This is the script from my national radio report yesterday on how
devastating it is for innocent users to be locked out of their
accounts at Big Tech firms like Google, and how new security measures
may make these problems even worse for these users, especially at
Google, which has atrocious account recovery policies. As always, my
report may have had minor wording variations from this script as I
presented the report live on air.

- - -
So at the same time Big Tech is trying to get us to hand over even
more of our lives to their tender embrace, now pushing us to accept
their frequently inept and error-saturated generative AI
systems, whether we want them or not, many people are still struggling
with the way some of these firms treat them as relates to the legacy
applications that most of us have become dependent on over the years,
like email for example.

And more than ever, losing access to your account at these firms, I'll
use Google as my example, can be devastating to your life. You can be
cut off from all new and old email, your photos, all kinds of stuff.
And every day, innocent users get cut off from all that because Google
locks innocent users out of their accounts, due to issues related to
passwords, or where they're trying to login from, or a lost device or
a new device or ... it's a long, long list.

And ironically, a new security feature that Google and other Big Tech
firms are really pushing HARD may make the situation worse for many
users, rather than better. This is called passkeys and you may already
have seen prompts for these and even perhaps unknowingly accepted some
onto your device or devices. These are cryptographic tokens that are
designed to replace usernames and passwords and two-factor
authentication, and in theory are more secure since they shouldn't be
spoofable by attackers.

Google REALLY wants you using these, and it seems that the Chrome
browser (at least some versions) is now defaulting to not even asking
if you want passkeys but rather where to put them when a site offers
them. You can still cancel out, but of course the interface is
designed to get you to quickly click acceptance and not click at the
small cancel button.

Passkeys are often device-centric. There are service portability
efforts and cross-device syncing services, but the idea is that some
outside attacker should not be able to use your passkeys to access
your accounts. However, this also means that anyone else that knows
how to access your device will typically have access to all your
services that use passkeys as well.

And with many people choosing not to use biometric authentication like
fingerprints or face ID due to conflicting legal decisions regarding
related privacy concerns, that makes the specter of, for example, a
phone thief capturing your authentication sequence before stealing
your phone in a crowded venue, even more of a concern.

Big Tech is likely to eventually force the issue when it comes to
passkeys, because generally they really don't care much about users
who are disadvantaged by these systems. Personally I'm avoiding use of
passkeys as long as possible, but of course the decision is yours when
it comes to your own devices.

This wouldn't be quite as serious a problem if Google's atrocious
account recovery systems and policies were less of a train wreck for
many users, especially non-techies and persons who use a single device
for all of their Internet access -- and there are a lot of people in
both categories. I've argued directly with Google many times about how
they could improve their account recovery systems and protocols --
including in cost-neutral ways.

We should demand that innocent users who get locked out of their
accounts -- and that can still happen with passkeys -- have reasonable
recourse for regaining access at least to their data and preferably to
the entire accounts.

But Google seems to insist that working to stop account fraud makes it
impossible for them to help these innocent users more. I disagree.
It's completely practical to do both.

In my opinion, Google just doesn't want to bother. And in what seems
to be their current "All that matters is AI" mindset, I'm afraid that
absent some unlikely changes of heart among Google executives, the
situation for many users could become drastically worse.

- - -
L

- - -
--Lauren--
Lauren Weinstein lau...@vortex.com (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Signal: By request on need to know basis
Founder: Network Neutrality Squad: https://www.nnsquad.org
        PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility