Google's Encryption Plan To Stifle NSA's Dragnet Will Raise the Stakes
CWmike writes "Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments — started last year, but accelerated in June following the NSA leaks — is as much about economics as data encryption, experts say. Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained. However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained. 'The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical,' Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.' The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the 'mathematics of cryptography,' Schneier said. The greater weaknesses, and the ones most likely to be exploited by governments in general, are the systems at the start and end of the data flow. 'I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks.' Is this about citizens' rights, or a business decision (some might say an existential issue) for Google? Does it matter, and will it make a difference?"
Arms race (Score:5, Insightful)
Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained.
- yeah, it's an arms race alright. It's a kind of a race where if Google doesn't give the NSA what NSA wants, Google's employees and management will find themselves on the wrong side of a gun.
That's a relief (Score:5, Insightful)
Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments
So.. the only organisation conducting invasive surveillance of my Internet activity will be Google? I'm most relieved.
Not a solution. (Score:5, Insightful)
A technological solution will never work. The NSA had court orders and gag orders. While the NSA doing this does not shock or bother me, the idea that you can stop them with technology is just silly. Human spies will get around that as they always have.
Re:Not a solution. (Score:5, Insightful)
Security has never been about _absolute_ security, but simply about making it too expensive, dangerous or time consuming for an adversary to bother. We don't all live in bank vaults, after all; we don't need that much security for the kind of possessions we keep at home.
Schneier's point is the same: we don't need so much security the NSA could never get to our data. We just need enough security - and need enough of us to use it - that the effort to routinely record what we all are up to exceeds their capability of doing so. They do not have an infinite budget, or infinite man-hours.
Make routine surveillance not impossible but too expensive, that's the name of the game.
Disinformation (Score:3, Insightful)
To me it was obvious from the start that Google was founded with borrowed search algorithms that had been honed for a different purpose: finding connections in intercepts. So now they are trying to sell that they will have crypto that is out of reach from an agency that they are in bed with? They PAY Google some undisclosed excessive amount to provide information. It is a profit center. I'm not even sure if Google is really a public company. (The name may have come from a joke about 'G'overnment 'OOGLing')
Why would anyone believe they are on the public's side?
It's a PR effort (Score:2, Insightful)
"Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.'"
No it isn't. China wanted you to backdoor in China and you left China, USA wanted you to backdoor in the USA and you complied, Eric. It's not an arms race when a secret letter is all it takes to get your data. Just after PRISM leaks, we learned they started to demand the keys too. In effect expanding surveillance of your services to 100% coverage while reducing the use of PRISM. Is *that* an arms race? No, it's a PR scam. It would let you Google, Microsoft, Facebook, Yahoo pretend surveillance had reduced (in PRISM) when in fact it had become total (via intercept).
Also don't kid us that it's only for terrorism. All the NSA does when it wants to spy on anyone, is stick an agent provocateur on the forum to post a threat. That gives it the excuse it needs to then spy on everyone in the forum, and their friends and families using the 3-steps deep rule. Twenty million queries a month!
How about you come clean on Cloud Print? That data goes through your servers and can be matched to users data, I bet you give NSA that too?
It's entirely about PR, trying to regain lost trust, WHILE THE STASI ARE STILL LIVING IN YOUR HOUSE. The best defense is to not visit your house!
I will believe ... (Score:5, Insightful)
I will believe Google is genuinely against NSA's encryption breaking scheme only when Google moves ALL their servers OUTSIDE of the United States of America.
No point of talking about "upping the stakes" when the same old thing - a secret warrant demanding full disclosure - can happen anytime.
Re:That's a relief (Score:4, Insightful)
Re:Becoming uncivilized (Score:5, Insightful)
It's a good soundbite, the idea of mutual respect as a civilized accomplishment—but Rand oversteps. The very cornerstones of civilization are the same as the rules of that tribe; without it, you have something entirely more primitive: solitary animals and the complete abolishment of culture. It is alas a rather tawdry thought that betrays Rand's education, no matter how elaborate the clothes.
Strive for a balance. It's no more unattainable an ideal than an extreme like total freedom or total cooperation. There are, believe it or not, ways in which complete privacy is not optimal. Some small degree of intrusion is always necessary, both psychologically and for safety.
In this case, I am completely on the side of recovering privacy, as these violations are gross and driven by ignorance, paranoia, and greed. They are massively inexcusable, and if I were south of the border I would probably have turned to a career of being a crazy social activist when I was an undergrad.
Schneier hit the nail on the head [slashdot.org] last week when he pointed out the real issue, though, and I hope you'll agree with me that it is a much bigger priority than the collateral privacy loss itself. Bureaucratic and political need to save face and to manage risk has grown out of control. The post-9/11 culture of safety has led to oppression in every conceivable security-related corner, as well as moves of "me-too" safety fetishism in totally unrelated areas.
The enemy here isn't just a big government, though; it's the individuals in these organisations, departments, and legislative bodies trying to protect themselves and their careers. It's an insurrection of selfishness, regardless of who the campaign promises are designed to appeal to. Without arguing over the rightness of the system, it is at least plain that these people are horrifically mismatched to the jobs they hold, and they need to be very specifically shamed if the fundamental shift they caused is to be reversed. An Edward R. Murrow would really fit the bill right about now.
Google is in partnership with the NSA (Score:5, Insightful)
Re:Arms race (Score:3, Insightful)
That's one of the (unofficial) goals: population control. For that they track connections (so-called metadata), and in real time can track and activate cellphones. So if there is an occupy-something going on, it is easy to track who participates and who may be connected, simply by checking phone locations, calls, and history. More important, having private data, the NSA (or whatever agency or individual has access) can convince a key person to "cooperate". It can be a CEO or an ordinary engineer. And yes, there is no way to complain; secret courts and pocketed judges are for this. The system "works" and lives its own life. There is probably no one in charge, but many who use and abuse it. The way it evolves, soon it will be used for targeted crowd control, to take out the leaders like ruling parties do in Russia and China, and many other countries.
Re:Disinformation (Score:5, Insightful)
Re:Arms race (Score:4, Insightful)
tech companies are fighting furiously to report the "total number of NSA requests" they complied with.
Considering that those requests are "extras" on top of and in addition to the NSA's always-on access to the backend servers (as per Prism docs), then even if they win that fight it will be little comfort. All the "total number of NSA requests" tells us is that after looking through all the users' stored emails and search profiles, the NSA then decided to put in an extra request to track a user's search keystroke and other front end data.
Re:I will believe ... (Score:2, Insightful)
So now they just have to partition the data.
US customer data is present ONLY on US based servers.
Non-US data is not ever touching the US servers.
NSA can go snoop the US servers as much as the US citizens allow. I couldn't care less.
NSA can try to snoop out-of-US servers as much as local govt. allows but most likely can't just waltz in invoking national security yadda yadda.
Not expecting them to do this. And they really cannot prove that they would be doing this, even if they claimed so.
Any company that has any server presence inside US is currently going to be assumed to be leaking all that data directly to US spooks. Enjoy. US = Nazi Germany.
Yes and no (Score:4, Insightful)
Google is against anything that makes people not trust Google, including the NSA. Google would happily keep all your data secret, except from their own advertising algorithms. But Google would also sell your data to the NSA for what they consider "fair market value", which given the preceding is a lot higher than the NSA wants to pay for it.
Google pays a computational price for encrypting your data, but it's worth it if either
(a) the NSA is now forced to buy your data from Google, instead of stealing it like they currently do, or
(b) people trust Google more as a result.
Google wants to publish the number of NSLs it receives to (a) make people feel more confident and (b) make the NSA, DEA, FBI, etc. evaluate more carefully the data they request. Why is (b) good for Google's bottom line? I think, if the agencies are spending more personnel time on the data they request, that data appears even more important, so Google can charge more for the data the agencies really want, while incurring less risk.
Google is still a company, but it's a company run by a founder. Founders almost always make them behave much less like psychopaths than Wall St CEOs.