
Google’s Project Shield May Actually Be A Double-Edged Sword

Google has received a lot of press regarding their Project Shield announcement at the Google Ideas Summit. The effort is being applauded as a milestone in social consciousness. While on the surface the endeavor appears admirable, the long-term impact of the service may manifest more than Google had hoped for.

Project Shield is an invite-only service that combines Google’s DDoS mitigation technology and Page Speed service. The intent is to offer the service to (quoting from their site) “websites serving news, human rights or elections-related content.” The concept is to provide a voice to those that may be silenced via DDoS attacks.

The Possible Moral Dilemmas

As an example of a potential Project Shield user, Google spotlighted Aymta, a site that alerts Syrians to scud missile launches. In the past the site has been targeted by DDoS attacks, reportedly by the Syrian government.

So what happens when the Israeli and Palestinian conflict heats up again and a similar service is spun up on both sides of the border? Should Google choose who they feel is more “right” in the situation and worthy of their protection?
This is a huge moral question as people could literally live or die based on how they choose. Selecting either side in the conflict potentially draws fanatical anger from supporters on the other side. Doing nothing or supporting both potentially draws ire from both sides.

At the end of the day, Google is still a company looking to generate a profit. Certain choices could potentially impact their business model in large portions of the world. While Google’s mantra is “don’t be evil,” sometimes you are faced with no-win choices. Adding to the complexity is that Google also has a responsibility to their investors. Is it realistic to expect that profit margins will never factor into their selection for inclusion in this service?
If they do choose to throw caution to the wind, could that not affect their bottom line, thus negatively impacting their investors and their ability to perform this philanthropic work in the first place? To draw on a Star Trek moral dilemma, do the needs of the few outweigh the needs of the many, or is it the other way around?

Protecting The Rest Of Us

There is another, more subtle issue here. By protecting sites that are drawing a passionate response, Google is effectively raising the bar on what is required to perform a successful DDoS attack. Further, they are doing so to people who are highly motivated to reach that bar and may have the financial means to do so. In the past, whenever we’ve developed technology or processes to thwart large-scale DDoS attacks, the bad guys have upped their game to meet the challenge.

Unfortunately, leasing time on botnets to perform DDoS attacks is a thriving business. This offering may provide financial incentives to the bad guys to again scale up their operations. This may leave the rest of us, who are not invited into Google’s protected circle, that much more likely to be knocked offline.

Don’t get me wrong, I honestly think this Google endeavor is an effort to make the world a better place. I think Google is truly attempting to give a voice to “the little guy,” and should be applauded for the effort. However, philanthropy can sometimes be a double-edged sword. I’m really hoping someone at Google who is smarter than myself has plotted a clear path through the potential moral minefield that may lie before them.

By Chris Brenton, Director of Security at Dyn

I don't see the same issue

Phillip Hallam-Baker – Oct 29, 2013 2:31 AM

Google could end up picking sides but by and large DDoS attacks are rarely the work of state actors and even more rarely state actors who are on the NATO forces side.

GCHQ and the NSA don’t spend their time DDoSing Al Qaeda Web sites, they infiltrate them. Folk who try to DDoS the sites are causing more problems for our side than theirs.

They might get into some difficulty if they offer the service to US political campaigns due to the rules on donations in kind. But I am pretty sure they would have the sense to offer the same service to all parties.

Google has fat enough pipes and servers to soak up the entire DDoS attack volume. Perhaps what they are planning is not to make a business stopping DDoS but just looking to strike a knockout blow.
