Finding the right balance
Stephan Somogyi works in security and privacy product management at Google. He believes we need to start thinking more critically about our online behavior
Mr. Somogyi, here in Germany we always buckle up in the car, have all sorts of insurance plans, and cover the PIN pad at the ATM – so why are we so careless when it comes to the internet?
This isn’t just a German phenomenon; it’s a global one. The reason behind it is the human psyche, which is better conditioned to deal with concrete, visible dangers. And that’s not something that applies to risks on the internet. That’s why it’s especially important for tech companies like Google to make sure their users are safe. In recent years, we’ve been working intensively to achieve that.
What have you been working on?
We’ve invested lots of time and money in getting to know our users better. For example, we discovered that we were showing too many security warnings, which led to people not taking them seriously enough. The question is: What is the right number of warnings? It’s not easy to find the right balance. Often, we underestimate the human factor.
What do you mean?
If a user makes the active decision to click on a link in an email or unthinkingly share their data, there’s not a lot you can do about it. Most attacks rely on human credulity.
"We have a natural inclination to trust other people. Criminals know that."
What’s the result?
We have a natural inclination to trust other people. Criminals know that. That’s why they’re sometimes able to trick us into trusting an email despite it coming from an unfamiliar email address. Or they simply try to scare us. In both cases, the consequences are the same – we make bad decisions.
Can you give an example?
Imagine you get a message in your inbox telling you that the video streaming service you were planning to use to watch new episodes of your favorite TV series is going to be blocked. In order to prevent that from happening, you have to click on the following link and confirm your bank details. In a moment like that, many people make the wrong decision and follow those instructions. And then a criminal has access to their bank account.
So attackers always try to get users to react unthinkingly?
Yes. But there are also many cases where people ignore security warnings out of ignorance or complacency. That’s why we’re working on making the guidance we offer more straightforward when it comes to security warnings. We don’t want to dictate what users should or shouldn’t do, but we need them to know that things could get dangerous. We want to provide them with all the facts they need to make an informed decision – no more, no less.
Desktop computers are no longer people's only point of access. Are security requirements the same for other devices?
That’s presenting a big challenge for us. Online security always requires an additional exchange of data – encryption, for example. On a desktop computer that doesn’t matter, but on a smartphone it might, because of data volume considerations. That means we have to build security measures that don‘t use more data than they absolutely need to. We‘ve made a huge effort to reduce the amount of data transferred on mobile devices, and it’s now a quarter of what it was before. After all, we don’t want customers to switch off security settings in order to avoid using up their data volume. This is where the human factor comes into play again.
Let’s assume I follow all the security advice and am careful with my personal data. Does that mean I can do without an external anti-virus program?
Put it this way: If you constantly update your system, you’re pretty well protected these days. But that hasn’t always been the case. In the past, many companies weren’t sufficiently thorough when it came to this issue. That situation has improved hugely in recent years, and the risk has been dramatically reduced.
Let’s take a brief look at the future. What’s your next objective?
We want to make HTTPS the standard protocol across the web so that connections are always encrypted. We’re already using secure HTTPS encryption to transfer data in many of our services, for example Google Search and Gmail.
So you want all online data to be transferred securely?
Yes. Up to now, secure connections were noted in the address bar. We want to flip that around so that in the future, it’s the unsecure connections that are flagged.
Photographs: Felix Brüggemann