Dr Wieland Holfelder heads the Google Safety Engineering Center in Munich

"Data security shouldn't be complicated."

Google has been focusing on data privacy and data security on the Internet at the Google Safety Engineering Center (GSEC) in Munich since 2019. Site Lead, Wieland Holfelder, discusses the latest developments at GSEC, his team's working methods and Munich’s position as a centre of digital excellence.

Dr. Holfelder, the Google Safety Engineering Center, or GSEC for short, was opened in Munich in 2019. What happens at the centre?

GSEC is Google's global privacy and security engineering hub. This is where we develop new products, identify user requirements, share our knowledge and work with our partners to improve Internet security.

Data privacy and security are very important in Germany. How important was that local tradition in establishing the Google Safety Engineering Center here?

Very important. It is not a coincidence that we set up development teams for data privacy and security in the heart of Europe. Germany has a long tradition of reflecting how Europeans think about online privacy and security, so when we first opened the Google Engineering office in Munich, these were among the first teams that we established here. After ten years of developing these teams in Munich, we wanted to broaden the scope, open up for dialogue and engage with users and key stakeholders from different backgrounds. This is why it made sense to set up the GSEC in Munich which is very focused on these issues. We have worked on making sure all our products meet the requirements of the European General Data Protection Regulation (GDPR). This knowledge and awareness is spreading to other countries. In fact, data privacy and security are gaining more and more attention around the world.

GSEC is an international place to work with staff from over 40 different countries.

Working with international products means we need to have a variety of perspectives. This is possible when our staff represent the users as much as possible. However, we're nowhere near where we want to be at the moment and we are committed to building diverse teams, including and beyond gender, as a long term goal, e.g. by providing scholarships to women in computer science or partnering with our local university on a mentoring program to support women students.

What does a normal day at GSEC look like?

We have more than 200 privacy engineers working on Google products like the Google Account and the Google Chrome browser every day. We also run workshops for those interested, including security training, and events such as Differential Privacy Codelabs. This is particularly important to me because the landscape is rapidly changing and we want to offer more information about the topic of Internet security.

A mission statement from Munich: a glimpse inside the Google Safety Engineering Center

What kinds of things do you do that Internet users might encounter on an everyday basis?

If you use Google products, you may have wondered about the kind of data that is used for personalisation in order to produce better search results, for instance. The Google Account helps you manage your information, privacy, and security to make Google work better for you across different products. Controls like Activity Controls and Ad Settings allow you to decide what data is used to personalise your experience, so all of Google can work better for you. For this purpose we’ve developed Privacy Checkup, which allows you to quickly set your privacy preferences in your Google Account. For Chrome and Android, we’ve developed Password Manager, which automatically creates and stores a password for every website and app you use, on demand. Users can also use the Password Checkup to analyse their passwords for security issues. They will be able to learn if their password has been compromised in a data breach that is known to us. They are then provided with instructions on how to change their passwords. I’m particularly proud of the work GSEC has done on these password protection tools.

Can you explain why?

Password Manager can't be tricked by phishing websites and you can create a new, strong password for each website without the need to remember them yourself. This keeps hackers from guessing passwords – and it prevents you from using the same password on multiple sites.

Why would that be a problem?

Let’s say I order flowers for my wife on a website and hastily enter a password for my customer account on that site that I also use elsewhere. If hackers can access the server of the flower shop and get hold of this password, they can quickly determine whether my email account or my Google Account can also be accessed using the same password. What's more, they can create new passwords for other accounts that I use. Password Manager ensures you remain safe online by automatically generating strong and unique passwords for each site.

Wieland Holfelder in front of the Google office in Munich

“Working with international products means we need to have a variety of perspectives.”

Wieland Holfelder, Vice President Engineering at Google and Site Lead

Are there even safer measures that can be used?

Yes, you can also use two-factor authentication if you have a Google Account. This means each time you sign into your account on a new device, you have to use a code that we will send you by phone. So if somebody in a foreign country hacks your password they would still need that second factor to be able to access your account. I personally, for example, have so much valuable information online in my account that I could not sleep anymore without that extra protection.

How exactly do you develop these kinds of new products at GSEC?

For example, we invite people to come to our "User Experience Research Lab" or to attend online interviews so we can learn about how they use the Internet or how they go about searching for things. This helps us to understand what tools and help they generally need to make informed decisions regarding their privacy preferences. We ask people questions like, “Can you tell us how you use the Chrome browser with different family members?” and we ask them to interact with our products so we can evaluate how they respond to them. These insights are very important because they help us to understand whether our information is positioned in the right place or whether the interface and buttons are helpful or not. This allows us to ensure our products match our users’ needs. Our philosophy is that you shouldn't have to be a security expert to feel safe on the web.

Among other things, you are currently working on making third-party cookies obsolete. What are cookies?

Cookies have been around for as long as the Internet. They are small files that website providers use to store information locally on a computer. Cookies still play an important role on the Internet. For example, first party cookies are used to keep you logged into an online account or operate shopping carts on e-commerce websites. There are also third party cookies that allow relevant advertising to be displayed. Third party cookies can also record that you have searched for a particular product online. So, a cookie can register that you are looking for a backpack on one site and then show you a similar backpack ad from another site.

Why is that?

The Internet is an open and mostly free platform. Website offerings are primarily financed by advertising and the more relevant the advertising is, the better it is for users and providers.

Third party cookies allow users’ movements to be tracked online. You're currently working on ways to stop this in the future. Is that correct?

Yes, we're currently developing the “Privacy Sandbox" so that in the future, advertisers will no longer be able to identify me through my cookies. There has been a broader realization across the web community that third-party cookies were not matching up to user expectations. Users are demanding greater privacy -including transparency, choice and control over how their data is used- and it’s clear the web ecosystem needs to evolve to meet these demands. To end cross-site tracking, the web needs to move away from third-party cookies and other covert techniques such as browser fingerprinting. But over the last 30-plus years, many core web capabilities have also come to rely on these same techniques. We don’t want the web to lose critical capabilities, such as enabling publishers to keep growing their businesses and keep the web sustainable, ensuring universal access to content, providing best experiences for people on their individual devices, differentiating real users from bots and frauders and more. Our goal for the Privacy Sandbox open source initiative is to make the web more private and secure for users, while also supporting publishers.

How does Google solve the problem?

As part of the Privacy Sandbox initiative, we’re working with the web community to develop new technology that keeps user information private and avoids invasive tracking techniques, like fingerprinting, while also giving sites a way to provide useful ads and fund their business. Earlier this year, we previewed the Topics API, a new Privacy Sandbox proposal for interest-based advertising that replaces FloC based on feedback regulators, privacy advocates, and developers. It allows advertisers to show relevant ads to people based on their interests, such as “Sports”, inferred from the websites they visit, all in the most privacy-safe way for users. Cookies have been used to identify users in the past, but the idea behind Topics is that your personal browsing history doesn’t leave your browser or your device, and it’s not shared with anyone, including advertisers. This means advertisers can continue to serve relevant ads and content without needing to track across the web.

We’re also making great progress on other proposals for Privacy Sandbox, including FLEDGE and measurement APIs, and continuing to collaborate with the U.K.’s Competition and Markets Authority (CMA) to ensure our proposals are developed in a way that works for the entire ecosystem.

In recent years, Munich has become a popular location for digital start-ups and other tech companies. What has your experience of this been as Google Munich’s Site Lead?

Munich is undergoing remarkable changes. Apple, Amazon and Google are all investing and expanding their operations here as well as other fantastic companies like Celonis, a unicorn company that provides data analytics services. A higher proportion of B2B companies have been set up here than elsewhere because there are so many other strong tech businesses in the region. We also have some excellent universities such as the LMU and the TUM that operate local entrepreneurship centres. In addition, the Bavarian state government is offering unparalleled levels of support with its “High-Tech Agenda” action plan. For example, we are seeing huge investments in artificial intelligence and quantum computing – which is great. In addition to a long-standing regional tradition and expertise in engineering and technology, its strong economic position, good political support, excellent educational institutions and a high quality of life are a winning combination that make Munich such a great location.

GSEC opened its doors in the Bavarian capital two years ago.

Construction is currently underway on new Google offices in Munich. Has the coronavirus pandemic changed your plans?

Before the pandemic, we spent most of our time in the office where there are many cafes, meeting rooms and restaurants for employees to meet and co-create in person. Obviously this way of working has been altered quite substantially during the pandemic and we are now incorporating many of our learnings from the past year into the planning of our new and exciting Arnulfpost project.

Is it possible to create the same atmosphere with remote working?

Our company was born in the cloud, evolved in the cloud and we all live in the cloud. That's why we try to encourage staff to interact online in breakfast meetings or open video conferences. However, we believe that we can’t draw on the social capital we have built up over the years forever. We’ve hired a lot of people who haven’t actually stepped foot in our offices yet. It’s a challenge for all managers to take each and every individual with them.

What does this mean for the way work is carried out in the future at GSEC in Munich specifically?

We firmly believe in the importance of bringing people together at work to create the serendipity that is necessary to come up with new innovative ideas, so we will not be 100 percent virtual. But we’ve asked ourselves whether everyone needs to have a fixed place of work. Our sales teams can already work flexibly. Many of our engineers' development tools are moving to the cloud. In the future, each team will be able to decide for itself how many flexible and how many fixed workstations it wants to retain. Today we are exploring new ways of working by providing agile desk allocation tools and new collaboration spaces that allow teams to work together in a more dynamic setup and based on individual work location preferences and schedules.

Photos: Sima Dehgani

Explore how Google helps keep everyone safe online.

Learn how we keep more people safe online than anyone else in the world.

Learn more