Google May Be Spinning Wheels With Drive Encryption Plans
Google may be tinkering with file encryption methods for data entrusted to its Drive cloud storage service, but any means it might devise to shield customers' information likely wouldn't be effective against government surveillance. Encryption "gives a false sense of security," said Denim Group CEO John Dickson. "Common user errors will defeat any sophisticated encryption approach."
Jul 18, 2013 2:33 PM PT
Google, which is fighting government requests for data in two courts and demanding greater transparency in the wake of the brouhaha over the NSA's PRISM program, is also experimenting with encrypting files on Google Drive, according to a CNET report.
Some files on Drive may already have been encrypted.
In related news, a coalition of civil liberties and privacy organizations, investors, trade groups and companies, including Google and Microsoft, sent a letter to the White House and various congressional bodies on Thursday calling for greater transparency regarding national security-related requests for information.
It's not clear whether encrypting files will protect the data they contain against surveillance, as there are ways around that. Further, the United States government reportedly has threatened to install its own eavesdropping devices on the networks of Internet companies that are reluctant to comply with its demands for information about their customers and subscribers.
"Encrypting files on Google Drive will likely protect information from certain attackers, but likely not from nation-state threats or intelligence agencies," John Dickson, principal at Denim Group, told TechNewsWorld.
There is an alternative to the RSA encryption that's commonly used, however, which might make surveillance more difficult.
Google declined our request to comment for this story.
Armor Is Not the Solution
"This is a step in the right direction by Google," Jieming Zhu, CEO of AlephCloud, told TechNewsWorld.
However, Google's approach falls short in two ways, he said. First, the data is being encrypted on Google servers and not the user's device, so it is vulnerable to insider attacks and can be intercepted by outsiders prior to encryption.
Second, "Google owns the encryption keys, so users must trust Google to manage the keys and their data properly," Zhu pointed out.
The encryption "gives a false sense of security," Denim Group's Dickson remarked. "Common user errors will defeat any sophisticated encryption approach."
Furthermore, encryption will raise Google's costs, and these ultimately will be passed on to users, he suggested.
Other companies that provide cloud-based storage might follow in Google's footsteps. Microsoft is one of the most obvious candidates, especially in light of claims that it has allowed direct governmental access to its SkyDrive service, a charge the company has denied.
However, other companies would face the same problems Google does in encrypting files on Drive, Zhu said.
One possible solution is to use forward security, an obscure feature of the SSL and TLS protocols. Instead of using a key exchange based on the RSA algorithm -- as is the case with both Secure Sockets Layer and Transport Layer Security -- forward security uses the Diffie-Hellman key exchange or a variant, elliptic curve Diffie-Hellman.
RSA's weakness is that it lets anyone with access to a copy of the server's private key decrypt everything. DHE generates session keys in such a way that only the two parties involved in the communication can obtain them. After a session is complete, both parties destroy the session keys, and the only way to decrypt the communication is to break the session keys for it.
ECDH is supported by all major modern browsers.
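To check whether a server's configured cipher suites actually provide the property described above, the following added example (not part of the original article) classifies suite names by key exchange. It goes slightly beyond the text by also handling static DH/ECDH and TLS 1.3 names: only the ephemeral variants (DHE, ECDHE) count as forward-secret. The function names and the sample list are constructed for illustration, and only common OpenSSL and IANA name forms are assumed.

```python
import re

# Key-exchange tokens that mean a fresh Diffie-Hellman key pair per session.
# ADH/AECDH (anonymous) are ephemeral too, but unauthenticated.
EPHEMERAL = {"DHE", "EDH", "ECDHE", "EECDH", "ADH", "AECDH"}
# Tokens an OpenSSL-style name may start with; anything else is a cipher name,
# meaning the prefix was omitted and the key exchange is RSA key transport.
KNOWN = EPHEMERAL | {"RSA", "DH", "ECDH", "PSK", "SRP"}
# TLS 1.3 names carry no key-exchange token; that protocol only permits (EC)DHE.
TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_[A-Z0-9_]+$")


def key_exchange(suite: str) -> str:
    """Return the key-exchange family named by an IANA or OpenSSL suite name."""
    if TLS13.match(suite):
        return "TLS1.3"
    if suite.startswith("TLS_") and "_WITH_" in suite:  # IANA: TLS_<kx>_<auth>_WITH_...
        kx, _, auth = suite[4:].split("_WITH_")[0].partition("_")
        return "ADH" if auth == "anon" else kx
    first = suite.split("-")[0]                         # OpenSSL: <kx>-<auth>-<cipher>-<mac>
    return first if first in KNOWN else "RSA"


def forward_secret(suite: str) -> bool:
    """True if a copied long-term server key cannot decrypt a recorded session."""
    kx = key_exchange(suite)
    return kx in EPHEMERAL or kx == "TLS1.3"


def audit(suites):
    """Split configured suites into (forward-secret, not forward-secret)."""
    ok = [s for s in suites if forward_secret(s)]
    weak = [s for s in suites if not forward_secret(s)]
    return ok, weak


# Constructed sample: a suite list as it might appear in a server configuration.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH; RSA only signs the exchange
    "DHE-RSA-AES256-SHA",            # ephemeral DH
    "AES128-SHA",                    # RSA key transport
    "ECDH-RSA-AES128-SHA",           # static ECDH: fixed server key
    "TLS_RSA_WITH_AES_128_CBC_SHA",  # IANA name, RSA key transport
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",        # TLS 1.3
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{'FS' if forward_secret(s) else 'no FS':<6}{key_exchange(s):<8}{s}")
```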
Fear and Loathing
The national outrage over the PRISM program was given fresh fuel on Wednesday, when NSA Deputy Director John C. Inglis disclosed that the agency sometimes conducts what's called "three-hop analysis." The first hop is studying the data of a suspect and that of the individual's contacts; the second is looking at the data of all the contacts' contacts; and the third is examining the data of all the contacts of those individuals.
That would lead to an exponential increase in the number of people under surveillance.
"If I were worried about law enforcement or national intelligence monitoring," said Dickson, "wouldn't I not use an American or U.S.-based company to host my data, just to be 100 percent sure?"