Google to automatically encrypt Cloud Storage data, but this shouldn't ease NSA fears
To be clear: encryption is definitely a good thing, and it can help guard against information getting out if a server is hacked or otherwise compromised. But, it's unclear how Google's new system would guard against the NSA's legal (albeit disturbingly Orwellian) tactics for obtaining data. And, most importantly, this new method only applies to Google Cloud Storage data, which is designed more for developers and enterprise. This new policy doesn't change how consumer data is handled in Gmail, Drive, or Google+.
Encryption and keys
Google's new automatic encryption would use the 128-bit Advanced Encryption Standard (AES); and, data would be encrypted on Google's end "before it's written to disk." The encryption takes on three phases: first, user data and metadata would be encrypted using a unique key, that key is then encrypted using a second key associated with the data owner, that is finally encrypted using a "regularly rotated" master key.
The trouble with this method is that Google still holds the keys to the data, which means that when the NSA comes calling for data with legal authority, Google can still hand over the data after removing the encryption from it. Google says that the master encryption keys will be changed “regularly” and that they will be stored in the same way that Google stores encryption keys for its own data.
Why Google can't go all the way
1. PK1983 (Posts: 130; Member since: 08 Aug 2012)
What the NSA does might be legal under the letter of the law, it is certainly not under the spirit of the law. The people who supervise this intrusion are the ones writing the laws, the people who are under them truly have very little to no say. When a govt. is more concerned with say someone selling unpasteurized milk on their farm then the illegal immigrants and drug cartels that pass freely across our borders daily, that govt. needs to go asap.
2. Droid_X_Doug (Posts: 5150; Member since: 22 Dec 2010)
As long as any product (including Apple's iCloud mail) does the encryption at the server level, it will not be secure. The exploit is called man-in-the-middle. NSA (through its national security letters) tells the server owner (Google, Apple, MS, etc.) to give it the data it wants, and the server owner complies.
There is no more 4th amendment to the U.S. Constitution! The legislative (Congress) branch has passed a law (USA Patriot Act), the executive (POTUS) branch actively uses and abuses the law, while the judiciary (FISA court, whose judges are all appointed by John Roberts the Chief Judge of the Supreme Court) rubber stamps the abuses. All 3 branches of the U.S. 'democracy' have been perverted.
At least Snowden decided to expose the perversion. As a contractor, he has NONE of the protections that would be afforded a whistleblower (to claim whistleblower protection, you have to be an employee of the U.S. govt.).
3. Napalm_3nema (Posts: 567; Member since: 14 Jun 2013)
True, even iCloud mail is compromised, but at least the messaging systems are not. FaceTime and iMessage encryption is a good thing. All of the mobile OSes should strive for as much protection from prying eyes as possible.
4. Droid_X_Doug (Posts: 5150; Member since: 22 Dec 2010)
iMessage is only encrypted for iMessage to iMessage sessions. SMS to iMessage is not encrypted. Not making an issue; just clarifying.
5. CipherCloud (Posts: 1; Member since: 18 Aug 2013)
Everyone knows that that server side encryption cannot protect your date from any threats i.e. an account hijacker can still download all your info, a disgruntled sysadmin at Google can still access your keys and your data etc. Also, in the case of a business their compliance for HIPAA, PCI, etc. remain unsolved as Google is not taking any legal liability, in the event of a data breach. As a result the business will end up paying for all legal liability including breach notifications. The ever important Data residency issue is also not solved with Google’s approach as your data and keys to encrypt/decrypt are both in the Google cloud. And last but definitely least – especially in the spotlight of government disclosures i.e. NSA Prism is also not addressed by Google’s approach.
6. MyJobSux (Posts: 70; Member since: 01 Apr 2012)
Rule of thumb is this, if its accessible to the internet its not secure. You could run your own mail, storage, etc server on your own personal network and even then your still vulnerable if not more so depending on your knowledge of networking, security and administraion. The best way to protect your personal info and data is to simply not put it out there anywhere. Maybe you can get a computer stripped of network abilities and store data there. Of course you would want to lock it up in a safe, then inside a secured room, which is alarmed, under camera surveilance but would that be enough? You would want to watch it and make sure no one tried to access the room so your life would be watching a sealed door wondering if someone is tunneling under the floor and into the safe to get your data. Paranoia is a virtue, because the enormous growth in vulnerability reports really does show that attackers are out to get you!