Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Speeding Up New Encryption Project After Latest Snowden Leaks

samzenpus posted about 10 months ago | from the keep-your-eyes-on-your-own-paper dept.

Privacy 248

coolnumbr12 writes "In a new leak published by the Guardian, New York Times and ProPublica, Edward Snowden revealed new secret programs by the NSA and GCHQ to decrypt programs designed to keep information private online. In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies. Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."

cancel ×

248 comments

I take a leak on the leaks (-1)

Anonymous Coward | about 10 months ago | (#44796317)

piss on this.

The relationship between Google and Uncle Sam (4, Insightful)

Taco Cowboy (5327) | about 10 months ago | (#44796589)

When I read TFA, and it states that ...

In response to NSA's Bullrun and GCHQ's Edgehill, Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies

... I laugh !

As if nobody knows the cozy relationship between the founders of Google (and Google Inc. itself) and Uncle Sam.

The only way we can be sure that something that is truly important to us does not fall into the hands of NSA is to NOT put it online, period.

Re:The relationship between Google and Uncle Sam (3, Informative)

i kan reed (749298) | about 10 months ago | (#44796909)

Well, you can encrypt it yourself, with a private key you don't give to NSA lovers like RSA, and give your public key to your friends(and vice-versa, naturally).

Re:The relationship between Google and Uncle Sam (4, Insightful)

LordLimecat (1103839) | about 10 months ago | (#44797005)

Google has been one of the best in this regard, both in the consistency and the tenacity of their resistence. For instance, unlike Yahoo and MS, Google famously has repeatedly refused to work with the Chinese government when they request details on dissidents.

I dont want to sit here advocating for Google as if they have no faults, but I find it hillariously counterproductive that people would go after Google of all things for not being "for the consumer" enough. Who besides google works closely with the EFF, particularly with the ChillingEffects site? Who besides google has shown the guts to say "get a warrant" to unofficial government requests?

People seriously are going to read "Government compels businesses to disclose information via FISA court order", and take away "gee these businesses sure have a cozy relationship with the govt"?

Re:The relationship between Google and Uncle Sam (1)

93 Escort Wagon (326346) | about 10 months ago | (#44797373)

Well, only if you ignore that early Snowden-leaked slide from the NSA presentation that showed Google to be one of the earlier companies they had direct access to....

Re:The relationship between Google and Uncle Sam (1)

denmarkw00t (892627) | about 10 months ago | (#44797537)

And we still have the issue of just how complicit the companies were - just b/c the slides mention many a big-name company as being sourced, does not mean they willingly said "Here, have our data." I think we should probably treat it as if they had cooperated until we have evidence that suggests otherwise (beyond them saying "We didn't"). Still, most of what we've heard implies that the NSA planted capture devices on or near-site and captured whether the companies wanted them to or not.

Re:The relationship between Google and Uncle Sam (4, Insightful)

gmuslera (3436) | about 10 months ago | (#44797645)

The problem is that no matter how good intentions you are willing to attribute to the Google company (or that they really have), how good is that encryption, they are under US law, they must follow their (secret laws) orders, and don't tell us that they are following them. In practice, from the outside, is almost as bad as i.e. Microsoft, you can only trust in what they release in fully open source form (Chromium, android AOSP), but not web services or binary programs like Chrome. Adding a level of encryption more a placebo than something that does a real difference.

Want to recover lost market? Move to other country, one outside US and snooping allies laws. That will do more on giving the impression that you care about your users privacy than adding encryption in a place where you have the give the unencrypted content anyway.

Re:I take a leak on the leaks (0)

Anonymous Coward | about 10 months ago | (#44796631)

Don't get SCROOGLED!

Not impenetrable to Google (4, Insightful)

riT-k0MA (1653217) | about 10 months ago | (#44796341)

Although impenetrable to Government spying I doubt it would be impenetrable to Google, who would not think twice of harvesting all data sent though this encryption method.

Re:Not impenetrable to Google (4, Insightful)

ArsenneLupin (766289) | about 10 months ago | (#44796351)

... and then hand it on to the NSA.

Don't forget, gmail.com is part of Prism!

Re:Not impenetrable to Google (2, Insightful)

Anonymous Coward | about 10 months ago | (#44796515)

... and then hand it on to the NSA.

Don't forget, gmail.com is part of Prism!

google == bigbrother

Re:Not impenetrable to Google (3, Informative)

Big Hairy Ian (1155547) | about 10 months ago | (#44796437)

Yep always remember google is the man in the middle

End-to-end (5, Insightful)

DrYak (748999) | about 10 months ago | (#44796579)

If the "end-to-end" is correctly implemented, i.e.: not like in the bad definition in the summary (fiber optics and server encrypted), but like usually understood for privacy (i.e.: decrypted form only exist on end-point totally controlled by end users), google, nsa or any other man in the middle doesn't matter.

That requires 2 important details:

- sound encryption.
The maths behind current encryption seem sound. But the implementation must be good too. NSA has notoriously interfered undercover with lots of software development team, leading to bad implementation which could leak data or have predictible key due to broken random generator, etc.
Opensource is a lot less likely to be tainted as errors are much easier to spot. You don't know what NSA could have hidden in closed source software whithout the knowledge of the software vendors themselves.

- secure environment.
There's no point in having the most perfect encryption ever if the NSA could simply bypass it and use a hidden backdoor or abuse an exploit to break into and simply tap the clear message from one of the end points.
Skype EULA clearly states that they are ready to conform with local law about collaboration with law enforcement (could probably be even implementing wire-taping point). Also I think by now backdoors inside Windows are more or less accepted to be existing in our post-Snowden world.
Again, opensource software, both user application and the OS on which they are running, would be more difficult to abuse, as backdoors and exploitable bugs would be easier to observe.

But in a theoretical pefrect wold of rainbow, unicorns, perfect crypto implementation and secure machine, you can then use safely an untrusted network and untrusted servers: data that will transit through them will be always encrypted and meaningless.

Re:End-to-end (2)

chihowa (366380) | about 10 months ago | (#44796705)

Besides being gibberish, I don't think they used the word "servers" on accident. However sound the encryption is, expect it to be deployed as a big star network with Google's servers in the middle. What benefit does Google gain from making traffic hidden from their prying eyes?

Re:End-to-end (3, Informative)

petermgreen (876956) | about 10 months ago | (#44796759)

But in a theoretical pefrect wold of rainbow, unicorns, perfect crypto implementation and secure machine

And properly verified key management.

If the system works by having some authority tell clients both what network addresses they should connect to and which keys are and aren't valid for which other clients then the system is only as secure as that authority is.

Re:End-to-end (3, Informative)

LordLimecat (1103839) | about 10 months ago | (#44797043)

Opensource is a lot less likely to be tainted as errors are much easier to spot.

This is speculation. Not having the source to closed-source, we can only assume that theyre tainted, but we know for a FACT this has happened with open-source via public commits; and in a number of instances the bogus code remained undetected for years.

Re:End-to-end (0)

Anonymous Coward | about 10 months ago | (#44797349)

but didn't the NSA infect C compilers to insert a backdoor on linux when it's being complied?

Re:End-to-end (1)

gmuslera (3436) | about 10 months ago | (#44797733)

Something in the Google's end decrypts the information to send it to you, is not like they send you an encrypted file and you manually decrypts it with pgp (you can store there only pgp encrypted files, but for that don't matter if google encrypts or not). So if ordered, they can do the decryption without user intervention, or even send it to the NSA at the same time they send it to you. They are still in US, still have to follow its (secret) laws, still have to give anything to the NSA if they ask, no matter if how theoretially perfect encryption scheme they use. Thats the problem with secrecy and being ordered to not tell or directly lie, there is no possible trust ever unless you get outside those laws.

But end-points is still known (1)

jopsen (885607) | about 10 months ago | (#44797775)

But the end-points would still be known... Essentially, leaking your entire address book...
Sure, there's TOR and similar ideas, but requires trusting third party servers, that might very well be NSA hubs as well...

And forget about running your own TOR instance unless you want the police to come knocking on your door, we've heard about that on slashdot before... :)

Re:Not impenetrable to Google (0)

Anonymous Coward | about 10 months ago | (#44797007)

While our government is able to take data from any source, and also require them to keep silent about it, who gives a shit what anyone comes up with the "encrypt" data? Don't store the data at all. Oh wait, they're required to. Ok, so just don't do anything stupid online. Fixed.

Re:Not impenetrable to Google (1)

gl4ss (559668) | about 10 months ago | (#44796539)

it's either penetrable for both or neither...

if they have some master key, some inbetween possibility or some such, then it is as good as government having it, since they'll appear with a secret court order at the office and the only way to battle it is to somehow prove that they can't comply.

naturally such would end up on export restrictions too? or are they developing this in zurich?

Re:Not impenetrable to Google (1)

LordLimecat (1103839) | about 10 months ago | (#44797023)

If its end-to-end encryption, then it would be impenetrable to anyone who was not one of the endpoints; thats sort of the point.

Re:Not impenetrable to Google (0)

Anonymous Coward | about 10 months ago | (#44797067)

It is to prevent the NSA backdoor used by OTHER nations to spy on Americans, not to prevent NSA from getting the data from google.

"....impenetrable to the government agencies". (0)

Anonymous Coward | about 10 months ago | (#44796349)

Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies.

Ahhhh hahahah hahaaaaaaaaaaaaaa!

Re:"....impenetrable to the government agencies". (1)

hebertrich (472331) | about 10 months ago | (#44796723)

rofl .. lmao .. cheers mate :DDDD

Re:"....impenetrable to the government agencies". (0)

Anonymous Coward | about 10 months ago | (#44797667)

Ahhhh hahahah hahaaaaaaaaaaaaaa!

Bless you

first... (-1)

Anonymous Coward | about 10 months ago | (#44796353)

first post

-NSA

Re:first... (1)

hebertrich (472331) | about 10 months ago | (#44796731)

old and derelict .. that's not being done anymore . just an annoyance specially since you contribute nothing to the discussion. grow up . those days are over.

If Google cares about security... (2, Interesting)

Anonymous Coward | about 10 months ago | (#44796357)

If Google cares about security, then why does it insist that companies synchronize passwords with their Google Apps domains using unsalted MD5 checksums?

ALREADY KNEW !! (-1)

Anonymous Coward | about 10 months ago | (#44796361)

So this is a little, a little too late !! G should have expressed High Anxiety long ago !! You are being spoon fed the same baby food of mushed plumbs only with a different label !! And you will eat it up all the same !! Suckas !!

Meaningless ... (5, Insightful)

gstoddart (321705) | about 10 months ago | (#44796363)

Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies

Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.

Because when those government agencies can walk in the door with a secret warrant and demand the keys, there is nothing Google can do.

The US lawmakers have essentially made crypto in America irrelevant when any party knows the keys.

The rest of the world needs to be stepping up their game, but all of their governments want the same ability to spy.

I fear the US has more or less decided that the entire world should be operating on less security to protect their interests. And I'm not sure why everybody is playing along with that.

Re:Meaningless ... (0)

Anonymous Coward | about 10 months ago | (#44796451)

Because all government's want to spy on their citizens. European governments used to be the best at fascism but have been playing catch up to the US for a while now.

Re:Meaningless ... (5, Informative)

FriendlyLurker (50431) | about 10 months ago | (#44796493)

Because all government's want to spy on their citizens. European governments used to be the best at fascism but have been playing catch up to the US for a while now.

But do all government's of the world wish to permit industrial espionage on their soil, or is it political power first over protecting national business interests...

Statement by Director of National Intelligence James R. Clapper on Allegations of Economic Espionage [tumblr.com]

"...It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing...."

Re:Meaningless ... (4, Informative)

cold fjord (826450) | about 10 months ago | (#44796849)

Your excerpt stops before it gets to the good bit. I will add a bit more, and suggest that anyone that is interested read the whole thing. The link below that is from a former head of the CIA that discusses aspects of the same topic.

Statement by Director of National Intelligence James R. Clapper on Allegations of Economic Espionage [tumblr.com]

What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of - or give intelligence we collect to - US companies to enhance their international competitiveness or increase their bottom line.

Why We Spy on Our Allies [cryptome.org] - By R. James Woolsey, former Director of the Central Intelligence Agency

Re:Meaningless ... (3, Insightful)

FriendlyLurker (50431) | about 10 months ago | (#44797409)

Ahh, so Clapper says they only collect the data [1] but do not actually inhale it.

Next you will be trying to convince us all that access to the gathered intelligence data is strictly controlled and only after [secret] court approval [slashdot.org] , for terrorism related reasons only.

[1] Probably because American's have been expelled from various countries various [nytimes.com] times [nytimes.com] for economic spying, so James Clapper cannot very apply the default PR script which is to deny it ever happens... as you are trying to lead us to believe applies in this case... cold fjord.

Re:Meaningless ... (1)

fustakrakich (1673220) | about 10 months ago | (#44797469)

Statement by Director of National Intelligence James R. Clapper...

"What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets..."

Quoting a know liar... You're funny

Re:Meaningless ... (1)

FriendlyLurker (50431) | about 10 months ago | (#44797557)

Even if you believe what Clapper/Woolsey et. all say (and quite frankly who does now after so many lies cover-ups and partial hangouts have been exposed in such quick succession regarding the Snowden leaks?), Edward Snowden walked out with all that data and we only know about it because he went public and was not in it for industrial espionage. How many before him had been doing the same only working for some company or other, we will never know.

Does any country want all their home grown companies data stored at the NSA even if the best case your proposing is "Well, yes the NSA cracks, collects and stores your industrial and economic secrets... but trust us we don't pass that data on to American companies."

Re:Meaningless ... (1)

gmuslera (3436) | about 10 months ago | (#44797853)

Must be the reason why they spied on Petrobras oil firm [reuters.com] . The reason everyone lost their privacy and the trust on internet as a whole is in part that some US oil corporations wanted to steal information on where are oil reserves to other foreing oil companies.

Re:Meaningless ... (1)

gmuslera (3436) | about 10 months ago | (#44797795)

They must spy on their citizens because between US cyber efforts there is a big (foreign) social engineering component, or at the very least there is a big perception on that. Rebels start with the right push to the right people, is the perfect environment to push later a puppet or a trojan horse in the government.

Re:Meaningless ... (5, Interesting)

Xest (935314) | about 10 months ago | (#44796485)

Not really meaningless.

The problem is that the NSA/GCHQ have been farming literally everything that goes in and out of these companies whether it's relevant to their investigations or not. If Google succeed in implementing end-to-end encryption then they wont be able to do this.

Yes you're right they can still walk through the door with a warrant and demand the key but that forces them to be far more targeted in their investigations. It means they have to be able to justify, even if only to a secret court, that the person in question should have a warrant served against their data.

If nothing else that means no more "accidental" gathering of the data of Americans in breach of the 4th amendment. It also means the NSA can no longer rely on GCHQ to gather data on US citizens to bypass the 4th amendment because GCHQ doesn't get to use America's secret courts to serve warrants on US citizens, and nor do we have secret courts in the UK through which it could do it.

So this sort of thing does matter. It matters in that at least the spying they do is all logged down on paper somewhere and has to be justified to at least some degree rather than done automatically against everyone with fuck all oversight.

It's far from perfect, but at least Google are trying to do something and it's better than the current status quo.

Re:Meaningless ... (5, Insightful)

six025 (714064) | about 10 months ago | (#44796591)

It's far from perfect, but at least Google are trying to do something and it's better than the current status quo.

It's an admirable goal, but it comes down to trust. How does Google know, or more importantly how do we know, that someone from the NSA has not embedded themselves in the implementation team in order to weaken the encryption or insert a back door?

At this point it's kinda like introducing time-travel as a plot device to the Star Trek cannon. Once time travel is introduced, absolutely anything is possible. In terms of encryption, hence forth it will be very difficult to trust anything related to computing.

Peace,
Andy.

Re:Meaningless ... (4, Insightful)

Xest (935314) | about 10 months ago | (#44796881)

Agreed but if you're of the opinion that nothing can be trusted anymore so there's no point trying then you might as well just resign yourself to the fact that it's all over, the spy agencies have won and just let all your data be public.

But I think it's still worth fighting, and every little bit of effort no matter how small - such as forcing them to get someone into Google, and getting that person to risk detection puts a lot of extra pressure on these agencies and contrary to popular belief they do not have infinite resources. There are only so many developers they can afford to buy off, only so many spies they can train to plant, and the more they have the more chance there is of one getting caught red handed further embarrassing the shit out of the agencies and their programmes.

The point is simply that there is far more of us, and far fewer of them, and every attempt at frustration no matter how small, every successful encryption attempt that they can't deal with no matter how trivial is something that takes up their relatively limited manpower. Just one person producing a blob of what they deem suspicious or interesting data is potentially enough to take out a number of their analysts for a few days at a time as they try to deal with it.

There are far more people with far more skills capable of producing far more data that frustrates their operations than they can possibly hope to deal with, hence why sitting down crying defeat and doing nothing is exactly what they want. This effort by Google no matter how much of a token gesture is just one simple example of something that has the scope to greatly frustrate the NSA's efforts and if all tech company's and a bunch of individuals to boot followed their lead then it'd have a measurable impact on the ability of their program to perform blanket spying.

Even the requirement to obtain just one warrant is going to take an agent out of the field and into the realm of paperwork for likely a half day or day.

Then at the end of it all, when it turns out that billions are being poured into this program yet the likes of Boston are still happening, there's going to reach a point where someone says "We need to stop funding this white elephant", because that's how politics works.

Re:Meaningless ... (1)

Jawnn (445279) | about 10 months ago | (#44796627)

Yes you're right they can still walk through the door with a warrant and demand the key but that forces them to be far more targeted in their investigations.

Hasn't yet, so WTF are you on about?

Re:Meaningless ... (5, Insightful)

Xest (935314) | about 10 months ago | (#44796653)

You're obviously unaware of what's been going on so I'll give you a brief summary.

The NSA and GCHQ have been spying on absolutely everyone by listening in on and intercepting all data going to and from companies like Google. They haven't been going into these companies with a warrant for everyone, they've been doing all this without a warrant.

If this no longer works such that they're forced to go in with a warrant then that's still forcing them to take an extra costly and time consuming step that they don't take currently.

That's WTF I am on about.

Meaningless if (4, Interesting)

Anonymous Coward | about 10 months ago | (#44796643)

Sure, NSA has been farming Google's queries and emails and all the other stuff unencrypted. And for Google's PRISM link, they need a warrant if its for a USA citizen. (Well at least if they think it is, at least 51%). That means nothing to us non US citizens. (I'm a brit, my countries spy agency even spies on me for the NSA and the politician who signed off on it, William Hague, traitor to his country, is 'Sir William Hague' not 'Traitor William Hague'!).

So Google's encrypting data forces them to get a warrant, well sort of, and only for USA people.

Except NSA has also been getting warrants that let it get the keys to the certs, and also has access to the cert authorities, and it also has backdoors into the encryption itself, making the encryption meaningless. A PR stunt. "Accidental" gathering of American data still continues and for most of the world the same "massive deliberate" capturing of our data, private, political, news, business secrets the lot, continues unabated.

Android is still rooted, MS Phone is still rooted. Google's services are still part of the surveillance machine, willing or not.

It's a token response, but the real solution is to avoid letting your important communications transit the US, or US based services.

I've cancelled VPN's, webservers, Skype, stopped using Google, email has been moved. These are *real* measures that can be taken, not *PR Stunt* measures.

You still believe in fairy tales ? (0)

Anonymous Coward | about 10 months ago | (#44796649)

... If nothing else that means no more "accidental" gathering of the data of Americans in breach of the 4th amendment ...

Oh c'mon, baby, don't tell me that you still believe in the fairy tales they tried to feed us !!

When they walk into Google's office with a warrant, that's the end of it.

It won't be used for a "targeted snooping", but rather, the warrant will be one that requires Google to hand over every-single-thing they have.

It's a secret court, and every-single-thing is clouded under national secrecy. You think them spooks gonna be satisfied with a warrant that asked for snooping on ONE GUY ?

Please man, please wake the fuck up !

The situation we are facing right now is way WAY worse than what George Orwell could ever think of when he wrote "1984".

Yes. Meaningless. (5, Informative)

Cid Highwind (9258) | about 10 months ago | (#44796663)

TFA is pretty short on technical details, but this sounds like it's end-to-end between Google datacenters, not customers. So when the NSA comes a-knocking with the inevitable secret court order to hand over keys, they'll be right back to capturing everything and filtering on the NSA side.

Re:Yes. Meaningless. (2)

Xest (935314) | about 10 months ago | (#44796729)

...and if Google change the keys regularly?

The point is it may be a token gesture but no matter how small it's still going to create a headache for the NSA and still cause them to not be able to gather some data.

Or to put it another way, it's still better than doing nothing.

Re:Yes. Meaningless. (2)

fustakrakich (1673220) | about 10 months ago | (#44797571)

...t's still better than doing nothing.

Ah, you're one of those, eh? Yes, let's play charades. That will make us feel good enough to end any resistance.

Re:Yes. Meaningless. (0)

Anonymous Coward | about 10 months ago | (#44797623)

Doing the wrong thing or a random thing or a fake thing might not be better than doing noting. Just saying.

Re:Meaningless ... (0)

Anonymous Coward | about 10 months ago | (#44796745)

you assume that a warrant is needed. a kindly worded letter is all it takes, unless the company wants to fight an expensive battle in a secret court, and be compelled for national security reasons.

your premise is faulty, your conclusions are as well. Google can't have the keys if you want it better than status quo.

Re:Meaningless ... (2)

chihowa (366380) | about 10 months ago | (#44796963)

It's far from perfect, but at least Google are trying to do something and it's better than the current status quo.

I don't see how this really follows. There is lots that Google could be doing right now, without some new encryption project, that they aren't doing. For example, play around with "openssl s_client" and try connecting to Google's servers. They automatically degrade the cipher used to the weakest cipher that the client will allow (bottoming out at RC4-MD5, it seems). I know that's a fast cipher that has good hardware accelerators available, but they could raise their lower limit or use the strongest common cipher by default.

This just seem like a lot of talk, when their actions don't back it up.

Re:Meaningless ... (1)

Peristaltic (650487) | about 10 months ago | (#44797407)

It's far from perfect, but at least Google are trying to do something and it's better than the current status quo.

In my opinion, it's little more than theater. Turn the map around for a second and look at it from the NSA's side. They have shown absolutely no hesitation to do whatever it takes to access literally everything, and from what I've read, they (or the FBI, or whoever it is that handles their direct interaction with civilians) can be damned intimidating. Do you honestly think that they would allow themselves to be cut out of a datastream as valuable as Google's? If I was them, -I- sure as hell wouldn't. It's not unreasonable to assume that they'll just go deeper and quieter, while Google tells us to pay no attention to the man behind the curtain.

Re:Meaningless ... (1)

fustakrakich (1673220) | about 10 months ago | (#44797513)

It means they have to be able to justify, even if only to a secret court...

No, it doesn't. The secret courts are a rubber stamp and must be abolished unconditionally. We need zero tolerance for this kind of thing.

Re:Meaningless ... (1)

Xest (935314) | about 10 months ago | (#44797711)

If you only deal in absolutes you'll get nothing you want.

I agree that secret courts must go, but I'm quite happy to see other bits of the problem dealt with or frustrated in the meantime. You have to chip away at these things bit by bit, frustrate their efforts and highlight reasons why they're bad, costly, and don't work. If you just sit there and say "Secret courts must go or nothing" then you'll be given nothing.

Is Google allowed to do this? (3, Insightful)

mschaffer (97223) | about 10 months ago | (#44796513)

Is Google even allowed to pursue such an undertaking? What's to stop the NSA from requiring access by design? It's not as if Google could say anything about it if this were the case.

Re:Is Google allowed to do this? (1)

wvmarle (1070040) | about 10 months ago | (#44797259)

As long as Google were true to their case, they'd drop development in such a case (or intentionally stall it, or whatever). With or without stating the true reason.

You mean contradictory (2)

gr8_phk (621180) | about 10 months ago | (#44796543)

Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless. Because when those government agencies can walk in the door with a secret warrant and demand the keys, there is nothing Google can do. The US lawmakers have essentially made crypto in America irrelevant when any party knows the keys.

You mean "any third party". For peoples communication to be "secure" they need to keep a private key and others need to use their public key to send data. This of course blocks Google from reading it as well. This is a problem for Google because they like to have the machines read your email to build a profile for targeted advertising. Using secure crypto not only blocks governments, it blocks Google. Unless their plan is as you suggest where Google has the keys, in which case you are correct that it does nothing to prevent spying.

Re:You mean contradictory (1)

gstoddart (321705) | about 10 months ago | (#44796585)

And I have little reason to believe Google is looking at doing anything but encrypting the traffic, not preventing themselves from being able to see the content.

This could prevent some snooping, but it doesn't fundamentally change the fact that the NSA would just come in and say "OK, put us where it isn't encrypted".

Re:Meaningless ... (1)

intermodal (534361) | about 10 months ago | (#44796553)

If Google delivers what they actually claim to be working on here, that would go a long way toward restoring some of their credibility.

Re:Meaningless ... (1)

Bob9113 (14996) | about 10 months ago | (#44796575)

Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.

From the synopsis:

Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,'

"End-to-End" means Google will not have access to the keys, unless Google is attempting to redefine that term. Here's the definition from Wikipedia [wikipedia.org] :

End-to-end encryption (E2EE) is an uninterrupted protection of the confidentiality and integrity of transmitted data by encoding it at its starting point and decoding it at its destination. It involves encrypting clear (red) data at source with knowledge of the intended recipient, allowing the encrypted (black) data to travel safely through vulnerable channels (e.g. public networks) to its recipient where it can be decrypted (assuming the destination shares the necessary key-variables and algorithms).

It would be pretty bold for Google to claim that something is end-to-end encrypted if they can recover the keys. It would be like saying they're building a new kind of airplane that travels exclusively on the ground.

Re:Meaningless ... (1)

andy.ruddock (821066) | about 10 months ago | (#44797669)

The definition says nothing about who has access to keys, other than to say that the destination requires keys and knowledge of algorithms used.
It's still end-to-end encryption if a third party is responsible for generating keys and handing them out.
Think S/MIME and e-mail, a certificate authority generates keys for users to encrypt mail to each other. The mail is encrypted from end to end, but the keys are controlled by another party.

Re:Meaningless ... (1)

rvw (755107) | about 10 months ago | (#44797783)

Google said it has accelerated efforts to build new encryption software that is impenetrable to the government agencies

Unless Google is going to devise a crypto system they don't have any access to the keys, this is meaningless.

Because when those government agencies can walk in the door with a secret warrant and demand the keys, there is nothing Google can do.

They could setup an independent organisation, funded by them, outside US jurisdiction, like in Iceland, and work from there.

Oh come on! (0)

Anonymous Coward | about 10 months ago | (#44796373)

Google, the very company swinging the door wide open for the NSA, implementing a program to lull people into the illusion that their data is secure. Yeah, like I'd trust anything they'd produce.

They'll never regain the trust of their users, along with Microsoft, Apple and all of the other bend-over-backwards in the US.

Re:Oh come on! (4, Insightful)

jones_supa (887896) | about 10 months ago | (#44796687)

They'll never regain the trust of their users, along with Microsoft, Apple and all of the other bend-over-backwards in the US.

Give it a year or two, and no one will even remember the NSA/Google scandal anymore. Sadly.

Here comes the real test: (3, Interesting)

fuzzyfuzzyfungus (1223518) | about 10 months ago | (#44796393)

For an entity like Google (large, technically sophisticated; but most of their worthwhile data probably count as 'business records' for the purposes of nigh-limitless subpoena-under-cover-of-darkness powers, do the feds really bother sucking on the fiber when they could just flash a badge and get what they want?

If so, actually-working-encryption should create an interesting little jump in the number of information demands (whether they are the kind that Google is allowed to talk about, and whether it will be 'Google received 123,345 demands last year, and only one this year! (The one demand was "We want all of it.") are different questions).

If they already aren't sucking on the fiber because doing it through Legal is easier, this probably isn't bad security practice; but won't really slow the feds down much. They certainly don't have an aversion to genuinely covert behavior; but they also have crazy expansive 'legal' abilities to obtain information (and, especially when paid, often plenty of help from the companies who have the data...)

Re:Here comes the real test: (4, Informative)

bmo (77928) | about 10 months ago | (#44796447)

>do the feds really bother sucking on the fiber

Haven't you been paying attention to the articles here and elsewhere?

They have been.

--
BMO

Re:Here comes the real test: (1)

fuzzyfuzzyfungus (1223518) | about 10 months ago | (#44796673)

I know that they have been in locations that wouldn't be so easily subpoenaed into submission (peering points that focus on cost/bit, not storing data, infrastructure in areas they don't technically have jurisdiction in, etc.); but (as best I can figure out from the poor-to-nebulous description in TFA) this sounds like Google attempting to secure their own LANs/private WANs, and possibly the SSL/TLS connections that users use to access their already-trivially-subpoenaed material on Google's servers). I have not heard reports of the NSA bothering to tap company networks that they can already own by legal means, though I'd be interested to hear any if there are some.

Why would we believe Google twice? (2)

ggraham412 (1492023) | about 10 months ago | (#44796461)

Since Snowden’s leaks about PRISM, Google has been leading the charge for legal rights to disclose information about government requests with users.

I don't see how a new encryption effort helps. Anytime you trust a third party to handle your data in the cloud, you are open to having that data compromised because somebody else codes it, somebody else builds it, somebody else deploys it, somebody else administers it, etc. Many who fell for the charming upstart company with the motto "Don't be evil" the first time around feel burned, and there is no technical solution to that problem.

Re:Why would we believe Google twice? (1)

wvmarle (1070040) | about 10 months ago | (#44797313)

Honestly I doubt Google (and the others) were really voluntarily helping the NSA, because if anything providing data to the NSA means work (and more work to keep it secret), and that costs money. Bad for business.

These taps are generally enforced onto them by the NSA, be it directly or via the courts. The companies directly involved are all American companies - companies in other countries invariably were forced into cooperation by their national secret service (who in turn was "asked" by the NSA).

Re:Why would we believe Google twice? (1)

gl4ss (559668) | about 10 months ago | (#44797715)

Honestly I doubt Google (and the others) were really voluntarily helping the NSA, because if anything providing data to the NSA means work (and more work to keep it secret), and that costs money. Bad for business.

These taps are generally enforced onto them by the NSA, be it directly or via the courts. The companies directly involved are all American companies - companies in other countries invariably were forced into cooperation by their national secret service (who in turn was "asked" by the NSA).

..if it's "voluntary" or not just saves the feds one trip to the judge. it's voluntary in the sense that they help them do it - it's also good business because the government has to pay for their time(it's not a tax, so it's paid for with tax money...), it's very good business also due to the fact that the expenses are not checked by anyone and the government side of the budget is also secret so nobody can really question the expenses....

Skip TFA (5, Insightful)

SirGarlon (845873) | about 10 months ago | (#44796467)

I read TFA, and I wish I hadn't. It's just a fanboi gushing about how awesome Google is.

What it fails to mention is the fundamental tension between developing encryption technology and Google's business model of pervasive surveillance.

Quotations from Google executives such as:

"This is a just a point of personal honor," Grosse said. "It will not happen here."

fail to convince me. I am sure Mr. Grosse means what he says, but his actual ability to follow through on his personal honor is limited. It's the Almighty Dollar that is ultimately calling the shots at Google, or any company.

Re:Skip TFA (0)

Anonymous Coward | about 10 months ago | (#44796581)

But they're going to be switching to encrypted fiber-optic lines, that's an incredible technical feat in itself.

Why believe this? (2)

rumpledoll (716472) | about 10 months ago | (#44796477)

Given that the reports of the Snowden NSA documents indicate that the NSA worked with willing private sector companies, why should anyone believe that this is nothing more than a public relations push by Google? I think Google is trying to restore trust by appearing to be doing something while in fact being just as open and cooperative with the NSA as it has always been. I will believe that there is some pushback by private companies when there are actual public (not secret) court cases brought by the government to force them to do something. Until then I call shenanigans.

"impenetrable to the government agencies" (1)

mschaffer (97223) | about 10 months ago | (#44796491)

Does this include subpoenas and disavowed backdoors for the NSA?
I will believe it when it really gets tested.

Subpoena or National Security Letter or wrench? (2)

sjbe (173966) | about 10 months ago | (#44796527)

Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."

Which is meaningless in the face of a subpoena or national security letter or a a wrench [xkcd.com] . Anything Google does suffers from the problem of trusting a third party. Even if Google's solution were 100% effective technologically, they still are a third party and cannot be trusted 100% to not give the keys out.

Re:Subpoena or National Security Letter or wrench? (1)

Anonymous Coward | about 10 months ago | (#44797677)

Google has not provided details on its new encryption efforts, but did say it would be 'end-to-end,' meaning that all servers and fiber-optic lines involved in delivering information will be encrypted."

Which is meaningless in the face of a subpoena or national security letter or a a wrench [xkcd.com] . Anything Google does suffers from the problem of trusting a third party. Even if Google's solution were 100% effective technologically, they still are a third party and cannot be trusted 100% to not give the keys out.

It is not meaningless.

Currently all data send from a Google data centre (DC) in one part of the world sent to a Google DC in another part is in the clear. Intelligence agencies can "tap glass" and suck down everything without a warrant or any other paper work. By encrypting this inter-DC traffic it forces governments to go to Google and ask for the data.

Yes, they can get a subpoena or NSL without too much trouble, but this forces extra effort and the creation of a paper tray. If all companies encrypted encrypted their traffic, and if all users used encryption (e.g., HTTPS) for everything, this forces these agencies to go to the end points because they can't do trawling of this traffic.

Any extra effort is worthwhile. We're all tiny, but an avalanche is made of many, many tiny snowflakes. If we can work together in concert and all put in a little effort, we can hopefully change the balance of work required to infringe on our privacy to the point that these agencies have to be more focuses in their efforts.

Google is doing their part to help with privacy. Instead of whiny about it why not make some kind of effort to join in the effort. Rosa Parks did the small effort of not standing up and walking to the back of the bus, and look at what that caused. Google is expending much more energy than that, and hopefully it will have ripple effects as well.

Don't Forget... (3, Informative)

gabrieltss (64078) | about 10 months ago | (#44796535)

Let me get this straight (1)

stevez67 (2374822) | about 10 months ago | (#44796557)

It's bad for Google to allow the NSA to mine the data passing through their servers but it's OK for Google to mine that data to spoon feed me ads they deem more relevant so they can charge their advertisers more?

Already Compromised (0)

Anonymous Coward | about 10 months ago | (#44796559)

So let me get this straight....

Google are a party to this whole Prism et al. spying network. They lie in the same bed.
And now they're going to work on new encryption. Yeah, right.

Google are compromised from the word go. Starting from the top three people in the company.

Untrustworthy two-faced liars.

Google, Money, Mouth (5, Interesting)

Greyfox (87712) | about 10 months ago | (#44796565)

If Google wanted to impress me, they'd include a spot to paste a GPG public key in gmail and auto-encrypt all mails with it on the client side for gmail users or at the entry point of their network for all other mail users. As it stands Google is very much part of the problem, not very much part of the solution.

Re: Google, Money, Mouth (0)

Anonymous Coward | about 10 months ago | (#44796779)

There is a chrome plugin now, called Mailvelope, soon for Firefox. Complete gpg in client-side. Not by google, though. Seems to work but as ever, can you get all friends and family to use it?

Re: Google, Money, Mouth (1)

Burz (138833) | about 10 months ago | (#44797291)

There is a chrome plugin now, called Mailvelope, soon for Firefox. Complete gpg in client-side. Not by google, though. Seems to work but as ever, can you get all friends and family to use it?

Regular PGP over email still leaves the message metadata out in the open. The messages have to be transmitted over an anonymized layer using something like I2P-Bote if the who, when, where of the messages is to be secured-- at that point PGP becomes moot.

Re:Google, Money, Mouth (4, Insightful)

CRCulver (715279) | about 10 months ago | (#44796945)

If Google wanted to impress me, they'd include a spot to paste a GPG public key in gmail and auto-encrypt all mails with it on the client side for gmail users or at the entry point of their network for all other mail users.

Auto-encrypting it on the client side would be extremely insecure, because Google or an adversary could inject Javascript code to capture the message while it is still plaintext. The only way to securely use GPG with webmail is to type the message in a text editor, encrypt and only then paste the cipertext into your webbrowser. Ideally people would stop using webmail and go back to dedicated e-mail applications, but the cat's already out of the bag (and even e-mail has been superseded in many people's lives by Facebook messages).

funny, says the company that... (2)

etash (1907284) | about 10 months ago | (#44796569)

uses the obselete since a decade RC4 as the encryption algorithm for its httpS.

First thing I noticed (0)

Anonymous Coward | about 10 months ago | (#44797811)

When the NSA scandals came out and I started actively criticizing the NSA, the first thing I noticed was my Google's default https connection changed to be http. I'm sure it previously switched to https (and my country domain) instead it now switches to unencrypted http.

So now when I visit Google it redirects me to an unencrypted search, instead of the encrypted one. I wonder if that's the experience of everyone? If you type google.com into the URL bar do you get a http: or https connection?

Even if its an error of my memory, it's made me aware that my searches are being logged in a giant database by a crook in a military uniform.

Screening Required (0)

Anonymous Coward | about 10 months ago | (#44796571)

Potential would-be leakers of top secret government data should be required to undergo ongoing in-depth screening tests and at all times should have testicles plugged into a high voltage circuitry that could be immediately switched on for anyone attempting to leak documents.

End to End (2)

jools33 (252092) | about 10 months ago | (#44796583)

You'll be on one end and the NSA is on the other, ready to forward to your intended receiver. Seriously can we still trust google with anything?

ROFLCOPTER (0)

Anonymous Coward | about 10 months ago | (#44796611)

It bet a fiver that its no real encryption. Lock the front door, but the back door is wide open. Literally back door. 1000:1 that the NSA will read all "encrypted" traffic as if it wouldn't be encrypted via a master key or such a weak encryption that it is laughable.

NEVER TRUST GOOGLE. NEVER. NOT ONCE.

This is securing you business..... (1)

Anonymous Coward | about 10 months ago | (#44796655)

Re-secure customer trust, new backdoor provided eventually, that is how it goes!
That is it..... there is no reason to trust them about anything they say.... anyone that knows history and what they did should know this!

keyboard sniffing (0)

Anonymous Coward | about 10 months ago | (#44796777)

Why does this matter if they put wedge layers in all of the OS's and capture plaintext keystrokes?

US Trust is gone (5, Insightful)

EmperorOfCanada (1332175) | about 10 months ago | (#44796857)

I don't think people outside the US really care if US companies use 10,000 bit quantum spiral elliptical gluon encryption with a half twist of lemon. If the NSA comes to those companies with the Open Sesame court orders then it doesn't matter. This is a massive opportunity for non-US companies to say, "We ignore any pressure from the US." Along with their governments to say, "If a local company gives data to the US government then they go to jail." Put these two together and people will start flocking to their service (assuming it is roughly equal to the US one) so create euromail.eu or whatnot and you've got customers.

Right now is the time to have a marketing shtick where you tell people that you spend all day every day thinking up ways to keep the NSA away from their data.

Also this is the time for Linux to strike. The key is that there are two assumptions being made by most people out there. First is that any US company with closed source software has been strong-armed into leaving a back door. Second is that the NSA have broken any common encryption scheme. So if you use the common ones they might as well be plaintext. But if you are able to use opensource obscure encryption schemes then you stand a chance.

Just forget it (0)

Anonymous Coward | about 10 months ago | (#44796863)

d00ds and d00dettes : forget it . totally .
forget about there be ever privacy on the net. it's a washout. the only way we'll ever see a semblance of privacy is by throwing the governments out and putting new people in there that will change the laws and the ways of the country. In other words we need to clean the house and that will never happen.
Forget it , forget about your privacy , you elected the scum to office and they f***** you right up the a**. There's no way out of this , the net is totally compromised there is neither any way to make it even reasonably secure to use. Companies will try to convince you otherwise , but they are the spies opening your mail.
Trust them ? " I wont spy on you , promised " . it's over .. just forget it . .

So they're just starting NOW? (0)

Anonymous Coward | about 10 months ago | (#44797037)

So we are led to believe that up to this point they were writing everything on a postcard and mailing from one server to another?

Why are they suddenly so concerned about people or the NSA reading that postcard?

End to end? (1)

PPH (736903) | about 10 months ago | (#44797179)

So, Google is voluntarily giving up the ability to scan our e-mail for adwords?

Re:End to end? (1)

93 Escort Wagon (326346) | about 10 months ago | (#44797485)

Nope. This doesn't appear to be encryption for the end user at all - just between their own datacenters.

If they wanted to help the end user, they could've incorporated a GnuPG plugin into Gmail years ago.

Re:End to end? (1)

andy.ruddock (821066) | about 10 months ago | (#44797701)

Whereas they actually changed their APIs so frequently that the author of the one good plugin (FireGPG) gave up.

Consequences for the Internet at large (4, Insightful)

wvmarle (1070040) | about 10 months ago | (#44797433)

I wonder what the consequences could be for the Internet at large.

Apparently there are backdoors in popular encryption software programs. That in itself should be alarming: if the NSA knows about it, who says the underworld hasn't found out about it already? Or is now directly searching for backdoors, knowing that they exist?

The NSA is after your privacy - which is a very bad thing, but something that doesn't hit most people directly.

Cybercriminals are usually after your money. If encryption is not secure, they can easily start listening in on credit card transactions done "securely" over HTTPS.

They can also start to intercept financial orders, decrypt them, alter them (i.e. payment redirected to another recipient, while still sending the intended recipient a "transaction accepted" reply), and sending them on correctly encrypted so the payment processor is none the wiser; after all it's encrypted so it's true. And it's going to be really hard for the intended recipient to file a complaint.

It won't be the end of the Internet as we know it, but there are some serious considerations to make.

Smoke... (0)

Anonymous Coward | about 10 months ago | (#44797591)

Without actual concrete... well *anything*, we can't ascertain how useful/useless their situation is.

By and large, existing cryptographic schemes and protocols are also resilient against government surveillance. The fundamental problem is that one of the 'trusted' parties is generally not to be trusted. It's actually remarkably similar to why DRM is an utterly unfeasible beast if the consumer is really set on compromising the 'protection'. Cryptography allows Alice and Bob to talk without Carol being able to snoop. But if Bob and Carol are working together, there is no scheme that allows Alice to safely talk to Bob. This is the 'compromise' NSA has achieved, not some technical feat, and one that cannot be effectively mitigated by technical advances beyond what is currently available. This is about behavioral/procedural issues, not cryptographic ones at this point.

Right... (0)

Anonymous Coward | about 10 months ago | (#44797673)

Because Google can be trusted.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...