Google has gone from collecting the world’s information to protecting it with Project Zero, a new initiative through which the company will hire security professionals and task them with finding bugs in digital products and informing their creators of the issue as fast as possible. A member of Google’s security team explained the reasoning behind the project in a blog post:
You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of “zero-day” vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.
Project Zero is our contribution, to start the ball rolling. Our objective is to significantly reduce the number of people harmed by targeted attacks. We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.
If the program works as intended, Google’s new security team will scour the Web for zero-day vulnerabilities, work to get them fixed, and then reveal their existence to consumers. It won’t discuss a problem publicly until it has been fixed; at that point it will communicate the problem to potential victims and keep a running tally of how long the fix took.
The program represents a shift from many technology companies’ approach to security, which amounted to little more than crossed fingers and trust in the open source communities behind many of the tools upon which the Web has been built. It’s about time that changed — the idea that everyone is responsible for the Web’s security has made it so no one claims responsibility:
[Heartbleed] was caused by a coding error that its author described as “quite trivial” despite the effect it had on Internet security. The volunteers who checked his work failed to spot the bug, and so it was introduced into a security tool used by roughly two-thirds of the Internet. No-one else bothered to check for a vulnerability because — fittingly enough — many open source tools are considered more secure than their proprietary counterparts because anyone can edit them.
Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it’s amazing that anyone even bothered to look for the Heartbleed bug in the first place.
Other companies have committed to funding independent security auditors in an effort to promote digital security — the oxymoron that it is — and restore faith in the foundation of the Web. Project Zero goes far beyond that by encouraging security experts to find problems in products that have nothing to do with their employer and making sure they’re promptly fixed.
Google’s commitment to degrading personal privacy might make it seem like a strange fit for something like Project Zero, which will inevitably help people keep some information private. But that misses the point of Google’s efforts to gain consumer trust. It doesn’t need to force its way into our digital houses; it’s already been invited in and told to make itself feel at home.
Committing to finding security vulnerabilities will make it easier to trust Google with that information. Better to have your locks replaced by someone you’ve already allowed to snoop through your drawers than to leave the door open to people with more nefarious intentions.
[Illustration by Brad Jonas for Pando]