Slashdot Mirror
Google To Encrypt Cloud Storage Data By Default
jfruh writes "Worries about snooping are now a permanent part of our computing landscape, but Google is attempting to ameliorate those fears by encrypting all data on its Google Cloud Storage service by default. Data is encrypted with 128-bit AES, and you can manage the keys yourself or have Google do it for you. A Google spokesperson said that the company "does not provide encryption keys to any government."" (Also at SlashCloud.)
Just like how they already lied the first time. Lies Lies Lies. But I don't care. Go ahead and do that NSA thing.
And we have what guarantee, exactly, that they're telling the truth?
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
A Google spokesperson said that the company "does not provide encryption keys to any government.""
As Google is a U.S. based company, I'm pretty sure this is a bald faced lie due to the "Patriot Act".
Until they receive a National Security Letter and a gag order to boot.
They don't provide any keys. They provide the decrypted data.
"A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law."
What does this mean, exactly? That they would provide encryption keys in accordance with the law? That they could?
A robust system would mean the hosting company wouldn't be more able to decypher encrypted damage than anyone else. Are they offering that?
"If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys," Barth wrote. "We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing."
That sounds meaningless.
All that it prevents is interception of data to/from your computer.
It does nothing to stop the NSA from requesting your data from Google, who would control your encryption keys.
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.
Which is exactly my point. If they control your key, they have access to your data.
[Fuck Beta]
o0t!
Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.
Which is how it should all be done. Relying on Google's honesty, or some Google employee who doesn't want his fingers broken one by one, is just false security.
Have gnu, will travel.
Given what we know about the NSA, NSLs, and Lavabits, " [we do] not provide encryption keys to any government" is a worthless statement. With an NSL, Google will turn over everything and won't be able to say anything about it. With an NSL, Google will be required to lie (like claiming data is encrypted when it's not). Lavabits received an NSL and chose to shut down rather than honor it and sell out their customers. Google compiles with their NSLs.
You cannot trust Google or the cloud with your data.
Do you even lift?
These aren't the 'roids you're looking for.
Fool me once..
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
This is not Google Drive that's getting automatic encryption, it's their Cloud Storage, which is only available to developers.
Hail Eris, full of mischief...
E pluribus sanguinem
If your data is worth encrypting, do you really want it in the cloud at all? The internet never forgets. Given the rapid advances in both raw compute power and cryptography, something that takes unimaginably long to brute force today, might be trivial to crack in just a few years.
Loading...
In other news leaked internal NSA documents show that they only begin to have trouble cracking AES at 256-bit key sizes and higher.
The summary leaves out a critical bit of the company spokesperson's quote from the article: they won't give anyone your encryption keys directly, but they'll happily USE the encryption keys they're managing for you to decrypt your data and give the decrypted data to anyone who makes a legal request.
All this buys you is a tiny bit of defense in depth in case someone tracks down the Google server(s) that are storing your data, breaks into the data center, and physically yanks the hard drive out of the machine. Doesn't do anything to prevent a government from getting access by asking politely, and doesn't do anything to address the wide-open front door of someone guessing your account password.
If you care at all, you should be using client-side encryption. If you don't, this is just adding extra latency.
When I first read the summary I thought Google was going to provide me a way to manage my own keys in a practical sense. I would like for my browser to automatically decrypt when I download from Google Drive using private keys stored on my local store (with a pass phrase, of course).
Obama killed the cloud star. Google must comply with legislation, they could deny (at least till NSA summons another secret law that essentially says all your data are belong to us), but at least for citizens of other countries, or americans that contacts them they must give the data anyway. Once they put in the tables laws that force you to do something and not speak about it you can't trust in anything they say, you just can't decide if its true or is a lie that is forced to say (even assuming their best good will in this topic).
That's funny, because here I thought that Google's Cloud Storage was going to be hosted in NSA's new data center. Brilliant really. Why bring the NSA to you when it's less trouble to let the NSA host your shit for you.
Google complies with local laws and regulations. Remember their previous venture in China:
"The new local Google site, expected to be launched Wednesday at Google.cn, will include notes at the bottom of results pages that disclose when content has been removed, said Andrew McLaughlin, senior policy counsel for Google. "Google.cn will comply with local Chinese laws and regulations," he said in a statement. "In deciding how best to approach the Chinese--or any--market, we must balance our commitments to satisfy the interest of users, expand access to information, and respond to local conditions.""
http://news.cnet.com/Google-to-censor-China-Web-searches/2100-1028_3-6030784.html
When a legal order to turn over info is received they will do it. The only question is what constitutes a legal order.
According to TFA and the blog post it's server side encryption. Which, of course, does absolutely nothing for security as the NSA will just get the data before it's encrypted.
If you don't want your data read you encrypt it before sending it to someone else.
Its AES. Its a symmetric-key algorithm. The encryption key is the decryption key. Whats with all the jokes about decryption keys?
And the fact the keys are symmetric and held by Google renders the entire exercise entirely worthless. If Google have the key to encrypt/decrypt data then they can just hand it to the NSA or whomever at the same time they hand over the data.
The proper and correct thing to do is to provide a pluggable API in their client apps that allows an extension running client side to manage the key and encrypt / decrypt the data. And similarly for their cloud APIs for languages like Java.
Google would have absolutely no idea what the data contains and absolutely no way to retrieve it either. It might mean certain functionality in their apps / services is affected in some ways (e.g. encrypted folders are inaccessible via a browser) but I assume they could spell out the consequences and people motivated to encrypt data would recognize those limitations.