Most people who follow technology news are familiar with the media’s portrayal of Microsoft as the Big Bad Corporation and of Google as the heroic underdog that has come to save the day. Google’s motto of “Do No Evil” has garnered a lot of good press for them, but over the years (and billions of dollars later), they seem more and more like the other big players in tech software. Despite their increasingly underhanded actions, though, they continue to get good press.
I was a bit shocked at the article I read on ZDNet this morning about a study that said silent patching is more secure and Google was awesome for doing it. Recognizing that I often rip on ZDNet for their writing, I want to state up front that this article is almost everything that is right about journalism. It stayed fairly neutral, presenting the facts and letting the reader reach their own conclusion. However, even the minimal back-patting I perceived towards Google set me on edge. What’s more, the study the author is using to defend the premise that silent patching (which Google apparently did recently with their web browser, Google Chrome) is more secure was co-authored by Google.
It’s amazing how positive your company’s security practices can look when you write your own security papers that state that what you are doing is The Right Thing™.
A couple of years ago, Microsoft performed a similar stealth update that caused many to pull ye olde pitchfork out of the hay pile and begin gleefully brandishing it at the sky, railing at their over-confident god. Torches were lit and the ground shook under the tramp of the marching masses, though in reality nothing much came of it. People complained and posted online and that was that. Linux perhaps won a few more converts (I had already left Microsoft completely by that time, but it certainly boosted my self-satisfaction).
There are certain things I agree to when using free software, and I recognize that I grant the company providing that software some liberties in exchange for services. I expect and accept that Google mines my email so they can better sell me advertisements–if I really cared about my email being private, I’d run my own encrypted server and that would be that. But I like GMail and I’m willing to part with certain liberties for its use. When I install a piece of software on my personal computer though (rather than just running it through a web browser), I come away with a set of expectations. Even though I downloaded the software, it still asked me if I wanted it to be installed. When my word processor or music applications release updates, they ask if I want to upgrade. Similarly, when my web browser needs an update, I expect it to prompt me.
What’s more, software updates can and do break things. This is why we turn Automatic Updates off for all of our servers. Yeah, updates are important and need to be installed, but you don’t just put that stuff on willy-nilly. If an update breaks an existing service, that needs to be sorted before you roll it out. IE 8 is now a critical update for Windows XP, but if it didn’t work with our software, there’s no way we would install it. Just the same, we need to test all updates before installing them, and that ability is taken away when the company pushes a stealth update. Silent patches risk the integrity of our work and the services we provide, and should simply never happen.
In the end, this is my computer, not yours. You don’t just install stuff on it without asking me. That’s not what we agreed to, and if you think it is, then I’ll just have to walk away. You can be sure, Google Chrome won’t be installed on another computer by me in the future.