Without best security practices, the privacy-preserving policies of a company become irrelevant if faced with a motivated threat actor. This is why GDPR holds companies accountable for their data breaches.
I expect many big companies to rethink their security practices in light of GDPR, which will be one of the major privacy benefits for citizens under the new regulation. But Google, who are considered among the worst offenders against privacy, already achieve digital security far surpassing industry best practices, while employing many of the most capable and renowned security professionals.
Maciej Cegłowski and Tech Solidarity argue that most citizens, journalists, and even activists are best protected with certain Google products like Gmail and ChromeOS if paired with good personal security practices like U2F security tokens. The core assumption here seems to be that your threat model should not include personalised attacks by the NSA if that would mean weakening your security posture against hackers.
Having tried out Google Advanced Protection and having made an effort to tighten my other web accounts’ authentication, I can say that Google certainly offer the best account security I’ve seen. For example, there seems to exist no other email provider that offers U2F or a comparably phishing-resilient authentication method. Even ProtonMail, who position themselves with a focus on privacy and security, only offer regular 2FA. Cegłowski also specifically distrusts their security.
While I continue to support ProtonMail, the problem is much worse with smaller indie players. The friendly no-nonsense domain registrar I used to use, iwantmyname.com, only allows for Authy-based 2FA, susceptible to attacks on SMS infrastructure. Micro.blog only has email-based login without any additional account security. And Google Drive and Dropbox are the only cloud storage providers that support U2F.
The point about ChromeOS is also hard to refute. It is the only desktop OS that, like iOS, authenticates hardware using a chain of trust, has a read-only system partition, prevents OS rollback to old and insecure versions, and prevents non-trusted code execution. By design, it is even more secure than macOS. A similar point seems to hold true for the Chrome browser, which still has better sandboxing than Safari. Firefox and Tor Browser are even worse.
So, what’s the way forward? Google products track you by default, but every alternative has worse account security. I often try out beautiful indie web projects, but abandon them because they value freedom and decentralisation over security engineering. Many of them couldn’t live up to my security expectations if they tried because securing some platforms requires either the resources or knowledge only companies like Google have. There are privacy products that succeed and don’t have these problems, such as DuckDuckGo and Signal. Projects by EFF like Privacy Badger and HTTPS Everywhere also work inside the Chrome browser to make a difference toward privacy. But I fear that other areas make competition all but impossible, leaving us only with the option of regulating companies like Google.