Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google To Encrypt Cloud Storage Data By Default

timothy posted about a year ago | from the praise-be-to-google dept.

Encryption 217

jfruh writes "Worries about snooping are now a permanent part of our computing landscape, but Google is attempting to ameliorate those fears by encrypting all data on its Google Cloud Storage service by default. Data is encrypted with 128-bit AES, and you can manage the keys yourself or have Google do it for you. A Google spokesperson said that the company "does not provide encryption keys to any government."" (Also at SlashCloud.)

cancel ×

217 comments

what about decryption keys (0)

Anonymous Coward | about a year ago | (#44590795)

or the government's non-power-of-2 computers

Re:what about decryption keys (5, Funny)

Anonymous Coward | about a year ago | (#44590847)

They don't provide any keys. They provide the decrypted data.

Re:what about decryption keys (5, Funny)

Anonymous Coward | about a year ago | (#44591341)

That's funny, because here I thought that Google's Cloud Storage was going to be hosted in NSA's new data center. Brilliant really. Why bring the NSA to you when it's less trouble to let the NSA host your shit for you.

Re:what about decryption keys (1, Insightful)

Anonymous Coward | about a year ago | (#44591431)

Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?

Anyway, you can already do this for Chrome's sync data. I setup a pass phase for my sync data thats only known to my browser, and never sent to Google. Of course, that means I trust Chrome, but at least I don't have to trust them to protect the data on their end.

This (letting the user hold the keys) is exactly what we should be rooting for. I'm amazed how negative the posts here are.

Re:what about decryption keys (-1)

Anonymous Coward | about a year ago | (#44591521)

Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?

Anyway, you can already do this for Chrome's sync data. I setup a pass phase for my sync data thats only known to my browser, and never sent to Google. Of course, that means I trust Chrome, but at least I don't have to trust them to protect the data on their end.

This (letting the user hold the keys) is exactly what we should be rooting for. I'm amazed how negative the posts here are.

Whoa, oh, ohWhoa, oh, ohWhoa, oh, ohWhoa
I'm waking up to ash and dust
I wipe my brow and I sweat my rust
I'm breathing in the chemicals
I'm breaking in, shaping up, then checking out on the prison bus
This is it, the apocalypse
WhoaI'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
I raise my flags, don my clothes
It's a revolution, I suppose
We're painted red to fit right inWhoa
I'm breaking in, shaping up, then checking out on the prison bus
This is it, the apocalypseWhoa
I'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
All systems go, the sun hasn't died
Deep in my bones, straight from inside
I'm waking up, I feel it in my bones
Enough to make my systems blow
Welcome to the new age, to the new age
Welcome to the new age, to the new age
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
Whoa, oh, oh, oh, oh, whoa, oh, oh, oh, I'm radioactive, radioactive
anonherewe rlegioniwillonlybeablesaythison cesinkingproxyshipsonmywayoutafterpos tingsubmissthencsucha gencihasalready crakedalphaechosierragppglehasthegoaheadto allowtheusertoholdthekeysontheirendbcurdataisnolongerprivateanywhereregardl essifyouentryptornot gameoverhidenowifyoustillc ancnowtencanconfrmover

Re:what about decryption keys (2)

maxwell demon (590494) | about a year ago | (#44591631)

Where are the keys generated? If they are generated at Google and then transmitted to you, then this doesn't really give additional security. Only if the key is generated on your computer and provably never goes to Google, it gives better security than just trusting Google. Of course that means you have to manage it yourself (back it up — not on the cloud, of course —, copy it onto all of your devices — again, not per cloud synchronization, but either through a direct encrypted connection like ssh, or in a way not involving the internet (e.g. per LAN or USB stick). Any solution that doesn't give you that burden also doesn't give you the associated security.

Re:what about decryption keys (2)

rtfa-troll (1340807) | about a year ago | (#44591633)

If you manage your own keys and you use a client that isn't written by Google, how does Google get at the decrypted data? As I understand the system there's nothing they could do and they do allow third party clients?

If so it would be a very good reason to insist your cloud data provider is not the same as your OS vendor. In the end though it's your OS vendor you have to trust for everything since they clearly do have (indirect) access to the keys. Another good reason to use Ubuntu rather than Windows or Cyanogenmod/Replicant rather than Android I guess.

How do you know? (1)

Ralph Spoilsport (673134) | about a year ago | (#44591751)

You say "They don't provide any keys." But if they did, you would have no ability to tell. WOULD YOU? Very simply the internet can no longer be trusted. At all. Ever. It's effectively enclosed and dead.

Lies Lies Lies (5, Insightful)

Anonymous Coward | about a year ago | (#44590805)

Just like how they already lied the first time. Lies Lies Lies. But I don't care. Go ahead and do that NSA thing.

Re:Lies Lies Lies (0)

Anonymous Coward | about a year ago | (#44591143)

Of course it WILL be encrypted, no lie. Though..

Why should we trust you? (4, Insightful)

Mr. Freeman (933986) | about a year ago | (#44590809)

And we have what guarantee, exactly, that they're telling the truth?

Re:Why should we trust you? (0)

Anonymous Coward | about a year ago | (#44590837)

its the decryption keys i worry about most.

Re:Why should we trust you? (0)

Anonymous Coward | about a year ago | (#44591293)

AES is symmetric
decryption key = encryption key

Re:Why should we trust you? (0)

Anonymous Coward | about a year ago | (#44590839)

You have the keys. Simple enough.

Re:Why should we trust you? (3, Insightful)

maxwell demon (590494) | about a year ago | (#44591635)

Well, the question is whether only you have the keys.

Re:Why should we trust you? (1)

Anonymous Coward | about a year ago | (#44590853)

They still hand data over to the government.

From the article:
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

"Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don't follow the correct process," she wrote. "When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network."

Goggle complies with local laws ... (4, Interesting)

perpenso (1613749) | about a year ago | (#44591395)

Google complies with local laws and regulations. Remember their previous venture in China:
"The new local Google site, expected to be launched Wednesday at Google.cn, will include notes at the bottom of results pages that disclose when content has been removed, said Andrew McLaughlin, senior policy counsel for Google. "Google.cn will comply with local Chinese laws and regulations," he said in a statement. "In deciding how best to approach the Chinese--or any--market, we must balance our commitments to satisfy the interest of users, expand access to information, and respond to local conditions.""
http://news.cnet.com/Google-to-censor-China-Web-searches/2100-1028_3-6030784.html [cnet.com]

When a legal order to turn over info is received they will do it. The only question is what constitutes a legal order.

Re:Why should we trust you? (0)

Anonymous Coward | about a year ago | (#44591859)

... because if they're not, that's fraud and they could get into some serious shit?

Re:Why should we trust you? (1)

hutsell (1228828) | about a year ago | (#44591881)

And we have what guarantee, exactly, that they're telling the truth?

Following up on your rhetorical question: None really; that's why the expression "Trust, but verify." exists. Without some type of enforceable checks and balances in place, our only hope is for the operators to be benevolent. Even then, we're not in the decision making process; they may think their decisions are in our best interests and we might be lucky enough once in awhile for it to be the right one. Usually though, without informed personal experiences to temper the outcome, it won't; especially if there aren't any incentives to be benevolent.

What would happen if someone figured out a perfectly enforceable verifiable transparency without creating any compromise — and they still don't want to do it? For myself, it would confirm what I've always strongly suspected: Any modicum of accountability has disappeared. There're too many disinterested well financed draft exempt connected families in government, snickering behind our backs about what they do and say to the rest of us. Someone will probably yawn out, "We're not doing it. Your problems are none of our business. Love it or leave it."

of course not (1)

Anonymous Coward | about a year ago | (#44590825)

Of course they don't provide encryption keys to any government, they just hand over the plaintext.

Encrypt your own data ... (1)

perpenso (1613749) | about a year ago | (#44591401)

Of course they don't provide encryption keys to any government, they just hand over the plaintext.

Now how are they going to do that if one encrypts the data before sending it to the cloud service? Don't give your cloud service the plain text.

Patriot act? (5, Insightful)

hilather (1079603) | about a year ago | (#44590833)

A Google spokesperson said that the company "does not provide encryption keys to any government.""

As Google is a U.S. based company, I'm pretty sure this is a bald faced lie due to the "Patriot Act".

Re:Patriot act? (-1)

Anonymous Coward | about a year ago | (#44590897)

You'd be wrong if you believed that. There's no law that says they can't encrypt a users data. The Communications Assistance to Law Enforcement Act might be amended to cover this but it seems it hasn't happened yet.

Re:Patriot act? (0)

Anonymous Coward | about a year ago | (#44590983)

Read what he quoted again; it has nothing to do with encryption being legally forbidden.

Re:Patriot act? (2)

Darkness404 (1287218) | about a year ago | (#44590991)

Since when does the FBI/CIA/NSA care about laws? As long as there isn't another Snowden, the media will ignore it and anyone who says otherwise will be dismissed as a mere conspiracy theorist.

Re:Patriot act? (1)

rahvin112 (446269) | about a year ago | (#44591435)

Conspiracy theorists give people that expose real conspiracies a bad name. When you have crackpots out there claiming the moon landing never happened and other such BS the real conspiracies are lost in the noise.

There could even be a government conspiracy to hide real conspiracies in the noise of fake ones. Or it could just be a bunch of nut jobs with paranoia, I put my money on the nut jobs..

Re:Patriot act? (1)

maxwell demon (590494) | about a year ago | (#44591787)

But I can prove the moon landing never happened! Because otherwise they would have found the Nazis hiding on the moon and waiting for the chance to come back! And BTW, the Nazis have made a contract with the aliens which guarantees them exclusive access to the moon. Any attempted landing by anyone but a Nazi on the moon would cause an alien attack. That's the true reason why the Americans hired Wernher von Braun: They tried to convince the aliens that it would actually be the Nazis landing if the US land on the moon. But the aliens are not that easy to trick. Kennedy was the driving force behind the moon landing plans and couldn't be convinced to stop the efforts, therefore the aliens arranged him to be shot (yes, it was aliens who were on that hill). The following president had a problem: They knew a landing was no option, but they couldn't just tell the people that the aliens won't allow it, given that the existence of aliens was top secret. But they also couldn't think of a good public reason to stop it. Thus they decided to fake it. The Russians came to similar conclusions. The reason why the USA won the "moon race" was that while the Russians had the superior rocket technology, the USA had the better filming technology, thanks to Hollywood. The aliens helped with the fake by actually sending the pre-recorded signals from the position where they had to originate, so everything looked real. The rocket starts were real, but the space ships actually entered an earth orbit and switched to silence on earthly communication channels; they could still communicate using alien communication technology which was not detectable by amateurs. The aliens took the part of sending the pre-recorded messages and images, as well as as relaying any live communication as needed for keeping the illusion, from exactly the places where they should have come from had the moon landing actually been performed. That's why nobody could notice the fake by checking the origin of the signals.

SCNR ;-)

(And for those who didn't get it: None of the above is meant seriously, of course.)

does not provide encryption keys (5, Insightful)

Anonymous Coward | about a year ago | (#44590845)

Until they receive a National Security Letter and a gag order to boot.

Re:does not provide encryption keys (0)

Anonymous Coward | about a year ago | (#44591843)

The Patriot Act(tm) does away with the need for a National Security Letter, and the gag order is automatic.

What does it matter... (1)

Anonymous Coward | about a year ago | (#44590851)

What does it matter if they encrypt it all and then give the keys to the government?

What does this mean exactly? (5, Insightful)

synir (731266) | about a year ago | (#44590857)

"A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."

What does this mean, exactly? That they would provide encryption keys in accordance with the law? That they could?

A robust system would mean the hosting company wouldn't be more able to decypher encrypted damage than anyone else. Are they offering that?

The fix (0)

sgt scrub (869860) | about a year ago | (#44590883)

A Google spokesperson said that the company "does not provide encryption keys to any government... yet.""

fify

Call me paranoid (5, Insightful)

TubeSteak (669689) | about a year ago | (#44590887)

"If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys," Barth wrote. "We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."

That sounds meaningless.
All that it prevents is interception of data to/from your computer.
It does nothing to stop the NSA from requesting your data from Google, who would control your encryption keys.

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

Which is exactly my point. If they control your key, they have access to your data.

128bits of secure storage (1)

Anonymous Coward | about a year ago | (#44590989)

As long as your store your data in as the AES key, Google will not sure it with the government.

Re:128bits of secure storage (2, Funny)

Anonymous Coward | about a year ago | (#44591101)

128 bits should be enough for anybody.

Re:Call me paranoid (1, Interesting)

Chalnoth (1334923) | about a year ago | (#44591027)

It will be difficult to avoid such requests entirely, but this technology, implemented well, prevents the NSA or others from intercepting the data en route and reading it without a court order.

I'd also point out that Google has, in the past, pushed back against data requests.

Re: Secret court order or just a letter/// (0)

Anonymous Coward | about a year ago | (#44591133)

... but this technology, implemented well, prevents the NSA or others from intercepting the data en route and reading it without a court order.

Where have you been - your mom's basement doesn't have TV? NSA can either get a secret-court order (which you cannot challenge or even hear about) or just write a "national security letter" themselves. No need to bother with a real court/judge that might let someone know what they were doing.

Re:Call me paranoid (1)

TheGratefulNet (143330) | about a year ago | (#44591205)

I'd also point out that Google has, in the past, pushed back against data requests.

and you know that, exactly, how?

oh right, they said so. yeah. ok. we're done here.

Re:Call me paranoid (1)

Anonymous Coward | about a year ago | (#44591147)

This offer is still pretty sure to make a good impression on the mainstream for PR moderate damage control... some people are now on the fence but locked in. They will look the other way with right buzzwords and a pat in the back.

The reluctant geek will more easily move to offshore alternatives knowing what you've mentioned. I mistrust the OS I'm typing this in, and even if it were clean, google probably still installs a system service or two with some non-Chrome programs ("just" for auto-updates).

Even with a clean OS, those of us who would encrypt data before handing it for storage have a big problem. The cloud these days means daily use and post-processing more than storage. There's lots of syncing for on-the-fly music playing, spreadsheet editing, calendar processing, file attachment handlers for pictures and video, etc. I heard Apple does tons of stuff that way too. Real encryption on my side means they'd just have a blob that is useless to my android device.

I'm not too confident in their well-meaning NSA-backed intentions. There's no mention of how middleware would take my pre-encrypted data, decrypt it and hand it to my phone for that cloud-y on-the-fly processing. Will Google throw in some half-baked offer with a flawed process that sneaks my keys away from me with the guise of convenience?

Re:Call me paranoid (1)

Mitreya (579078) | about a year ago | (#44591309)

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

And once US starts to publicize their laws, that would maybe mean something

For now, "in accordance with the law" means nothing because of all the secret laws or secret law-interpretations that are out there.

Re:Call me paranoid (2)

smhsmh (1139709) | about a year ago | (#44591393)

Ummm, if you want to store your data in Google's cloud, or anyone else's, then all you need do is encrypt it before uploading. Then the responsibility for keeping the key secret is yours. If Google reencrypts your data, there is usually no significant gain or loss of security. You can even share documents with anyone else who has the key, perhaps delivered by carrier pigeon. (Surprisingly, multiple different encryptions can sometimes be weaker than any of the individual encryptions - read that somewhere on Usenet long ago -- but I don't think this matters much in practice, otherwise a standard cracking technique would be to try reencrypting the encrypted data.)

Of course, this strategy won't work with Google's application suite (Google Docs, etc.) because your thin client talks unencrypted data with the application running in Google's cloud, even if the connection is ssh -- the data is unencrypted in the server until saved under encryption. Someone should explain to me again why accessing cloud-based apps from a thin client is such a win...

Re:Call me paranoid (1)

Tr3vin (1220548) | about a year ago | (#44591539)

The thin client can be a little bit fatter, though. Since Google provides a web browser, why not add support to it to use your key to decrypt the data on your end? That way, the data on the server is always encrypted. They could provide similar functionality for other browsers via a plugin.

TFA (5, Interesting)

PPH (736903) | about a year ago | (#44590893)

Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.

Which is how it should all be done. Relying on Google's honesty, or some Google employee who doesn't want his fingers broken one by one, is just false security.

All decryption must be done offline (0)

Anonymous Coward | about a year ago | (#44590895)

The only way to secure the cloud is to have a private key on a portable device with limited network ability. Use the thing as a proxy, with an app that runs on the offline machine.

No keys, no issues.

Fool me once.... (5, Informative)

larry bagina (561269) | about a year ago | (#44590899)

Given what we know about the NSA, NSLs, and Lavabits, " [we do] not provide encryption keys to any government" is a worthless statement. With an NSL, Google will turn over everything and won't be able to say anything about it. With an NSL, Google will be required to lie (like claiming data is encrypted when it's not). Lavabits received an NSL and chose to shut down rather than honor it and sell out their customers. Google compiles with their NSLs.

You cannot trust Google or the cloud with your data.

Re:Fool me once.... (5, Insightful)

tftp (111690) | about a year ago | (#44590995)

You cannot trust Google or the cloud with your data.

If you store your data in the cloud, it means that:

  • The 3rd party knows that you have some data stored, and they know its size, and they know how often you modify it or add to it. The observer does not need to have access to your private key to see that.
  • You can never be sure that the data that you deleted was in fact deleted. In most cases, due to existence of tiered backups, it will take a long time to purge your data from an honestly operated system. If the system is ran by a Google-like entity, nothing ever gets deleted.
  • If the observer wishes to decrypt your data, they can always use the $5 wrench, or (if they want to stay undetected) they can send people to duplicate your HDD or to install a keylogger.

The best way to store your data is on your own HDD, encrypted. The observer still can break into your house, but they would have to do it without any information leading to that. (Such as they wouldn't know that you even have a computer, let alone how often you modify certain files.) Modern terabyte drives (USB 3.0 or eSATA) remove every reason to bother with cloud storage - unless you want an additional bottleneck in form of the Internet link and a bunch of additional vulnerabilities, often for a small extra fee. Most people would be perfectly happy with an encrypted USB Flash disk (IronKey etc.) that they can always carry with them.

Re:Fool me once.... (1)

TubeSteak (669689) | about a year ago | (#44591131)

http://www.foreignpolicy.com/articles/2013/07/16/the_cias_new_black_bag_is_digital_nsa_cooperation [foreignpolicy.com]

During a coffee break at an intelligence conference held in The Netherlands a few years back, a senior Scandinavian counterterrorism official regaled me with a story. One of his service's surveillance teams was conducting routine monitoring of a senior militant leader when they suddenly noticed through their high-powered surveillance cameras two men breaking into the militant's apartment. The target was at Friday evening prayers at the local mosque. But rather than ransack the apartment and steal the computer equipment and other valuables while he was away -- as any right-minded burglar would normally have done -- one of the men pulled out a disk and loaded some programs onto the resident's laptop computer while the other man kept watch at the window. The whole operation took less than two minutes, then the two trespassers fled the way they came, leaving no trace that they had ever been there.

It did not take long for the official to determine that the two men were, in fact, Central Intelligence Agency (CIA) operatives conducting what is known in the U.S. intelligence community as either a "black bag job" or a "surreptitious entry" operation. Back in the Cold War, such a mission might have involved cracking safes, stealing code books, or photographing the settings on cipher machines. Today, this kind of break-in is known inside the CIA and National Security Agency as an "off-net operation," a clandestine human intelligence mission whose specific purpose is to surreptitiously gain access to the computer systems and email accounts of targets of high interest to America's spies.

Stealing passwords with a key logger or phishing e-mail undoubtedly involves less paperwork than using the rubber hose.

Re:Fool me once.... (1)

Anonymous Coward | about a year ago | (#44591171)

I use dropbox with encfs; it's nice for files that I'm currently working on, as it gives me automated off-site encrypted backup.

Re:Fool me once.... (1)

fast turtle (1118037) | about a year ago | (#44591613)

I also use dropbox but don't bother with encryption simply because I don't trust em to not share the data with everyone at the drop of a letter. If I need it encrypted, then I keep it off-line completely because the old saying about "a Secret is only secret if No One Else Knows it" applies.

Re:Fool me once.... (2)

Sperbels (1008585) | about a year ago | (#44591119)

You cannot trust Google or the cloud with your data.

Doesn't this really boils down to, you can't trust your government? Nothing is safe.

Re:Fool me once.... (4, Funny)

TheGratefulNet (143330) | about a year ago | (#44591201)

Google compiles with their NSLs.

interesting. the rest of us use gcc. does nsl optimize better?

Red riding hood (4, Insightful)

TheP4st (1164315) | about a year ago | (#44590903)

When I was 8 years old Red Riding Hood seemed convincing enough to be true.

Fool me once..

Re:Red riding hood (0)

Anonymous Coward | about a year ago | (#44591215)

ha ha ha ha....is there anyone but an absolute newbie going to think that this is actually going to help??

Possible Benefits? (2)

az1324 (458137) | about a year ago | (#44590923)

Server side encryption is only potentially beneficial for limited data breaches where the attacker gains access to the data but not the keys. In the case of government requests, they have the same rights to ask for the keys as for the data. Perhaps if there is a seizure of entire disks then having encryption may oblige them to ask for specific keys and therefore protect your data from snooping when you are not the target. It is also unclear exactly how unique/granular the keys are.

does not provide encryption keys to any government (0)

Anonymous Coward | about a year ago | (#44590925)

only the decrypted copy

THIS IS NOT GOOGLE DRIVE (5, Informative)

Nimey (114278) | about a year ago | (#44590947)

This is not Google Drive that's getting automatic encryption, it's their Cloud Storage, which is only available to developers.

Re:THIS IS NOT GOOGLE DRIVE (0)

Anonymous Coward | about a year ago | (#44591823)

To encrypt Google Drive use something like Syncdocs to do encryption on the client before uploading file to the cloud.

Give and Take (0)

Anonymous Coward | about a year ago | (#44590953)

Of course they don't provide the government with keys. The government provides itself with those keys. That's the whole point. Google doesn't give. NSA takes. The result is the same. I would be highly suspicious of their promise to provide key management to the end user. How will they demonstrate that it isn't back doored? Will they provide open source for the client? Will it be vetted? Will it run without patents? Isn't it just easier to buy a TB pocket drive?

Don't trust the cloud, period. (4, Insightful)

C3ntaur (642283) | about a year ago | (#44590957)

If your data is worth encrypting, do you really want it in the cloud at all? The internet never forgets. Given the rapid advances in both raw compute power and cryptography, something that takes unimaginably long to brute force today, might be trivial to crack in just a few years.

Mixed Messages (0)

Anonymous Coward | about a year ago | (#44590975)

http://www.cbsnews.com/8301-205_162-57598496/google-gmail-users-have-no-expectation-of-privacy/

Google lawyers say otherwise. NSA black hats say who cares, we take what we want, Google doesn't give a damn (thing).

Convenient (4, Informative)

elysiuan (762931) | about a year ago | (#44590977)

In other news leaked internal NSA documents show that they only begin to have trouble cracking AES at 256-bit key sizes and higher.

... only in accordance with the law. (3, Insightful)

Anonymous Coward | about a year ago | (#44591009)

The summary leaves out a critical bit of the company spokesperson's quote from the article: they won't give anyone your encryption keys directly, but they'll happily USE the encryption keys they're managing for you to decrypt your data and give the decrypted data to anyone who makes a legal request.

All this buys you is a tiny bit of defense in depth in case someone tracks down the Google server(s) that are storing your data, breaks into the data center, and physically yanks the hard drive out of the machine. Doesn't do anything to prevent a government from getting access by asking politely, and doesn't do anything to address the wide-open front door of someone guessing your account password.

If you care at all, you should be using client-side encryption. If you don't, this is just adding extra latency.

wasted CPU cycles (0)

Anonymous Coward | about a year ago | (#44591023)

A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.

In accordance with the law, they are required to turn over what ever is asked of them.
In accordance with the law, they are not allowed to speak about what they have turned over.

It's just wasted CPU cycles at this point.

does not provide encryption keys (0)

Anonymous Coward | about a year ago | (#44591037)

A Google spokesperson said that the company "does not provide encryption keys to any government."

Of course, they just need to send a clear copy to NSA before any of stuff got encrypted.

Does anybody still believes that ANY that passes through any server in the US can be safe from NSA snooping, unless the stuff is being encrypted on client side before it leaves your PC? Even then, NSA would still collect all the metadata about it (when, where, who).

still evil (0)

Anonymous Coward | about a year ago | (#44591039)

meh, google still works with the NSA to copy all traffic in and out of their network.

I will do it myself (1)

Reliable Windmill (2932227) | about a year ago | (#44591059)

I will encrypt my data myself, that is the only way I can keep it private. But hey, thanks for the free storage. Maybe you'll manage to trick someone else with this?

The bad news is... (0)

Anonymous Coward | about a year ago | (#44591083)

the encryption password is "trustno1"

does not provide encryption keys to any government (1)

hottoh (540941) | about a year ago | (#44591103)

"does not provide encryption keys to any government."

Means, "we provide encryption keys to the whim of any government." Guessing this is true.

bullllllshit! cloud computing is dead... (0)

Anonymous Coward | about a year ago | (#44591109)

and the government killed it.

What is wrong with people? (0)

Anonymous Coward | about a year ago | (#44591137)

Why are people so quick to give up control of their data to anyone? Especially a corporate entity? I am baffled by this. I know the reasons why and they all suck. Control your own data, people. Data is the new oil, and people are too quick to share it, give it away -- whatever -- for nothing much in return.

Re:What is wrong with people? (1)

glenebob (414078) | about a year ago | (#44591621)

Data might be the new oil, but the data of any one average person is worth almost exactly nothing. Should I charge Google almost exactly nothing for my data?

I want my browser to manage my keys (3, Interesting)

aviators99 (895782) | about a year ago | (#44591141)

When I first read the summary I thought Google was going to provide me a way to manage my own keys in a practical sense. I would like for my browser to automatically decrypt when I download from Google Drive using private keys stored on my local store (with a pass phrase, of course).

Re: I want my browser to manage my keys (0)

Anonymous Coward | about a year ago | (#44591185)

I'm sure Google will write something to do that.

But it will only run under chromium.

Re: I want my browser to manage my keys (0)

Anonymous Coward | about a year ago | (#44591543)

Do we dare trust the browser? Mozilla's wallet is in bed with Google, chrome IS Google, MSIE and Apple are American, Opera is NON-American... who is safe? do we turn to some obscure extension writer who could be a plant sneaking in NSA backdoors?
What the US has done is pretty much say, oh hi, now you SEE me watching you and I dare you to keep doing exactly the same you were doing this whole time. The cloud itself is useless if it's encrypted. I can use a local storage for that. Will anyone dare put up crypto interfaces just to hide their right to listen to their own encrypted, legally obtained music privately?

When Push Comes to Shove, they'll bend over (1)

Anonymous Coward | about a year ago | (#44591161)

"No Legitimate Expectation of Privacy," Says Google, Quoting the Supreme Court

http://reason.com/blog/2013/08/14/no-legitimate-expectation-of-privacy-say

  “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979).

Google Drive is not Google Cloud Storage (0)

Anonymous Coward | about a year ago | (#44591167)

Summary: Google is deliberately trying to confuse customers and users into believing their files are secure. US company, data hosted in the US, your files belong to the NSA.

words, words (2)

mbone (558574) | about a year ago | (#44591175)

"does not provide encryption keys to any government."

Based on recent evidence these words mean absolutely nothing* and you would be a fool to trust them.

* That doesn't mean they are technically a lie. Maybe 128 bit AES has a hidden weakness. Maybe there is NSA sponsored back door to their code. Who knows?
Who, except for the forensic types, cares?

Same google (1)

ceoyoyo (59147) | about a year ago | (#44591189)

This is the same Google that insists in court: of COURSE we read your email... why would you expect anything else, right?

Sing the song (4, Insightful)

gmuslera (3436) | about a year ago | (#44591207)

Obama killed the cloud star. Google must comply with legislation, they could deny (at least till NSA summons another secret law that essentially says all your data are belong to us), but at least for citizens of other countries, or americans that contacts them they must give the data anyway. Once they put in the tables laws that force you to do something and not speak about it you can't trust in anything they say, you just can't decide if its true or is a lie that is forced to say (even assuming their best good will in this topic).

Re:Sing the song (1)

cornholed (1312635) | about a year ago | (#44591597)

Judging by your uid, you must not be from around here.

Verboten (0)

Anonymous Coward | about a year ago | (#44591211)

"'Once a pillar of innovation' at Google, now verboten."

Mathematics and those who know mathematics are ... verboten @ Google.

Anyone with a Ph.D. in Mathematics and Physics @Google are ... Verboten.

20 month time frame for Google now shows employees evolving to ... 'technicians.'

Page likes employees who are without high school diplomas who have gender confusion, cocaine and viagra dependencies.

Ha ha @Google

Sounds like somebody is getting a bit desperate (1)

fustakrakich (1673220) | about a year ago | (#44591235)

Anybody else think that this cloud business is taking a hit? Maybe they should try a different angle and tell us that NSA is good for us and is perfectly safe [adweek.com] ...

Google IS the fucking NSA, you idiots. (0)

Anonymous Coward | about a year ago | (#44591325)

God damn, you motherfuckers are so devoid of intelligence
you need to be told when Dracula has his fangs in your throat.

Bottom line :

If you want to keep it secret, do NOT send it via electronic means, period.

google is a jew operation (-1)

Anonymous Coward | about a year ago | (#44591333)

so they don't give it to the nsa they give it to the mossad who give it to the nsa

And? (1)

no-body (127863) | about a year ago | (#44591377)

The encryption master keys are subpoenaed under a NSL by our good friends looking out for us, so nothing bad happens.

In Soviet Russia, all us belong to your base. (1)

Thor Ablestar (321949) | about a year ago | (#44591379)

The only really secure data are the ones written to your own HDD in your safe in your basement, encrypted with opensource program, with part of encryption key entrusted to some friend who is instructed to return it to you when he is satisfactorily ensured that you are not under coercion.

Transparent PR Stunt (2)

FuzzNugget (2840687) | about a year ago | (#44591381)

OK, so you have the option to manage your own keys, but we're trusting that Google doesn't copy your keys when you create them and that they don't have a backdoor. Based on recent revelations, I wouldn't put either past them.

Once Google unequivocally tells the feds to fuck off the next time they come sniffing around for user data, I'll put some stock into such supposed privacy measures.

Re:Transparent PR Stunt (1)

swillden (191260) | about a year ago | (#44591683)

Once Google unequivocally tells the feds to fuck off the next time they come sniffing around for user data, I'll put some stock into such supposed privacy measures.

Google refuses ~30% of government requests for user data.

Keep in mind that most requests are subpoenas (which can only get extremely limited data; name and IP address, basically), court orders (which can get a bit more, but not e-mail contents) and search warrants, and I think it's quite likely that if you were in a position to look at the requests and their rationale, you'd agree that most of them are legitimate and not only legally must be respected, but should be respected, because it's the right thing to do.

http://www.google.com/transparencyreport/userdatarequests/

http://www.google.com/transparencyreport/userdatarequests/legalprocess/

Too late (1)

sugarmotor (621907) | about a year ago | (#44591423)

It might have been. But too late now.

If Google is able to give up your keys... (0)

Anonymous Coward | about a year ago | (#44591547)

... then you are doing it (encryption) wrong.

Useless security without direct control of the box (1)

assemblerex (1275164) | about a year ago | (#44591551)

What they will do is snoop your connection for when you input the password. Https connection? They will have the cert keys already.

You might as well be using open to send the password.

Unless you are uploading locally encrypted files to the cloud (for convenience I suppose) and never sharing keys except in person you should be fine.

Until they kick your door in that is.

Proof of security would add value (1)

jcasey (264935) | about a year ago | (#44591579)

If Google had a way to PROVE that their service was secure, then that might be worth entertaining. Such PROOF would need to satisy concerns about the handling and passing of data and keys, and securely deleting information when the user requests it to be deleted. Unless they can prove that they are secure, this is an utter joke. Their reputation has been trashed as a result of their unfortunate run in with the three letter orgs. Its a pity.

Why are people worried about the government? (1)

cyn1c77 (928549) | about a year ago | (#44591641)

I don't understand all the cynical comments about the government forcing Google to decrypt everyone's data.

Would 128-bit AES encryption really bother the NSA that much? Would it even bother a committed hacker that much? If anything, this will just provide Google with a little ass coverage in case they every get hacked by someone other than the NSA.

But seriously, if this is something that you're really worried about, you should be encrypting your online storage yourself. Or better yet, don't store anything online. Even better, don't network a computer that you aren't willing to have hacked. The level of inconvenience goes up with the level of security; everyone needs to decide what will work for themselves.

I'll still use Tahoe-LAFS instead, thanks. (1)

Anonymous Coward | about a year ago | (#44591685)

Tahoe-LAFS is just as free-as-in-beer, yet also free-as-in-speech. Encryption is automatic and I can install it on any workstation.

Dear Gov, (0)

Anonymous Coward | about a year ago | (#44591733)

These are all the keys possible that the user is 'not' using. Dear user, We did not give them any keys you use.

Don't be good... (1)

eviljav (68734) | about a year ago | (#44591769)

I don't see how anybody could trust them at this point.

False Sense of Security by the bits... (1)

NeoStrider69 (2777567) | about a year ago | (#44591791)

AES-128? Really? Why not higher at least? If you want to provide a false sense of security at least up the magic numbers and make it sound harder than just handing over the decrypted data since they obviously have the public and the secret keys.

128bit AES is insecure (1)

flyingfsck (986395) | about a year ago | (#44591795)

Google doesn't need to give the keys to anyone if the algorithm is insecure.

Too late google. (1)

lapm (750202) | about a year ago | (#44591927)

So they finally desided to encrypt users data? So its been unencrypted upto this point? I tough googles prime policy was do no evil? Considering who is looking to spy on you,i would not consider only 128 bit AES secure by any standard. Not to mention google can get unencrypted data to them anyways... Always wondered why every encryption standard in use on internet need to be accepted by NSA first? Most likely becouse NSA wants to make sure they can brake it.

Worthless. (0)

Anonymous Coward | about a year ago | (#44591931)

Unless the decryption is done on your own computer and your key never leaves your own computer, this is utterly worthless since of course the NSA can intercept anything in transit. And _if_ the encryption is on your computer only with software under your own control (not "updated" by Google ever), you don't need Google for anything but plain unencrypted storage. They might be annoyed that your data compresses lousily, but that's it.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...