Go to an activist, technologist, or journalist gathering, and you may find a free pile of Google’s security keys, dubbed Titan. These are small devices a Gmail user can plug into their computer via USB to make their account much harder to hack. The keys don’t just work with Google accounts; Twitter and other large sites now support hardware security tokens too.
But if you’re an activist inside Iran, Sudan, Syria, Cuba, the region of Crimea, or North Korea, Google probably won’t give you a Titan key. Google bars nonprofits and other groups from providing these tools, or promoting the availability of any Google product to activists in those countries, according to two independent sources familiar with Google’s approach and a legal document viewed by Motherboard. Motherboard granted the sources anonymity to speak more candidly about community security practices.
Although Google may simply be trying to stay in line with export legislation—it’s not totally clear whether providing these devices to people in these countries would violate any US or international embargoes or export laws—the news does provide insight into the potential legal barriers private businesses face when trying to work with activists in certain parts of the world. It’s worth mentioning that activists in some of these sanctioned countries may be at high risk of digitally focused attacks from governments that have a history of clamping down on activism and free speech.
“We know that high risk groups in some of these countries are hammered by phishing and malware. It's a shame that it's not easier for companies to help them with more usable security,” John Scott-Railton, a researcher at Citizen Lab, an organization that has deeply investigated hacking campaigns against journalists, activists, and human rights dissidents, told Motherboard in an online chat.
Do you work at Google, or used to? We would love to hear from you. Using a non-work computer or phone, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or OTR chat on firstname.lastname@example.org.
Google’s Titan keys work as a form of two-factor authentication on a Google account. Often two-factor authentication comes in the form of a text sent to the user’s phone, or a code generated in an app. Although highly effective at keeping hackers out for the vast majority of users, both of those forms of security codes can be phished by hackers. This means users who face a particularly high risk of hacking may opt for a hardware security key instead, like Titan, which is much harder for a hacker to circumvent, in part because the hacker would need to get physical access to the key.
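The contrast the paragraph draws, as an added example that is not code from the article, Google, or the Titan product: a relay phisher who captures a text or app code can reuse it on the real site, while a security key's response is bound to the origin the browser is actually on, so the same relay fails. Both origins, the relying party, and the key are constructed for the walk-through; the key's signature is modelled with an HMAC because the standard library has no ECDSA (a real FIDO key signs with a per-site private key, but the origin binding works the same way). Beyond what the paragraph states, the code shows that origin binding, rather than physical possession alone, is what defeats the phishing page.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed origins for the walk-through; neither is a real site.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"   # look-alike domain the victim is lured to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the index of the current 30-second window."""
    return hotp(secret, now // step, digits)


def totp_phish_succeeds(shared_secret: bytes, now: int) -> bool:
    """Relay of an app-generated code: the victim types the current code into the
    look-alike page and the attacker submits it to the real site in the same window.
    Nothing in the code records where it was typed, so the real site accepts it."""
    code_typed_into_phish = totp(shared_secret, now)
    server_expected = totp(shared_secret, now)      # the real site's own check
    return hmac.compare_digest(code_typed_into_phish, server_expected)


def _assertion(key_secret: bytes, origin: str, challenge: bytes) -> bytes:
    # Stand-in for the key's signature: HMAC over (origin, challenge). A real key
    # would sign these fields with its private key; the origin binding is the point.
    return hmac.new(key_secret, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class SecurityKey:
    """Toy hardware key: its secret is generated on the device and never leaves it."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def register(self) -> bytes:
        # Registration gives the relying party what it needs to verify later
        # (a public key in reality; the HMAC secret in this toy).
        return self._secret

    def sign(self, browser_origin: str, challenge: bytes) -> bytes:
        # The browser fills in `browser_origin` from the page's actual origin;
        # the page cannot choose it. That is the anti-phishing hook.
        return _assertion(self._secret, browser_origin, challenge)


class RelyingParty:
    """The real site: issues one-time challenges and checks them against its own origin."""

    def __init__(self, origin: str, registered_key: bytes) -> None:
        self.origin = origin
        self.registered_key = registered_key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                    # unknown or already-used challenge: replay refused
        self._outstanding.discard(challenge)
        expected = _assertion(self.registered_key, self.origin, challenge)
        return hmac.compare_digest(expected, assertion)


def key_login_succeeds(key: SecurityKey, rp: RelyingParty) -> bool:
    """Genuine login: the browser is on the real origin, so the origins match."""
    challenge = rp.new_challenge()
    return rp.verify(challenge, key.sign(REAL_ORIGIN, challenge))


def key_phish_succeeds(key: SecurityKey, rp: RelyingParty) -> bool:
    """The same relay against the key: the attacker fetches a real challenge, the
    victim's key signs it while the browser is on the look-alike origin, and the
    attacker forwards the result. The origin baked into the assertion is wrong."""
    challenge = rp.new_challenge()
    relayed = key.sign(PHISH_ORIGIN, challenge)
    return rp.verify(challenge, relayed)


if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 6238 test-vector secret
    print("TOTP code relayed by phisher accepted:", totp_phish_succeeds(secret, 59))
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN, key.register())
    print("Security key, genuine login accepted:", key_login_succeeds(key, rp))
    print("Security key, relayed assertion accepted:", key_phish_succeeds(key, rp))
```

Run as a script it prints `True`, `True`, `False`: the relayed one-time code passes, the relayed key assertion does not. The relying party also discards each challenge after one use, so a captured assertion cannot be replayed later either.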
Both sources familiar with Google’s practices described how the company sends legal documents to activist groups that it affiliates with, urging them not to tell people in those countries about the availability of any Google products. Motherboard viewed a relevant section of one of these documents.
Of course, it is arguably not Google’s responsibility to provide particular communities with more security tools. The reason for limiting the distribution of the company’s tools, it appears, is embargoes against those countries, as well as export legislation, which regulates the sale or distribution of certain technologies, including those dealing with cryptography.
However, the exact contours of how that and other legislation would apply to something like a security key are not totally clear. Google declined to answer what specific sections of particular pieces of legislation it was concerned about regarding the distribution of these keys when asked by Motherboard.
Edin Omanovic, who leads the State Surveillance program at campaign group Privacy International, told Motherboard in an email, “The US has a dizzying labyrinth of sanctions and export regulations in place which affects not just companies, but individual people—sometimes even if they’re abroad. In the past we’ve seen how regulations on the export of cryptography have caused lasting long-term damage to IT security, making everyone more vulnerable.”
Digital rights experts say that tech companies are sometimes overly cautious when it comes to staying within the bounds of export and sanction law. For example, last year, chat app Slack banned an Iranian academic living in Canada, and Google hasn’t turned on certain anti-censorship tools in Iran, even though Amazon and Microsoft have enabled similar tools in the country.
Peter Micek, general counsel at campaign group Access Now, told Motherboard in an email, “Over-compliance with US sanctions and export controls, where companies take the most conservative interpretation of the often vague rules, has hampered efforts to spread secure and open access to the internet since before I can remember.”
And that can lead to concrete security issues with already at-risk users.
“When companies over-comply with sanctions and export controls, vulnerable people in the sanctioned places are forced to turn to more risky alternatives, including unlicensed software without the latest security patches,” Micek added.
Scott-Railton pointed to how during the Arab Spring, Syrian activists kept getting infected with malware because they couldn’t access the Google Play Store to download legitimate versions of apps. Instead, they turned to ones from unknown or non-official sources.
“For years Syrian regime malware groups, and others linked to Iran and Hezbollah, seeded malicious Android apps into the Syrian activist space,” he added.
Neither the US Department of the Treasury nor the Department of Commerce responded to a request for comment.
A Google spokesperson told Motherboard in a statement, “Our focus has always been to provide the best security for all of our users, and that includes protections tailored to people at elevated risk of attack. For years, we've invested in products and initiatives for these users, including: Gmail's government-backed attack warnings, support for NGOs like RightsCon, DDoS protection via Project Shield, the Advanced Protection program, and most recently, enabling phones that run Android 7.0 or higher to function as security keys. We comply with the law and will continue working to protect our users, worldwide.”