Here are some of the things you can do with My Account:
Take the Privacy Checkup and Security Checkup, our simple, step-by-step guides through your most important privacy and security settings.
Manage the information that can be used from Search, Maps, YouTube and other products to enhance your experience on Google. For example, you can turn on and off settings such as Web and App Activity, which gets you more relevant, faster search results, or Location History, which enables Google Maps and Now to give you tips for a faster commute back home.
Use the Ads Settings tool to control ads based on your interests and the searches you’ve done.
Control which apps and sites are connected to your account.
We built My Account to be a resource for everyone, even if you don't have a Google Account. Check out your controls at myaccount.google.com.
Answering your questions about privacy and security
We listen to feedback from people around the world to better understand their concerns about privacy and security. In addition to My Account, we want to help people find answers to common questions on these topics, such as: "What data does Google collect? What does Google do with the data it collects? What tools do I have to control my Google experience?"
Our new site, privacy.google.com, candidly answers these questions, and more. We also explain how we show relevant ads without selling your personal information, how encryption and spam filtering help keep your data safe, and how your information helps customize your experience on Google. Visit this site often to learn about new tools, features, and information that can help you make the choices that are right for you.
When you trust your personal information with us, you should expect powerful controls that keep it safe and private as well as useful answers to your questions. Today’s launches are just the latest in our ongoing efforts to protect you and your information on Google. There’s much more to come, and we look forward to your feedback.
Posted by Guemmy Kim, Product Manager, Account Controls and Settings
This looks like a fairly standard login page, but it’s not. It’s what we call a “phishing” page, a site run by people looking to receive and steal your password. If you type your password here, attackers could steal it and gain access to your Google Account—and you may not even know it. This is a common and dangerous trap: the most effective phishing attacks can succeed 45 percent of the time, nearly 2 percent of messages to Gmail are designed to trick people into giving up their passwords, and various services across the web send millions upon millions of phishing emails, every day.
To help keep your account safe, today we’re launching Password Alert, a free, open-source Chrome extension that protects your Google and Google Apps for Work Accounts. Once you’ve installed it, Password Alert will show you a warning if you type your Google password into a site that isn’t a Google sign-in page. This protects you from phishing attacks and also encourages you to use different passwords for different sites, a security best practice.
Here's how it works for consumer accounts. Once you’ve installed and initialized Password Alert, Chrome will remember a “scrambled” version of your Google Account password. It only remembers this information for security purposes and doesn’t share it with anyone. If you type your password into a site that isn't a Google sign-in page, Password Alert will show you a notice like the one below. This alert will tell you that you’re at risk of being phished so you can update your password and protect yourself.
Password Alert is also available to Google for Work customers, including Google Apps and Drive for Work. Your administrator can install Password Alert for everyone in the domains they manage, and receive alerts when Password Alert detects a possible problem. This can help spot malicious attackers trying to break into employee accounts and also reduce password reuse. Administrators can find more information in the Help Center.
We work to protect users from phishing attacks in a variety of ways. We’re constantly improving our Safe Browsing technology, which protects more than 1 billion people on Chrome, Safari and Firefox from phishing and other dangerous sites via bright, red warnings. We also offer tools like 2-Step Verification and Security Key that people can use to protect their Google Accounts and stay safe online. And of course, you can also take a Security Checkup at any time to make sure the safety and security information associated with your account is current.
Safe Browsing gives users—both on Google and across on the web—information they need to steer clear of danger. The dangerous sites detected by Safe Browsing generally fall into two categories: sites that attack users intentionally with either malware, phishing, or unwanted software that is deceptive or hard to uninstall, or sites that attack users unintentionally because they have been compromised, often without the site’s owner realizing this has happened.
Once we detect these sites, Safe Browsing warns people about them in a variety of ways. You’ve probably come across a warning like this in Chrome, Firefox or Safari; it’s powered by Safe Browsing:
Today, Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month. If you’re interested, you can see information about the dangerous sites that are detected by this technology anytime in our Safe Browsing Transparency Report.
We also use Safe Browsing technology to warn website owners or operators about issues with their sites so they can quickly fix them. We provide basic site maintenance tips, as well as specific Safe Browsing notifications in Webmaster Tools and Google Analytics. Often site owners don’t realize there are issues with their sites until they get these notifications.
Recent developments
Since its earliest days, Safe Browsing has been widely available, and free—for users, site owners, and other companies—to use and integrate into their own products. In the early days, we focused on detecting dangerous sites and then showing people warnings:
An early Safe Browsing notification, c. 2007. These would appear in the top right corner of people’s web browsers when they visited a site that had been flagged by Safe Browsing as potentially dangerous.
But, just as attacks become more sophisticated, we’ve made sure our own technologies have kept up. Over the years, we’ve built Safe Browsing into other Google products to help protect people in more places:
Safe Browsing API: We already make Safe Browsing data available for free to developers. This week we’re adding information about sites that host unwanted software, allowing developers to better protect their users as well.
Chrome: Before people visit a site delivering unwanted software, or try to download some of it, we show them a clear warning.
Google Analytics: We recently integrated Safe Browsing notifications into Google Analytics, so site owners can quickly take action to protect their users if there are issues with their websites. Previously, we’d only provided these warnings via our Webmaster Tools service.
Ads: We’ve also recently begun to identify ads that target people with unwanted software.
As the web grows up, Safe Browsing technology will, too. We’re looking forward to protecting the web, and its users, for many birthdays to come.
Posted by Panayiotis Mavrommatis, Safe Browsing Team
Here are some of the important items you can review during your Security Checkup:
Recovery information: Adding a phone number can help us get in touch if you’re locked out of your account. We’ll only use your phone number to protect your account, unless you say otherwise.
Recent activity: This is a quick overview of your recent sign-ins to Google. If you see any activity from a location or device you don’t recognize, change your password immediately.
Account permissions: These are the apps, websites and devices connected to your Google account. Take a look and make sure you trust—and actually use—all of them. You might want to remove an old phone, or that dusty app you never use.
It takes just a few minutes to make sure your information is accurate and up to date. And as an extra thank you, we’ll add 2GB to your Drive storage plan if you complete the Security Checkup by February 17. Visit your Account Settings and take your Security Checkup today.
Gmail has always supported encryption in transit by using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can. The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone.
Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren’t encrypted. Many providers have turned on encryption, and others have said they’re going to, which is great news. As they do, more and more emails will be shielded from snooping.
For people looking for even stronger email security, end-to-end encryption is a good option—but it’s been hard to use. So today we’re making available the source code for End-to-End, a Chrome extension. It's currently in testing, and once it's ready for general use it will make this technology easier for those who choose to use it.
We encourage you to find tips about choosing strong passwords and adding another layer of protection to your account in our Safety Center. And check out Reset the Net, a broad coalition of organizations, companies and individuals coming together this week to promote stronger security practices on the web; we’re happy to be a participant in that effort.
Posted by Brandon Long, Tech Lead, Gmail Delivery Team
Legitimate accounts blocked for sending spam: Our security systems have dramatically reduced the number of Google Accounts used to send spam over the past few years
How Google Security helps protect your account
Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.
If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.
Help protect your account
While we do our best to keep spammers at bay, you can help protect your account by making sure you’re using a strong, unique password for your Google Account, upgrading your account to use 2-step verification, and updating the recovery options on your account such as your secondary email address and your phone number. Following these three steps can help prevent your account from being hijacked—this means less spam for your friends and contacts, and improved security and privacy for you.
Malware authors often compromise legitimate sites to deliver content from a malicious attack site or to redirect to an attack site. These attack sites will often deliver "drive-by downloads" to visitors, which launch and run malware programs on their computers without their knowledge. To try to avoid detection, these attack sites adopt several techniques, such as rapidly changing their Internet location with free web hosting services and auto-generated domain names. Although less common than drive-by downloads, we’re also seeing more malware authors bypassing software vulnerabilities altogether and instead employing methods to try to trick users into installing malicious software—for example, fake anti-virus software.
How you can help prevent malware and phishing
Our system is designed to protect users at high volumes, but people still need to take steps to keep their computers safe. Ignoring a malware problem is never a good idea—if one of our warnings pop up, you should never click through to the suspicious site. Webmasters can help protect their visitors by signing up for malware warnings at Google Webmaster Tools. These warnings are free and will help us inform them if we find suspicious code on their sites. Finally, everyone can help make our system better. You can opt-in to send additional data to our team that helps us expand the coverage of Safe Browsing.
Looking forward
Some of our recent work to counter new forms of abuse includes:
It’s a good feeling to know that we’re making the web more secure and directly protecting people from harm—whether they’re our users or not. We continue to invest heavily in the Safe Browsing team so we can defend against current and future security threats.
This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.
We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our Help Center article.
Update July 20, 2011: We've seen a few common questions we thought we'd address here:
The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.
We believe a couple million machines are affected by this malware.
We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.
In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.
Please spend ten minutes today taking steps to improve your online security so that you can experience all that the Internet offers—while also protecting your data.
*We also relied on user reports and this external report to uncover the campaign described.
Posted by Eric Grosse, Engineering Director, Google Security Team
Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.
Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.
2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:
Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.
It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
Remember, even with so many people and groups focused on creating a safer web experience for everyone, we all have a responsibility to take steps to protect ourselves online. The NCSA recommends that we keep our wits about us and think carefully about our online actions before we take them. In that spirit, we encourage you to: Stop. Think. Connect.
Posted by Eric Davis, Public Policy Manager, Security
On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.
You can read the letter from the independent third party, confirming deletion, here.
[original post]
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.
In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.
However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.
So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.
As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.
Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.
This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.
The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.
Posted by Alan Eustace, Senior VP, Engineering & Research
.png)
Follow
