Dr. Wieland Holfelder heads the Google Safety Engineering Center in Munich

"Data security shouldn't be complicated."

Google has been focusing on data privacy and data security on the Internet at the Google Safety Engineering Center (GSEC) in Munich since 2019. Site Lead Wieland Holfelder discusses the latest developments at GSEC, his team's working methods and Munich’s position as a center of digital excellence.

Dr. Holfelder, the Google Safety Engineering Center, or GSEC for short, was opened in Munich in 2019. What happens at the center?

GSEC is Google's global privacy and security engineering hub. This is where we develop new products, identify user requirements, share our knowledge and work with our partners to improve Internet security.

Data privacy and security are very important in Germany. How important was that local tradition in establishing the Google Safety Engineering Center here?

Twelve years ago, when I was setting up the Google office in Munich, it quickly became clear that data protection was very important to our users in Germany. When it came to data protection and data security, the first thing we did was set up special development teams. After ten years of developing these teams in Munich, we wanted to broaden the scope, and open up for dialogue. This is why it made sense to set up the GSEC in Munich, which is very focused on these issues. We have worked on making sure all our products meet the requirements of the European General Data Protection Regulation (GDPR). This knowledge and awareness is spreading to other countries. In fact, data privacy and security are gaining more and more attention around the world.

GSEC is an international place to work with staff from over 40 different countries.

Working with international products means we need to have a variety of perspectives. This is possible when our staff are as representative as possible of the users. However, we're nowhere near where we want to be at the moment and we are committed to building diverse teams. We would like, for example, to have many more women in our development teams.

What does a normal day at GSEC look like?

We have more than 200 privacy engineers working on Google products like the Google Account and the Google Chrome browser every day. We also run workshops for those interested, including security training, and events such as Differential Privacy Codelabs. This is particularly important to me because the landscape is rapidly changing and we want to offer more information about the topic of Internet security.

A mission statement from Munich: a glimpse inside the Google Safety Engineering Center

What kinds of things do you do that Internet users might encounter on an everyday basis?

If you use Google products, you may have wondered about the kind of data that is used for personalization in order to produce better search results, for instance. The Google account gives you an overview of the activity data that is used for such personal information. You can also configure your Google account according to whether or not you want this data collection to continue. For this purpose, we’ve developed Privacy Checkup, which allows you to quickly set your privacy preferences in your Google Account. For Chrome and Android, we’ve developed Password Manager, which automatically creates and stores a password for every website and app you use, on demand. Users can also use the Password Checkup to analyze their passwords for security issues. Within a few seconds, they can see if any of their passwords have been compromised in a data theft and they are provided with instructions on how to change these passwords. I'm particularly proud of the work GSEC has done on these password protection tools.

Can you explain why?

Password Manager can't be tricked by phishing websites and you can create a new, strong password for each website without the need to remember them yourself. This keeps hackers from guessing passwords – and it prevents you from using the same password on multiple sites.

Why would that be a problem?

Let’s say I order flowers for my wife on a website and hastily enter a password for my customer account on that site that I also use elsewhere. If hackers can access the server of the flower shop and get hold of this password, they can quickly determine whether my email account or my Google Account can also be accessed using the same password. What's more, they can create new passwords for other accounts that I use. Password Manager ensures you remain safe online by automatically generating strong and unique passwords for each site.

Wieland Holfelder in front of the Google office in Munich

“Working with international products means we need to have a variety of perspectives.”

Wieland Holfelder, Vice President of Engineering at Google and Site Lead

Are there even safer measures that can be used?

Yes, you can also use two-factor authentication if you have a Google Account. This means each time you sign into your account on a new device, you have to use a code that we will send you by phone.

How exactly do you develop these kinds of new products at GSEC?

For example, we invite people to come to our "User Experience Research Lab" or to attend online interviews so we can learn about how they use the Internet or how they go about searching for things. This helps us understand what tools and help they generally need to make informed decisions regarding their privacy preferences. We ask people questions like, “Can you tell us how you use the Chrome browser with different family members?” and we ask them to interact with our products so we can evaluate how they respond to them. These insights are very important because they help us understand whether our information is positioned in the right place or whether the interface and buttons are helpful or not. This allows us to ensure our products match our users’ needs. Our philosophy is that you shouldn't have to be a security expert to feel safe on the web. These conditions, and the fact that needs are very different in this context, will continue to guide our work in the future.

Among other things, you are currently working on making third-party cookies obsolete. What are cookies?

Cookies have been around for as long as the Internet. They are small files that website providers use to store information locally on a computer. Cookies still play an important role on the Internet. For example, first-party cookies are used to keep you logged into an online account or operate shopping carts on e-commerce websites. There are also third-party cookies that allow relevant advertising to be displayed. Third-party cookies can also record that you have searched for a particular product online. So, a cookie can register that you are looking for a backpack on one site and then show you a similar backpack ad from another site.

Why is that?

The Internet is an open and mostly free platform. Website offerings are primarily financed by advertising, and the more relevant the advertising is, the better it is for users and providers.

Third-party cookies allow users’ movements to be tracked online. You're currently working on ways to stop this in the future. Is that correct?

Yes, we're currently developing the “Privacy Sandbox" so that in the future, advertisers will no longer be able to identify me through my cookies. There has been a broader realization across the web community that third-party cookies were not matching up to user expectations. Users are demanding greater privacy -- including transparency, choice and control over how their data is used -- and it’s clear the web ecosystem needs to evolve to meet these demands. To end cross-site tracking, the web needs to move away from third-party cookies and other covert techniques such as browser fingerprinting. But over the last 30-plus years, many core web capabilities have also come to rely on these same techniques. We don’t want the web to lose critical capabilities, such as enabling publishers to keep growing their businesses and keep the web sustainable, ensuring universal access to content, providing best experiences for people on their individual devices, differentiating real users from bots and frauders and more. Our goal for the Privacy Sandbox open source initiative is to make the web more private and secure for users, while also supporting publishers.

How does Google solve the problem?

As part of the Privacy Sandbox initiative, we’re working with the web community to develop new technology that keeps user information private and avoids invasive tracking techniques, like fingerprinting, while also giving sites a way to provide useful ads and fund their business. Earlier this year, we previewed the Topics API, a new Privacy Sandbox proposal for interest-based advertising that replaces FloC based on feedback regulators, privacy advocates, and developers. It allows advertisers to show relevant ads to people based on their interests, such as “Sports”, inferred from the websites they visit, all in the most privacy-safe way for users. Cookies have been used to identify users in the past, but the idea behind Topics is that your personal browsing history doesn’t leave your browser or your device, and it’s not shared with anyone, including advertisers. This means advertisers can continue to serve relevant ads and content without needing to track across the web.

We’re also making great progress on other proposals for Privacy Sandbox, including FLEDGE and measurement APIs, and continuing to collaborate with the U.K.’s Competition and Markets Authority (CMA) to ensure our proposals are developed in a way that works for the entire ecosystem.

In recent years, Munich has become a popular location for digital start-ups and other tech companies. What has your experience of this been as Google Munich’s Site Lead?

Munich is undergoing remarkable changes. Apple, Amazon and Google are all investing and expanding their operations here as well as other fantastic companies like Celonis, a unicorn company that provides data analytics services. A higher proportion of B2B companies have been set up here than elsewhere because there are so many other strong tech businesses in the region. We also have some excellent universities such as the LMU and the TUM that operate local entrepreneurship centers. In addition, the Bavarian state government is offering unparalleled levels of support with its “High-Tech Agenda” action plan. For example, we are seeing huge investments in artificial intelligence and quantum computing – which is great. In addition to a long-standing regional tradition and expertise in engineering and technology, its strong economic position, good political support, excellent educational institutions and a high quality of life are a winning combination that make Munich such a great location.

GSEC opened its doors in the Bavarian capital two years ago.

Construction is currently underway on new Google offices in Munich. Has the coronavirus pandemic changed your plans?

Before the pandemic, we spent most of our time in the office where there are many cafes, meeting rooms and restaurants for employees to meet and co-create in person. Obviously, this way of working has been altered quite substantially during the pandemic and we are now incorporating many of our learnings from the past year into the planning of our new and exciting Arnulfpost project.

Is it possible to create the same atmosphere with remote working?

Our company was born in the cloud, evolved in the cloud and we all live in the cloud. That's why we try to encourage staff to interact online in breakfast meetings or open video conferences. However, we believe that we can’t draw on the social capital we have built up over the years forever. We’ve hired a lot of people who haven’t actually stepped foot in our offices yet. It’s a challenge for all managers to take each and every individual with them.

What does this mean for the way work is carried out in the future at GSEC in Munich specifically?

We firmly believe in the importance of bringing people together at work to create the serendipity that is necessary to come up with new innovative ideas, so we will not be 100 percent virtual. But we’ve asked ourselves whether everyone needs to have a fixed place of work. Our sales teams can already work flexibly. Many of our engineers' development tools are moving to the cloud. In the future, each team will be able to decide for itself how many flexible and how many fixed workstations it wants to retain. And maybe instead of fixed workstations we might need more creative spaces for brainstorming, with cameras, projectors and electronic whiteboards.

Photos: Sima Dehgani

Cybersecurity

Learn how we keep more people safe online than anyone else in the world.

Learn more