Google Will Let Enterprises Store Their Google Workspace Encryption Keys (techcrunch.com)
As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces that use it is that it isn't end-to-end encrypted, allowing Google -- or any requesting government agency -- access to a company's files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys. From a report: Google Workspace, the company's enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company's data will be indecipherable to Google. Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales or Virtru, which are compatible with Google's specifications. The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.
First comment = best comment! Agree! (Score:2)
Re: (Score:2)
Because that other company may operate in a different jurisdiction than Google
Re: (Score:2)
Storage space is expensive, that's why we limit keys to 24 bits.
Re:First comment = best comment! Agree! (Score:4, Insightful)
The real magic lands later in the year when Google will publish details of an API that will let enterprise customers build their own in-house key service, allowing workplaces to retain direct control of their encryption keys. That means if the government wants that company’s data, they have to knock on their front door — and not sneak around the back by serving the key holder with a legal demand.
oh uh, never mind.
Re: (Score:2)
Re: (Score:3)
Why wouldn't Google fight that? The service isn't worth the electrons it's written on if people know Google will do something like that. And by dint of us sitting here talking about it, they know people would find out.
Re: (Score:2)
Gubernmint requests key from Flowcrypt, Futurex, Thales or Virtru instead, obtains incriminating documents anyway.
There's a word to describe putting incriminating shit in a cloud that is easily associated with a specific person.
Deserving.
Re: Pretty worthless (Score:1)
Absurd (Score:2)
I was going to make a comment about how this was only for corporations, but it isn't even for them - the other companies that hold the keys may offer Google some protection, but this is far from a solid cloud solution, and totally worthless when it comes to freedom.
I guess it shows how it would be technically possible for them and they refuse to do it, I suppose.
Riddle me this... (Score:2)
...there are business customers who have NOT learned that you never depend on Google services/products for anything you care about?
Re: Riddle me this... (Score:2)
Re: (Score:2)
For the 2006 fiscal year, the company reported $10.492 billion in total advertising revenues and only $112 million in licensing and other revenues.
Re: Riddle me this... (Score:2)
Re: (Score:2)
You'd rather trust Microsoft or Amazon's "cloud"? hahahaha
Re: Riddle me this... (Score:1)
Re: (Score:2)
Or just don't trust ANY Cloud product. If your data is not really important and you have money to burn, go with the Cloud.
Dog Food (Score:1)
The way things are headed, in a short few years Google will be the only one eating Google Dog Food. Google is mostly useful for ads and spam, what a joke Google is in 2021.
A complete waste of time (Score:4, Informative)
The Australian government has passed the Assistance and Access Bill (2018) [homeaffairs.gov.au] precisely to circumvent this very thing.
If the code Google runs isn't open source with a reproducible build [0] Google can replace it at any time without you knowing. With the aforementioned bill the government gave themselves the power to direct Google (well, not just Google - any software developer) to replace their software on any device the government targeted.
The government once they realised because everything (backups, http, phone calls) is moving towards being encrypted. (To be fair, Google led the charge in making this happen.) Once it's encrypted they can't spy on it. Solution: spy on it when the human eyeballs are looking at it, because at that moment it can't be encrypted. How? Give themselves the power to demand the software developers put their spy bugs in the programs that display the data to the humans. In fact the bill goes a step further. The word "assistance" is in the bill's name because the bill also allows the government to demand they develop the spy bug for them.
[0] A reproducible build ties whatever obfuscated binary Google delivers to the browser to its source, so you are 100% guaranteed the stuff you are running is derived from that source. The point of that is humans can't check binaries do what they say they will do, but they can check the source code. (In fact that is now the accepted definition of source code - it's a computer program in the form a human can understand and modify.) But they can only check it if they can see it - so it has to be open source. There is a lot more infrastructure required to make it practical of course, but open source and reproducible builds are the foundation stones.
TL;DR - if Google doesn't open source its docs platform, this is a pointless gesture.
Re: (Score:3)
TL;DR - if Google doesn't open source its docs platform, this is a pointless gesture.
It's not necessary to open source the entire platform, just the part that does the client-side encryption/decryption, and maybe the Javascript libraries that do the rendering, though that part isn't strictly necessary as long as it can be instrumented to verify that it's not sending any plaintext data back. And it would also be necessary to enable the client side to refuse updates to both the encryption code and the rendering/presentation code.
Google Condoms. (Score:2)
The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.
EA could have used this. ;-)
On prem cloud storage has never been cheaper... (Score:2)
...why would you put anything really sensitive up into somebody else's cloud?
Cloud computing is worst (Score:2)
Cloud computing is the worst because one is trusting the key-storage and local executable (eg. Google Chrome) don't contain any spyware. With
Who cares about end-to-end encryption (Score:2)
The whole concept of cloud apps is that the app is running on a remote server, therefore works on clear-text documents. Meaning Google has access to my data - and Google is by far the worst threat for data misuse and abuse there is.
The only cloudiness I personally use is storage, and whatever I store is encrypted locally by yours truly before it even touches a network interface. Of course, that means no online app can do anything with it, which is why the only online thing I can do with my encrypted data is
Re: (Score:3)
Check the usage numbers: Google Docs is ubiquitous in business as of about two years ago. Last I saw, something close to 50 percent of businesses in USA use Google Docs for at least one official something, and I have no idea how many unofficial "hey, let me just put that in a Google doc for us" uses there are, but I bet they are legion. Globally, in 2019, Google counted 5 million paying business customers for their Google Suite [google.com], and I'm sure that number has only gone up during the pandemic-work-from-home se