Slashdot Mirror

← Back to Stories (view on slashdot.org)

Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services

Posted by samzenpus on from the no-snooping-zone dept.

jfruh writes Google Chairman Eric Schmidt told a conference on surveillance at the Cato Institute that Edward Snowden's revelations on NSA spying shocked the company's engineers — who then immediately started working on making the company's servers and services more secure. Now, after a year and a half of work, Schmidt says that Google's services are the safest place to store your sensitive data.

57 of 281 comments (clear)

  1. Or better yet by NeoGeo64 · · Score: 5, Insightful

    Just keep everything on your hard drive on a computer that is *not* connected to the Internet.

    1. Re:Or better yet by nitehawk214 · · Score: 5, Funny

      Nope, that wont help you.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    2. Re:Or better yet by rvw · · Score: 2

      At the bottom of the ocean.

      On another planet

      In another dimension

    3. Re:Or better yet by Anonymous Coward · · Score: 3, Funny

      At the bottom of the ocean.

      On another planet

      In another dimension

      With voyeuristic intention

    4. Re:Or better yet by Zanadou · · Score: 4, Funny

      "Beware of the leopard."

    5. Re:Or better yet by Anonymous Coward · · Score: 2, Funny

      Yes. Scientologists dropping out of the ceiling and stealing one's data. We have to have a protocol to deal with this. Meeting in my office in one hour...

  2. Under US Jurisdiction? by xophos · · Score: 5, Insightful

    They will be immediately forced to hand over everything and be silent about it.
    Until US laws are fixed AND respected, data going to a US Corporation can by definition not be safe.

    1. Re:Under US Jurisdiction? by Overzeetop · · Score: 4, Informative

      Tell that to SpiderOak.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Under US Jurisdiction? by Framboise · · Score: 4, Interesting

      Google is investing massively abroad, such as in Zurich, Switzerland, where privacy laws are especially strong. Expect that if US laws continue to have negative effects on Google income, the company is going to be more and more international.

    3. Re:Under US Jurisdiction? by Anonymous Coward · · Score: 5, Informative

      It's not going well for Microsoft. They are requesting data from the servers in Ireland.

    4. Re:Under US Jurisdiction? by bickerdyke · · Score: 2

      Well, at least according to the summary, he never spoke of "safe". He said "safest" Big difference.

      And I'd even go further and say that he might be right. Unless I'd go completly offline, I can't afford half the brainpower and expertise that Google buys for their datacenter to keep my desktop machine clean and safe. (to be honest. I couldn't afford hiring a single person from their security department)

      --
      bickerdyke
    5. Re:Under US Jurisdiction? by bickerdyke · · Score: 5, Insightful

      Thus far, the most popular way for companies to circumvent this pressure is to try and design encryption systems where they (the corporation) do not hold the ability to decrypt user data.

      At that point, law enforcement can ask all they want, legally or otherwise.

      The grey bearded nerds here may still remember the legend of yore about a company called lavabit and how they tried exactly that....

      --
      bickerdyke
    6. Re:Under US Jurisdiction? by Registered+Coward+v2 · · Score: 4, Insightful

      Google is investing massively abroad, such as in Zurich, Switzerland, where privacy laws are especially strong. Expect that if US laws continue to have negative effects on Google income, the company is going to be more and more international.

      Which is pretty much irrelevant when it comes to a US Court requiring them to turn over the data if they have it. It used to be, in the age of paper, that stuff could be kept off-shore making it essentially unreachable; especially since no one might even now it existed unless someone told the authorities. Now, a US corporations data is essentially one big collection of stuff to be made available on demand; and refusal to turn it over could result in fines and contempt charges. In the end, he with the biggest stick wins.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    7. Re:Under US Jurisdiction? by tinkerton · · Score: 3, Insightful

      They will be immediately forced to hand over everything and be silent about it.

      Who says they need to be forced? They'll protect their interests but they seem to be fully in sync with the state. You know, the good guys.

    8. Re:Under US Jurisdiction? by kheldan · · Score: 4, Insightful

      Amplifying the OP here. I know people in general seem to be getting dumber and dumber with every passing decade, but have people reached the point where Google can say stupid shit like this and really expect everyone to believe it? You may as well just call the FBI, NSA, CIA, DHS, and whoever else wants to snoop on everyone, and ask them to create a share on their servers for your most-personal, most-important data, and store it in the clear, at least that way you'd save some tax dollars. For fuck's sake people, 'the cloud' is a bad joke. You want to keep your personal data safe from snooping? Do as at least one other commenter on this story has said: Put it on a storage device not connected in any way to the Internet. We do not live in a day and age where the government gives a flying fuck about your 'right to privacy', if these bastards had their way we'd all be living in a world where George Orwell's 1984 would look warm and fuzzy by comparison.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    9. Re: Under US Jurisdiction? by dhjdhj · · Score: 2

      Crashplan lets you use an encryption key that (I assume) they can't decrypt.

    10. Re: Under US Jurisdiction? by Anonymous Coward · · Score: 2, Interesting

      For the purposes of the US legal system, every person and corporation is American.

      For the purposes of the Constitution, none are.

    11. Re:Under US Jurisdiction? by oldmac31310 · · Score: 5, Funny

      They're after me lucky charms! - Bill Gates

      --
      http://www.acetonestudio.com
    12. Re:Under US Jurisdiction? by willy_me · · Score: 4, Insightful

      But Google makes money from targeted advertising - and they need to see your data for that. Google will always have the ability to view data stored on their servers because that is their basic business model. One has to pay for what you described. Apple claims to provide such a service. You pay for this indirectly by purchasing an Apple device.

      So unless you shell out some cash there is no way to get free stable encrypted storage. The idea is nice, but economically unfeasible.

    13. Re:Under US Jurisdiction? by shaitand · · Score: 3, Informative

      No but if you got a government request for your keys you'd know about it. If google gets such a request you wouldn't know you were compromised.

      It isn't like they are sending l33t hackers to break in and get the data.

    14. Re:Under US Jurisdiction? by Shadow+IT+Ninja · · Score: 2

      The fix could be legislation or it could be a firm Supreme Court decision. The Court could, at some point, decide that the Fouth Amendment applies to cloud services exacly the same way that it does to rental property in the physical world. Renters have the same rights as home owners under the Fourth Amendment. A landlord is not allowed to just let the police into your appartment to search without a warrant. So far, online storage has been treated as information in the possession of a third party rather than information in your possession using rented space.

      The other decision that needs to be clarified is that the government can't just use a third party to collect information that it could not legally collect itself. This would be anything analogous to hiring a private security firm to search someone's home and arguing that they are not subject to the Fourth Amendment because they are not part of the government. An argument like that, relating to the physical world, would never get past a court of law. We need a decision which says the same thing about the virtual world.

      Both arguments above, in my opinion, are things which should already be obvious under existing law and do not require additional legislation. Google and others, should understand that this is the only way that people will trust cloud storage.

    15. Re:Under US Jurisdiction? by Ash+Vince · · Score: 2

      Long ago for that AC to forget about it.

      And in a related note: If we have to discuss if and how to avoid supporting law enforcement, something went really, really wrong.

      Exactly.

      Who gives a shit about storing your data with google or anyone else, at this point we should be storming the Pentagon / White House / Senate en masse to demand and take real freedom. There is no terrorist threat that actually warrants this level of intrusion, our own police seem to be better at killing defenceless citizens than terrorists anyway over the last year.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    16. Re:Under US Jurisdiction? by Shadow+IT+Ninja · · Score: 5, Informative

      As I remember, Lavabit was intended to not have the ability to decrypt user data but, in fact, there were at least two ways unanticipated by the designers. One way is to wait until a user logs on again and capture their key. The mistake here was that encryption is performed on the server and not on the user's own machine before sending to Lavabit. The other thing, which is apparently what was requested in the court order, was to give up their private SSL key which the government agencies would then use to decrypt previously captured network traffic and recover the keys of, potentially, every Lavabit user. One issue here is the same as before. They were sending keys over the internet when the only safe way to do it is to keep the storage encryption process entirely client side. The other thing was that they were not using Perfect Forward Secrecy, which would have created a different temporary key for each SSL session and discarded it after transfer. They were using traditional SSL where every transfer going to the server is encrypted with the one public key matching the site's SSL certificate.

      Levison (owner of Lavabit) also made the big mistake of trying to answer the court order himself without getting a lawyer first. He bolloxed the legal argument which is why he ended up getting finded.

    17. Re:Under US Jurisdiction? by non0score · · Score: 3, Interesting

      While the major providers can't talk about it, not all gov't requests get served. The point is that yes, there is always that possibility that your account gets handed a request, but at least with Google services, you won't get picked up in random dragnet-style surveillance. That's difficult to claim for all the other major providers, and is precisely what Eric Schmidt is claiming.

    18. Re:Under US Jurisdiction? by shaitand · · Score: 4, Informative

      The government doesn't need to request your account, they can request google's own keys and never tell google what they are actually looking at.

    19. Re:Under US Jurisdiction? by Stan92057 · · Score: 2

      But Google makes it living spying/ collecting of our data and emails so they must be able to decrypt user data. Plus they do store everything for at least 18-24 months. So if they have the ability to decrypt then the government will also. I have 3 hard drives I store and save everything on my own PC its not that expensive to add multi hard drives AND I don't waste any internet bandwidth uploading. so it just boggles my mind why people use theses services its a waste of bandwidth, its not save, its not private.

      --
      Jack of all trades,master of none
    20. Re: Under US Jurisdiction? by vux984 · · Score: 2

      Google is not a US corporation. Last I heard they were Irish.

      All the employees and assets within US borders are under US jurisdiction.

      Renting a mailbox in ireland and calling it your primary residence doesn't give you the equivalent of diplomatic immunity.

      (Although it does give you some tax advantages if your big enough, until / unless they close the loophole.)

    21. Re:Under US Jurisdiction? by Grishnakh · · Score: 4, Interesting

      at this point we should be storming the Pentagon / White House / Senate en masse to demand and take real freedom. There is no terrorist threat that actually warrants this level of intrusion, our own police seem to be better at killing defenceless citizens than terrorists anyway over the last year.

      The problem is that most Americans are perfectly happy with the police acting this way. Yes, there's a minority of Americans who are outraged, but most of them thing it's just fine. Just look at the online comments any time one of these incidents happens; most Americans think the victim got what he deserved.

    22. Re: Under US Jurisdiction? by aaaaaaargh! · · Score: 2

      They also have unrestricted root/administrator access to your machine.

    23. Re:Under US Jurisdiction? by IamTheRealMike · · Score: 2

      The point of forward secrecy is there are no such keys to seize. The "master keys" are only used for identification, not encryption. So whilst a gov could theoretically seize Google's keys, this does not help them decrypt wire traffic. They'd have to do a large MITM attack, and to get everything? They'd have to decrypt and forward ALL Google's traffic. Not feasible.

      Good use of applied cryptography means that realistically the only way for a government to get data out of it means requesting it specifically from the providers. In places where the warrant system has been vapourised (which certainly includes the USA and UK), this might not seem like much, but it does help prevent fishing expeditions.

  3. For sure. by ruir · · Score: 5, Insightful

    Why not keep the data in the police station? I am sure it would work better than at googles. Is this article a freaking joke? It is not the 1st of April yet last time I checked.

    1. Re:For sure. by TheGratefulNet · · Score: 5, Insightful

      google: "we're upping our doublethink. so, up yours!"

      this is a 'trust me, the sky is green' moment for google. they have had lots of those, lately, too.

      --

      --
      "It is now safe to switch off your computer."
  4. Under US Jurisdiction? by Anonymous Coward · · Score: 2, Insightful

    That just shows how evil google is. Eric Schmidt is lying throught his teeth when he is saying sensitive data is safe with him.

  5. As Bender would say... by Anonymous Coward · · Score: 5, Funny

    To quote Bender:

    HA HA HA HA HA HA!

    Oh wait! You're serious. Then let me laugh even harder!

    HAAAHAAAAHAAAAAAAAAAAAAAAAA

  6. The cloud is... by Anonymous Coward · · Score: 5, Insightful

    ...about control.

    Them moment you put ANYTHING in the cloud, you are relinquishing control of your data. PERIOD.

    Who gives a shit if they are reading your stuff....if you are that concerned about it, it does not take much to make it unreadable via encryption....

    The real issue is you are basically giving the keys of your kingdom to somebody else.....Encrypted or not, they can block your access to it and shut you down. Any time they want. PERIOD. And if/when it happens THERE WILL BE NOTHING YOU CAN DO ABOUT IT. Sure you can sue and spend years in court, but I do not know any company that can survive years and years without producing/selling anything until this mess is sorted out.

    Offline copies you say? Then you basically got suckered into paying for services for a cloud provider AND keep your own infrastructure.....
    Pay 2 cloud providers? At that point I think it is cheaper to simply not pay anybody and build your own infrastructure.....

    The cloud is an interesting idea, hardly new concept though: we are essentially transitioning back to the days of big powerful central mainframes that companies such as IBM had a stranglehold on and had their clients paying "protection" money that would make the mafia green with envy....

    1. Re:The cloud is... by mlts · · Score: 3, Interesting

      The cloud is more than just storage, but usually people use the storage functionality for this.

      Realistically, the cloud needs to be treated as another storage medium, just like optical, tape, floppy disks, HDDs, SSDs, and everything else. You plan for media failure, and you build in anti-compromise measures.

      The cloud is the same way. If you are an enterprise, you turn on encryption in NetBackup or other program, create a storage pool, and have a mirror on other media (be it an Avamar, a tier 3 disk, or a LTO-6 silo.)

      If you are a home user, you encrypt your cloud backups, either by storing things in an encrypted container (TrueCrypt, BitLocker protected windows image, Mac Disk Image, LUKS, PGP Disk volume, etc.), or using a backup program that encrypts. At the worst, there are utilities like BoxCryptor which act similar to CryptFS and map an encrypted layer on top of the cloud drives. Any of this is better than nothing.

      Of course, with encryption comes the major bugaboo -- key management. You may have the data securely stashed on the cloud... but without keys, it will be inaccessible. I like having several printed out physical notebook with keys in it, as well as archive grade optical media, and a USB flash drive. Each copy of the notebook goes with a key person (corporate officer), and there is one kept in the local tape safe. This way, if the data center gets completely flattened, it may take days to weeks, but data is still recoverable. This also helps if there is an audit or motion of discovery.

      The cloud has its big issues... but treat it as its own piece of media, and it can come in handy. To be more specific, treat each cloud offering as its own media. Amazon Glacier is great for long term archiving, but one needs to well index it, to minimize the stuff retrieved, and Glacier should be the absolute last resort if data is needed, due to the charges for fetching data.

  7. Do no evil, right? by Noryungi · · Score: 5, Insightful

    Here is my problem: Google has a long history of cooperating with NSA.

    Don't believe me? Fine: read these links instead... Yahoo News article about cooperation between Google and NSA, Guardian article, Tom's Guide article.

    Even if Google does not/did not/will not cooperate with NSA, Eric Schmidt himself has been cooperating with the US Government, which cast serious doubts about his desire to protect the private information of Google clients.

    Again, don't believe me? Fine, read this instead: Julian Assange on Eric Schmidt. Or (even better) this transcript.

    Even if Eric Schmidt does not cooperate with the US Government, he has said himself, repeatedly, that privacy is dead and that it's something for hackers.

    Don't believe me? Fine, read this instead: EFF article, Gawker article.

    In other words, a company that cooperated with the NSA, led by a man who does not care about your privacy (but cares very much about his) is telling you that there is nothing to see here, sure we are protecting your privacy, please buy our products, we are safe and professionals and there is nothing to be afraid of.

    Seriously? How come this gasbag is a freaking CEO, paid millions of dollars a year?

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  8. No - Keep Your Data Home by pubwvj · · Score: 5, Insightful

    No, if you want to avoid NSA spying then keep your data out of the cloud and off the web. Keep your data at home. It's that easy.

    1. Re:No - Keep Your Data Home by Anonymous Coward · · Score: 3, Interesting

      Actually it's not. If they really wanted to, they can still access it. It's just much more expensive to do so because they would need to send a team to monitor your movements, figure out when you are not home, break in, copy and analyze at HO.

      That is assuming your hardware such as keyboard and mouse was not already compromised and already sending data back wireless to them.....

      They are quite good at what they do, they have been at it for a long time and got all the angles covered.

      We, as a people, can only defend ourselves by keeping the cost of monitoring all of us prohibitively expensive....

    2. Re:No - Keep Your Data Home by oldmac31310 · · Score: 2

      Are you...an angel?...God? My morning has been transformed. Speak to us, anonymous deity.

      --
      http://www.acetonestudio.com
  9. comments like that... by Cardoor · · Score: 5, Interesting

    can discredit anything and everything you have ever said before publicly. then again, i wonder if it's reached the point of kabuki theatre such that he's trying to deliberately be ridiculous to communicate in the only way he can. kind of like when a hostage deliberately oversells his 'newfound devotion' to his captors' cause to try and communicate that there's a gun pointed at his head.

  10. Absurd by artlu · · Score: 2

    As anyone knows, Google receives several federal subpoenas, and it attempts to cooperate with as many as possible. It has to as a public, U.S. based entity. It seems ludicrous that Schmidt would make this claim, but unless someone has gone through this system like I have (read my story here The Market is not Random), I guess they wouldn't know everything the governments are capable of doing.

    Careful, Mr. Schmidt.

    --
    -------
    artlu.net
  11. the more i think about it by Cardoor · · Score: 2

    the more i think that maybe eric shmidt is trying to do the right thing, and so making such an outrageous statement to communicate the OPPOSITE. in other words, 'to avoid NSA spying, NEVER store ANYTHING in google services.' this might be the only way he can 'say' it with a gun at his head.

  12. I feel safer with NSA than Google by david.emery · · Score: 4, Insightful

    All things considered, I trust the NSA more with my data. At least they're not in the business of selling it.

    1. Re:I feel safer with NSA than Google by Kardos · · Score: 3, Insightful

      Google won't torture you by mistake. Well, as far as we know, anyhow.

    2. Re:I feel safer with NSA than Google by david.emery · · Score: 2

      Neither will NSA. You have your Three Letter Agencies mixed up.

    3. Re:I feel safer with NSA than Google by greg1104 · · Score: 2

      Google won't torture you by mistake.

      That's what I used to think, until I tried to decipher my first AdWords bill.

    4. Re:I feel safer with NSA than Google by digitig · · Score: 2

      I want to avoid Google spying on me. Does the NSA have some servers I can use?

      --
      Quidnam Latine loqui modo coepi?
  13. Re:"safe" by rossdee · · Score: 5, Funny

    "Ah, this is obviously some strange use of the word safe that I wasn't previously aware of.” - Arthur Dent

  14. Here's a clue by jbrown.za · · Score: 3, Insightful

    From the original article:

    Back doors are a bad idea, Schmidt said. “It’d be great, if you’re the government, to have a trap door, but how do we at Google know that the other governments are not taking over the trap door from you?” he said.

    He is not saying the government (presumably the US government) shouldn't have a backdoor. He is only expressing a concern that other governments might find ways to exploit it.

    Bottom line ... it still seems like Google will hand over any data the US government wants.

  15. Re:He's telling the truth by king+neckbeard · · Score: 2

    The CIA and NSA are bosom buddies who only withhold information from each other when there's an actual threat. But if it's just an ordinary citizen, they'll be more than happy to double-team you.

    --
    This is my signature. There are many like it, but this one is mine.
  16. Great News! by neurovish · · Score: 3, Funny

    I was wondering what I could do to keep the NSA from spying on me. I'm glad that Google has it figured out. Time to upload all of the documents I have stored locally on my desktop to the Google servers so that they can keep a watchful eye on them. I was worried that this was going to be hard and require a lot of dilligence.

    I'm going to tell my boss that we need to move away from all of these Microsoft products to and only use Google cloud services for security.

  17. Is it safe? by matbury · · Score: 5, Interesting

    It's worse than most people seem to realise. Schmidt isn't just lying, he's willingly getting Google in deeper with the NSA because, you know, the bottom line: It's very, very profitable (tax payers dollars are always the most profitable source) and the market insists that corporations go where the money is. Google appear to be doing everything they can to get into the international espionage business via their departments like "Google Ideas", which is effectively a department within the US State Department. They consult with governments and corporations to help them with their commercial and political "issues." You know, the kinds of issues that some governments and corporations don't like, such as popular protest movements, environmental campaigning, human rights protection and enforcement, exposing political corruption, etc. Google can provide such governments and corporations with very helpful data on who these "trouble makers" are, where they've been, who they've talked to, and what they may be planning to do next.

    Perhaps we should be more insistent when interviewing Schmidt about our data: Is it safe? https://www.youtube.com/watch?... I mean, it's the kind of thing that he's endorsing, enabling, and promoting by getting into bed with the current NSA, CIA, DoJ, and State Department. It's only fair that he should be treated equally.

  18. Ha hee hee ha ha ha by EmperorOfCanada · · Score: 3, Insightful

    And then they are one court order away from being unlocked.

    Seeing that it turns out that nobody's tinfoil hat was big enough, I am going to make a prediction. It will turn out that Google was sharing data with the NSA as part of a deal where the NSA would share software patent data from potential foreign competitors with google so that google could keep the market on just about anything it wanted.

    I wonder how many foreign companies went to file a patent only to find that an American company that was friends with the NSA had filed the patent days before? Siemens filing patents only find that GE had done so the day before?

    The NSA would only have had to monitor a very few IP lawyers' offices to vacuum up a huge number of patents. This would then give the NSA something that they could afford with which to trade and it would "Protect" US commercial interests; as it would be a complete disaster for the next facebook or Google to be in a country that isn't friendly with the NSA.

    Even within the US I suspect that it would be easier to not have to negotiate a new data access deal with even domestic companies so why not hand their patents over as well.

    Think of it this way. If a company were to come up with a better search algorithm (one that didn't always bring up yellow page directories for every damn search, or spammy product sales sites) and I said you should try boobla.com (I made that up) as a search engine and you tried it and it was so much better, would you ever use google search again? How fast would you tell all your friends about boobla? Thus how long before google was seeing 40% month on month drops in search traffic? Unlike companies like Ford where a better car coming along doesn't get you to dump your ford and immediately buy the better car google can see the rug swept out from under them. If they lost search then all their other services combined would not be able to prop up the company. Plus there is no reason that boobla.com can't be Chinese, Korean, Icelandic, German, or Tanzanian?

    1. Re:Ha hee hee ha ha ha by EmperorOfCanada · · Score: 2

      I am thinking of a whole new algorithm; just like Google did to lycos, yahoo, altavista, etc. Basically with those search engines you looked up gravel and got porn, looked up bird watching and got porn, looked up pictures of cute pandas and got porn. Then suddenly google came along and you would search gravel and get gravel. Now with google you search gravel and get a wiki page on gravel (which any idiot could build) and then you get things like yellow pages and other aggregate sales sites; basically SEO porn.

      But most importantly if I search a very specific search for things like local pizza places I am unlikely to find their poorly SEO'd sites while aggregators will dominate for page after page.

      So it I don't see someone beating google by a slightly better system but an aha system that is fundamentally different and completely blows aggregators out of the equation.

  19. Re:"safe" by TheGratefulNet · · Score: 2

    "you either die a hero, or live long enough to turn into one of the bad guys"

    yet another Dent quote that is quite fitting for this subject.

    google is not going to die a hero.

    --

    --
    "It is now safe to switch off your computer."
  20. distributed raid by delvsional · · Score: 2

    Can someone design me a distributed raid app that encrypts and splits the data between all the major cloud options? It would be pretty hard to decrypt if they only have a fifth of it.

    --
    Oh Crap, I'm an optimist.....