top | item 37776944

srazzaque | 2 years ago

I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

Microsoft does this too with Teams. Links that my colleagues and I share with one another to _internal company sites_ get link checked then redirected. Microsoft must have a treasure trove of data about external company employee browsing habits as a result.

I would have infinitely more respect for companies that are upfront about their intentions, no matter how nefarious: "we're doing this to help protect you from phishing. But also, 99% of links are probably not phishing. So this feature really enables us to collect data to track what you do, and perform analytics to improve our bottom line".

Why sugar-coat it?

nerdjon|2 years ago

I DESPISE these links from Outlook and Teams (not sure if it is specifically the Teams implementation or something else).

I don't know about your company but mine has us do these phishing tests and training videos all the time and then we get rid of one of the safety features that they keep hammering us about.

I can't just look at the URL before clicking it. I once "fell victim" to one of our phishing tests because I clicked the link in the email. And it's like... well we have been trained by our own email system that the only way to actually see the validity of the link is to click it.

open-paren|2 years ago

Those corporate phishing tests are often administered by KnowBe4, and KnowBe4 identifies their phishing emails with custom email headers (can't remember what it is off the top of my head). So if you view the source code of an email and look for the obvious KnowBe4 header, you can tell ahead of time.

isoprophlex|2 years ago

lol yeah. I curled the URL in a suspicious email once, to investigate what it was. YOU FAILED THE TEST. ugh...

hotnfresh|2 years ago

Our tests (Outlook email) motherfucking bypass user filters too. I wrote some so I’d never have to worry about these damn things, but they go right through.

Guess I’m going to have to configure an actual user-agent email client that won’t screw me when someone else asks it to.

dacryn|2 years ago

Funny you say that. Google is upfront about their intentions, but nobody believes them that they are not data mining this for behaviour tracking.

Can't win in that scenario

nonrandomstring|2 years ago

This old problem.

It's the word "win" that bothers me in this context.

Until one sees that conflicting models can make "security" a zero sum game, in which your security is my insecurity and vice versa, there is only psychological splitting, posturing and clamour for the "moral high ground".

Indeed, even using the word "security" as a bare noun is a mark of presumptuousness. One must always ask; Security for whom? Security against whom or what? Security to what end?

Unilaterally imposing a harm (leaking of data) upon others is disdainful, but then offering "security" as your reason/excuse, is condescending, since you do not know what my security needs are and how they are prioritised.

When it comes to messing with my data or devices "for my own good" the only proper response is "I'll be the judge of that!"

Many then respond that "people are too stupid and need a firm hand", which is not a good look, and frankly cuts to the core of so many problems in technology today.

Companies like Google need a better moral, sociological and psychological map of reality before putting on their boots and marching off down the road of good intentions in the direction of Hell.

glimshe|2 years ago

They can't win as a result of their own actions. Once you lose trust, it's hard to regain it.

srazzaque|2 years ago

Interesting, I wasn't aware Google had actually stated "we don't use this data for tracking, and we only use it for link protection" (does it?).

Assuming true: you are right in that it's basically no-win. The fact that Google draws so much revenue from advertising makes it difficult to reconcile.

Nothing short of a third-party code audit of Google's code against their asserted privacy policy would appease everyone. And even then, there would be doubters.

nerdponx|2 years ago

Why would anyone believe that they aren't? Or that they won't start doing it?

yafbum|2 years ago

You could say f-ck it, if nobody believes us anyways, let's just track the sh-t out of everything then

ladzoppelin|2 years ago

That's because they straight up lie about some things and use half truths for other things all while thinking they are being clever.

JKCalhoun|2 years ago

Since U.S. public school districts and students under the age of 18 use Google Docs pretty much exclusively these days, this seems like a privacy lawsuit waiting to happen.

callalex|2 years ago

I’m sure they can just print out a little pamphlet to shove in the Chromebook box that says “by being in the same room as this computer you agree to blah blah blah”. US consumer protection laws are worthless.

userbinator|2 years ago

I encounter similar annoyances with things like "link previews" (impossible for an internal site, or one which requires authentication), and as a result have come to slightly "obfuscate" all links I send through such software. Sometimes I just don't send any links at all --- something like "HN item 37776492" suffices.

jabroni_salad|2 years ago

Where I work the onboarding sheet instructs you to make a custom search engine for ServiceNow because it's way faster to bang in the record number than to use a link in Teams.

diogenes4|2 years ago

Why is this added to exported documents tho? It should only add the redirect in the browser.

hackideiomat|2 years ago

And there it is not needed. You could implement this in JS.

tmpX7dMeXU|2 years ago

How does the fact that most links aren’t phishing links play into anything? Maybe we don’t need AV because most files aren’t viruses? You had enough of a point without this.

TeMPOraL|2 years ago

> Maybe we don’t need AV because most files aren’t viruses?

Since you used that example...

How would you feel if everyone in their neighborhood got assigned a private security officer that sits in their apartment doorway all day and notes who comes and goes? The company argues that it's to protect from the thieves and fraudsters, and indeed there are always some break-ins or grandparents scammed somewhere. Oh, and everyone gets an officer free of charge - it's paid for by the ads they wear on their vests and that play regularly on their walkie-talkies. Would you trust the security company that all the notes, taken by a person in the privileged position of observing everything in your home, will only be used to prevent crime and nothing else, ever?

Back to your example - AV companies are quite shady these days, and their products not all that useful relative to costs/damage and snooping they do.

srazzaque|2 years ago

I see your point, but comparing this with an off-line AV scanner with a regularly updated internal database (assuming that's what you meant) is not an apt comparison.

The analog would be an AV scanner that sends a list of your files/hashes to a centralised server somewhere, so that the company can target ads related to your file contents (or sell your data...), in addition to warning you about viruses.

Agreed that % true positive is not a factor in whether or not to have a given security feature. But it is merely convenient that the vast majority of the usage of this "link protection" feature would benefit Google/MS and not the customer/user (assuming that Google/MS are data mining, which is yet unproven in this use case).

agluszak|2 years ago

> I'm pretty sure the stated intent of the redirect is to prevent phishing (that is, provide an opportunity for Google to warn users about visiting a known dodgy site). The ability to track is just an added bonus!

How do you know it's not the other way round?