Google Asks 'Who Cares Where Your Data Is?'

← Back to Stories (view on slashdot.org)

Google Asks 'Who Cares Where Your Data Is?'

Posted by timothy on Thursday June 9, 2011 @11:39AM from the dumbwaiter-for-bits dept.

mask.of.sanity writes "The chief security officer for Google Apps, Eran Feigenbaum, said popular concerns over data sovereignty in outsourced environments are unwarranted. He said businesses should worry about security and privacy of data, rather than where it is stored. The comments clash with those made by IT pros including Gartner, who said cloud providers like Google can't be trusted with sensitive data."

14 of 241 comments (clear)

Min score:

Reason:

Sort:

Encrypt it then by Anonymous Coward · 2011-06-09 11:42 · Score: 5, Insightful

If the data is sensitive, you should be encrypting it anyway before passing it along to a third party thatr has no business looking at it. If the data isn't sensitive enough to encrypt, why do you care where Google keeps it?
1. Re:Encrypt it then by shadowfaxcrx · 2011-06-09 11:45 · Score: 4, Insightful
  
  Your post fails to consider the completely reasonable choice of not handing your data off to a third party in the first place. . .
  
  --
  "I disagree with you" does not equal "flamebait."
2. Re:Encrypt it then by hawguy · 2011-06-09 11:51 · Score: 4, Insightful
  
  But if it's sensitive, it should still be encrypted, even if it's in your datacenter.
3. Re:Encrypt it then by 0123456 · 2011-06-09 11:52 · Score: 4, Insightful
  
  Your post fails to consider the completely reasonable choice of not handing your data off to a third party in the first place. . .
  That is not a reasonable choice if you're a manager who's going to get a big bonus for shipping your data off to 'The Cloud' so you can close down your own data center.
4. Re:Encrypt it then by martin-boundary · 2011-06-09 12:04 · Score: 5, Interesting
  
  If the data isn't sensitive enough to encrypt, why do you care where Google keeps it?
  
  Sensitive or no, Google has no right to snoop on your data.
  Besides, what may not be sensitive when you've got it, can become sensitive when someone else has got it.
  For example: you and a friend both own half of a secret password. One piece alone is worthless, so you don't mind if Google knows your half. Similarly, your friend doesn't care if Google knows his half. Result: Google knows both halves.
  What's true for passwords is also true for people's information profiles in general. Company A might know where you buy diapers, company B knows what movies you watch, company C knows your address, etc.
5. Re:Encrypt it then by hawguy · 2011-06-09 12:15 · Score: 4, Informative
  
  If the data is sensitive, you should be encrypting it anyway
  Sure, because if the data is encrypted, the only people who can get into it are those with gigantic server farms. (Like Google)
  Besides, who would be interested in random encrypted data? It would be cost prohibitive to decrypt data to peek at it, unless there are advances in supercomputing. (Which google is actively working on)
  The only company which would want to do that is one which has a business model built on collecting and monetizing private data (See: Google)
  Yep. I can't see any reason why people should care about where they store cloud data.
  AES256 is crackable with a complexity of 2^99.5: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  So, if Google's advanced supercomputer can crack a billion keys/second and they have 1 billion computers at their disposal to do the cracking, it would only take them around 1 x 10^17 years to crack your data.
  Of course, now that you've figured out their plan, they're going to have to kill you, and they will surely do so within 1 x 10^2 years.
6. Re:Encrypt it then by 0123456 · 2011-06-09 12:29 · Score: 4, Interesting
  
  Even if the data is encrypted, if you're using a virtual server in The Cloud, then the server requires the key to decrypt it, and anyone with access to that virtual machine can then read the data.
  Encryption would only make the data safe if you're reading it back from The Cloud, processing it, and sending updates back to The Cloud. Which would seem an odd way to do things unless you want to have access to the same data from multiple sites around the world.
Re:Gartner says this? by fuzzyfuzzyfungus · 2011-06-09 11:55 · Score: 4, Insightful

The problem here is that, while Gartner is indeed utterly useless, their opinion is also unnecessary to determine that Google is oozing nonsense.

Different jurisdictions have different laws on the books about what data are considered specially protected, what data are an open book for the local feds, and what data require some sort of judicial approval(and to what degree that approval is a serious consideration or a simple rubber-stamp). Therefore, the jurisdiction in which your data are located(or where your outsourcing partner has offices large enough that the local feds can motivate them to comply) is part of rather than opposed to worrying about the privacy and security of your data.

Google certainly doesn't seem to be the worst when it comes to rolling over and wagging their tail for any jackboots who come calling; but anybody who thinks that they put up extra-legal resistance to any of the major powers in which they operate is, shall we say, under the influence of excessive optimism...
Re:Gartner says this? by mellon · 2011-06-09 11:55 · Score: 4, Insightful

Um, but Google *is* definitely lying to you. You don't need to compare reputations. What Google is saying is simply, obviously wrong: that you can trust them with read/write access to your data. Sure, if your data is something that would be of minimal value, there's no harm in it leaking. But if your data is sensitive, then unless Google is willing to indemnify you for whatever damages you'll be liable for if the data leaks, you have a fiduciary responsibility not to store your data on a Google server. And as far as I understand it, Google is not willing to indemnify you for that (realistically, how could they?).
So independent of anything Gartner says, what Google is saying is at the very least misleading for the application they are talking about. The sense in which Google is right is that if you aren't taking any precautions to protect the security of your data, either because you can't afford to or because you don't know how to, then it may well be no *worse* for you to store your data on a Google server. But if that's the case, you don't care about security anyway, so Google's entire claim is moot.
Either or? by eepok · 2011-06-09 11:57 · Score: 5, Insightful

Why should we be concerned only with security/privacy of data OR the actual location of the storage? Can't we care about both?
They don't believe it themselves by mrjatsun · 2011-06-09 12:05 · Score: 5, Insightful

How much are they willing to compensate me if they lose my data? What, they won't? Don't trust themselves?
Google seems to be ignorant of the law by gweihir · 2011-06-09 12:19 · Score: 4, Insightful

First, it may actually be a legal requirement keeping the date in a certain jurisdiction. And second, any law enforcement or TLA access to the data will be governed by the laws of the place the date is physically stored. If the Google people do not understand that, one more reason to not hand your data to them.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
PATRIOT ACT by Anonymous Coward · 2011-06-09 12:34 · Score: 5, Insightful

I care because I'm Canadian. If I keep my data up here it's not subjected to the almighty Patriot Act. Case Closed.
Why this "story" is terrible by traindirector · 2011-06-09 12:49 · Score: 5, Insightful

*sigh*. Okay. I thought it was obvious why this "story" is not quality discussion material, but I'll explain.
The article is presented as if its subject is Eran Feigenbaum's claim that "Professionals should worry about security and privacy of data, rather than where it is stored." But instead the article is a potpourri of quotations and facts unrelated to the main problem with the claim, which the article totally ignores. Any article on the subject of this claim needs to in some way establish that security and privacy can make location irrelevant, and I would expect the supporting statements of the article to do this, but nothing in the story even approaches this basic aspect of the claim. Instead, it is filled with a number of superficially-seemingly-related-but-ultimately-off-topic anecdotes.
After presenting Feigenbaum's main claim, the article presents a "supporting argument" by Feigenbaum: "He cited a meeting in Europe where he had tracked an email sent within an office as it bounced through five countries. In this circumstance, Feigenbaum said, security trumps data sovereignty." So email currently goes through a lot of countries when it is sent from one person in an office to another, where it is likely in plain text and can be read by any number of corporate and government entities. The only way this could possibly be construed as supportive of Feigenbaum's point is if read as "Email currently goes through many nations and it is secure enough". If read with any understanding of how the email system works, it undermines Feigenbaum's point.
Then the article has Michael Cloppert "support" the argument with the same type of claim: "I'm not convinced that the data location issue is a problem - after all, packets are routinely routed around the world irrespective of the export status of their content". Again, the argument is "this is what we're doing now, therefore it is secure enough". Actual security of information going through various nations is not addressed.
Then it presents the "other side" of the argument: There is no way you can know how Google is handling your data even though they assure you they are doing it well. And their contracts have lots of language that could excuse them from legal liability if that is not the case.
Then we go back the argument supporting Feigenbaum's main point. "He said customer data can only be accessed on a need-to-know basis". This does not support 5he argument that privacy and security make location irrelevant. "[L]ess than two per cent of Google staff had entered its top secret data centres". This does not support the argument that privacy and security make location irrelevant. "Google also stamped each hard drive with unique barcodes that allowed the company to track the lifecycle of data stored on each disk." This does not support the argument that privacy and security make location irrelevant.
Then we are presented with this: "But it did not encrypt data at rest, and had no immediate plans to introduce the protection." This makes it sound like location is very important to security and privacy--that someone could entire a facility by force and read the data.
The article acheives nothing other than quoting a single-sentence, questionable claim. It presents the claim, then a number of partially related statements that are presented as "discussion" of the claim but that actually have very little to do with it. I wouldn't be surprised if the article twists what Feigenbaum actually said for sensationalistic purposes.
This article represents the worst type of "journalism".