It’s been more than six years since Google launched the Advanced Protection Program, a free security feature designed for high-risk individuals. The goal of the program, which anyone can sign up for, is to make it harder for an attacker to gain access to your account. To achieve this, Google requires that you use physical keys, such as the YubiKey, for two-factor authentication. The use of physical keys helps defend against phishing too, since there’s no SMS message or notification that you can be tricked into sharing or taking action on. The program also provides extra protection from harmful files, malicious third-party apps, and impersonation attempts.
The Advanced Protection Program is great. It’s a shame Google rarely mentions it.
When I worked for The New York Times in 2017, I told a journalist that “I don’t see a reason why you shouldn’t turn this on.” I stand by that. The program is especially helpful for people targeted by government-based attackers. Meduza, a Russian independent media outlet exiled in Europe, shared last week that Google recently alerted staff of multiple, targeted attempts to compromise their accounts. In September, Access Now and Citizen Lab reported that Meduza’s co-founder and publisher, Galina Timchenko, had been targeted with the Pegasus spyware, though neither attributed the attack to a specific government.
I think too many articles about spyware lack guidance for high-risk communities. The same can be said about posts from Google’s Threat Analysis Group. Don’t get me wrong, the research is good, but the posts often stop short of recommending any defensive measures. For example, it would have been easy for Google to mention Apple’s Lockdown Mode in this post about 0-days exploited by a surveillance vendor in Egypt. Or mention the Advanced Protection Program in this post about a Russian actor focused on phishing against high-profile individuals in NGOs. I think both are missed opportunities to raise awareness of these features.
One could argue that the Threat Analysis Group writes for a technical audience: the analysts, researchers, and technologists whose job it is to stay informed and suggest next steps in their own organizations. But, as I argued in my keynote at MITRE’s ATT&CKcon last year, the challenge is that high-risk individuals and communities often don’t have these people. It falls to the individuals themselves to learn about potential threats and necessary mitigations, on top of doing their day jobs. That’s an incredibly difficult task.
Those who risk harassment by government-based attackers would greatly benefit from learning about Lockdown Mode and the Advanced Protection Program, ideally before they are first targeted. I’d love to see Google consider these people part of the audience that they write for and include not just the technical nitty-gritty, but also information about the very good, very usable defenses that exist today. I’m confident that’ll go a long way in helping high-risk individuals secure themselves and continue to do their work safely.