September 8, 2024: Gmail Account Takeover: Super Realistic AI Scam Call
by Sam Mitrovic. The story of a super realistic AI scam phone call that could trick a vast number of people.
The scam starts with a fake notification to approve a Gmail account recovery attempt. This was shortly followed by a missed phone call where the number showed as
a valid Google phone number. Never forget: caller ID can be faked. A week later, another fake notification to approve the potential victim's Gmail account recovery.
Again, this was shortly followed by a phone call that the victim, this time, answered. The scammer on the phone says there is suspicious activity on the account. Note that
this is a very common claim in the world of scams. The scammer says someone logged in to the victim's account from Germany (the victim is not in Germany),
that someone has had access to the victim's account for a week, and that they have downloaded the account data.
The scammer then sends an email; note again that spoofing an email address is possible. Turns out the voice on the phone was an AI.
The bad guys were using Salesforce CRM, which allows you to set the sender address to whatever you like and send email through Gmail/Google servers, so the message looked like it came from Google.
Had the victim approved the account recovery notification, the bad guys would have gained control of the account.
Note that Google does not call Gmail users unless you have a Google Business Profile connected to the account.
Also know that you can verify whether someone else has logged into your account: click on your Gmail profile photo in the top right corner -> Manage your Google Account -> Security -> Recent security activity.
Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.
- Nifty trick: If you use Windows and Google Drive, then you can make your Google Drive files appear to Windows as a drive letter. This offers a faster and more familiar interface.
The first step is to install Google Drive for Desktop. A detailed description of installing and configuring this is here: How to Add Google Drive to File Explorer by Mahesh Makvana for How To Geek (May 2022). Note however that the article implies Google cannot read your files. Google can read your files.
- Normally Google spying is invisible. But, in February 2024, my family ran into a new, quite visible aspect of their spying while planning a trip overseas. Details are in my blog: A new aspect of Google's spying. In brief: Google keeps a profile of your public IP address.
- You can customize Google ads in two ways - either disable personalization completely or tell Google the topics you are interested in. Both changes can be made at
- Google Account: Set up a recovery phone number and recovery email address ASAP. Do it here: Manage your Google Settings
- Google Account: Most tracking is configured at Activity Controls
- Google Account: Data and Privacy has settings for Search Customization, YouTube Search and Watch History, Ad settings and Opting out of Google Analytics.
- Google Account: Web & App Activity is a major privacy setting. More from Google in this undated writeup: Find & control your Web & App Activity. Quoting: "If Web & App Activity is turned on, your searches and activity from other Google services are saved in your Google Account, so you may get more personalized experiences ..." It is on by default, turn it off for more privacy.
Google has faced multiple lawsuits over location tracking. When a Google account is configured to not save Location History, the location is still being tracked if Web & App Activity is enabled. This was seen as false advertising and first came to light in this August 2018 report from the AP, AP Exclusive: Google tracks your movements, like it or not by Ryan Nakashima. Part of the fallout from that article was a Nov. 2022 fine paid by Google. See Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location. In response to this fine/settlement Google issued this statement: Managing your location data (Nov. 2022).
- Google Account: Account settings -> People & sharing -> About me (under Choose what others see). Good is "Only you". Bad is "Anyone".
- Google Account: Do a Google Privacy Checkup
- Google Account: November 3, 2024: You're overexposed online. This service fixes 223 privacy settings for you. Geoffrey A. Fowler for the Washington Post. The article is about an extension/service from a startup called Block Party. It is available on the Windows, macOS and Linux versions of Chrome, Firefox, and Edge. It works on the websites of Facebook, Instagram, Google, YouTube, X, LinkedIn, Reddit, Strava and Venmo. For these 9 companies, it reviews your privacy settings, recommends changes and can make the changes for you. There is a 7-day trial, after which the service is $20/year. I would add to the article that you might want to disable the extension when you are not using it. Quoting: "Tech companies want to collect as much of your data as possible, and, often, to share it widely. So they present privacy and other settings with so many confusing knobs and buttons that it feels like flying a 747. There are 44 different privacy settings on Facebook alone. Worse, apps move around settings - and keep adding new ones that find more ways to exploit your personal data."
- Google Account: See what Google knows about your travels using their Maps Timeline. Sometime in Oct or Nov 2019, Google will introduce a new Incognito mode in the Google Maps app. To turn it on: tap the account icon in the upper-right corner, then tap Turn on Incognito mode.
- Google Account: See what Google is tracking of your activity at As of May 2021, we can password protect this page so a borrowed device does not leak this data. On the page: click "Manage My Activity verification" -> "Require extra verification". From How to password-protect your Google activity history (May 2021)
- Google Account: periodically check on security at There is a lot here, including:
Recent Security Activity, Recovery phone and Recovery email. In the "Your Devices" section make sure you recognize all the devices. Review the saved passwords. Review the section "Your Connections to third-party apps and services"; the most secure result there is nothing listed. See also How to revoke third-party app access from your Google Account by Jack Wallen for ZDNet (June 8, 2023). The article suggests: -> Security -> Manage third-party access.
- Google privacy settings to change now by Heather Kelly for the Washington Post (September 2021).
- This May 2019 article in Wired: All the Ways Google Tracks You - And How to Stop It, touches most of the bases, covering the configuration of a Google account, Android, iOS and searching. A must read. Similar: Are you ready? Here is all the data Facebook and Google have on you by Dylan Curran for The Register (March 2018).
- Start at /activitycontrols
Note that if something is in a Paused status, it is still keeping a history. To set it to auto-delete, you will have to enable it first. Several Google products, including YouTube, can be set to auto-delete here. As of Oct. 2019 the only choices are auto-delete after 3 or 18 months. To auto-delete search history, use the Web & App Activity setting.
- April 26, 2024: How to delete the data Google has on you by David Nield for The Verge. The article starts with manual deletions, then goes into automatic deletions. The manual process starts at
Look for Data and privacy (on the left) -> History settings. More details are in the article.
- August 2020: You Should (Probably) Delete Your Google Data - Here’s How by Brendan Hesse for Lifehacker
- October 2019: Google's auto-delete tools are practically worthless for privacy by Jared Newman for Fast Company
- Turn off ad personalization at
- Google Maps: it is full of fake business listings. Big June 2019 story in the Wall Street Journal. More here and here. Hundreds of thousands of fake listings are created each month. Total scam businesses estimated at 11 million. In 2018, Google removed more than 3 million fake businesses. Google's PR response included this: "it's important that we make it easy for legitimate businesses to get their business profiles on Google". Translation: nothing will change. Here is where to report a fake.
- Google Maps: How to blur your house on Google Street View (and why you should) by Jack Morse (Sept 2020). Enter your home address into Google Maps, look at your home in Street View, click "Report a problem". And, do the same thing on Bing Maps. No mention of Apple Maps.
- Browsing: Here is another reason not to be logged on to Google all the time: the latest version of their reCAPTCHA might be logging every web page you visit.
- Browsing: Maybe install the Google Analytics opt-out browser add-on. This is a browser extension for Chrome, Safari, Firefox and Edge. It lets you prevent your data from being used by Google Analytics.
- The Voice Assistants section has a sub-section with Google Assistant defenses
- The Location Tracking topic has a lot of defenses for Android and Google users
- For Google Search, see the Search Engines page
- See the Gmail topic
- If you have a Nest Cam or Nest thermostat, be aware that according to this April 2019 article in the Washington Post, Nest security is sub-optimal. The article suggests using a unique password (always a good idea) and two factor authentication with the device.
Taking a step back ... Google? Really? In a camera in your home? Really?
- Speaking of Nest: the Nest camera, Nest Hello doorbell and Dropcam cameras no longer (as of Aug 2019) let owners disable the status light that indicates the camera is on. Google did this for privacy reasons, but some people don't like advertising the camera's existence to intruders in a dark room. Just cover the light with tape. And, be sure to apply bug fixes to the Nest Cam IQ (Aug 2019).
- Google Calendar: A new type of SPAM. Bad guys can email invites to scam events and Google will add them to your calendar without your confirmation. To stop this, go to, log in, click the gear icon, go to Settings, then Event settings, then "Automatically add invitations" and select "No, only show invitations to which I have responded". Maybe also disable automatically adding events from Gmail to your calendar.
- September 2023: How to Delete Your Google Account Permanently by Leo Notenboom. His suggestions: Use Takeout to create a backup of the account contents first, then maybe secure the account against being hacked and then simply abandon it. This way, if you forgot something you need, it is possible to sign back in to get it. The actual Delete option is under Data & privacy.
- Google avoidance: The complete list of alternatives to all Google products by Sven Taylor of Restore Privacy (last updated October 2019). How to replace each Google service with a more privacy-friendly alternative by Ed Bott of ZDNet (October 2019). French software company Framasoft created the De-google-ify Internet website.
- From Google: The Advanced Protection Program safeguards users with high visibility and/or sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats. Advanced Protection requires you to use a security key to verify your identity and sign in to your Google Account. Note that while the use of Advanced Protection is free, the security keys are not.
- March 20, 2024: Google's Advanced Protection Program is great, it's a shame the company rarely mentions it by Runa Sandvik. Most of the article is a gripe (that I share) that too many articles about spyware lack guidance about defensive steps.
- If bad guys have taken control of your Google account, start here: Tips to complete account recovery steps
- You can download all your photos from Google with: go to -> Sign in if prompted -> Deselect All -> Find Google Photos in the list and click the checkbox -> Blue Next step button -> Default of send download link via email is fine -> default of Export Once is fine -> choose zip or tgz file type -> Default maximum file size of 2GB is fine -> Blue Create Export button. Google warns that it might take hours or days before it's ready. When I tested this, the download required multiple files and the file names were in this format: takeout-yyyymmddT999999Z-001, where the date was the date of the request, I don't know what the time format was, and 001 was the sequence number for the first file. The generated download(s) are available for about a week.