Sophos Cloud Optix
In the one and a half years since Edward Snowden first revealed the extent of government spying, Google has locked security down so tightly that Google services are now the safest place to store your sensitive data, according to Google Chairman Eric Schmidt.
Places that aren’t so safe? “Anywhere else”, Schmidt said at a conference on surveillance at the Cato Institute on Friday.
Schmidt told conference goers that Google first learned about Edward Snowden’s revelations about the National Security Agency’s (NSA’s) surveillance programs from a 2013 Washington Post article that shocked the company’s engineers.
When reporters showed the engineers a diagram detailing the methods employed by the intelligence agency, Washington Post journalist Craig Timberg reportedly said that they reacted with a
fusillade of words that we could not print in our family newspaper.
Schmidt told the audience that Google immediately got to work securing the company’s servers and services, ITWorld reports.
The Post at the time had published a slide from an NSA presentation on “Google Cloud Exploitation”.
The drawing depicted where data resides, between where the “Public Internet” meets the internal “Google Cloud”, eliciting what the Post called an explosion of profanity from two engineers with close ties to Google.
According to the Post, the surveillance operation, codenamed MUSCULAR, was a partnership between the NSA and British counterpart GCHQ in which “entire data flows” were copied from fiber-optic cables connecting corporate data centers.
US News quotes Schmidt’s remarks to the conference audience:
The fact that it had been done so directly and documented in the documents that were leaked was really a shock to the company. When it [comes] to monitoring data traffic between Google servers, they’re clearly monitoring traffic for people who are in the US, which as I understand - and I’m not a lawyer - is not their mission.
The legal basis for such collection is actually found in Executive Order 12333 – a controversial Reagan-era decree that granted broad surveillance authority to the president.
Whistleblower John Napier Tye, former section chief for internet freedom in the State Department’s Bureau of Democracy, Human Rights and Labor and now a legal director of Avaaz, a global advocacy organization, participated in a conference panel earlier in the day, during which he warned that Executive Order 12333 can be used by the NSA to collect vast amounts of US communications from overseas servers and cables without a warrant and with neither court nor congressional oversight.
Last week, Congress for the first time codified that order in a bill that appears to condone such data collection, imposing a five-year limit for data retention on most communications but allowing for indefinite retention under certain conditions, including if such communications are “enciphered” or otherwise suspected of pertaining to secrets.
Schmidt said Google reacted to the NSA news by “massively” encrypting its systems to protect users from warrantless surveillance, to the extent that we’ll all probably be dead before anybody manages to crack the company’s 2,048-bit data encryption to get at our data.
ITWorld quotes him:
We massively encrypted our internal systems. It's generally viewed that this level of encryption is unbreakable in our lifetime by any sets of human beings in any way. We'll see if that’s really true.
Schmidt also touted the incognito browsing feature in Google’s Chrome browser and Google’s Dashboard feature: a mode that’s found in all modern browsers, sometimes referred to as “private”, and which makes it much more difficult for websites to track us.
(To find out more about browsing without being tracked, check out this quick fix. It details how to clear out cookies and the cookie-like things that can be used to track you online.)
Chris Soghoian, principal technologist with the American Civil Liberties Union, was not impressed. Chrome’s incognito mode will “do nothing” to protect users from government surveillance, he said.
At issue, of course, is the fact that any data saved on Google servers is subject to being turned over to law enforcement.
In fact, as Soghoian said, Schmidt has commented in the past about retaining user information to comply with law enforcement surveillance requests.
Schmidt said that Google complies with legal law enforcement requests, and retains user data for a year because of government mandates.
As far as collecting private user data to fuel its business model, Schmidt said that people “don’t understand how Google works”.
In fact, he said, Google’s here to tickle us pink, not to trample on our privacy:
Google's job is build stuff that delights customers. When governments illegally invade their privacy, that's like a negative. It's easy to understand why we'd make these systems stronger.
If Google’s claims to be the safest spot in the world sound hyperbolic, bear in mind that Schmidt was talking to a suspicious crowd.
According to US News, Cato Institute fellow Julian Sanchez had earlier in the day described Schmidt as “the NSA’s best frenemy”.
What do you think? Is Google the safest spot to store your sensitive data?
Can anywhere in the cloud be safe to keep sensitive information away from government surveillance, given that all US companies are subject to US mandates, warrants, or even warrantless grabs, as well as being at risk of interception by non-government entities, including cyber crooks?
Please share your thoughts in the comments section below.
Image of Eric Schmidt licensed under Creative Commons, from Guillaume Paumier, CC-BY.
This coming from the same guy and company that got exclusive landing rights and discounted fuel at Moffett field and now is taking over the field operations. It would seem that Eric has a lot of gain from his dealings with the gov’t and a lot they can take away if he won’t play ball. This guy is about the least trustworthy guy in tech.
Right now, I trust the Chinese and Russians more than I trust the U.S. and Google. At least I can use China and Russian based services and not care what they’re collecting while I know they’ll never cooperate with a rubber stamped U.S. warrant. I’ll never step on Russian or Chinese soil.
Big Brother is watching you
Lisa, I can rationalize the practices of the NSA because I can see intelligence workers approaching their mission like a machine. I have mixed feelings regarding Google and remember the internet before it existed. But then you mentioned the ACLU and my brain felt like it just ingested Ipecac.
“…you mentioned the ACLU and my brain felt like it just ingested Ipecac.”
Bill, what a cliffhanger! Why these feelings about the ACLU?
Google’s motive is money. They are restricted by the laws that are in place, and negative publicity affects them like any other company. They are not invulnerable.
The government ignores its own laws without any consequences. Clapper and Alexander are still free and profiting from their illegal activities. Google can not throw you in jail indefinitely by declaring you a terrorist (which the definition of is flexible to meet the needs of any person the government wants imprisoned).
As for the NSA being a machine, that is where I agree with you. It is unfeeling, incapable of making ethical choices without being considered defective and being disposed of (Drake, Binney, etc). The people controlling this machine have proven to be out of control and working for their own interests.
I am MUCH more fearful of my goverment having this power than Google any day.
Unless Google controls every device between my desktop and it’s servers there is no way to guarantee security.
.. this is the purpose of using Browser-to-Server encryption (SSL). That protects your data while it travels the open internet. They are saying they started encrypting everything while it travels around what they believe to be their private (protected) network in case the gov’t is stealing it from there while it travels.
Google “Man in the Middle”
That’s all well and good but what’s with Google’s own tracking with their new Inbox app. Unable to see it in list of apps to turn off Geo tracking so deleted it.
I worked with fiber-optics, you can’t tap into a fiber-optic cable without someone seeing the tap the first time a test is run to find light degradation, you can’t tap in without degrading the light signal. you then have a exact location of the tap (to within inches) on the cable. Someone failed or didn’t know what they were doing.
Sorry Richard you do not need to physically tap into a fibre to read the data.
The basic’s of fibre transmission is total internal reflection within the core and cladding of the fibre.
If you remove the outer protective layers and slowly bend the fibre in a radius some light will leak from the cladding, this is all you need to read the data.
Yes this damages the cable but after you are finished you can tape up fibre up and the losses while are less then a join, only a very skilled operator will pick up the slight bend, also you have not broken the link at anytime.
Any Government agency will have taps placed for monitoring as required at interception points.
Mark
After Snowden’s revelations both the US government and the US tech companies are trying to do their best to protect their own interests, so nothing of this should come as a surprise.
According to Snowden the government was spying on, umm, everybody, with the acquiescence (at least, or maybe happy consent) and help of the tech companies. When this was exposed, that was bad for:
– the government: hey, spying is best kept secret
– tech companies: bad publicity
So tech companies had to do something about it in order to not lose customers. They claim(ed) to not know about government involvement and have tightened security, so the government cannot continue doing what it was doing. And the government has publicly complained about that.
But, what has really happened behind the scenes? Have the companies improved security but given a copy of the new master key to the government? and then have they publicly just played a pantomime in order to make the world believe what they need so US companies can continue making money and the US government can continue spying?
Oh yes, surely all this looks like a conspirationist theory, pretty much as what Snowden said before he said it…
“security Theatre”
Supposing hypothetically that Google actually sent all documents directly to the NSA in unencrypted form, while still claiming its the most secure anti-NSA service out there, what difference would you notice?
If you’re talking about personal data (as opposed to company or shared data), encrypted offline storage is probably best. Throw it on a password/PIN-protected encrypted external HDD that is only powered on when in use, and even if there is a warrant, memorized passwords are protected by the Fifth Amendment (unless a search warrant finds the password written down elsewhere).
If Google is protecting us from the NSA, who’s protecting us from Google?
{
Do you think Google is not fully indexing all of your content before they slap a 2k key on it?
How else can they pop up those “relevant” ads that “tickle you pink”?
Are those indexes “safe”?
What are Google’s controls against internal breach? /* opaque */
Is there any US regulatory oversight of Google’s use of your data besides
the requirement to give cleartext to the authorities on demand? /* No */
}
I’m willing to believe that Schmidt would go the extra mile to keep the government from spying into their data without permission from Google. It would make sense. Yes, he does work closely with the government, however he has no bargaining chips to use with the government if they reach in and take what they need anytime they want. It benefits him to keep them out of the cookie jar. Of course, the government only needs to produce a warrant to get the data, but at least that takes some time and formality, and probably significantly reduces the amount of data they get. But in this day and age, if you have data to protect from any government, you better be encrypting it yourself before you upload it anywhere. And I fear things are going to get much worse before they get better.
usa no Germany yes
there are no safe places, and privacy is a myth