Google To Encrypt All Keyword Searches

Soulskill posted about 6 months ago | from the did-you-mean-*8ahd2$-#-I3oEf7? dept.


Hugh Pickens DOT Com writes "Danny Sullivan reports that in the past month, Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity. In October 2011, Google began encrypting searches for anyone who was logged into Google. The reason given was privacy. Now, Google has flipped on encryption for people who aren't even signed-in. In June, Google was accused of cooperating with the NSA to give the agency instant and direct access to its search data through the PRISM spying program, something the company has strongly denied. 'I suspect the increased encryption is related to Google's NSA-pushback,' writes Sullivan. 'It may also help ease pressure Google's feeling from tiny players like Duck Duck Go making a "secure search" growth pitch to the media.'"

224 comments

Illusion of privacy (5, Insightful)

NoImNotNineVolt (832851) | about 6 months ago | (#44941143)

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.
Too little, too late. Way too late.

Re:Illusion of privacy (5, Insightful)

geek (5680) | about 6 months ago | (#44941315)

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.

Too little, too late. Way too late.

Google has been very adamant that the NSA does not have access to their servers. I don't know if I believe them or not but that is the premise Google is working off of.

It also means nothing when they kowtow to the national security letters like they do.

Re:Illusion of privacy (4, Insightful)

thetoadwarrior (1268702) | about 6 months ago | (#44941407)

Doesn't really matter. If they're encrypting it then they can decrypt it so if the NSA wants it then they'll have it.

Re:Illusion of privacy (2, Insightful)

dreamchaser (49529) | about 6 months ago | (#44941489)

Not to mention that the NSA probably has backdoors at most major ISPs and can man-in-the-middle decrypt anything they want. As another poster said, it's more or less over.

Re:Illusion of privacy (2, Insightful)

LordLimecat (1103839) | about 6 months ago | (#44941549)

I don't think you understand how SSL works. Its entire purpose is to defeat MITM.

Re:Illusion of privacy (3, Informative)

dreamchaser (49529) | about 6 months ago | (#44941565)

I understand how it works, and there are plenty of devices that do exactly that with SSL traffic. If they can intercept the traffic and have compromised the certificates, which is certainly possible if not definite, they can decrypt it without the user ever knowing. There are even commercial devices that do exactly that.

Re:Illusion of privacy (4, Informative)

jafiwam (310805) | about 6 months ago | (#44941605)

I don't think you understand how SSL works. Its entire purpose is to defeat MITM.

And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

Re:Illusion of privacy (2, Insightful)

Anonymous Coward | about 6 months ago | (#44942047)

If you want your traffic encrypted, you need to generate your own certificates using software you compiled on multiple independent compilers to counter "trusting trust" after you reviewed the code.

Re:Illusion of privacy (4, Informative)

icebike (68054) | about 6 months ago | (#44942091)

I don't think you understand how SSL works. Its entire purpose is to defeat MITM.

And YOU don't understand what would happen if "the man" in the middle has access to the certificates, either the masters or the actual certificates themselves.

Do you really think "mysecretdomain.com" certificate from shitty ass low cost certificate provider doesn't have a duplicate key on file at Comodo, Network Solutions, GoDaddy or TwoCows or whatever?

They don't have to brute force or hack anything if they have an appliance in the middle that automatically grabs the certificate from the certificate issuer and spoofs both sides of the connection.

If you want your traffic encrypted, you need to generate your own certificates using software you compiled after you reviewed the code.

Was going to post exactly this!

But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.

Google publishes its own certificate. I don't think it's signed by anyone but Google, a sign they have totally given up on corrupt certification companies.
They also have changed it occasionally. I notice this when my more selective operating systems prompt me to accept new certificates for some Google Services, that they were happy to use yesterday. (These are always sort of scary events that warrant close inspection).

Re:Illusion of privacy (2, Insightful)

Jah-Wren Ryel (80510) | about 6 months ago | (#44942357)

But to further the point, it is strongly suspected that SSL is already broken by the NSA, and having certificates is no longer necessary.

That is outright false. I challenge you to provide a citation to a reasonably authoritative site saying that - basically anybody who isn't a kook. You can't.

The best you can come up with is that RSA-1024 is easy enough to brute-force with modern equipment. But moving to RSA-2048, as google has already done, [blogspot.com] still provides very strong protection.

Re:Illusion of privacy (2)

headhot (137860) | about 6 months ago | (#44942499)

If the RNG that the RSA encryption is based on is compromised, the encryption is compromised.

Re:Illusion of privacy (1)

Anonymous Coward | about 6 months ago | (#44942755)

Only RSA used that PRNG. It was suspicious in origin and orders of magnitude slower. There was no compelling reason for anyone to use it.

Also something everyone on this seems to be missing is that SSL certificates are generated by the certificate holder on their local machine, NOT the Certificate Authority's. The CA never gets the private key half of the certificate; it never leaves the control of the owner.
That being said, a CA could generate a new certificate for the domain, but it would not be the same certificate. Software like certificate-patrol for Firefox would explode with a suspicious change alert. If you are paranoid you can do certificate pinning, or just verify the chain yourself by opening the info box in your browser.

The only difference between a self-signed certificate and a CA-signed one is who is vouching for it being held by the rightful owner of the domain. In both cases the private part is handled the same way and CAs are never getting anything other than the public part of the certificate (e.g. the same part given out to every client connecting to the server).
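An added example, not part of the thread or any commenter's code: a small Python model of the two checks argued over above, the browser's "any trusted CA will do" acceptance rule and a Certificate Patrol-style first-seen pin on the site's public key. The `Cert` type, CA names, host name and key bytes are constructed stand-ins, not real X.509 data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate holding only the fields these checks need."""
    host: str    # name the certificate was issued for
    issuer: str  # CA that signed it
    spki: bytes  # stand-in for the DER-encoded public key (SubjectPublicKeyInfo)


def spki_pin(cert: Cert) -> str:
    """Pin value: SHA-256 over the public key, so a same-key renewal keeps its pin."""
    return hashlib.sha256(cert.spki).hexdigest()


def ca_model_accepts(cert: Cert, host: str, trusted_cas: set) -> bool:
    """The plain CA rule: the name matches and *some* trusted CA signed it.
    Which CA signed it, and whether it changed since yesterday, is not considered."""
    return cert.host == host and cert.issuer in trusted_cas


class PinStore:
    """Trust-on-first-use store: remembers the key and issuer first seen per host."""

    def __init__(self):
        self._seen = {}  # host -> (pin, issuer)

    def check(self, cert: Cert) -> str:
        pin = spki_pin(cert)
        previous = self._seen.get(cert.host)
        if previous is None:
            self._seen[cert.host] = (pin, cert.issuer)
            return "first-seen"
        prev_pin, prev_issuer = previous
        if pin != prev_pin:
            # A certificate issued to anyone but the key holder necessarily
            # carries a different public key. Keep the old pin and alert.
            return "ALERT: key changed"
        if cert.issuer != prev_issuer:
            # Same key re-certified by another CA: unusual but consistent
            # with the site owner switching providers.
            self._seen[cert.host] = (pin, cert.issuer)
            return "notice: issuer changed, same key"
        return "match"


# Constructed sample data (assumptions for illustration only).
TRUSTED_CAS = {"Example CA One", "Example CA Two"}
HOST = "search.example"


def demo():
    """Return (CA-model verdict, pin verdict) for four successive connections."""
    original = Cert(HOST, "Example CA One", b"site-owner-public-key")
    reissued = Cert(HOST, "Example CA Two", b"site-owner-public-key")
    substituted = Cert(HOST, "Example CA Two", b"different-public-key")
    store = PinStore()
    return [
        (ca_model_accepts(c, HOST, TRUSTED_CAS), store.check(c))
        for c in (original, original, reissued, substituted)
    ]


if __name__ == "__main__":
    for ca_ok, pin_result in demo():
        print(f"CA model accepts: {ca_ok!s:5}  pin check: {pin_result}")
```

All four connections pass the CA rule; only the pin check separates the substituted key from a routine renewal.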

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44941697)

You mean eavesdropping, not MitM. SSL by itself does not defeat MitM - in fact, MitM is the most straightforward way to attack SSL. The popular way to prevent this is to use certificates verified by a CA.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44941731)

SSL's biggest problem is that it has three trust levels:

100% trust.
No trust.
100% distrust.

These trust levels are forced on you. If you use an iPhone, either you trust what Apple trusts, or you don't use the device. Same with Android unless you cook your own ROM. In fact, you don't even know what CAs are on your phone most likely, nor be able to find out.

In recent years, there have been a number of CA compromises. A compromised CA and a packet sniffer that can watch the key exchange can completely compromise SSL.

If you want a proof of concept, BlueCoat will be happy to sell you a device that decrypts and logs all SSL transactions (it does this by forcing people on one side to use its SSL CA or else it won't allow the SSL transaction to complete.)

Re:Illusion of privacy (1)

icebike (68054) | about 6 months ago | (#44942287)

These trust levels are forced on you. If you use an iPhone, either you trust what Apple trusts, or you don't use the device. Same with Android unless you cook your own ROM. In fact, you don't even know what CAs are on your phone most likely, nor be able to find out.

In my phone, under Settings / Security I find an entry called Trusted Credentials

It's divided into two categories, System and User. (There are no user certs, but you can add them).

There are a boat load of certs in there on the system side. Including Microsoft, every Cert company you've (n)ever heard of.

Who knows what might be lurking. (There is one listed as "Government Root Certificate Authority". Apparently something out of Taiwan, but it has no CN or OU).

Who's to say there aren't a few more hidden from this list.
I can disable any of these that I want. I suppose I could disable all of them.

Re:Illusion of privacy (4, Interesting)

usuallylost (2468686) | about 6 months ago | (#44941797)

Do not put too much confidence in SSL. I have tested several firewall products that allow corporations to decrypt SSL traffic coming into their networks. Basically all they need is the ability to put a trusted cert on the machine and force you to use a proxy. On a lot of corporate networks your SSL traffic is being decrypted and scanned. My guess is the NSA can do the same thing to you pretty much anytime they want.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44942785)

The NSA can do this only if they have a trusted CA in your browser. Odds are they do.

That being said, the NSA doing that would be anything but silent. The SSL Observatory or local software like Certificate Patrol will see it and raise alarms. CAs cannot hide which CA signed the certificate or the fingerprint of the certificate that was signed. Swapping certificates is very visible if one just looks at the info shown in their browser. This is how DigiNotar was exposed. Various people and organizations around the world saw that certificates being used, while "trusted", were not the expected ones for Google.

Re:Illusion of privacy (1)

interval1066 (668936) | about 6 months ago | (#44942391)

I guess the point is Google isn't giving them, or anyone else, an open door to its users' activities. It may not mean much, but it's going to play well in the press. Which is the whole point, isn't it?

Re:Illusion of privacy (1)

skribe (26534) | about 6 months ago | (#44942443)

It depends. If Google has managed to implement one of the theoretical crypto magic solutions they may not need to decrypt to return a valid search result.

Re:Illusion of privacy (1)

gagol (583737) | about 6 months ago | (#44941499)

They may not agree with it, or even be aware of it, but it still is a very string possibility.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44942055)

I'm knot seeing how your comment ties in to all this.

Re:Illusion of privacy (3, Insightful)

AlphaWolf_HK (692722) | about 6 months ago | (#44941555)

Even if Google wanted to tell you that the NSA has access to their servers, knowing full well it would kill their bottom line (assuming it would), they'd be forbidden from telling you the truth anyways.

That's actually the scariest thing.

Re:Illusion of privacy (4, Insightful)

swillden (191260) | about 6 months ago | (#44942323)

Even if Google wanted to tell you that the NSA has access to their servers, knowing full well it would kill their bottom line (assuming it would), they'd be forbidden from telling you the truth anyways.

True... but I'm not so certain that they could be compelled to lie. When I look at the pattern of public statements and later revisions from all of the big players (telcos and tech companies), I don't see a single case of anyone actually contradicting an earlier statement. It seems to me that they've all been careful to tell the truth, though they've often been careful about how much truth they've told. Government agencies have been caught lying, but they don't have the same legal requirements to citizens as publicly-traded companies have to shareholders.

Based on that, and on my viewpoint as a Google employee who builds some of the internal security systems that the NSA would have to compromise to snoop, I am completely convinced that Google is telling the truth when it says that it has not given the NSA any sort of direct or indirect access. I'm not certain that the NSA hasn't managed to insert snooping equipment into Google data centers or on Google fiber lines without Google's knowledge. But that's why Google is making a push to get everything encrypted, internally and externally.

Just to quiet the obvious retort: Yes, I know that won't prevent the government from serving Google with warrants and NSLs and obtaining user data that way. But if they have to do it through the front door, with a request that satisfies Google's attorneys with respect to its propriety and narrow scope, then I think we (as a society) have a much more manageable problem. Still a problem, but one that can be addressed with legislation and better oversight. If the NSA is silently devouring the whole Google data stream... that's an entirely different kettle of fish.

Re:Illusion of privacy (1)

icebike (68054) | about 6 months ago | (#44942351)

How many Google Employees can the Federal Prisons hold?

I'd like to see the entire Board of Directors, All corporate officers, and All top and Middle management employees and Directors from each of their world wide offices come out on the steps of their headquarters and issue a statement with published facts, naming explicit government employees and the orders they gave.

Just call the Government's bluff. And do the same for China while they are at it.

Then demand jury trials, and watch how fast they get acquitted.

Re:Illusion of privacy (1)

Seumas (6865) | about 6 months ago | (#44941835)

When your executives are so flippant about privacy issues (hello, Schmidt!), it's hard to take them at their word.

When their actions match their words, I'll take it.

Re:Illusion of privacy (1)

sexconker (1179573) | about 6 months ago | (#44941859)

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.

Too little, too late. Way too late.

Google has been very adamant that the NSA does not have access to their servers. I don't know if I believe them or not but that is the premise Google is working off of.

It also means nothing when they kowtow to the national security letters like they do.

1: The NSA doesn't need access to Google's servers. They can MITM any connection that touches a major telco.

2: Google wouldn't even know if the NSA did have access to their servers. NSA has hardware-level backdoors in CPUs, NICs, etc., and of course they also employ meat-level espionage to get people on the inside.

So even if you took Google's statements as honest, they'd be worthless.

Re:Illusion of privacy (2)

X0563511 (793323) | about 6 months ago | (#44941977)

The NSA doesn't have to have access to the servers if all network traffic is also sent into the NSA's special rack...

Back when I worked in a hosting center the FBI had a little group of machines that were theirs and we were hands-off. Our network admin would occasionally get requests to have traffic to/from particular IPs routed to their "playpen" and he would comply - while this meant they got everything they wanted, nobody was granted any access to someone's server.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44941381)

The only consolation I can think of is that the NSA has to ask google. That means hopefully we'll get an independent accounting from google of how many requests there are. With unencrypted traffic the NSA can just gather up the unencrypted data stream anywhere in between. No one needs to ever know how much that is, not even google, and the NSA is only accountable to itself and the rubber-stamp FISA court for it.

You are right that the change doesn't make nefarious activities any safer from legitimate/legal requests to google (which I have no problem with, if there are individual court-approved warrants rather than blanket ones), but it would limit the casual and invisible "get everything without even having to ask" approach. It's not worth much, I agree, but I suppose that's something because it forces the NSA or anyone else to go through proper channels to get the access rather than just taking it with no one to question the legality except the (already complicit) phone companies.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44941445)

I can't blame Google if and when U.S. is going to use the military/police on them colonialize their servers!

Re:Illusion of privacy (1)

abroadwin (1273704) | about 6 months ago | (#44941495)

I consider any machine I don't control unsafe, especially servers run by any corporation. Machines I do control are still suspect. At this point the only guarantee is the one that the government has long known to be the best option... air gap. Even that isn't 100%, as evidenced by ip/thumbdrive as with stuxnet, but it's the only way you can consider something private.

Re:Illusion of privacy (1)

vadim_t (324782) | about 6 months ago | (#44941575)

The important thing isn't Google's servers, but the Certificate Authorities.

All that the NSA has to do is to get some CA to emit certificates for Google's domains. Then they can easily place themselves as a man in the middle, and the user won't notice.

No access to Google's servers necessary, then.

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44942019)

You are wrong. The CA does not hold the private key. Common misunderstanding of their purpose.

Re:Illusion of privacy (2)

vadim_t (324782) | about 6 months ago | (#44942325)

It's got nothing to do with the private key.

NSA goes to Verisign (for instance). Says "please sign our key for google.com". Verisign signs it. NSA intercepts traffic between google.com and you. Browser deems cert as valid, as Verisign signed it, and you seem to be connecting to google.com.

The CA system is weak because so long as the connection is signed by a CA in the browser's list, the browser doesn't care which it is, even if it changes on a daily basis. If you can convince any CA in the list to sign what you need, you have a way to set up a MITM attack the browser won't warn you about.

Plus Five (0)

Anonymous Coward | about 6 months ago | (#44942137)

Encrypting the connection between Google and the users isn't going to accomplish anything when the NSA already has full access to Google's servers.

Too little, too late. Way too late.

Plus five on this. Furthermore, Google is trying to make you feel like your searches are private, not recorded and fed to advertisers.

'Ooh, I'm safe because the channel between me and the WORST PRIVACY OFFENDER, outside of Facebook, is encrypted by a technology that recent stories say might be broken by the NSA.'

Re:Illusion of privacy (0)

Anonymous Coward | about 6 months ago | (#44942421)

This sucks, should I stop advertising on the internet then?

Any different from https://google.com ? (3, Insightful)

Valdrax (32670) | about 6 months ago | (#44941159)

How is this different from just using HTTPS Everywhere or typing https://google.com/ [google.com] into the URL bar?

Re:Any different from https://google.com ? (0)

Anonymous Coward | about 6 months ago | (#44941415)

It happens automatically for everyone, without installing a plugin or typing the extra "https://".

Seriously, at least read the damn summary.

Re:Any different from https://google.com ? (1)

Valdrax (32670) | about 6 months ago | (#44942435)

Neither you nor the summary answers my question: Does it do anything different from doing that and provide any extra security?

Re:Any different from https://google.com ? (1)

odie5533 (989896) | about 6 months ago | (#44942511)

Does it implement asymmetric cryptography in JavaScript on the client? No, but it should.

Re:Any different from https://google.com ? (1)

ArcadeMan (2766669) | about 6 months ago | (#44941487)

Nobody types "google" in the URL bar these days, the URL bar sends your search requests directly to Google/Yahoo!/Bing/etc.

Re:Any different from https://google.com ? (0)

Anonymous Coward | about 6 months ago | (#44941795)

I removed Google from my search and bookmarks in favor of another engine after the NSA surveillance news. Occasionally I use it for a search that doesn't work elsewhere, or images or maps. Then I type "google.com" into the address bar. This helps me avoid it unless I really explicitly want it.

Dumb question ... (0)

Anonymous Coward | about 6 months ago | (#44941183)

So even if Google encrypts all keyword searches, what's to prevent the NSA from pulling an MiTM? Isn't this really just one big false sense of security?

If the goal is to provide privacy for end users in day-to-day browsing from onlookers on a private network or WiFi, I can see this making some sense. To prevent NSA snooping. Not so much.

Re:Dumb question ... (1)

Agent ME (1411269) | about 6 months ago | (#44941353)

NSA would need a CA under their control, and MITM requires a bit more hardware than their mass-eavesdropping setups. It's a lot of effort to go through when they already "ask" Google for access to their servers.

Re:Dumb question ... (0)

Anonymous Coward | about 6 months ago | (#44941417)

So even if Google encrypts all keyword searches, what's to prevent the NSA from pulling an MiTM? Isn't this really just one big false sense of security?

If the goal is to provide privacy for end users in day-to-day browsing from onlookers on a private network or WiFi, I can see this making some sense. To prevent NSA snooping. Not so much.

Man in The Middle attacks are exactly what this encryption protects against.

What it does not protect against is law enforcement going to Google and saying "will you please give us the data we want" to which Google will most likely say "here you go officer". Nor does it protect against someone pretending to be Google with a look alike site (phishing), or the classic $5 wrench vulnerability.

As a professor of mine used to say: "Using encryption on the Internet is like transporting money between a guy on a bench and a child's lemonade stand via armored car."

Power Implications (4, Interesting)

Anonymous Coward | about 6 months ago | (#44941213)

I'm highly interested in the power consumption implications of this move. I remember reading somewhere that Facebook faced a nontrivial increase in power usage when they switched to https for everything, and for a website like Google, those extra cycles are definitely going to add up.

Anyone from a data center care to comment on this?

Re:Power Implications (0)

Anonymous Coward | about 6 months ago | (#44941483)

Encryption adds very little to the power consumption usage - a hell of a lot less than running javascript or a single popup ad - even an embedded ad.

Re:Power Implications (5, Informative)

Anonymous Coward | about 6 months ago | (#44941491)

According to one of the head Google staffers responsible for their SSL/TLS operations, it's pretty much a non-issue: https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

It basically ended up adding less than 1% to the CPU overhead for their servers, didn't require special hardware, and didn't involve any new systems.

Re:Power Implications (0)

Anonymous Coward | about 6 months ago | (#44941821)

I'm running several servers that do SSL/TLS. They all got hardware AES crypto modules embedded in the processor, which means encryption flows through like it never existed. As mentioned before, the required CPU resources really are trivial, especially compared to the gains.

These days I force encryption on all of my hosted websites. A lot of people ask 'why do it?' when in fact they should be asking 'why not do it?'.

Re:Power Implications (0)

Anonymous Coward | about 6 months ago | (#44941925)

Yes, the 1990's called and we bought a second Pentium III to offload all those extra cycles. Disaster averted.

Too Late Google... (0)

Anonymous Coward | about 6 months ago | (#44941217)

Too Late Google, Trust is like a Mirror, Once Broken, It can Never Be as it Once Was...

no one will trust any corporate web again (0)

Anonymous Coward | about 6 months ago | (#44941235)

sorry, ya blew it!

And this will protect exactly nothing (0)

Anonymous Coward | about 6 months ago | (#44941241)

And how this will protect privacy.
Google knows it. NSA shows up at the doors, or dedicated link and gets what it wants.
This may protect against ISP, and other than NSA organizations from getting your searches by old-fashioned wiretapping.

One down... (5, Insightful)

93 Escort Wagon (326346) | about 6 months ago | (#44941243)

Thing about DuckDuckGo is... they promise I'm anonymous to them. There's value in that, at least to me.

Google's move is certainly welcome, but all it means is - going forward - only Google will be collecting my information as opposed to Google + NSA.

Re:One down... (0)

Anonymous Coward | about 6 months ago | (#44941455)

Advertisers also promise to voluntarily respect the do not track flag too. So what?

DuckDuckGo can promise whatever they like. And they are required to lie about their promise under court order, just like everyone else.

Re:One down... (0)

Anonymous Coward | about 6 months ago | (#44941473)

DuckDuckGo does not use their own hardware, so the NSA can retrieve your records by monitoring their hosting service, which includes extracting their private keys. DuckDuckGo provides no more protection from NSA spying than any other service.

Re:One down... (1)

dcollins (135727) | about 6 months ago | (#44941879)

As others have said, the NSA documents say they have access to Google's servers. Encrypting the connection between the user and Google doesn't change that, right? Very puzzling.

Re:One down... (1)

swillden (191260) | about 6 months ago | (#44942337)

As others have said, the NSA documents say they have access to Google's servers.

No, they don't. The PRISM slides were extremely vague about how the data was collected; the idea that they have direct access is speculation which Google has consistently and clearly denied. And it's worth noting that they claimed they started getting data from Google back before Google went SSL for nearly everything.

Re:One down... (0)

Anonymous Coward | about 6 months ago | (#44941969)

How is this not modded 5, Funny. They promise?

Re:One down... (2)

ortholattice (175065) | about 6 months ago | (#44941993)

Doesn't DuckDuckGo have US servers? I would trust ixquick.com more.

Re:One down... (0)

Anonymous Coward | about 6 months ago | (#44942229)

Yes, based in the US and yet advertising that they keep you anonymous.
I do not believe them for a second. The NSA would be on their ass like it was for secure email services based in the US.

I wonder if they're a honeypot?

Bullshit PR is Bullshit (5, Insightful)

Guppy06 (410832) | about 6 months ago | (#44941253)

Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity.

What would encryption do when the NSA has access to the servers?

'I suspect the increased encryption is related to Google's NSA-pushback,'

Except that pushback itself is also pure political theater. Funny how these court challenges only started happening when stuff started to become public.

Google has made their bed. Let them lie in it.

Re:Bullshit PR is Bullshit (2, Informative)

Anonymous Coward | about 6 months ago | (#44941537)

STFU and do your research,

>Funny how these court challenges only started happening when stuff started to become public.

https://www.eff.org/who-has-your-back-2013

Why don't you read about the companies that were pushing back before this even got announced. There are similar tables for 2012 and 2011. You'll note that Google was up there, but few others were.

The moderators need to be sacked again... And by sacked, I also mean "kicked in the balls".

Re:Bullshit PR is Bullshit (1)

Guppy06 (410832) | about 6 months ago | (#44941679)

STFU and do your research,

Your source (emphasis mine):

In the category of protecting user privacy in the courts, Google deserves special recognition this year for challenging a National Security Letter.

My source [theguardian.com] :

No telecommunications company has ever challenged the secretive Foreign Intelligence Surveillance court's orders for bulk phone records under the Patriot Act, the court revealed on Tuesday.

Now, do you want to split hairs and argue that "maybe Google isn't a 'telecommunications company'" or "maybe the orders they got weren't for 'bulk phone records'," or do you want to maybe acknowledge that the industry in the US doesn't give a flying fuck if nobody is looking (or is even allowed to look)?

Re:Bullshit PR is Bullshit (2)

Seumas (6865) | about 6 months ago | (#44941919)

The whole Google/Yahoo/Facebook/Whoever + NSA thing is like this:

You're making out with a chick that is maybe not so hot. You're having a good time and you're both getting your rocks off, but you wouldn't want your friends and family to catch you.

One day, your buddies drop on by early and catch you mac'n on said girl. Startled, you push her away and are very vocally all "eeew yuck! Get off me! what are you doing?!" and telling your friends (who keep teasing you about it for the next month) about how you two totally were not making out and how you totally are not into her and you didn't want to make out with her and would never do so in a million years.

But you go back to making out with her, anyway. You're just way more careful about making sure you don't get caught.

Re:Bullshit PR is Bullshit (0)

Anonymous Coward | about 6 months ago | (#44942331)

One day, your buddies drop on by early and catch you mac'n on said girl. Startled, you push her away and are very vocally all "eeew yuck! Get off me! what are you doing?!" and telling your friends (who keep teasing you about it for the next month) about how you two totally were not making out and how you totally are not into her and you didn't want to make out with her and would never do so in a million years.

man up.

Re:Bullshit PR is Bullshit (1)

swillden (191260) | about 6 months ago | (#44942405)

Google has quietly made a change aimed at encrypting all search activity to provide 'extra protection' for searchers, and possibly to block NSA spying activity.

What would encryption do when the NSA has access to the servers?

Nothing, if they have access to the servers, which Google denies giving them, and which none of Snowden's documents have claimed. The documents only said that they were getting Google data, not how, and they say the take started back before Google went SSL for nearly everything, which may be a clue as to how they were getting the data. Or maybe the NSA managed to sneak some hardware in to get it on the sly; that possibility is why Google has accelerated their plans to encrypt all internal traffic as well.

Given what I know about the incredibly flexible and dynamic nature of servers in Google's data centers (I work for Google), I think it would be virtually impossible to snoop at the machine level without actual support being built into the system, and given what I know about Google employees, that is virtually impossible. I think any data the NSA is getting (without legal due process) has to be network traffic, and encrypting all of the traffic will shut that off.

Magicians Have A Phrase For This (0)

CanHasDIY (1672858) | about 6 months ago | (#44941257)

It's called "sleight of hand" [wikipedia.org]

All the same spying equipment is still in use, except now Google has them stuffed up their sleeves instead of in their hands.

Different reason cited in TFA (3, Informative)

dkleinsc (563838) | about 6 months ago | (#44941263)

Google may be doing this not for privacy reasons at all, but because they intend to sell the exclusive organic click information and don't want third parties having access to the same information they have about those clicks.

Better than nothing, I suppose. (2)

gallondr00nk (868673) | about 6 months ago | (#44941269)

Still, half of the reason to use Duck Duck Go or some other privacy oriented search engine is not just HTTPS but the fact they don't feed everything you search for into an enormous data mining effort.

Anyway, doesn't the alleged NSA backdoor into Google as part of the PRISM program make any supposed "anti-NSA" stance a completely empty gesture?

The intense backtracking that the PRISM providers have done since the revelations seems very disingenuous.

Re:Better than nothing, I suppose. (1)

PRMan (959735) | about 6 months ago | (#44941687)

Google claims they have only responded to warrants and NSLs and would be really happy to show you the numbers, but NSA won't let them. Based on their continued statements to this effect, I think I believe them.

DuckDuckGo but even then (0)

WillAffleckUW (858324) | about 6 months ago | (#44941287)

Look, the actual encryption itself already has an NSA backdoor, both on the sender (you) and receiver end (Google).

Not including the chipset traps built into the waypoints.

This is just so you don't feel like gullible trusting fools while the NSA steals your copyrighted information without a court order permitting it to quarter troops (NSA bots) in your house (mobile device, home computer, game console).

But you'll still be gullible trusting fools.

The main reason they did this was the recent hack attacks, actually.

Re:DuckDuckGo but even then (0)

Anonymous Coward | about 6 months ago | (#44941481)

DuckDuckGo in the subject, but not even a related word in the content. Is this google story just a setup for DuckDuckGo advertising?

Re:DuckDuckGo but even then (1)

WillAffleckUW (858324) | about 6 months ago | (#44941611)

Good question. We only have their word for it that they don't have the backdoors that we know that Google does, but in reality the letter they are presented with does not allow them to admit or even talk about what the NSA or other agency forced them to do.

You'd still be insecure on the client end, of course, and all the hops, since the keys have backdoors.

Market signals are only as strong as the investors noting shifts of users think they are.

It's a joke (0)

Anonymous Coward | about 6 months ago | (#44941291)

Google is already making my searches https, which is a cruel joke. Google and the NSA have the search on the other side of that https. All it does is make my CPU run hotter. I wonder if Intel asked them to do that.

Too little too late (2)

intermodal (534361) | about 6 months ago | (#44941309)

I've switched to https/ssl DDG, and am much more comfortable searching there because I know that my Google account - which has tentacles everywhere - is not going to magically forget my "don't track my browsing history" setting. The idea that Google could still store the search and connect it to my account is a problem.

Re:Too little too late (1)

ubrgeek (679399) | about 6 months ago | (#44941391)

With one of the earlier stories this week there was talk that NSA had gotten "involved" with the standards-setting working groups. I'm confused how any encryption Google's using wouldn't/couldn't be affected by that. Is there any "guarantee" that they haven't been able to insert something into the technology behind PFS?

Re:Too little too late (2)

intermodal (534361) | about 6 months ago | (#44941463)

It's crazy to me that I'm left thinking how much better off we were when we had pre-Microsoft hotmail and geocities, all from public terminals. I was basically untraceable, as I didn't even have Internet at home. At best, they could have come up with a city...if the hosts even had enough storage devoted to logs for that data to even exist.

window dressing (0)

Anonymous Coward | about 6 months ago | (#44941335)

So what are Google going to do when the NSA come to them and demand that they decrypt that data? Unless they commit themselves to giving the spooks the finger then this reassurance is worthless.

ixquick (0)

Anonymous Coward | about 6 months ago | (#44941363)

ixquick already does that with google without any login.

Keyword$ on AdWords (1)

michaelmalak (91262) | about 6 months ago | (#44941443)

The cynical amongst web analytics professionals accuse Google of hiding organic keyword searches from website operators in order to force them into paying for AdWords with its paid keywords.

Re:Keyword$ on AdWords (1)

mackil (668039) | about 6 months ago | (#44942141)

The cynical amongst web analytics professionals accuse Google of hiding organic keyword searches from website operators in order to force them into paying for AdWords with its paid keywords.

I was wondering this myself, as someone who is very annoyed with the "(not provided)" entry in my Keywords list in Analytics. I know, hardly a big deal in the grand scheme. Call me selfish.
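Where the "(not provided)" keyword entry discussed above comes from, as an added example that is not part of the thread: a site's keyword report is built from the `q` parameter of the Referer header, and a referral from encrypted search arrives without it. The Referer values are constructed samples and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Referer header values (not real traffic).
SAMPLE_REFERERS = [
    "http://www.google.com/search?q=tls+forward+secrecy&hl=en",  # plain-HTTP search
    "https://www.google.com/",                                   # encrypted search, no query
    "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web", # redirect with empty q
    "http://example.org/links.html",                             # ordinary inbound link
    "",                                                          # no Referer sent at all
]


def classify_referer(referer):
    """Return (source, keywords) the way a site operator's log analysis sees it."""
    if not referer:
        return ("direct", None)
    host = (urlsplit(referer).hostname or "").lower()
    # Match google.com and its subdomains only, not lookalike hosts.
    if host != "google.com" and not host.endswith(".google.com"):
        return ("other", None)
    # parse_qs drops blank values, so an empty "q=" behaves like a missing q.
    terms = parse_qs(urlsplit(referer).query).get("q", [""])[0].strip()
    return ("google", terms or "(not provided)")


def keyword_report(referers):
    """Count search keywords across Google referrals."""
    counts = Counter()
    for referer in referers:
        source, keywords = classify_referer(referer)
        if source == "google":
            counts[keywords] += 1
    return counts


if __name__ == "__main__":
    for keywords, hits in keyword_report(SAMPLE_REFERERS).most_common():
        print(f"{hits:3d}  {keywords}")
```
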

Well, that's all peachy then. (0)

Anonymous Coward | about 6 months ago | (#44941493)

When you no longer trust the endpoints, how exactly does this help? Not to mention that SSL itself isn't looking too trustworthy any more.

The real story... (0)

Anonymous Coward | about 6 months ago | (#44941515)

Many don't know https:// from Google is available, and many advertisers banked on this to perform deep packet inspection, basically pulling from Google's revenue stream.

This simply stops that from happening; it's not about privacy for Google's user base. The NSA already has cooper to Google's servers after things are decrypted.

Just sayin'

Will they hide search info from 3d party sites? (1)

RGRistroph (86936) | about 6 months ago | (#44941527)

Will they make it so that if you arrive on a web page via a Google search, the operator of that web page cannot see the search terms that led you there? I think that would be an improvement.

Re:Will they hide search info from 3d party sites? (1)

jafiwam (310805) | about 6 months ago | (#44941639)

You can do that manually by copying the URL or (in some cases) selecting the URL in the description below and right clicking "go to this address".

Lots and lots of small time "web site operators" would absolutely hate it if they stripped those search terms off, a whole industry of SEO scammers would disappear overnight.

THEY SHOULD DO IT!

Re:Will they hide search info from 3d party sites? (1)

RGRistroph (86936) | about 6 months ago | (#44942207)

Or that could be done with a plugin . . . it would also deprive google of the data of what links were clicked in searches.

Re:Will they hide search info from 3d party sites? (1)

dcollins (135727) | about 6 months ago | (#44941949)

Yes, that's what they say, and actually it's the only functional change I can really see from this. Follow the 2nd link in the OP.

"When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won't receive information about each individual query. They can also receive an aggregated list of the top 1,000 search queries that drove traffic to their site for each of the past 30 days through Google Webmaster Tools."

That's nice (0)

Anonymous Coward | about 6 months ago | (#44941623)

I'll still stick with Startpage/Ixquick/Gibiru

Duck Duck Go (0)

Anonymous Coward | about 6 months ago | (#44941631)

Duck Duck Go will never take off until it replaces its absurdly dumb name.

"Yeah just go on the computer and Duck Duck Go that restaurant"

umm....yeah right.

Actually... (4, Interesting)

fahrbot-bot (874524) | about 6 months ago | (#44941669)

...what it does is prevent my proxy/filter (Proxomitron) from altering queries and result pages, like stripping out the link redirects, disabling the Toolbar, Suggestions, Instant, etc...

They do provide a work-around if you define www.google.com as a CNAME for nosslsearch.google.com (for schools, etc, that need to filter things). I implemented this w/o updating DNS or my hosts file by adding a proxy rule that alters the "Host" field in outgoing headers to nosslsearch.google.com to be "www.google.com". It's not perfect, but along with disabling Javascript for Google, it helps a lot.

FWIW, I'm switching to use Startpage and DuckDuckGo - not because of extra privacy, but because they let me customize my results to remove all the crap that Google adds.

Not going to help (1)

davydagger (2566757) | about 6 months ago | (#44941825)

So long as Google creates profiles based on those searches, they are still accessible to the Feds, either by purchasing them, even through a strawman if need be, or by force via subpoena, or other legal sanctions.

I feel better already... (0)

Anonymous Coward | about 6 months ago | (#44942085)

"... and possibly to block NSA spying activity."

Take that NSA !

duckduckgo is no different from google or facebook (-1)

Anonymous Coward | about 6 months ago | (#44942147)

they are all jew owned and operated and don't give a shit about goy privacy.

All result links route back through Google (0)

Anonymous Coward | about 6 months ago | (#44942277)

I notice that all Google search results are actually links that route back through Google before forwarding you to the final target page.

Is there a way to disable that, and have the links go directly to the final target page?

And how can Google possibly claim to offer any privacy as long as the result links go to Google first? Even with encryption, your entire result click history is still sitting on Google servers waiting to be abused by someone.

Meaningless until legal fiat also blocked (0)

Anonymous Coward | about 6 months ago | (#44942315)

Google store all searches in their databases.

Agencies of the US Government (NSA, FBI, etc) can access those databases by legal fiat.

So what difference does it make if you encrypt the search as it goes to/from Google?

Well, it's a step in the right direction. If legal fiat can be blocked, then snooping - which the NSA would most likely continue - is also already blocked.

I was going to post something anonymously (0, Funny)

Anonymous Coward | about 6 months ago | (#44942365)

but then I realized I was using chrome :sigh: sometimes I feel like a cat lapping up anti-freeze.