May 1, 2017

Security and the cyber giants: The stoush between Google and Symantec

Whilst browsing the web you may have noticed that some URLs have little padlocks next to them. Although these symbols are often nondescript, they are significant components of our digital infrastructure that indicate a third-party Certificate Authority (‘CA’) has verified the website as legitimate and trustworthy. Without CAs and their padlocks, it would be hard for us and our browsers to know what websites we can trust with our information – for example, inputting your payment details into a website without a padlock is not unlike using an Uber to send your wallet, in a see-through envelope, to an address you’re not sure about.

The underlying processes of digital certification have recently set the stage for a stoush between two of the world’s most significant software and tech companies, Google and Symantec. 

So, what’s going on with Symantec and Google?

Since late January 2017 Google and Symantec’s relationship has become increasingly strained following the publishing of a Google Group post by Andrew Ayer, an independent researcher. Ayer discovered a number of digital certificates had been mis-issued by Symantec, and thus Symantec padlocks (and their notions of trustworthiness) had been incorrectly and misleadingly applied to corresponding websites.

Understandably, parties with commercial interests in providing and implementing meaningful digital certificates responded with concern, and subsequently Google launched an investigation into the matter. The investigation confirmed the security breaches arose from Symantec’s inability to maintain regulatory standards in respect of some of its sub-contracted Registration Authorities (‘RAs’) who act as intermediaries between users seeking certificates and the CAs that issue them. This was particularly concerning for Google given Symantec had already conducted an audit in mid-2016 and undertook to remedy similar security flaws in respect of certificates it had issued itself.

Amongst continuing efforts to distance Google Chrome from any negative repercussions regarding digital security concerns, Ryan Sleevi, a Google Software Engineer, published a proposal to another Google Group. Specifically, Sleevi suggested Chrome should protect itself against Symantec’s security deficiencies by reducing and eventually removing trust in all existing Symantec-issued certificates. In response, Symantec labelled Sleevi’s post as “exaggerated and misleading”, and claimed that it was being unfairly singled out from other CAs with similar practices.

What are the consequences?

Without speaking to the particulars of the dispute or the appropriateness of Google or Symantec’s actions, this article looks briefly at the legal and commercial consequences of the relationship breakdown between the cyber giants.

Firstly, in the short term, there is a risk of significant business disruption to Symantec given the extent of its CA operations (Symantec issues roughly 30% of new certificates worldwide) and the popularity of Google Chrome (Chrome is far and away the most used browser on the internet with roughly a 58% market share). However, the disruption will also be felt by customers who face the following specific consequences:

  • Any existing certificates that are not set to expire in the next few months will need to be re-issued and re-installed.
  • If customers have paid for a validity period longer than nine months (which is very likely), they may face complications in respect of the services to be provided from month ten onwards.
  • Customers who have purchased premium Extended Validation (‘EV’) certificates will be required to purchase relatively more expensive Domain Validated certificates – this is because under Sleevi’s proposal Google will not recognise Symantec-issued EV certificates for at least one year.

It is possible the related costs will be absorbed by Symantec, either directly in re-issuing new Chrome-trusted certificates, or through pro rata adjustments to customers’ certificate fees during their renewal processes. Whilst these solutions may seem reasonable, large software companies have previously been resistant to adjusting the rights and obligations of their (typically) internationally written standard form contracts.

In Australia, certain contractual doctrines and provisions of the Australian Consumer Law (‘ACL’) could force Symantec to provide relief to customers if it can be shown there were unreasonable shortcomings in either its products, or the terms of contract by which it may seek to deny such relief. However, whether this is applicable will be determined by whether the Australian Competition and Consumer Commission (‘ACCC’) chooses to act.

Protecting Chrome’s integrity or another agenda?

Some commentators have noted that Sleevi’s proposal is curious, since it appears more directed to punishing and damaging Symantec’s business operations rather than ensuring its regulatory compliance.

Whilst there is no conclusive evidence to suggest any wrongdoing, it is an interesting coincidence these events have occurred during the process of Google establishing and expanding its new venture, Google Trust Services. One of the functions of Google Trust Services is to operate Google’s own CAs in order to eventually achieve self-sufficiency in issuing certificates for its own products and services. However, it may also be the case that Google will eventually expand its operations and issue certificates to non-Google parties.

Relatedly, Google has also launched a public register of trusted certificates called Certificate Transparency. Google’s present goal is to audit and monitor the use of Google certificates, but it is similarly foreseeable this service may one day be offered to third parties.

Whilst there are no issues in the current circumstances, it is also notable how Google’s constant expansion into internet infrastructure could form the basis of future breaches of Australian competition law as outlined by the Competition and Consumer Act 2010 (Cth) (‘Act’). Broadly speaking, such breaches would arise if Google’s actions lead to a ‘substantial lessening of competition’ within Australia. For example, Google could breach section 46 of the Act (“misuse of market power”) by using its size and dominance of internet infrastructure to undercut Symantec’s competing CA services. Similarly, Google may also engage in anti-competitive “exclusive dealing” (as defined by section 47 of the Act) by directly pressuring Chrome users, through pricing or service considerations, to prefer Google’s CA services over those of Symantec. It is noted that a Russian court has recently fined Google for heavy-handedly encouraging Android smartphone manufacturers to install Google applications in exchange for access to the hugely popular Play Store app marketplace.

Concluding remarks

Although the battle lines between Google and Symantec have not quite been drawn yet, they are being traced. The certification case highlights two significant issues.

Firstly, it serves as a clear reminder of our blind dependence upon the standard security systems and software infrastructure that underpin our communications networks.

Secondly, this situation shows how consumers may get caught in the wake of shifting relationships between tech giants. For Australian consumers, economic loss can arise out of the need to readjust or renew frustrated service agreements, or more indirectly through being subject to uncompetitive behaviours.

The information above is general in nature. If you would like to learn more about data law, please contact us below.
