What does the Google antitrust case mean for cybersecurity?
This analysis is in response to breaking news and will be updated. Please contact pr@rstreet.org to speak with the author.
The Department of Justice (DOJ) antitrust case against Google has made headlines this year, but an underreported angle is the cybersecurity implications should Google be forced to follow through on certain remedies called for by antitrust advocates. In fact, some potential remedies, such as divestiture and forced data sharing, could jeopardize progress on cybersecurity.
Large companies across the industry should watch this case carefully. On the antitrust front, courts and policymakers have zeroed in on large companies that also play a key role in the security ecosystem given the number of users and other companies that rely on their products. This could signal the future direction of courts and policy bodies. For example, there is another antitrust case directed toward Apple and legislation before Congress that would target platforms that exceed set thresholds, such as for the number of active users or annual sales. Security practitioners, unfortunately, have reason to worry.
This analysis is not meant to reflect on claims made by either side or to address underlying merits of U.S. v. Google or related actions. There are many analyses that do that. Rather, the goal is to explore the security implications of divestiture and forced data sharing. This analysis does not suggest that antitrust advocates intend to harm cybersecurity; however, unintended consequences remain a concern.
Assessing security impacts of divestiture
Before analyzing potential remedies, some background is helpful. U.S. v. Google revolves around a suit brought by the DOJ against Google for alleged anticompetitive behavior in its search business. In August, a district court judge found that Google is a “monopolist” because it uses exclusive distribution agreements to maintain monopolies in its general search services and general search text ads. The decision itself contains little discussion of security.
One potential outcome would force Google products to separate from one another. For example, Chrome and Android might need to spin off from their parent company. Corporate divestiture may seem trivial, but there are security benefits to having multiple offerings under one umbrella, such as monitoring, detecting, and analyzing threats across a company’s entire ecosystem. For example, rather than looking at malicious activity in the Android ecosystem alone, Google can see how activity might occur elsewhere and take coordinated security actions. Google’s Threat Analysis Group (TAG) routinely conducts this type of activity, which might be limited or made impossible should there be divestiture. Recent examples of TAG’s work include a coordinated takedown of YouTube channels, AdSense accounts, and Blogger blogs linked to influence operations. Accounts and operations linked to Russia, China, and Iran have been subject to these actions.
Similarly, companies routinely centralize resources and expertise to provide solutions for the different products they support, including for cybersecurity, like Apple does by combining hardware, software, and services like security updates and like Microsoft does as part of its Secure Future Initiative. With Google, this means providing security protections to Android, Chrome, and Ads. One example is Google Safe Browsing, which warns users when they try to visit potentially dangerous sites. It also warns website owners of potential compromises. This is available across Chrome, Android, Search, Ads, and Gmail, covering about five billion devices with a peak of about 64 million browser warnings in a single week. If the remedy were divestiture, these security protections would likely be unavailable to those entities, forcing them to develop solutions themselves, duplicate efforts, and/or lack a security solution. Even if they were still available, they would likely be less effective because they work across products and rely on insights gleaned from one to protect another.
Assessing security impacts from forced data sharing
Divestment is not the only outcome in the remedies trial. Some have called for forced data sharing with other companies. For example, there are critiques surrounding the holding of large amounts of data. One witness flagged that large amounts of search data can be used to train artificial intelligence models to be superior to others. However, proposing mandatory data sharing is not new or without concern. Previous unsuccessful antitrust proposals in Congress called for such requirements, which stemmed from earlier reports on alleged anticompetitive behavior.
This could have massive national security implications depending on the type of data covered or how it is leveraged. For example, it is not always clear who is receiving the data, much less the level to which they secure it, or even their true intentions. Data could go to a reputable U.S. company that inadvertently compromises it or to a company hiding alliances with an adversary.
Using data sharing to foster greater competition in the ad and search ecosystems might sound appealing, but if sensitive data ends up in the hands of an adversary or criminal group—or a company with weak data security and privacy protections—the consequences can be detrimental. Data can be used to identify military and intelligence assets, turned into potential blackmail, or enable adversaries to carry out more effective cybersecurity incidents. Internet search histories have been flagged specifically as a way to learn about personal activities or highly sensitive information.
For example, the Chinese Communist Party has a history of widespread data collection on its citizens and individuals worldwide. Even the White House has raised concerns about the use of potentially sensitive data, calling access to it by select countries “an unusual and extraordinary threat” and leading to an executive order to safeguard this data and limit its transfer. This risk is one of the many reasons a more holistic approach to data collection and use is warranted—namely, the passage of a federal comprehensive data privacy and security law.
Conflicting goals of security and antitrust policy
Improving our cybersecurity posture requires a coordinated approach from the public and private sectors, which recent administrations have prioritized. President Barack Obama leveraged the private sector for cyber efforts, and President Donald J. Trump’s National Cyber Strategy recognized shared cyber responsibilities for both sectors. However, these new antitrust efforts can stymie this. Antitrust advocates might overlook cybersecurity or national security implications, but the federal government must balance multiple policy goals.
Two examples of this mismatch stand out. First, the Biden administration has championed a National Cybersecurity Strategy that focuses on two large shifts: “rebalance the responsibility to defend cyberspace” and “realign incentives to favor long-term investments.” This is based on a premise that the private sector and large organizations are better positioned to defend against security risks than the typical consumer or small business user, meaning the burden should be shifted to them—which requires short- and long-term tools to drive action. The administration proposes a number of activities to accomplish these goals. Second, as part of its “shifting the balance of cybersecurity risk” effort, the Cybersecurity and Infrastructure Security Agency’s secure-by-design and secure-by-default initiatives aim to infuse security during product development and establish it as the default option. Industry has largely supported such efforts, evidenced by 220 signers of the Secure by Design pledge.
On one hand, the federal government asking the private sector to voluntarily lead on cybersecurity is critical because it cannot address all vulnerabilities alone. The federal government is even suggesting private industry should be legally liable for failing to meet a prescribed security standard or follow a cybersecurity regulation.
On the other hand, antitrust efforts could make security more challenging and less effective for industry. Limiting the ability to share threat data and security offerings across products and restricting the ability to secure and protect sensitive data could have that effect. Secondary impacts are also likely, including the need to divert security funding and resources to duplicate and recreate security products. If we truly want the private sector to lead on cybersecurity, it’s imperative to make that easier.
As the Google antitrust case continues to unfold, it is critical not to ignore these cybersecurity and data security possibilities. Companies, cybersecurity leaders, and even consumers must prepare should some of the outlined remedies come to fruition or should they experience a similar situation.