CA Security Council
District of Columbia
Hearing #1 On Competition and Consumer Protection in the 21st Century - Sept. 13-14 at Georgetown University Law Center
The CA Security Council (CASC), www.casecurity.org, submitted Public Comments to the FTCs Hearings on Competition and Consumer Protection in the 21st Century on August 31, 2018. There have been important new developments since that time, and so CASC is hereby submitting Supplemental Public Comments to the FTC. Most importantly and in summary, Google is moving faster than expected to remove website identity information from consumers in Chrome: In our previous submission, we stated the following about Googles plan to remove all identity information about websites from consumers in the Google Chrome user interface (UI) address bar: Google has announced that Chrome 72 in January 2019 will remove all positive UI security indicators, probably including the EV UI (company name, country, and corporate serial number) shown in the screen shots below for bankofamerica.com. If this happens, this will mean consumers will no longer be able to tell the difference between their banks real website with an EV certificate (containing confirmed identity and location information), and a fake phishing site with an anonymous DV certificate (containing no confirmed identity or location information) pretending to be their bank. They will be tricked. In fact, Google did not wait for Chrome 72 next year to start making website identity information harder for consumers to see, but has already started this month by altering its Extended Validation (EV) UI to make it less visible to consumers in Chrome version 69. Here are the facts. Google is systematically following a path to remove all strongly verified identity information in its web browser UI. Googles plan, announced in May 2018, is to gradually reduce the information it presents to consumers in the Chrome UI over the balance of the 2018: What should the FTC do in response? We repeat our conclusion from the first Public Comments we submitted last month: In the coming weeks, ask Google to pause in its plans to remove all positive UI security indicators (including removal of identity information) until the FTC has time to gather information and consider the additional actions below (and until the FTC has a chance to respond to Congress). Positive security indicators indicating the identity and location of the website owner should not be allowed disappear from Google Chrome this January in fact, fast action by the FTC is needed because it may be difficult for Google to reverse course once it announces definitively that its removing the EV UI in Chrome 72 next January. Google is by far the dominant browser in the US, with a market share of nearly 68% and growing any action Google takes to remove website identity information next January could degrade website security for the majority of consumers. We strongly urge the FTC to take action now, before more consumers are harmed by phishing attacks using deceptive URLs and fake websites in Google Chrome.