Will cyberthugs exploit Google Plus 'identity service' for spear phishing attacks?

While some people thought Facebook wanted to issue your Internet driver's license, Google's insistence on real names in G+ profiles as an "identity service" seems to be shooting for the right to be your "trusted" online ID passport. But using a pseudonym in a Google Plus profile doesn't immediately imply you are evil, although it might to Google since it's all about marketing and making Google even more money. What if, to cyberthugs with no-to-low ethics, all that publicly available Google info is a giant spear phishing opportunity waiting to happen?

NPR's Andy Carvin has a red-hot post on G+ about asking former Google CEO Eric Schmidt how Google justifies its Google profile real name policy. Schmidt admitted that G+ is meant to be "primarily an identity service." Carvin summed up Schmidt's other remarks as:

Regarding people who are concerned about their safety, he said G+ is completely optional. No one is forcing you to use it. It's obvious for people at risk if they use their real names, they shouldn't use G+. Regarding countries like Iran and Syria, people there have no expectation of privacy anyway due to their government's own policies, which implies (to me, at least) that Schmidt thinks there's no point of even trying to have a service that allows pseudonyms. Unfortunately, the way the Q&A was conducted, I wasn't in a position to ask him a followup on this particular point.

He also said the internet would be better if we knew you were a real person rather than a dog or a fake person. Some people are just evil and we should be able to ID them and rank them downward. 

On the question of Google Plus profiles as a real-name 'identity service' and whether Google is being evil, a comment on Hacker News said, "the root motivation most people including myself see is that it's about control. And things that try and control other things are evil."

If you recall, Google has facial recognition capabilities to use on social network photos, and even now G+ profiles suggest, "There are no photos of JaneDoe (whoever, insert name). Upload a photo of JaneDoe and tag them now!" Adding Google's +1 button on websites is optional too, but sites that choose not to use it may very well lose ranking in Google search results. While Schmidt pointed out that G+ is optional, this funny video may perhaps have nailed the situation quite accurately.

So are you less trustworthy under a pseudonym, as if that means you will give in to your secret online dark side under a shadowy personality? Despite the Google Plus backlash after banning users for not using 'real names,' Google seems to have no intention of backing down from this loss of privacy and freedom. This mindset creates a type of constant surveillance that we willingly buy into by posting too much personal information, 'cause that's what social networking is about. When addressing the "slippery slope" of what happened to your constitutional rights, the loss of privacy via social media, Michael "theprez98" Schearer said at DefCon, "just because we can share, don't mean we have to."

Security guru Bruce Schneier once wrote:

Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance. We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.

If it's not about privacy, then what if we look at Google Plus and real name profiles in terms of security? Matthijs R. Koot blogged about pulling 35 million Google Profiles into one database without his connection being blocked. Koot mentioned how Google profiles warned that your email address is publicly discoverable. He added:

"With no apparent download restriction in place for connections to https://profiles.google.com and Google users disclosing their profession, employer, education, location, links to their Twitter account, Picasa photo albums, LinkedIn accounts et cetera this seems like a large-scale spear phishing attack waiting to happen? But hey, the users HAVE been warned."

Unless Google personnel are using a guaranteed mind-reading hack, how can a real name policy identify if a person is evil? Ah, but it does tie the delicious data dossiers to your real life world — the better to target ads and sell you stuff. Just look at the Justice Department news about Google's recent forfeit of $500 million due to posting illegal Canadian pharmacy ads. Did Google know it was wrong or perhaps 'evil'? It was a gamble Google lost, but the temptation must have been too strong to pass by without trying it.

Regardless of the 'free' service, don't forget Google is a business motivated by profit. $ome people might $ay, Google ha$ lo$t all concept of Don't Be Evil.

Copyright © 2011 IDG Communications, Inc.
