A couple weeks ago, Google announced that advertisers on its platforms will have to verify their identities and their businesses. They will have 30 days to comply.
On its face, this seems like common sense and a good idea. The internet has been rife with fraudulent Covid-19 schemes targeting stimulus checks, selling snake oil cures, and price gouging on hard-to-acquire products. The reality is less clear-cut.
Google's new policies seem like marketing more than security. While it's likely to make customers and businesses that use its online advertising platform feel safer, it could easily have the opposite effect. A company with Google's reach, resources, and oftentimes incredibly granular data isn't likely to be made any more secure by collecting and gathering digital documents from its clients. It might, however, be putting businesses at greater risk of fraud and data compromise.
The first issue here is Google's track record when it comes to data mining and privacy. The company is the most successful, and also one of the most appetitive compilers of personal information in digital media.
While it's fairly common knowledge that Google's Chrome browser is no stranger to controversy when it comes to tracking users and collecting data, there is more worrisome activity that gets far less attention. The company aggregates data from its phones, tablets, home media devices, personal assistants, website searches, analytics platform, and even offline credit card transactions. To say that it already has access to data about businesses and individuals would be an understatement and only serves to underscore what's wrong with this latest initiative.
There has been plenty of opportunity for Google put its vast stores of data to use in the identification of bad actors on its platforms with a greater level of sophistication than anything that could be gleaned from digital copies of personal and employee identification numbers or business incorporation documents. They already have everything they need to determine if someone is from the U.S. or Uzbekistan.
Occam's Razor points to two explanations. First, Google is doing what it does best: collecting more information. Or, two, Google is doing what it does best: using information to solve an information problem. Either way, it's not a very memorable solution.
Ignoring the Realities of Business Identity Theft
It seems naive to take the position that the submission of digital copies of documents can provide a reliable way to establish the identity of a particular business. In an era when Social Security numbers and tax IDs can be bought by the millions on the dark web and computers are capable of rendering real-time deepfakes on videoconference calls, faking a document or credentials is child's play for any scammer worth his or her bitcoin.
For starters, this easily flouted protocol engenders a false sense of security for internet users who assume Google's verification process works. If this sounds cynical, remember that Facebook tried something like this following the widespread manipulation of its platform during the 2016 election. It failed.
This practice also puts a target on businesses. At a minimum, it will require the widespread transmission of digital copies of potentially sensitive business documents, which opens the door to scammers trying to intercept that data. Business identity theft is a very real threat, and access to a business's credentials can leave it vulnerable to data breaches, fraud, cyberattacks, and worse. At a maximum, it could actually boost the market for illicit or compromised information on businesses as a means of supplying fake credentials to Google.
We've seen time and again that scammers are creative and extremely persistent when it comes to gaining access to sensitive data, and we can only assume any ill-considered move to protect data will be viewed as a growth opportunity for cybercriminals.