I recently discovered that Google has released a new guidance document for passkeys in Google Ads. This move couldn’t have come at a better time, considering how frequent account hacks have become.
Understanding how passkeys work within Google Ads is crucial, particularly with the uptick in phishing attempts targeting advertisers like us.
What’s Happening. According to the new help page, passkeys offer a password-free and phishing-resistant login method in Google Ads. Google outlines when these keys are essential, such as during user access changes and account linking updates.
The document guides us through the necessary device requirements, setup steps, and other security considerations to ensure we’re fully protected.
Why We Care. In today’s digital age, our ad accounts are prime targets for cyber attackers. These threats can lead to budget theft, disruptions in campaigns, and even data loss. Having clear guidance from Google is incredibly valuable, offering us a straightforward path to fortify our account security just when it’s needed the most.
The Bottom Line. With the increasing frequency of account takeovers, learning how to effectively use security tools like passkeys is a smart move. It’s all about securing our access and minimizing risks.
I recently discovered an exciting update from Google Ads that promises to enhance the security of high-risk account changes. They have silently introduced a multi-party approval feature that ensures a second administrator must approve specific actions before they are finalized. This step adds a critical layer of protection against unauthorized or malicious changes, enhancing the overall safety of our accounts.
This new feature is particularly important as our ad accounts grow larger and carry more value. A single unauthorized change can quickly disrupt campaigns and even affect our billing. By requiring approval from another administrator, this feature effectively reduces such risks without hindering our regular campaign management processes.
For agencies and large teams like mine, this tool becomes invaluable. It helps us avoid costly mistakes and significantly bolsters our account security. I appreciate how Google is responding to the increasing necessity for robust access control.
Here’s how it works: when I, as an admin, initiate a sensitive change, Google Ads automatically sends an approval request to other eligible admins. This request is delivered as an in-product notification, requiring an action within 20 days—either approval or denial—otherwise, it simply expires, and the change will not be implemented.
Moreover, tracking the status of these requests is hassle-free. Each change request is tagged as Complete, Denied, or Expired, allowing my team to easily monitor and review our account changes.
To manage these approval requests, we can head over to the Access and security section within the Admin menu. It’s quite straightforward and keeps us in the loop with all ongoing requests.
This update points to a growing concern about account security, especially for advertisers managing large teams with multiple user permissions. With reports of expensive hacks escalating, this added security is a much-welcomed relief for us.
In the end, although multi-party approval may add a bit of friction to the process, it’s definitely a good kind. It grants us more control over who can make vital changes to our accounts, thus protecting them from unauthorized access. In my opinion, it’s a prudent step towards safer, more secure ad management.
I’ve always been fascinated by how companies navigate complex regulatory landscapes. Recently, TikTok made headlines with the launch of a new U.S.-controlled joint venture, a decisive move aimed at aligning with American national security rules.
To ensure that TikTok can continue serving its vast user base of over 200 million Americans, the company established TikTok USDS Joint Venture LLC. This step was officially taken following an executive order from President Trump on September 25, 2025.
The big picture. This joint venture stands out because it’s primarily owned by American interests, functioning independently concerning U.S. user data, content moderation, and algorithm security. While ByteDance maintains a 19.9% stake, this remains under the level that’s often scrutinized for national security.
This initiative leverages TikTok’s already established U.S. Data Security (USDS) program, aiming to protect sensitive information from foreign interference.
Why it matters to me. As someone who appreciates the dynamic between technology and regulation, this joint venture is a significant test of whether TikTok can continue its operations in the U.S. without facing bans or demands to sell its U.S. assets. It effectively transfers control of key operational areas to American oversight, addressing long-standing security concerns.
For creators and advertisers like me who rely on TikTok, this development signifies a potential blueprint for future regulations of foreign tech by the U.S.
Understanding the safeguards. User data from the U.S. will be securely stored in Oracle’s cloud infrastructure in the U.S., with rigorous audits and third-party cybersecurity certifications to ensure adherence to federal and industry standards like NIST, ISO 27001, and CISA.
The content recommendation algorithm for U.S. users will also be adapted and tested using U.S. data within Oracle’s systems, ensuring robust security through continuous source code evaluations under software assurance protocols.
Trust, safety, and content moderation at the forefront. The joint venture now holds the decision-making power over trust, safety policies, and content moderation for U.S. users, further reducing foreign influence over crucial decisions.
Balancing global reach with U.S. control. While U.S.-based security and safety controls are tightened, TikTok’s global entities still handle interoperability and commercial activities like advertising and e-commerce, supporting worldwide visibility for American creators and businesses.
Governance and leadership. The joint venture is led by a seven-member board predominantly composed of Americans, including executives from Silver Lake, Oracle, Susquehanna International Group, and MGX. Adam Presser serves as CEO, with Will Farrell as Chief Security Officer, and Raul Fernandez, CEO of DXC Technology, chairs the board’s security committee.
Ownership details. Silver Lake, Oracle, and MGX are the cornerstone investors, each with a 15% stake. Other investors include entities linked to Michael Dell, General Atlantic, Dragoneer, and Xavier Niel. These safeguards also cover CapCut, Lemon8, and other TikTok-associated apps in the U.S.
What comes next. TikTok USDS Joint Venture positions itself as a definitive response to U.S. regulatory pressures. It remains to be seen whether it will fully placate lawmakers and security agencies, ultimately securing TikTok’s future in the U.S. as scrutiny begins.
Catch-up. A $14 billion arrangement keeps TikTok operational in the U.S.
As I delve into the recent statements from Google, I am struck by the urgency in Elizabeth Reid’s affidavit. She warns us that if Google is compelled by the court to share its search index and ranking data, it could seriously jeopardize user privacy, potentially inviting spam abuse.
Reid, who heads Google’s Search department, presented her affidavit as part of Google’s motion to pause the implementation of some antitrust remedies. Her warning highlights the potential “immediate and irreparable harm” that such data sharing could cause to both Google and its users.
What strikes me is how Reid articulates the danger of exposing Google’s sensitive Search assets, which could lead to reverse engineering and an escalation in spam.
Imagine, for a moment, how revealing the web search index could become problematic. Under the court’s Section IV ruling, Google might have to provide competitors with crucial web index data. This includes every URL in Google’s index, a DocID-to-URL map, and more. For us at Google, this just seems like handing over the results of 25 years of meticulous work.
Reid explains that the web index is born from proprietary systems that decide the inclusion of pages in Google Search. Knowing which URLs are indexed by Google could allow potential competitors to bypass comprehensive crawling, thereby gaining undue advantage.
Further adding to the complexity, metadata like crawl frequency offers insight into how Google prioritizes content, which again, could provide competitors with unfair advantages if unveiled.
Reid’s affidavit includes images illustrating Google’s processes. One notably shows most webpages labeled as “Spam, Duplicates, & Low Quality Pages,” an insight into how meticulous our web crawling is. It’s fascinating to think that as of 2020, Google’s index boasted around 400 billion documents.
There is also a dire warning about exposing spam scores. Such a leak could greatly weaken Google’s spam-fighting mechanisms, making it harder to protect users from low-quality content.
In terms of user data, the transparency required by the judgment would mean sharing extensive search logs used by Google’s Glue and RankEmbed models, including detailed user interactions. This suggests a large-scale disclosure of Google’s proprietary data signals, something Reid is quite concerned about.
Finally, the requirement to syndicate Google’s core search results to competitors for five years poses a significant challenge. Despite contractual limits, our control over our systems would diminish, with possible data misuse or leaks.
Reid’s testimony underscores her knowledge and dedication as she stands by Google’s motion to stay antitrust remedies while the appeal is pending. If you’re interested, you can explore Reid’s affidavit further.
Since July 1, I’ve been closely following Cloudflare’s battle against AI bots. Our CEO, Matthew Prince, recently shared that we have successfully blocked 416 billion AI bot requests for our customers during this time.
This insight sheds light on Google’s significant advantage in AI. They’re currently capable of viewing 3.2 times more web pages than OpenAI, underlining the challenge smaller AI companies face.
Why this matters. The flood of AI systems consuming vast amounts of web content is concerning, especially without a mechanism for publishers to counteract this. Our statistics at Cloudflare show just how aggressively these AI bots are searching for data.
The current scenario. Ever since we launched our pay-per-crawl initiative on July 1, our clients have been automatically blocking AI crawlers. At the recent WIRED Big Interview event, Prince highlighted that so far, 416 billion AI bot requests have been turned away.
Analyzing Cloudflare’s data reveals that Google sees:
3.2 times more webpages than OpenAI.
4.6 times more than Microsoft.
4.8 times more than Anthropic or Meta.
As Prince mentioned, Google enjoys “this incredibly privileged access.”
The bigger picture. As it stands, Google offers publishers a difficult choice: either block AI training and risk disappearing from Google Search or allow it and accept AI scraping.
Prince said, “You can’t opt out of one without opting out of both, which is crazy. You shouldn’t get to use your monopoly of yesterday to secure a monopoly of tomorrow.”
Cloudflare aims to prevent market consolidation, ensuring the web remains open while assisting creators and businesses in adapting to this shift.
Encouragingly, publishers that already block AI crawlers report positive results, Prince noted.
Looking ahead. As AI models pursue superior training data, the worth of “creative, original human thought” will climb, potentially leading to opportunities in paid licensing, Prince forecasted. Meanwhile, Cloudflare is advocating for AI giants, particularly Google, to distinguish between search and AI crawling.
Prince asserted, “Google is the problem here. It is the company that is keeping us from going forward on the internet, and until we force them – or hopefully convince them – that they should play by the same rules as everyone else and split their crawlers up between search and AI, I think we’re going to have a hard time completely locking all the content down.”