GSoC is a well-known way to get people working on valuable open source projects. It's not some sort of sketchy business deal where Tor Project signs itself over to Google employees and developers. The reality is, Google does a lot for the FOSS world, and especially for security.

It's bad to think of Google as one big monolithic entity. It's true that many of Google's activities are bad (targeted advertising, malicious use of big data, monopolistic practices, skewing search results for political purposes), but it's so large that many other activities are entirely beneficial. Many of the bugs found and fixed in Tor may not have been found if lcamtuf had not been hired to work on AFL by Google. The secure Copperhead OS for Android would absolutely not be as secure as it is now if it weren't for Google. Many security improvements in Linux would not exist today if it weren't for Google pushing for them.

GSoC is no different. Google benefits from FOSS. They see the entire ecosystem as important, so they promote it. There's no conflict of interest when both Tor Project and Google mutually benefit from a more free and open source ecosystem. There's no conflict of interest when both Tor Project and Google mutually benefit from a more secure world.

As a side note, this is true for pretty much all companies. Google puts a lot of money and effort into improving the security of free and open source software. They put a lot of money into fuzzing research and fuzzing popular open source projects (OSS-Fuzz). Microsoft puts a lot of money into researching new mitigations for memory safety and memory allocation hardening (their malloc rivals OpenBSD's), and even formally verifies some of their core code (HTTP.sys for example). Intel puts significant money into research for security techniques that can be implemented in hardware (RDRAND, RDSEED, SMEP, SMAP, UMIP, SGX, MPX, CET, MPK, VT-x, VT-d, and, of course, NX). Apple puts a lot into... uh... Well at least they keep a lot of things open source even if they don't really contribute to the FOSS ecosystem, and at least they hired LegbaCore to harden their UEFI, but I can't say much more for them on that front.

You should never assume that a company is entirely monolithic and all evil. I do not mean to defend Google. I think it is, overall, a rather nasty company. But you should not make the implicit assumption that any project which Google runs or funds is going to cause a conflict of interest for Tor Project to participate in.
