Showing posts with label security. Show all posts

Thursday, February 10, 2011

Advanced sign-in security for your Google account

(Cross-posted on the Gmail Blog)

Has anyone you know ever lost control of an email account and inadvertently sent spam—or worse—to their friends and family? There are plenty of examples (like the classic "Mugged in London" scam) that demonstrate why it's important to take steps to help secure your activities online. Your Gmail account, your photos, your private documents—if you reuse the same password on multiple sites and one of those sites gets hacked, or your password is conned out of you directly through a phishing scam, it can be used to access some of your most closely-held information.

Most of us are used to entrusting our information to a password, but we know that some of you are looking for something stronger. As we announced to our Google Apps customers a few months ago, we've developed an advanced opt-in security feature called 2-step verification that makes your Google Account significantly more secure by helping to verify that you're the real owner of your account. Now it's time to offer the same advanced protection to all of our users.

2-step verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained using your phone. Over the next few days, you'll see a new link on your Account Settings page that looks like this:


Take your time to carefully set up 2-step verification—we expect it may take up to 15 minutes to enroll. A user-friendly set-up wizard will guide you through the process, including setting up a backup phone and creating backup codes in case you lose access to your primary phone. Once you enable 2-step verification, you'll see an extra page that prompts you for a code when you sign in to your account. After entering your password, Google will call you with the code, send you an SMS message or give you the choice to generate the code for yourself using a mobile application on your Android, BlackBerry or iPhone device. The choice is up to you. When you enter this code after correctly submitting your password we'll have a pretty good idea that the person signing in is actually you.


It's an extra step, but it's one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone. A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a "Remember verification for this computer for 30 days" option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.
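As an added illustration of the mechanics the post describes (not Google's own code), the following Python sketch shows how a server might carry out the second step: a time-based one-time code from a phone app (assumed here to follow RFC 6238, which the post does not state), single-use backup codes, and the 30-day remembered-device token. The password hashing, six-digit code length and one-window clock tolerance are choices made for this example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

STEP_SECONDS = 30                    # one code per 30-second window (RFC 6238 default)
DIGITS = 6                           # six-digit codes (an assumption; the post gives no length)
REMEMBER_SECONDS = 30 * 24 * 3600    # "Remember verification for this computer for 30 days"
CLOCK_SKEW_STEPS = 1                 # accept neighbouring windows to tolerate phone clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // STEP_SECONDS)


def _slow_hash(value: str, salt: bytes) -> bytes:
    # Passwords and backup codes are stored only as salted PBKDF2 hashes, so a leaked
    # account store does not hand an attacker either factor in the clear.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


class Account:
    """Server-side state for one account enrolled in 2-step verification (example only)."""

    def __init__(self, password: str, totp_secret: bytes, backup_count: int = 10):
        self._salt = secrets.token_bytes(16)
        self._password_hash = _slow_hash(password, self._salt)
        self._totp_secret = totp_secret          # shared with the phone app at enrolment
        self._last_counter = -1                  # highest time window already used
        self._remembered = {}                    # device token -> expiry time
        # Backup codes are shown to the user once at enrolment; only their hashes are kept.
        self.backup_codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(backup_count)]
        self._backup_hashes = [_slow_hash(c, self._salt) for c in self.backup_codes]

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_slow_hash(password, self._salt), self._password_hash)

    def check_totp(self, code: str, now: int) -> bool:
        """Accept the current window and its neighbours, but never a window already used:
        a code observed in transit must not be replayable even inside its 30 seconds."""
        counter = now // STEP_SECONDS
        for c in range(counter - CLOCK_SKEW_STEPS, counter + CLOCK_SKEW_STEPS + 1):
            if c > self._last_counter and hmac.compare_digest(hotp(self._totp_secret, c), code):
                self._last_counter = c
                return True
        return False

    def check_backup_code(self, code: str) -> bool:
        """Backup codes are single use: a matching hash is deleted as it is consumed."""
        candidate = _slow_hash(code, self._salt)
        for stored in self._backup_hashes:
            if hmac.compare_digest(candidate, stored):
                self._backup_hashes.remove(stored)
                return True
        return False

    def remember_device(self, now: int) -> str:
        """Issue the 30-day 'remember this computer' token after a successful second step."""
        token = secrets.token_urlsafe(32)
        self._remembered[token] = now + REMEMBER_SECONDS
        return token

    def device_remembered(self, token: str, now: int) -> bool:
        expiry = self._remembered.get(token)
        if expiry is None:
            return False
        if now >= expiry:
            del self._remembered[token]          # expired tokens are purged on first use
            return False
        return True

    def sign_in(self, password: str, now: int, code: Optional[str] = None,
                device_token: Optional[str] = None) -> str:
        """Two-step sign-in. Returns 'ok', 'bad_password', 'need_code' or 'bad_code'.
        The password is always checked first; the second step is skipped only for a
        device token that is still within its 30 days."""
        if not self.check_password(password):
            return "bad_password"
        if device_token is not None and self.device_remembered(device_token, now):
            return "ok"
        if code is None:
            return "need_code"
        if self.check_totp(code, now) or self.check_backup_code(code):
            return "ok"
        return "bad_code"
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `287082`), which is the quickest way to confirm a verifier and a phone app agree.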

To learn more about 2-step verification and get started, visit our Help Center. And for more about staying safe online, see our ongoing security blog series or visit http://www.staysafeonline.org/. Be safe!

Monday, October 4, 2010

National Cyber Security Awareness Month 2010: Stop. Think. Connect.

Governments, industry and everyday people have been abuzz this year about online security to a larger extent than ever before. People are talking about their information, how they share it with others and how they secure it. With more information moving online, and with cyber attacks on the rise, we think it’s important that we keep the conversation about security flowing.

Google has renewed its commitment to security this year and has pushed industry boundaries to help people better protect their information in new ways. Here are just a few examples: We became the first major email provider to offer default HTTPS encryption for the entire email session, and we introduced an encrypted search option for Google.com. We designed a new system to make Google Accounts more secure, and added suspicious activity detection for our users. Google Apps became the first suite of cloud computing applications to receive Federal Information Security Management Act (FISMA) certification from the U.S. government. We also published new security products, tools and research to help web developers and network administrators make the rest of the web more secure.


I sit on the board of the National Cyber Security Alliance (NCSA) to promote work that encourages safer online habits. Together with that organization, the U.S. Department of Homeland Security (DHS) and a host of other companies, Google is taking the month of October to recognize National Cyber Security Awareness Month. As we did in a blog post series last year, we’ll explore simple ways that people can make use of Google’s technologies and tools, as well other freely available resources and advice, to better protect themselves and their information.

We will post links here throughout the month, so be sure to check back often:
Remember these tips for safer shopping

Remember, even with so many people and groups focused on creating a safer web experience for everyone, we all have a responsibility to take steps to protect ourselves online. The NCSA recommends that we keep our wits about us and think carefully about our online actions before we take them. In that spirit, we encourage you to: Stop. Think. Connect.


Monday, September 20, 2010

Three million businesses have gone Google: celebrating growth, innovation and security

Today we’re hosting more than 300 CIOs and IT professionals from around the world in Paris at Google Atmosphere, our annual European event dedicated to cloud computing—web-based applications that are built on shared infrastructure and delivered through the browser. This year, the discussion at Atmosphere is focused on how companies can benefit from the breakthroughs in productivity and security that cloud-based applications are uniquely capable of delivering.

This event also marks some major milestones:
  • As of today, more than 3 million businesses have gone Google, and over 30 million users within businesses, schools and organizations now depend on our messaging and collaboration tools.
  • We’re launching new cloud-powered capabilities: two-step verification to help enhance security and soon, mobile editing in Google Docs on Android and the iPad™.
First, Google Apps Premier, Education and Government Edition administrators can now have users sign in with the combination of their password (something they know) and a one-time verification code provided by a mobile phone (something they have). Users can continue to access Google Apps from Internet-connected devices, but with stronger protections to help fend off risks like phishing scams and password reuse. For the first time, we’re making this technology accessible to organizations large and small without the costs and complexities that have historically limited two-step verification to large enterprises with deep pockets. Furthermore, in the coming months, Standard Edition and hundreds of millions of individual Google users will be able to enjoy this feature as well.


Second, today we demonstrated new mobile editing capabilities for Google Docs on the Android platform and the iPad. In the next few weeks, co-workers around the world will soon be able to co-edit files simultaneously from an even wider array of devices.

Only cloud computing is able to deliver the whole package of productivity-enhancing collaboration, superior reliability and virtually unlimited scale at a price that’s affordable for any size organization. Our Atmosphere event is a nice opportunity to step back and fully appreciate the power of the cloud with customers and future customers alike.

Tuesday, September 7, 2010

Simpler sign-ups for Yahoo! users with OpenID

How many times have you created a new account at a website and seen a message that said: “Thank you for creating an account. To activate your new account, please access your email and click the verification URL provided.”

Even though you just want to start using the website, this lengthy process requires you to manually perform a whole bunch of steps—including switching to your mailbox, trying to find the message the website sent you (which might be in your Spam folder), opening the message, clicking the link, etc. Until recently, we also required people to follow these steps if they wanted to sign up for a Google Account using their existing email address, such as a @yahoo.com, @hotmail.com, or other address.

To make this process simpler, we’re now using an Internet standard called OpenID which is supported by several email providers, including Yahoo!. Instead of the process above, Yahoo! users who sign up with Google see the page below with a button that sends them to Yahoo! for verification.


Once you click that button, Yahoo! shows you a page to get your consent to share your email address with Google.


After you agree, you’re done and can start using any Google service, such as Google Groups, Docs, Reader, AdWords, etc. We have found that a much larger number of people complete the email verification process when this method is used.

In the future we hope to expand this feature to other email providers, and we also hope other website operators will read more on the Google Code Blog about how they can implement a similar feature.

Friday, May 21, 2010

Search more securely with encrypted Google web search

Update June 25, 2010: Since we introduced our encrypted search option last month, we’ve been listening closely to user feedback. Many users appreciate the capability to perform searches with better protection against snooping from third parties. We’ve also heard about some challenges faced by various school districts, and today, we want to inform you that we’ve moved encrypted search from https://www.google.com to https://encrypted.google.com. The site functions in the same way. For more information on this change, please read on here.

As people spend more time on the Internet, they want greater control over who has access to their online communications. Many Internet services use what are known as Secure Sockets Layer (SSL) connections to encrypt information that travels between your computer and their service. Usually recognized by a web address starting with “https” or a browser lock icon, this technology is regularly used by online banking sites and e-commerce websites. Other sites may also implement SSL in a more limited fashion, for example, to help protect your passwords when you enter your login information.

Years ago Google added SSL encryption to products ranging from Gmail to Google Docs and others, and we continue to enable encryption on more services. Like banking and e-commerce sites, Google’s encryption extends beyond login passwords to the entire service. This session-wide encryption is a significant privacy advantage over systems that only encrypt login pages and credit card information. Early this year, we took an important step forward by making SSL the default setting for all Gmail users. And today we’re gradually rolling out a new choice to search more securely at https://www.google.com.

When you search on https://www.google.com, an encrypted connection is created between your browser and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party on your network. The service includes a modified logo to help indicate that you’re searching using SSL and that you may encounter a somewhat different Google search experience, but as always, remember to check the start of the address bar for “https” and your browser lock indicators:

Today’s release comes with a “beta” label for a few reasons. First, it currently covers only the core Google web search product. To help avoid misunderstanding, when you search using SSL, you won’t see links to offerings like Image Search and Maps that, for the most part, don’t support SSL at this time. Also, since SSL connections require additional time to set up the encryption between your browser and the remote web server, your experience with search over SSL might be slightly slower than your regular Google search experience. What won’t change is that you will still get the same great search results.

A few notes to remember: Google will still maintain search data to improve your search quality and to provide better service. Searching over SSL doesn’t reduce the data sent to Google — it only hides that data from third parties who seek it. And clicking on any of the web results, including Google universal search results for unsupported services like Google Images, could take you out of SSL mode. Our hope is that more websites and services will add support for SSL to help create a better and more consistent experience for you.

We think users will appreciate this new option for searching. It’s a helpful addition to users’ online privacy and security, and we’ll continue to add encryption support for more search offerings. To learn more about using the feature, refer to our help article on search over SSL.

Friday, May 14, 2010

WiFi data collection: An update

Update June 9, 2010: 

When we announced three weeks ago that we had mistakenly included code in our software that collected samples of payload data from WiFi networks, we said we would ask a third party to review the software at issue, how it worked, and what data it gathered. That report, by the security consulting firm Stroz Friedberg, is now complete and was sent to the interested data protection authorities today. In short, it confirms that Google did indeed collect and store payload data from unencrypted WiFi networks, but not from networks that were encrypted. You can read the report here. We are continuing to work with the relevant authorities to respond to their questions and concerns.

Update May 17, 2010:

On Friday May 14 the Irish Data Protection Authority asked us to delete the payload data we collected in error in Ireland. We can confirm that all data identified as being from Ireland was deleted over the weekend in the presence of an independent third party. We are reaching out to Data Protection Authorities in the other relevant countries about how to dispose of the remaining data as quickly as possible.


You can read the letter from the independent third party, confirming deletion, here.


[original post]
Nine days ago the data protection authority (DPA) in Hamburg, Germany asked to audit the WiFi data that our Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions. His request prompted us to re-examine everything we have been collecting, and during our review we discovered that a statement made in a blog post on April 27 was incorrect.

In that blog post, and in a technical note sent to data protection authorities the same day, we said that while Google did collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router) using Street View cars, we did not collect payload data (information sent over the network). But it’s now clear that we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products.

However, we will typically have collected only fragments of payload data because: our cars are on the move; someone would need to be using the network as a car passed by; and our in-car WiFi equipment automatically changes channels roughly five times a second. In addition, we did not collect information traveling over secure, password-protected WiFi networks.

So how did this happen? Quite simply, it was a mistake. In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data. A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.

As soon as we became aware of this problem, we grounded our Street View cars and segregated the data on our network, which we then disconnected to make it inaccessible. We want to delete this data as soon as possible, and are currently reaching out to regulators in the relevant countries about how to quickly dispose of it.

Maintaining people’s trust is crucial to everything we do, and in this case we fell short. So we will be:
  • Asking a third party to review the software at issue, how it worked and what data it gathered, as well as to confirm that we deleted the data appropriately; and
  • Internally reviewing our procedures to ensure that our controls are sufficiently robust to address these kinds of problems in the future.
In addition, given the concerns raised, we have decided that it’s best to stop our Street View cars collecting WiFi network data entirely.

This incident highlights just how publicly accessible open, non-password-protected WiFi networks are today. Earlier this year, we encrypted Gmail for all our users, and next week we will start offering an encrypted version of Google Search. For other services users can check that pages are encrypted by looking to see whether the URL begins with “https”, rather than just “http”; browsers will generally show a lock icon when the connection is secure. For more information about how to password-protect your network, read this.

The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here. We are profoundly sorry for this error and are determined to learn all the lessons we can from our mistake.

Tuesday, January 12, 2010

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this Report to Congress (PDF) by the U.S.-China Economic and Security Review Commission (see p. 163-), as well as a related analysis (PDF) prepared for the Commission, Nart Villeneuve's blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China."

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Update: Added a link to another referenced report in paragraph 5.

Tuesday, November 3, 2009

Cutting back on your long list of passwords

Does anyone actually like passwords? Most people can't stand them because they end up having to keep track of a long (and often memorized) list of usernames and passwords to sign into the websites they visit. Website owners hate them because it's hard to get people to create a new account on their website, and almost half of those account registrations are never completed. Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%. The most visible examples come from Plaxo, Facebook, Yahoo! and Google using a technique the industry calls hybrid onboarding. In the past, if you're a Gmail user who got an invitation to use Plaxo or Facebook, you were asked to perform the traditional process of creating a new account with yet another password, and then you might also have been asked to provide the password of your email account so Plaxo or Facebook could look up the list of your friends. With hybrid onboarding, if you click on such an invitation in your Gmail, you'll see a page like one of these:


Clicking the large button on the Plaxo page takes you to a page at Google like this:


If you give consent to share a few pieces of information, you are sent back to Plaxo with all key registration steps finished.


The registration process used to involve more than 10 steps, including requiring you to find one of those "email validation" messages in your inbox. If you've followed the steps above, you can now sign into Plaxo more easily — by simply clicking a button.

While Plaxo showed the first successful results of this technique in early 2009, other companies like Facebook are starting to use the same model and to recognize its business value potential. At the same time, the hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all. Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused. We'd like to applaud Plaxo and Facebook's work in designing the user experience needed for this technique as well as pushing us to create the optimizations needed to carry out their design. Today we're happy to announce that all of these login flow designs are now available to any website operator. All of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well. For more technical details, check out our Google Code Blog post.

Hybrid onboarding is also being used by Enterprise Software-as-a-Service vendors — such as ZoHo — that want to eliminate the need for employees at their customers' businesses to create another password. More details are available on our Enterprise Blog. In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites.

There is still a long way to go before you'll be able to trim down your long list of website passwords, but this progress demonstrates the potential for even the largest websites to adopt the hybrid onboarding model. We hope many other websites will follow.

Monday, November 2, 2009

Next steps in cyber security awareness

(Cross-posted from the Public Policy blog)

Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill organized by Congresswoman Yvette Clarke and sponsored by the Committee on Homeland Security. The conversation focused on things everyday Internet users can do to help protect their computers and stay safe online. Given that we just wrapped up our observation of National Cyber Security Awareness Month, I thought I'd share some of the key recommendations from the panel:

What are the most important things we all need to do to protect our computers and mobile devices?
You should have the same expectations when using the Internet as you would when exploring a city: you don't give your credit card to the person selling watches on the street just because you recognize the brand, you don't let your kids wander around by themselves and you don't give personal information unless you know who's getting it. If an offer is "urgent" or seems too good to be true, take a step back and research the offer. Add a password to your mobile phone, and browse cautiously on open WiFi networks as you would when using a computer.

What are the most common misconceptions about cyber security?
Many dangerous websites are not designed to be dangerous. In fact, most of the sites that serve malware (malicious software) are innocent sites that have been compromised in one way or another. Your computer isn't necessarily safe just because you're avoiding sites that contain adult content or pirated software. Use reputable anti-virus and anti-spyware programs, and keep your computer operating system and applications updated with the latest software versions.

How do I know if my computer or network has been compromised?
First, disconnect it from the Internet. Take note of any slowness, and if you're not sure how to proceed, get someone with technical expertise to check your network logs for high traffic appearing during times when you're not using the computer. When in doubt, contact a computer support expert.

As President Obama recently stated, cyber security is a shared responsibility. At Google, we recognize how important awareness and education are because many online security threats can only be avoided if we work together.

We spent the month of October exploring cyber security and talking about how to use Google products in a more secure manner. If you haven't seen them already, take a look at the posts we've released over the last month:
Be sure to share the tips you find most helpful with others, and remember to stay safe online.

Thursday, October 1, 2009

Celebrating National Cyber Security Awareness Month 2009

Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to make the Internet a safer place, it can be difficult to know what to do as an Internet user beyond creating numerous passwords for your various online accounts and steering clear of that email from a "long lost relative" who wants you to immediately wire thousands of dollars to him. Here's the good news: even though security can become quite technical and complicated, there are simple steps you can take that can make a big difference in helping to keep your information safe.


This month, Google joins the National Cyber Security Alliance (NCSA), governmental agencies, corporations, schools and non-profit organizations in recognizing National Cyber Security Awareness Month. Throughout October, we'll be raising awareness of important Internet security and safety issues that will teach you how to be an informed web user. Keep an eye on our various product blogs, as we'll be sharing tips that are tailored to users of Google products and services. To kick off the series, visit our newly created Google Cyber Security Awareness Channel on YouTube to watch a variety of online safety videos created by individuals and groups with an interest in cyber security.

The web is a great platform for all kinds of things — finding information, interacting with others and even running your business. Practicing good cyber security habits can help keep it that way. Join us this month by brushing up on your cyber security awareness and sharing the tips you like with others.

Update on 10/22/2009: We're excited to hear that the U.S. House of Representatives today unanimously passed a resolution formally supporting the goals and ideals of National Cyber Security Awareness Month 2009. Rep. Yvette D. Clarke’s resolution signals the government's willingness and commitment to help better protect the nation's online and information security.

Friday, July 10, 2009

How to steer clear of money scams

This post is the latest in an ongoing series on how to stay safe online. - Ed.

As the designated tech support person for my immediate family, I'm used to getting calls about issues like browser crashes and confusing websites. But recently my mom called to ask about something she saw online that said Google would pay her thousands of dollars to work from home with no experience required. She didn't buy it, but she did want to ask — is this for real?

My mom was right to be skeptical. In the current economic downturn, a lot of people are looking for ways to make extra money. Unfortunately, some unsavory characters see this trend as an opportunity to trick unsuspecting people with scams and elaborate get-rich-quick schemes. We're seeing disturbing cases in which websites, emails and advertisements claim that you can make large amounts of money from home with very little effort using Google products and services. They're designed to look like they were written by a regular person, just like you, who stumbled across an amazing opportunity to make their monetary dreams come true. What they don't tell you clearly is that Google is not affiliated with these sites and that they may add extra charges to your credit card or misuse your personal information.

To be clear, we are proud to say that many companies and individuals do legitimately make money placing ads on their websites with Google AdSense or participating in programs like the Google Affiliate Network. Creating a successful website is hard work — successful sites earn their money by writing compelling content, developing useful applications and maintaining vibrant user communities. Any claim that you can skip all of that and make just as much money by posting links, using a secret system, or running a kit to generate websites should be treated with a heavy dose of skepticism.

Spammers attempt to reach users by generating hundreds of webpages and sending out a flood of spam emails, sometimes even buying advertisements on reputable websites. Their sites also target other popular Internet companies. They may include family photos pilfered from another site or a picture of a check they supposedly received. Spammers use a wide range of techniques that try to slip past automatic filters to get to you. At Google, we work hard to protect users from these schemes by using a combination of automated and manual tools that remove them from our search index and ad network. However, scams target many companies and appear in various places around the web, so we all need to work cooperatively. Google collaborates with various government and non-governmental consumer protection agencies, such as the Federal Trade Commission, that are investigating these types of schemes further.

How to identify scams and other schemes

In general, if it looks too good to be true, it probably is. Here are some pointers on what to look out for:
  • Before you fill out a form or give someone a credit card, do a web search to see what other people are saying about the company and its practices.
  • Be wary of companies that ask for upfront charges for services that Google actually offers for free. Check out our business solutions page before writing a check.
  • Always read the fine print. Watch out for get-rich-quick schemes that charge a very low initial fee before sneaking in large recurring charges on your credit card or bank account.
  • Google never guarantees top placement in search results or AdWords — beware of companies that claim to guarantee rankings, allege a special relationship with Google, or advertise a "priority submit" to Google. There is no priority submit for Google. In fact, the only way to submit a site to Google directly is through our Add URL page or through the Sitemaps program — you can do these tasks yourself at no cost whatsoever.
  • Be wary of anything resembling a pyramid scheme, where you make commissions by recruiting more participants.
  • Some sales pitches use the word "Google" or other trademarks right in their name with targeted phrases like "cash," "pay day," "money," "secrets," "home business," etc. If you can't find it on our list of Google products or on the business solutions page, don't trust it.
  • Look for third party verification. Scammers can easily cut-and-paste images to plaster a site with "as seen on TV," "five-star reviews" and the logos of well-known news channels. Products that have really been recommended by experts and fellow users typically contain links from legitimate news sites and multiple user review sites.
  • Reserve the same skepticism for unsolicited email about making money with Google AdWords as you do for "burn fat at night" diet pills or requests to help transfer funds from deposed dictators. In general, be wary of offers from firms that email you out of the blue. Amazingly, we get these spam emails too:
"I visited your website and noticed that you are not listed in most of the major search engines and directories..."
  • Google is not running a lottery, and we have not picked your email address to win millions of dollars. Don't give out your bank account details via email in anticipation of a big jackpot.
What you can do
  • If you come across many sites with duplicate content or common templates intended to direct users to the same product or scheme, please let us know with a spam report.
  • If you've been contacted to place suspicious links on your site for money, let us know with the paid link report form. If you have your own website or are in charge of advertising on a site, think carefully before accepting ads or entering into affiliate programs that will lead your users to schemes like those mentioned above.
  • If your site's forums or comment sections have been spammed with fake offers of fabulous financial gain, you may need to take steps to fight comment spam. Spammers will take advantage of any user-generated content sections of your site, and will even generate thousands of fake user profiles to try to slip under the radar.

Wednesday, July 1, 2009

What we've learned about spam

Blended threats. Payload viruses. Spam. If you're one of the more than 15 million people whose work email is protected by Postini's email security products, we hope you don't spend a lot of time thinking about these things. And if we're doing our job right, they certainly shouldn't be showing up in your inboxes. But we process more than 3 billion business emails per day for our customers, culling the spam, viruses, and other threats out, so we do think about this stuff. A lot.

On occasion, we like to share some of what we've learned, so that those of you who are interested can see what spammers are up to. If you're one of those people, head over to our Enterprise Blog for an update on spam trends over the past few months.

Wednesday, September 17, 2008

What to do if you can't access your webmail

This post is the latest in an ongoing series on how to stay safe online. - Ed.

We know how important webmail is to the people who use it regularly, since (of course) we use it ourselves at Google. So we know that not being able to access a webmail account -- no matter what the reason, or how long it lasts -- can be frustrating at the very least. Sometimes interruptions are caused by technical issues with your mail program or your Internet connection. More often, they're account-related.

When it comes to Gmail specifically, there are a couple of things that might cause account-related interruptions in access: a lost or forgotten password, unusual activity that triggers the safety measures designed to keep accounts from being compromised, or, in the worst case, someone has stolen your login info and changed it.

Most of the questions we get about account interruptions are the result of lost or forgotten passwords and as such are relatively easy to fix (more below). But no matter what their origin, we take these issues very seriously. Of course, there are certain cases where our options are limited -- we don't ask for much personal information when you sign up for Gmail, which can sometimes make it difficult to prove ownership of an account and trigger the recovery process.

Still, there are some simple steps you can take to ensure that your account stays in your hands, and to greatly improve the chances of regaining access if you have any problems:
  • Don't share your Gmail password with anyone. Not friends, not family, not anyone. And if you need to write down your password, be sure to keep it in a safe place, away from your computer. (For info on how to choose a good password and keep it safe, check out this post.)
  • Don't respond to messages asking for your login info. As you may already know, there are people out there who will try to steal your login info. Google will never send you an email, IM, or any other communication asking for your Gmail login info, so don't respond to any messages asking for it.
  • Always keep the verification number you get when you sign up for Gmail. When you sign up for Gmail, we'll ask you for a secondary email address and then email a verification number to that account. This number is the best way to prove ownership of your account, so be sure to hang on to it.
  • If you aren't able to access your account, try resetting your password. As mentioned above, most of the support requests we get turn out to be lost or forgotten passwords, rather than something more serious. Resetting your password usually gets the job done.
  • If resetting your password doesn't work, try our account-recovery process. We recently launched an account-recovery form in our help center that can drastically reduce the amount of time it takes to verify ownership of an account and restore access. If you have the information necessary to prove ownership -- such as the verification code for the account -- this new process can help our support team restore access within a matter of hours.
Again, we're always working on ways to help you keep your account secure and to stay safe online. Some of that work is educational, and some of it is technical, like the feature we recently launched for Gmail that lets you see when your account was last logged into and whether your account is currently open on another computer. Head over to our Gmail blog for more info.

Monday, September 8, 2008

Another step to protect user privacy

Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.

Back in March 2007, Google became the first leading search engine to announce a policy to anonymize our search server logs in the interests of privacy. And many others in the industry quickly followed our lead. Although that was good for privacy, it was a difficult decision because the routine server log data we collect has always been a critical ingredient of innovation. We have published a series of blog posts explaining how we use logs data for the benefit of our users: to make improvements to search quality, improve security, fight fraud and reduce spam.

Over the last two years, policymakers and regulators -- especially in Europe and the U.S. -- have continued to ask us (and others in the industry) to explain and justify this shortened logs retention policy. We responded by open letter to explain how we were trying to strike the right balance between sometimes conflicting factors like privacy, security, and innovation. Some in the community of EU data protection regulators continued to be skeptical of the legitimacy of logs retention and demanded detailed justifications for this retention. Many of these privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit.

Today, we are filing this response (PDF file) to the EU privacy regulators. Since we announced our original logs anonymization policy, we have had literally hundreds of discussions with data protection officials, government leaders and privacy advocates around the world to explain our privacy practices and to work together to develop ways to improve privacy. When we began anonymizing after 18 months, we knew it meant sacrifices in future innovations in all of these areas. We believed further reducing the period before anonymizing would degrade the utility of the data too much and outweigh the incremental privacy benefit for users.

We didn't stop working on this computer science problem, though. The problem is difficult to solve because the characteristics of the data that make it useful to prevent fraud, for example, are the very characteristics that also introduce some privacy risk. After months of work our engineers developed methods for preserving more of the data's utility while also anonymizing IP addresses sooner. We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work.

While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data. As the period prior to anonymization gets shorter, the added privacy benefits are less significant and the utility lost from the data grows. So, it's difficult to find the perfect equilibrium between privacy on the one hand, and other factors, such as innovation and security, on the other. Technology will certainly evolve, and we will always be working on ways to improve privacy for our users, seeking new innovations, and also finding the right balance between the benefits of data and advancement of privacy.

Wednesday, June 4, 2008

Does your password pass the test?



This post is the latest in an ongoing series about online safety. - Ed.

One of the things I work on is password security. And because I'm someone who pays close attention to passwords and how people use them, I sometimes hear interesting stories. For example, a couple of my colleagues are so careful about the security of their passwords that they generate a random eight-character string, memorize it, and then use it as their password for two to three months. After that time elapses, they start the process over again and generate a new random password.

Do we all need to be that careful about our passwords? Probably not. But passwords are one of the web's most important security tools. Whether it's for your Google account, your banking center, or your favorite store, choosing a good password and keeping it safe can go a long way toward protecting your information online.

So how do you choose a good password, and then keep it safe? A few of these tips can help:
  • Avoid common elements when choosing your password. Specifically, you should avoid using words or phrases from the dictionary, especially things that are easy to guess, like "password," "let me in," or the name of the site you're logging into. You should also avoid using keyboard patterns, such as "asdf1234" or "aqswdefr," or personal information, such as birthdays, addresses, or phone numbers.
  • Make your password as unique as possible. Once you've settled on a good base for your password, you should go a step further and add in numbers and non-alphanumeric characters, mix in upper-case letters, or use similar-looking substitutions for parts of the password, such as "$" for "s," "1" for "l," and "0" for "o."
  • Create different passwords for different sites. Doing so will help ensure that if one password is compromised, the others will remain secure. You may not be able to have a unique password for every place you visit on the web (for some of us, that would be a lot of passwords to manage), but alternating between a set of different passwords across the web and making sure all accounts that contain highly sensitive information (like email accounts or online banking accounts) have unique passwords is a good place to start.
  • Don't share your passwords with anyone. Not family, not friends, not anyone. This may seem a little strict, but the reality is the more people you share your password with, the greater your chances of having that password compromised will be. Also, if you need to write your passwords down, keep them away from your computer, and never send them in emails. And if you suspect someone might have discovered one of your passwords, change it immediately.
  • Be careful how you share your information online. Some online services -- such as social networking sites and gadgets that scrape information from other products -- may ask you for a password or an API key. If you choose to use these kinds of services, take a few minutes to learn more about what they do to keep your sensitive information secure. And just like sharing passwords with other people, you should be aware that sharing this information increases the chances that it could be compromised.
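The checks in the list above, written out as an added example (not code from the original post): a registration-time policy check that rejects dictionary words and the site's own name, keyboard walks such as "asdf1234" and "aqswdefr", personal details the caller supplies, and passwords with too little character variety. It reverses the substitutions the post mentions ("$" for "s", "1" for "l", "0" for "o", plus "@" for "a") before the dictionary check, so a substituted dictionary word is still caught, which is consistent with the post's point that substitutions belong on top of a good base. The word list, the 8-character minimum and the three-class rule are assumptions for the example.

```python
import re

# Constructed stand-in for a dictionary / common-password list; a real deployment
# would load a large list. It includes the examples the post names.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "login", "admin", "secret"}

# Reverse the look-alike substitutions before checking for dictionary words.
UNSUBSTITUTE = str.maketrans({"$": "s", "1": "l", "0": "o", "@": "a"})

# QWERTY rows, used to spot keyboard patterns such as "asdf1234" or "aqswdefr".
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, i) for r, row in enumerate(ROWS) for i, ch in enumerate(row)}


def _adjacent(a, b):
    """Loose physical adjacency: neighbouring column in the same or a neighbouring row."""
    if a == b or a not in POS or b not in POS:
        return False
    (ra, ia), (rb, ib) = POS[a], POS[b]
    return abs(ra - rb) <= 1 and abs(ia - ib) <= 1


def has_keyboard_walk(password, min_len=4):
    """True if min_len or more consecutive characters step across adjacent keys
    without revisiting a key (so "asdf" and "aqswdefr" count, "were" does not)."""
    pw = password.lower()
    run = pw[:1]
    for prev, cur in zip(pw, pw[1:]):
        run = run + cur if (_adjacent(prev, cur) and cur not in run) else cur
        if len(run) >= min_len:
            return True
    return False


def base_form(text):
    """Lower-case, undo the substitutions, and keep letters only ("P@$$w0rd!" -> "password")."""
    return re.sub(r"[^a-z]", "", text.lower().translate(UNSUBSTITUTE))


def check_password(password, site="", personal_info=()):
    """Return a list of problems; an empty list means the password passes every check.

    site: name of the site being logged into (the post warns against using it).
    personal_info: strings such as birthdays, phone numbers or street names.
    """
    problems = []
    if len(password) < 8:  # assumed policy minimum
        problems.append("shorter than 8 characters")

    base = base_form(password)
    banned = COMMON_WORDS | ({base_form(site)} if site else set())
    hits = sorted(w for w in banned if w and w in base)
    if hits:
        problems.append("contains common or site-related word: " + ", ".join(hits))

    if has_keyboard_walk(password):
        problems.append("contains a keyboard pattern")

    compact = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal_info:
        item_compact = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(item_compact) >= 4 and item_compact in compact:
            problems.append("contains personal information: " + item)

    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if sum(1 for c in classes if c) < 3:  # assumed policy: at least three character classes
        problems.append("uses fewer than three character classes (lower, upper, digit, symbol)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@$$w0rd!", "asdf1234", "MyGmail#2011", "Kj7#pLm2Qz!"):
        print(candidate, "->", check_password(candidate, site="Gmail") or "ok")
```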
Another thing that can help keep your password secure is choosing a good security question and answer on the sites that offer that option. You've probably seen this before: When you're creating an account on many sites, you will be asked to choose a question to verify your identity if you forget your password.

Some sites will let you write in your own question; in these cases, you should make sure the Q&A you create isn't something that's easy to guess or something that your family and friends would know. Other sites will present you with a list of preset questions to choose from, such as "What is your mother's maiden name?" These kinds of questions are less secure, since their answers are easier for other people to guess. In these cases, you should find a way to make your answer unique -- whether it's using the tips above, or by adding in other information -- so that even if someone guesses the answer, they won't know how to enter it properly.

Read more about choosing a good password and security question.

Tuesday, April 29, 2008

How to avoid getting hooked



This post is one of a series devoted to online security. - Ed.


Millions of people have gotten "urgent" emails asking them to take immediate action to prevent some impending disaster. "Our bank has a new security system. Update your information now or you won't be able to access your account," or "We couldn't verify your information; click here to update your account." Sometimes the email claims that something awful will happen to the sender (or a third party), as in "The sum of $30,000,000 is going to go to the Government unless you help me transfer it to your bank account."

People who click on the links in these emails may see a web page that looks like a legitimate site they've visited before. Because the page looks familiar, these people enter their username, password, or other private information on the site. What they've actually done is given an unknown third party all the information needed to hijack their account, steal their money, or open up new lines of credit in their name. They just fell for a phishing attack.

The concept behind such an attack is pretty simple: Someone masquerades as someone else in an effort to fool you into sharing personal or other sensitive information with them. Phishers can masquerade as just about anyone, including banks, email and application providers, online merchants, online payment services, and even governments. And while some of these attacks are crude and easy to spot, many of them are sophisticated and well constructed. That fake email from "your bank" can look very real; the bogus "login page" you're redirected to can seem completely legitimate.

The good news is there are things you can do to steer clear of phishing attacks:
  • Be careful about responding to emails that ask you for sensitive information. You should be wary of clicking on links in emails or responding to emails that are asking for things like account numbers, user names and passwords, or other personal information such as social security numbers. Most legitimate businesses will never ask for this information via email. Google doesn't.
  • Go to the site yourself, rather than clicking on links in suspicious emails. If you receive a communication asking for sensitive information but think it could be legitimate, open a new browser window and go to the organization's website as you normally would (for instance, by using a bookmark or by typing out the address of the organization's website). This will improve the chances that you're dealing with the organization's website rather than with a phisher's website, and if there's actually something you need to do, there will usually be a notification on the site. Also, if you're not sure about a request you've received, don't be afraid to contact the organization directly to ask. It takes just a few minutes to go to the organization's website, find an email address or phone number for customer support, and reach out to confirm whether the request is legitimate.
  • If you're on a site that's asking you to enter sensitive information, check for signs of anything suspicious. If you're on a site that's asking for sensitive information -- no matter how you got there -- check for the signs that it's really the official website for the organization. For example, check the URL to make sure the page is actually part of the organization's website, and not a fraudulent page on a different domain (such as mybankk.com or g00gle.com). If you're on a page that should be secured (like one asking you to enter your credit card information), look for "https" at the beginning of the URL and the padlock icon in the browser. (In Firefox and Internet Explorer 6, the padlock appears in the bottom right-hand corner, while in Internet Explorer 7 the padlock appears on the right-hand side of the address bar.) These signs aren't infallible, but they're a good place to start.
  • Be wary of the "fabulous offers" and "fantastic prizes" that you'll sometimes come across on the web. If something seems too good to be true, it probably is, and it could be a phisher trying to steal your information. Whenever you come across an offer online that requires you to share personal or other sensitive information to take advantage of it, be sure to ask lots of questions and check the site asking for your information for signs of anything suspicious.
  • Use a browser that has a phishing filter. The latest versions of most browsers -- including Firefox, Internet Explorer, and Opera -- include phishing filters that can help you spot potential phishing attacks.
All fairly simple, right? What it all comes down to is if someone asks you to share personal or other sensitive information online, take a moment to think through the request carefully. Doing so will help you stay safe online, and help us all put phishers out of business.
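The URL checks from the list above, as an added example that is not part of the original post: it flags a missing https scheme, a genuine domain name embedded as a subdomain of something else, and registrable domains that resemble a known one after mapping digit look-alikes back to letters (so mybankk.com and g00gle.com are both caught). The list of genuine domains is constructed; registrable_domain takes the last two labels, so multi-part public suffixes such as .co.uk are not handled.

```python
import difflib
from urllib.parse import urlsplit

# Constructed list of the organizations' genuine registrable domains.
KNOWN_DOMAINS = {"google.com", "mybank.com"}

# Digits that read as letters to a hurried eye: "g00gle" looks like "google".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-part public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(domain: str, known: str, threshold: float) -> bool:
    """Similarity of the look-alike-normalised domain to a genuine one."""
    normalised = domain.translate(HOMOGLYPHS)
    return difflib.SequenceMatcher(None, normalised, known).ratio() >= threshold


def assess_url(url: str, threshold: float = 0.8) -> dict:
    """Classify a URL as 'ok', 'lookalike' or 'unknown' and list the warnings found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("no https: anything typed on this page travels in the clear")

    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return {"verdict": "ok", "domain": domain, "warnings": warnings}

    for known in KNOWN_DOMAINS:
        # mybank.com.secure-login.example: the real name is only a subdomain label.
        if host.startswith(known + ".") or ("." + known + ".") in host:
            warnings.append(f"{known} appears as a subdomain of {domain}")
            return {"verdict": "lookalike", "domain": domain, "warnings": warnings}
        # mybankk.com, g00gle.com: a different domain that resembles a genuine one.
        if looks_like(domain, known, threshold):
            warnings.append(f"{domain} resembles {known}")
            return {"verdict": "lookalike", "domain": domain, "warnings": warnings}

    return {"verdict": "unknown", "domain": domain, "warnings": warnings}


if __name__ == "__main__":
    for u in ("https://accounts.google.com/ServiceLogin", "http://www.g00gle.com/login",
              "https://mybankk.com/", "https://mybank.com.secure-login.example/"):
        print(u, "->", assess_url(u))
```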

Thursday, April 17, 2008

Working together to fight malware


We recently began a series of posts related to online security that focus on how we secure information (with posts like these) and how you can protect yourself online. Here's the latest in the series. - Ed.

As part of this ongoing security series, we'd like to talk a little about malware. The term malware, derived from "malicious software," refers to any software specifically designed to harm your computer or the software it's running.

Malware can be added to your computer, with or without your knowledge, in a number of ways -- usually when you visit a website containing malware or when you download seemingly innocent software. It can then slow down your system, send fake emails from your email account, steal sensitive information like credit card numbers or passwords from your computer, and more.

The conventional wisdom was that you could avoid malware by learning to spot sites that were created with the sole purpose of spreading it, and by staying away from other sites that might be risky. But recent research from Google suggests that an increasing number of malware attacks are taking place on sites you'd normally regard as safe or legitimate, but have actually been compromised.

Google works closely with the security community to identify malware on the web and then share that information more broadly. We've set up a number of automated systems to scour our index for potentially dangerous sites, and we add a label to those that appear to be a vehicle for malware. If you're searching on Google and click on a link that we've flagged, a warning page will appear before you move forward.

We also notify webmasters if we discover that a site is no longer secure and provide a method for webmasters that clean up their sites to request a review. And starting soon, we'll be providing more detail on sites that appear to be spreading malware, so users have a better sense of why we have flagged a given site and webmasters can more easily identify and correct issues on their sites.

All this stems directly from our security philosophy: We believe that if we all work together to identify threats and stamp them out, we can make the web a safer place for everyone. Of course, we can't catch everything, so our users play a crucial part in this effort too. Below are a few tips that can help you reduce your chances of being affected by malware:
  • Use anti-virus software. Most anti-virus software is specifically designed to find and remove harmful software on your computer. Be sure you have anti-virus software installed on your computer (you can get a free trial through Google Pack if you don't), keep it current, and use it to run frequent full-system checks.
  • Make sure your operating system and browser are up to date. Attackers typically target vulnerabilities in your operating system (OS) and your browser to install malware on your computer. OS and browser providers frequently release updates to close those vulnerabilities. Enable automatic updates for both your browser and your OS, and check for alerts to ensure you have the latest and greatest protection.
  • Be careful about what you download. While Google and everyone else in the online community is working hard to identify harmful sites, new sources of malware are emerging all the time. Whenever you're prompted to download an email attachment, install a plug-in, or download an unfamiliar piece of software, take a moment to think it through. You won't always be able to identify a risky download, but if you practice some reasonable caution, you'll be able to reduce that risk.
If you come across a potentially dangerous site that hasn't already been flagged, please report it. To learn more about malware and how to protect yourself, check out StopBadware.org's help page.

Tuesday, March 25, 2008

Making search better in Catalonia, Estonia, and everywhere else



We recently began a series of posts on how we harness the power of data. Earlier we told you how data has been critical to the advancement of search; about using data to make our products safe and to prevent fraud; this post is the newest in the series. -Ed.

One of the most important uses of data at Google is building language models. By analyzing how people use language, we build models that enable us to interpret searches better, offer spelling corrections, understand when alternative forms of words are needed, offer language translation, and even suggest when searching in another language is appropriate.

One place we use these models is to find alternatives for words used in searches. For example, for both English and French users, "GM" often means the company "General Motors," but our language model understands that in French searches like seconde GM, it means "Guerre Mondiale" (World War), whereas in STI GM it means "Génie Mécanique" (Mechanical Engineering). Another meaning in English is "genetically modified," which our language model understands in GM corn. We've learned this based on the documents we've seen on the web and by observing that users will use both "genetically modified" and "GM" in the same set of searches.

We use similar techniques in all languages. For example, if a Catalan user searches for resultat elecció barris BCN (searching for the result of a neighborhood election in Barcelona), Google will also find pages that use the words "resultats" or "eleccions" or that talk about "Barcelona" instead of "BCN." And our language models also tell us that the Estonian user looking for Tartu juuksur, a barber in Tartu, might also be interested in a "juuksurisalong," or "barber shop."

In the past, language models were built from dictionaries by hand. But such systems are incomplete and don't reflect how people actually use language. Because our language models are based on users' interactions with Google, they are more precise and comprehensive -- for example, they incorporate names, idioms, colloquial usage, and newly coined words not often found in dictionaries.

When building our models, we use billions of web documents and as much historical search data as we can, in order to have the most comprehensive understanding of language possible. We analyze how our users searched and how they revised their searches. By looking across the aggregated searches of many users, we can infer the relationships of words to each other.

Queries are not made in isolation -- analyzing a single search in the context of the searches before and after it helps us understand a searcher's intent and make inferences. Also, by analyzing how users modify their searches, we've learned related words, variant grammatical forms, spelling corrections, and the concepts behind users' information needs. (We're able to make these connections between searches using cookie IDs -- small pieces of data stored in visitors' browsers that allow us to distinguish different users. To understand how cookies work, watch this video.)

To provide more relevant search results, Google is constantly developing new techniques for language modeling and building better models. One element in building better language models is using more data collected over longer periods of time. In languages with many documents and users, such as English, our language models allow us to improve results deep into the "long tail" of searches, learning about rare usages. However, for languages with fewer users and fewer documents on the web, building language models can be a challenge. For those languages we need to work with longer periods of data to build our models. For example, it takes more than a year of searches in Catalan to provide a comparable amount of data as a single day of searching in English; for Estonian, more than two and a half years worth of searching is needed to match a day of English. Having longer periods of data enables us to improve search for these less commonly used languages.

At Google, we want to ensure that we can help users everywhere find the things they're looking for; providing accurate, relevant results for searches in all languages worldwide is core to Google's mission. Building extensive models of historical usage in every language we can, especially when there are few users, is an essential piece of making search work for everyone, everywhere.

A common sense approach to Internet safety



Over the years, we've built tools and offered resources to help kids and families stay safe online. Our SafeSearch feature, for example, helps filter explicit content from search results.

We've also been involved in a variety of local initiatives to educate families about how to stay safe while surfing the web. Here are a few highlights:
  • Google India initiated "Be NetSmart," an Internet safety campaign created in cooperation with local law enforcement authorities that aims to educate students, parents, and teachers across the country about the great value the Internet can bring to their lives, while also teaching best practices for safe surfing.
  • And Google Germany worked with the national government, industry representatives, and a number of local organizations recently to launch a search engine for children.
As part of these ongoing efforts to provide online safety resources for parents and kids, we've created Tips for Online Safety, a site designed to help families find quick links to safety tools like SafeSearch, as well as new resources, like a video offering online safety pointers that we've developed in partnership with Common Sense Media. In the video, Anne Zehren, president of Common Sense, offers easy-to-implement tips, like how to set privacy and sharing controls on social networking sites and the importance of having reasonable rules for Internet use at home with appropriate levels of supervision.

Users can also download our new Online Family Safety Guide (PDF), which includes useful Internet Safety pointers for parents, or check out a quick tutorial on SafeSearch created by one of our partner organizations, GetNetWise.

We all have roles to play in keeping kids safe online. Parents need to be involved with their kids' online lives and teach them how to make smart decisions. And Internet companies like Google need to continue to empower parents and kids with tools and resources that help put them in control of their online experiences and make web surfing safer.

Tuesday, March 18, 2008

Using data to help prevent fraud
We recently began a series of posts on how we harness the power of data. Earlier we told you how data has been critical to the advancement of search technology. Then we shared how we use log data to help make Google products safer for users. This post is the newest in the series. -Ed.

Protecting our advertisers against click fraud is a lot like solving a crime: the more clues we have, the better we can determine which clicks to mark as invalid, so advertisers are not charged for them.

As we've mentioned before, our Ad Traffic Quality team built, and is constantly adding to, our three-stage system for detecting invalid clicks. The three stages are: (1) proactive real-time filters, (2) proactive offline analysis, and (3) reactive investigations.

So how do we use log information for click fraud detection? Our logs are where we get the clues for the detective work. Logs are the repository of data that we use to detect patterns, anomalous behavior, and other signals indicative of click fraud.

Millions of users click on AdWords ads every day. Every single one of those clicks -- and the even more numerous impressions associated with them -- is analyzed by our filters (stage 1), which operate in real-time. This stage certainly utilizes our log data, but it is stages 2 and 3 which rely even more heavily on deeper analysis of the data in our logs. For example, in stage 2, our team pores over the millions of impressions and clicks -- as well as conversions -- over a longer time period. In combing through all this information, our team is looking for unusual behavior in hundreds of different data points.

IP addresses of computers clicking on ads are very useful data points. A simple use of IP addresses is determining the source location for traffic. That is, for a given publisher or advertiser, where are their clicks coming from? Are they all coming from one country or city? Is that normal for an ad of this type? Although we don't use this information to identify individuals, we look at the data in aggregate and study patterns. This information is imperfect, but analyzed in large volumes it is very helpful in preventing fraud. For example, examining an IP address usually tells us which ISP that person is using. It is easy for people on most home Internet connections to get a new IP address by simply rebooting their DSL or cable modem. However, that new IP address will still be registered to their ISP, so additional ad clicks from that machine will still have something in common. Seeing an abnormally high number of clicks on a single publisher from the same ISP isn't necessarily proof of fraud, but it does look suspicious and raises a flag for us to investigate. Other information contained in our logs, such as the browser type and operating system of machines associated with ad clicks, is analyzed in similar ways.
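To make the ISP-level aggregation concrete, here is an added toy example (not Google's filter, and not code from the post): it maps each click's IP to an ISP through a small constructed prefix table, then flags any publisher whose share of clicks from one ISP is far above that ISP's share on every other publisher. The log format, prefix table, `ratio` and `min_clicks` thresholds are all assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> ISP table standing in for a real IP-to-ISP lookup (assumption).
ISP_PREFIXES = {"203.0.113.0/24": "isp-a", "198.51.100.0/24": "isp-b", "192.0.2.0/24": "isp-c"}

def isp_for(ip):
    """Map a client IP to the ISP its block is registered to ('unknown' if not in the table)."""
    for prefix, isp in ISP_PREFIXES.items():
        if ip_address(ip) in ip_network(prefix):
            return isp
    return "unknown"

def _mixed(pub, hour):
    """Constructed normal-looking publisher: 2 clicks from isp-a, 3 from isp-b, 3 from isp-c."""
    ips = ["203.0.113.5", "203.0.113.6", "198.51.100.1", "198.51.100.2", "198.51.100.3",
           "192.0.2.1", "192.0.2.2", "192.0.2.3"]
    return "".join(f"2008-03-18T{hour:02d}:{i:02d}:00 {pub} {ip}\n" for i, ip in enumerate(ips))

# Constructed click log, one "<timestamp> <publisher> <client_ip>" record per line. pub-1's six
# clicks come from six different addresses, all inside one ISP's block (the modem-reboot case).
SAMPLE_LOG = "".join(f"2008-03-18T10:{i:02d}:00 pub-1 203.0.113.{h}\n"
                     for i, h in enumerate([10, 44, 7, 91, 130, 201])) + _mixed("pub-2", 11) + _mixed("pub-3", 12)

def parse_log(text):
    """Return (publisher, isp, ip) tuples; the timestamp is not needed for this aggregate view."""
    out = []
    for line in text.splitlines():
        _ts, pub, ip = line.split()
        out.append((pub, isp_for(ip), ip))
    return out

def flag_isp_concentration(clicks, ratio=3.0, min_clicks=5):
    """Flag (publisher, ISP) pairs whose share of that publisher's clicks is at least `ratio`
    times the ISP's share of all other publishers' clicks. Returns (publisher, isp, clicks,
    distinct_ips, lift) tuples; a flag is a lead for stage-3 investigation, not proof of fraud."""
    per_pub, ips_seen = defaultdict(Counter), defaultdict(set)
    for pub, isp, ip in clicks:
        per_pub[pub][isp] += 1
        ips_seen[(pub, isp)].add(ip)
    overall, total = Counter(isp for _, isp, _ in clicks), len(clicks)
    flags = []
    for pub, counts in per_pub.items():
        n = sum(counts.values())
        for isp, c in counts.items():
            others = total - n                                  # clicks on every other publisher
            baseline = (overall[isp] - c) / others if others else 0.0
            lift = (c / n) / baseline if baseline else float("inf")  # ISP seen only here: max lift
            if c >= min_clicks and lift >= ratio:
                flags.append((pub, isp, c, len(ips_seen[(pub, isp)]), round(lift, 1)))
    return flags

if __name__ == "__main__":
    for f in flag_isp_concentration(parse_log(SAMPLE_LOG)):
        print("investigate:", f)  # prints ('pub-1', 'isp-a', 6, 6, 4.0)
```

Note that pub-1 is flagged even though no single IP repeats: per-IP counting alone would miss the pattern, which is the point of rolling addresses up to their ISP.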

These data points are just a few examples of hundreds of different factors we take into account in click fraud detection. Without this information, and enough of it to identify fraud attempted over a longer time period, it would be extremely difficult to detect invalid clicks with a high degree of confidence, and proactively create filters that help optimize advertiser ROI. Of course, we don't need this information forever; last year we started anonymizing server logs after 18 months. As always, our goal is to balance the utility of this information (as we try to improve Google’s services for you) with the best privacy practices for our users.

If you want to learn more about how we collect information to better detect click fraud, visit our Ad Traffic Quality Resource Center.