of the security features that Google has implemented into their operating systems. Their upcoming OS, Fuchsia, should have even stronger security, with its custom-made Zircon kernel and all of the knowledge Google has attained over the years.

Google Pixel

Google's Pixel devices, especially their phones, are an excellent example of hardware security done right. The Pixel line is built from the ground up with security in mind, and every version that Google releases improves on that.

Tommy, PrivSec.dev

Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element.

This starts with the Titan M series of security chips that they've used in their devices starting from the Pixel 3. The chip is custom-built by Google, and gives the Pixel line a lot of security advantages over the competition, at least on the Android side.

Google Security Blog

Titan M performs several security sensitive functions, including:

  • Storing and enforcing the locks and rollback counters used by Android Verified Boot.

  • Securely storing secrets and rate-limiting invalid attempts at retrieving them using the Weaver API.

  • Providing backing for the Android Strongbox Keymaster module, including Trusted User Presence and Protected Confirmation. Titan M has direct electrical connections to the Pixel's side buttons, so a remote attacker can't fake button presses. These features are available to third-party apps, such as FIDO U2F Authentication.

  • Enforcing factory-reset policies, so that lost or stolen phones can only be restored to operation by the authorized owner.

  • Ensuring that even Google can't unlock a phone or install firmware updates without the owner's cooperation with Insider Attack Resistance.

This only got better when Google introduced their custom Tensor processor in the Pixel 6, since they were then able to secure not only the security chip, but also the processor. This was a significant step forward for Pixel security, and has since made the Pixel 6 line one of the most secure phones in the world, if not the most secure. Additionally, Google is now able to provide software updates for a longer amount of time: 5 years instead of 3, which means your phone can be even more secure, for longer. This is one of the main reasons that privacy- and security-focused projects like GrapheneOS only recommend and support the Pixel line, at least for now.
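The rate-limiting of invalid attempts listed among Titan M's functions above is what lets a short PIN guard a strong secret. The model below is an added example, not Google's firmware or the Weaver interface itself: `ThrottledSlot`, the five free attempts, the 30-second base delay and the one-day cap are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed policy values for this constructed model (not taken from any real chip).
FREE_ATTEMPTS = 5      # the first wrong guesses up to this count carry no real penalty
BASE_DELAY = 30        # seconds of lockout once the free attempts are used up
MAX_DELAY = 86_400     # lockout is capped at one day


class ThrottledSlot:
    """Hypothetical secure-element slot: releases a secret only for the right key."""

    def __init__(self, key: bytes, value: bytes):
        self._key_digest = hashlib.sha256(key).digest()
        self._value = value
        self._failures = 0       # in real hardware this lives in tamper-resistant storage
        self._locked_until = 0   # clock value before which every read is refused

    def read(self, key: bytes, now: int):
        """Return (status, value, seconds_until_next_attempt)."""
        if now < self._locked_until:
            # Refuse without looking at the key, so a throttled guess leaks nothing.
            return ("THROTTLED", None, self._locked_until - now)
        # Count the attempt BEFORE comparing: cutting power mid-check gives no free guess.
        self._failures += 1
        guess_digest = hashlib.sha256(key).digest()
        if hmac.compare_digest(guess_digest, self._key_digest):  # constant-time compare
            self._failures = 0
            return ("OK", self._value, 0)
        delay = 0
        if self._failures >= FREE_ATTEMPTS:
            # Exponential backoff: 30 s, 60 s, 120 s, ... up to the cap.
            delay = min(BASE_DELAY * 2 ** (self._failures - FREE_ATTEMPTS), MAX_DELAY)
        self._locked_until = now + delay
        return ("INCORRECT_KEY", None, delay)


def enforced_wait(wrong_guesses: int) -> int:
    """Total lockout time (seconds) the slot imposes across N consecutive wrong guesses."""
    slot = ThrottledSlot(b"constructed-pin", b"constructed-secret")
    now = 0
    for i in range(wrong_guesses):
        _, _, wait = slot.read(b"guess-%d" % i, now)
        now += wait  # the guesser can do nothing but wait out each lockout
    return now


if __name__ == "__main__":
    seconds = enforced_wait(10_000)  # every possible 4-digit PIN, all wrong
    print(f"{seconds} s of enforced waiting, about {seconds / 86_400 / 365.25:.1f} years")
```

With these assumed parameters, working through all 10,000 four-digit PINs costs roughly 27 years of enforced waiting, which is why the counter has to live in hardware the main OS cannot reset.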

Conclusion

I've seen people online slandering Google and their services, making quite absurd claims sometimes. While Google isn't the crown jewel of companies, they've got their benefits too, and it's not fair to ignore them entirely to prove a point. I agree that Google's services are not private, at all. I would not trust them with my data or personal information. However, there aren't many others I would trust to keep me safe from attackers. This is one of the main advantages of Google, and for many people, the only one. However, it's such a big advantage that, in certain sensitive situations, it can dwarf any of the privacy and data collection issues Google has.

Like I said before, if you trust Google, then great! If not, then you have to look somewhere else to manage your personal information. However, this doesn't mean you can't utilise the benefits of Google's open source products, and their world-class security. Buying a Pixel phone and loading up GrapheneOS on it is possibly one of the best things you can do for your privacy and security.

Overall, Google, in my opinion, is "evil" in terms of their business model. However, they are sometimes horribly misrepresented, and their importance to the current software and security community is often overlooked. I wrote this post in the hope that I could provide a balanced and factual look into Google. You can decide for yourself how you feel about them, but give credit where it's due.

P.S. Google, please stop killing off all of your products.

Additional Sources

How it works - Google AdSense - Wikipedia

Google Safety Center

Google Security Blog