E+Co Alerts


Security and the cyber giants – The stoush between Google and Symantec

Whilst browsing the web you may have noticed that some URLs have little padlocks next to them. Although these symbols are often nondescript, they are significant components of our digital infrastructure: they indicate that a third-party Certificate Authority (‘CA’) has issued a certificate vouching for the website, so that your browser can treat it as legitimate and trustworthy. Without CAs and their padlocks it would be hard for us and our browsers to know which websites we can trust with our information. For example, inputting your payment details into a website without a padlock is not unlike using an Uber to send your wallet, in a see-through envelope, to an address you’re not sure about.

The underlying processes of digital certification have recently set the stage for a stoush between two of the world’s most significant software and tech companies, Google and Symantec.

So, what’s going on with Google and Symantec?

Since late January 2017, Google and Symantec’s relationship has become increasingly strained following the publishing of a Google Group post by Andrew Ayer, an independent researcher. Ayer discovered that a number of digital certificates had been mis-issued by Symantec, and thus Symantec padlocks (and the trustworthiness they signal) had been incorrectly and misleadingly applied to the corresponding websites.

Understandably, parties with commercial interests in providing and implementing meaningful digital certificates responded with concern, and Google subsequently launched an investigation into the matter. The investigation confirmed that the security breaches arose from Symantec’s failure to maintain the required standards in respect of some of its sub-contracted Registration Authorities (‘RAs’), which act as intermediaries between users seeking certificates and the CAs that issue them. This was particularly concerning for Google given that Symantec had already conducted an audit in mid-2016 and undertaken to remedy similar security flaws in respect of certificates it had issued itself.

Amongst continuing efforts to distance Google Chrome from any negative repercussions regarding digital security concerns, Ryan Sleevi, a Google Software Engineer, published a proposal to another Google Group. Specifically, Sleevi suggested Chrome should protect itself against Symantec’s security deficiencies by reducing and eventually removing trust in all existing Symantec-issued certificates. Symantec’s immediate response was to label Sleevi’s post as “exaggerated and misleading”, claiming it was being unfairly singled out from other CAs with similar practices. In late April Symantec published an official response to Sleevi’s post, explaining its position as well as the steps it has taken, and plans to take, to address the issues raised by the Google Group posts.

What are the consequences?

Without speaking to the particulars of the dispute or the appropriateness of Google or Symantec’s actions, this article looks briefly at the legal and commercial consequences of the relationship breakdown between the cyber giants.

Firstly, in the short term, there is a risk of significant business disruption to Symantec given the extensiveness of its CA operations (Symantec issues roughly 30% of new certificates worldwide) and the popularity of Google Chrome (Chrome is far and away the most used browser on the internet, with roughly a 58% market share). However, the disruption will also be felt by customers, who face the following specific consequences:

• Any existing certificates that are not set to expire in the next few months will need to be re-issued and re-installed.

• If customers have paid for a validity period longer than nine months (which is a very likely occurrence), they may face complications in respect of the services to be provided from month ten onwards.

• Customers who have purchased premium Extended Validation (‘EV’) certificates will be required to purchase relatively more expensive Domain Validated certificates; this is because under Sleevi’s proposal Google will not recognise Symantec-issued EV certificates for at least one year.

It is possible the related costs will be absorbed by Symantec, either directly by re-issuing new Chrome-trusted certificates, or through pro rata adjustments to customers’ certificate fees during their renewal processes. Whilst these solutions may seem reasonable, large software companies have previously been resistant to adjusting the rights and obligations set out in their (typically) internationally written standard-form contracts.

In Australia, certain contractual doctrines and provisions of the Australian Consumer Law (‘ACL’) could force Symantec to provide relief to customers if it can be shown there were unreasonable shortcomings in either its products or the contractual terms by which it may seek to deny such relief. However, whether this applies will be determined by whether the Australian Competition and Consumer Commission (‘ACCC’) chooses to act.

Protecting Chrome’s integrity or another agenda?

Some commentators have noted that Sleevi’s proposal is curious, as it appears directed more at punishing and damaging Symantec’s business operations than at ensuring its regulatory compliance.

Whilst there is no conclusive evidence to suggest any wrongdoing, it is an interesting coincidence that these events have occurred while Google is establishing and expanding its new venture, Google Trust Services. One of the functions of Google Trust Services is to operate Google’s own CAs in order to eventually achieve self-sufficiency in issuing certificates for Google’s products and services. However, it may also be the case that Google will eventually expand its operations and issue certificates to non-Google parties.

Relatedly, Google has also launched a public register of trusted certificates called Certificate Transparency. Google’s goal for now is to audit and monitor the use of Google certificates, but it is similarly foreseeable this service may one day be offered to third parties.

Whilst there are no issues in the current circumstances, it is also notable how Google’s constant expansion into internet infrastructure could form the basis of future breaches of Australian competition law as set out in the Competition and Consumer Act 2010 (Cth) (‘Act’). Broadly speaking, such breaches would arise if Google’s actions led to a ‘substantial lessening of competition’ within Australia. For example, Google could breach section 46 of the Act (“misuse of market power”) by using its size and dominance of internet infrastructure to undercut Symantec’s competing CA services. Similarly, Google may also engage in anti-competitive “exclusive dealing” (as defined by section 47 of the Act) by directly pressuring Chrome users, through pricing or service considerations, to prefer Google’s CA services over those of Symantec. It is noted that a Russian court has recently fined Google for heavy-handedly encouraging Android smartphone manufacturers to install Google applications in exchange for access to the hugely popular Play Store app marketplace.

Concluding thoughts

Although the ‘battle lines’ between Google and Symantec have not quite been drawn yet, they are in a sense being traced, and the circumstances highlight two significant issues.

Firstly, they serve as a clear reminder of our ‘blind’ dependence upon the standard security systems and software infrastructure that underpin our communications networks.

Secondly, this situation shows how consumers may get caught in the wake of shifting relationships between tech giants. For Australian consumers, economic loss can arise out of the need to readjust or renew frustrated service agreements, or more indirectly through being subject to uncompetitive behaviours.

We are happy to provide further legal guidance on protecting your interests in a digitised society and economy, and can be contacted using the details below:

Kelly Tomasich
Senior Lawyer
02 8399 1043

Noyan Nalbantoglu
02 8399 1043

About James Edwards
James is the founder and principal of Edwards + Co, and advises businesses on legal and commercial issues in a world enabled, disrupted and re-assembled by the internet of everything.
