Google's Encryption Plan To Stifle NSA's Dragnet Will Raise the Stakes

CWmike writes "Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments — started last year, but accelerated in June following the NSA leaks — is as much about economics as data encryption, experts say. Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained. However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained. 'The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical,' Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. 'They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.' The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the 'mathematics of cryptography,' Schneier said. The greater weaknesses, and the ones mostly likely to be exploited by governments in general, are the systems at the start and end of the data flow. 'I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks.' Is this about citizen's rights, or a business decision (some might say an existential issue) for Google? Does it matter, and will it make a difference?"

Arms race

[udachny]

Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained.

- yeah, it's an arms race alright. It's a kind of a race where if Google doesn't give the NSA what NSA wants, Google's employees and management will find itself on the wrong side of a gun.

Re:Arms race

[fuzzyfuzzyfungus]

Eric Grosse, vice president for security engineering at Google, told The Washington Post: 'It's an arms race.' The crux of the issue with Google making the NSA dragnet harder (knowing if the government wants in, it will get in) is that the NSA evaluates the tactic it uses by weighing the cost with the value of the information obtained.

- yeah, it's an arms race alright. It's a kind of a race where if Google doesn't give the NSA what NSA wants, Google's employees and management will find itself on the wrong side of a gun.

You might be underestimating the influence of the 'lobby furiously' step in American politics:

Team Google, or anybody else with nontrivial US presence(or who we feel like bag-n'-dragging, which we do sometimes), can't resist legal force; but if they can resist covert surveillance, they force the spooks to go to congress (Gen. Alexander's star trek paraphernalia and all) and slug it out with the representatives of all the major technology companies who are missing out on sweet foreign contracts because of (accurate) perceptions that they are the US government's little stooges. That isn't unwinnable; but it's a lot less comfortable than just slurping packets in the shadows, or basking in the warm glow of misplaced public confidence that you only go after 'bad people'.

It's not as though the civil libertarians can win this (either the legislative flavor, or the ones who think that their guns will save them); but the NSA has crossed the line into threatening shareholder value. That's serious business, probably Unamerican. We've installed brutal, CIA-backed, military juntas in countries we don't care about for pulling shit like that.

Re:Arms race

[Zemran]

Criminals and terrorists do not have a problem getting around the NSA, it is only ordinary people that are being spied on. Anyone organisation that does anything suspect will set up their own DNS with their own TLDs (just like the .onion network) and work away unnoticed, even some companies are already doing this so that they have their own intranet on the internet, all requests for a .com address etc. are just passed on the normal DNS server. They can use their own mail system with as much good encryption as they like and the NSA do not even know it is there or have access if it is in another country. The normal people who are using Hotmail, Yahoo, Gmail etc. are the ones being spied on, even Snowden said this. They say that they are fighting terrorism but that is only to justify what they are doing, they are spying on you and I.

That's a relief

[theweatherelectric]

Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments

So.. the only organisation conducting invasive surveillance of my Internet activity will be Google? I'm most relieved.

Re:That's a relief

[PRMan]

I use NoScript to block Google Analytics. It's amazing how much faster the web is when you do that.

Not a solution.

[LWATCDR]

A technological solution will never work. The NSA had court orders and gag orders. While the NSA doing this does not shock or bother me the idea that you can stop them with technology is just silly. Human spies will get around that as they always have.

Re:Not a solution.

[JanneM]

"Human spies will get around that as they always have."

Security has never been about _absolute_ security, but simply about making it too expensive, dangerous or time consuming for an adversary to bother. We don't all live in bank vaults, after all; we don't need that much security for the kind of possessions we keep at home.

Schneiers point is the same: we don't need so much security the NSA could never get to our data. We just need enough security - and need enough of us to use it - that the effort to routinely record what we all are up to exceeds their capability of doing so. They do not have an infinite budget, or infinite man-hours.

Make routine surveillance not impossible but too expensive, that's the name of the game.

Becoming uncivilized

[Neo-Rio-101]

"Civilization is the progress toward a society of privacy. The savage's whole existence is public, ruled by the laws of his tribe. Civilization is the process of setting man free from men."

~ Ayn Rand

Re:Becoming uncivilized

[Samantha+Wright]

It's a good soundbite, the idea of mutual respect as a civilized accomplishment—but Rand oversteps. The very cornerstones of civilization are the same as the rules of that tribe; without it, you have something entirely more primitive: solitary animals and the complete abolishment of culture. It is alas a rather tawdry thought that betrays Rand's education, no matter how elaborate the clothes.

Strive for a balance. It's no more unattainable an ideal than an extreme like total freedom or total cooperation. There are, believe it or not, ways in which complete privacy is not optimal. Some small degree of intrusion is always necessary, both psychologically and for safety.

In this case, I am completely on the side of recovering privacy, as these violations are gross and driven by ignorance, paranoia, and greed. They are massively inexcusable, and if I were south of the border I would probably have turned to a career of being a crazy social activist when I was an undergrad.

Schneier hit the nail on the head last week when he pointed out the real issue, though, and I hope you'll agree with me that it is a much bigger priority than the collateral privacy loss itself. Bureaucratic and political need to save face and to manage risk has grown out of control. The post-9/11 culture of safety has led to oppression in every conceivable security-related corner, as well as moves of "me-too" safety fetishism in totally unrelated areas.

The enemy here isn't just a big government, though; it's the individuals in these organisations, departments, and legislative bodies trying to protect themselves and their careers. It's an insurrection of selfishness, regardless of who the campaign promises are designed to appeal to. Without arguing over the rightness of the system, it is at least plain that these people are horrifically mismatched to the jobs they hold, and they need to be very specifically shamed if the fundamental shift they caused is to be reversed. An Edward R. Murrow would really fit the bill right about now.

I will believe ...

[Taco+Cowboy]

I will believe Google is genuinely against NSA's encryption breaking scheme only when Google moves ALL their servers OUTSIDE of the United States of America.

No point of talking about "upping the stakes" when the same old thing - a secret warrant demanding full disclosure - can happen anytime.

Re:I will believe ...

[hutsell]

I believe that Google already has craploads of servers local to their customers. That is how they work. They have servers in America for ... Americans. They have them in Europe and many other places as well.

Google does have crap-loads of servers worldwide, localized into 7 different regions, 2 in North America; an eight region was recently activated during the last year or so. IIRC, the regionalization allows the data centers as a whole to never experience a sunset; also, the data itself being redundant, is optimized locally to minimize delays.

Who watches the watchers?

[gmuslera]

The real point here is not Google giving the NSA your information or not, they are an US based company, they must comply and give all the information requested by the NSA. And, if the used internal encryption is good enough, the only way to get that information will be directly from Google, then Google's will know what the NSA got from them, and they could eventually control (delaying, giving partial or even fake information) what they NSA gets, or store that information for future use (in the case that law gets curious about what is that justice that is everyone talking about)

That don't make Google a friend, but at least a potential enemy of our biggest enemy, and is something to be respected.

Am I missing something?

If my taxes pay for the NSA and using encryption will cost the NSA more money to decrypt. Then I'll have to give up more of my money to them decrypt my messages?

I'm putting all my money into...

[Jimbookis]

... factories that make $5 wrenchs. I heard they are set to make a killing soon.

Google is in partnership with the NSA

[seandiggity]

This is a joke and amounts to nothing but a smoke screen. We now know that Google is an active partner of the NSA and the U.S. government...we should treat them *as* the NSA. What does any of this matter when Google has whole division(s) dedicated to preparing data for use by the NSA. They'll give keys, they'll give data, they'll give metadata, they'll give educated guesses, they'll prepare 3D topographic maps about that data.

Re:Disinformation

[u38cg]

You had me up to the point where you seriously suggest the government could successfully run a billion+ dollar profitable business.