Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Google Encryption

Google Will Let Enterprises Store Their Google Workspace Encryption Keys (techcrunch.com) 26

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces that use it is that it isn't end-to-end encrypted, allowing Google -- or any requesting government agency -- access to a company's files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys. From a report: Google Workspace, the company's enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company's data will be indecipherable to Google. Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales or Virtru, which are compatible with Google's specifications. The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.
This discussion has been archived. No new comments can be posted.

Google Will Let Enterprises Store Their Google Workspace Encryption Keys

Comments Filter:
  • I was going to make a comment about how this was only for corporations, but it isnâ(TM)t even for them- the other companies that hold the keys may offer google some protection, but this is far from a solid cloud solution, and totally worthless when it comes to freedom.

    I guess it shows how it would be technically possible for them and they refuse to do it, I suppose.

  • ...there are business customers who have NOT learned that you never depend on Google services/products for anything you care about?

  • The way things are headed, in a short few years Google will be the only one eating Google Dog Food. Google is mostly useful for ads and spam, what a joke Google is in 2021.

  • by ras ( 84108 ) <russell+slashdot ... au minus painter> on Monday June 14, 2021 @07:47PM (#61487714) Homepage

    The Australian government has passed the Assistance and Access Bill (2018) [homeaffairs.gov.au] precisely to circumvent this very thing.

    If the code Google runs isn't open source with a reproducible build [0] Google can replace it at any time without you knowing. With the aforementioned bill the government gave themselves the power to direct Google (well, not just Google - any software developer) to replace their software on any device the government targeted.

    The government once they realised because everything (backups, http, phone calls) is moving towards being encrypted. (To be fair, Google led the charge is making this happen.) Once it's encrypted they can't spy on it. Solution: spy on it when the human eyeballs are looking at it, because at that moment it can't be encrypted. How? Give themselves the power to demand the software developers put their spy bugs in the programs that display the data to the humans. In fact the bill goes a step further. The word "assistance" is in the bills name because the bill also allows the government demand they develop the spy bug for them.

    [0] A reproducible build ties whatever obfuscated binary Google delivers to the browser to its source, so you are 100% guaranteed the stuff you are running is derived from that source. The point of that is humans can't check binaries do what they say they will do, but they can check the source code. (In fact that is now the accepted definition of source code - it's a comupter program in the form a human can understand and modify.) But they can only check it if they can see it - so it has to be open source. There is a lot more infrastructure require to make it practical of course, but open source and reproducible builds are the foundation stones.

    TL;DR - if Google doesn't open source it's docs platform, this is pointless gesture.

    • TL;DR - if Google doesn't open source it's docs platform, this is pointless gesture.

      It's not necessary to open source the entire platform, just the part that does the client-side encryption/decryption, and maybe the Javascript libraries that do the rendering, though that part isn't strictly necessary as long as it can be instrumented to verify that it's not sending any plaintext data back. And it would also be necessary to enable the client side to refuse updates to both the encryption code and the rendering/presentation code.

  • The move is largely aimed at regulated industries -- like finance, healthcare and defense -- where intellectual property and sensitive data are subject to intense privacy and compliance rules.

    EA could have used this. ;-)

  • ...why would you put anything really sensitive up into somebody else's cloud?

  • The problem with any internet-enabled, online, or cloud-based software is, it can send the password, decryption keys, or even decrypted data down the 'data' pipe for distribution to anyone who wants it. This is why always-online applets (eg. browser, "Ebay"), common to iOS and Android platforms (mostly for advertising) are by default, untrustworthy and high-risk.

    Cloud computing is the worst because one is trusting the key-storage and local executable (eg. Google Chrome) don't contain any spyware. With

  • The whole concept of cloud apps is that the app is running on a remote server, therefore works on clear-text documents. Meaning Google has access to my data - and Google is by far the worst threat for data misuse and abuse there is.

    The only cloudiness I personally use is storage, and whatever I store is encrypted locally by yours truly before it even touches a network interface. Of course, that means no online app can do anything with it, which is why the only online thing I can do with my encrypted data is

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...