> It is my impression that modern companies that care about security assume that all networks are compromised and act accordingly.
I think more to the point, Google et al assume that all networks are compromised by state level actors. As in NSA. As in the people who wrote this "Clean" policy.
Reminds me of when Google security engineers...ahem...reacted...to the Snowden leak that the NSA was spying on internally decrypted traffic. [1]
It's insane to me that the US spied on an American company's internal traffic, got busted, and the only viable response was "well, I guess we have to make HTTPS mandatory in the protocol now".
Not that it was the wrong response. Just that it wasn't even on the table to say "hey, NSA, wtf..."
Unless you see the NSA as some sort of weird, legally protected black hat blue team.
I'm not defending this thought process, and I disagree with it, but I can at least understand.
You basically have two levels of recourse against the state for redress of grievances: elections and litigation. You absolutely could have, and I believe every major corporation should have, sued the NSA and the larger federal government post-Snowden. I'm not a lawyer, so I don't know the specifics of what that would have looked like, but it seemed like a pretty egregious violation of a whole list of rights. But litigation, especially against an intelligence agency, seems a little quixotic in this context.
Elections don't seem like they'd have much impact against the NSA. They're not elected officials, and only the top leadership is appointed. Most of them are career bureaucrats (I don't necessarily mean that in a negative way) and scientists/mathematicians. You could replace a third of the Senate and the entire House every 24 months and you're not going to get sweeping changes throughout the NSA. From a national security, somewhat hawkish perspective, that might be a feature rather than a bug? But from a civil liberties/freedom perspective it's definitely a concern.
Probably after the NSA, with "banned" devices from at least Juniper (who got caught shipping an NSA backdoor that was repurposed by, IIRC, China, but only because there was an NSA backdoor to utilize), and probably a ban on Ericsson due to a well-known rogue state with a penchant for messing with telecoms in order to do industrial espionage.
Said rogue state is, of course, United States of America.