DOJ Vs. Google: How Google Fights On Behalf of Its Users

Lauren Weinstein writes: While some companies have long had a "nod and wink" relationship with law enforcement and other parts of government -- willingly turning over user data at mere requests without even attempting to require warrants or subpoenas, it's widely known that Google has long pushed back -- sometimes though multiple layers of courts and legal processes -- against data requests from government that are not accompanied by valid court orders or that Google views as being overly broad, intrusive, or otherwise inappropriate. Over the last few days the public has gained an unusually detailed insight into how hard Google will fight to protect its users against government overreaching, even when this involves only a single user's data. One case reaches back to the beginning of 2011, when the U.S. Department of Justice tried to force Google to turn over more than a year's worth of metadata for a user affiliated with WikiLeaks. While these demands did not include the content of emails, they did include records of this party's email correspondents, and IP addresses he had used to login to his Gmail account. Notably, DOJ didn't even seek a search warrant. They wanted Google to turn over the data based on the lesser "reasonable grounds" standard rather than the "probable cause" standard of a search warrant itself. And most ominously, DOJ wanted a gag order to prevent Google from informing this party that any of this was going on, which would make it impossible for him to muster any kind of legal defense.

Less suspect than the others

[SpaghettiPattern]

IMHO Google remains less suspect than other corporations, when it comes to defending privacy. I would never trust MS or Apple with my data. Not that they would gladly hand over data. But the corners they cut in order to achieve their own goals and the negligible contributions to OSS show that they're only in it for the money. I know, purely subjective but we as commoners will only be able to judge through indirect perception. Much like you can judge by lack of code quality that software is unlikely to be well developed.

Re:Less suspect than the others

[AmiMoJo]

To be fair, Apple's contributions to open source have been significant. Also in the interests of fairness, their locked down walled garden approach is one of the worst and most open-source hostile.

As TFA points out, a lot of this comes from confusion of the leaked NSA slide showing that Apple, MS, Google and others had been infiltrated. Doubtless they do have some illegal hooks into those companies, but actually the slide was saying that they were monitoring traffic between data centres belonging to their victims. Google was one of the quickest to respond to this by encrypting traffic between data centres and ensuring that there were no effective MITM attacks.

That alone we should be eternally thankful to Snowden for. That encryption vastly cut down the amount of data that the NSA was able to steal from Google users. Unfortunately MS and Apple have not been nearly as transparent about how their networks were monitored and what they did to fix the problem, so props to Google.

Re:Less suspect than the others

[moronoxyd]

Apple does not only sell hardware but also digital goods and ads. And to target said goods and ads they need what? A good profile of the user.

Apple does pretty much the same Google does. But Tim Cook dares to go on stage and pretend they don't. That makes him a liar in my book.

Over the years there were enough cases where we could see that apple does in fact collect data from their users without telling them (and without protecting said data properly).
Apple is neither better or worse than Google in that respect.

And neither of them is very interested in giving the information about their users to third parties. Their advantage in the ad/targeting business is that THEY have the profile of their users and the third parties do not.

Re:Less suspect than the others

[swillden]

But one of the vulnerabilities I've pointed out recently to proxy maintainers is that it's become quite commonplace to host SSL based traffic on an external router or load balancer, and carry it entirely unencrypted between that load balancer and the local server. It often eases maintenance of SSL keys and allows far less expensive, small servers to handle the actual traffic and allows the cost of robust SSL services to be shared more effectively.

Google's encryption is end-to-end. It's also not SSL-based, but instead much simpler and more robust (and more efficient), though there's nothing proprietary or custom about the encryption ciphers or protocols used (Google employs lots of cryptographers who would quickly stomp on any questionable designs). I work for Google and used to do stuff related to internal network encryption though I worked on a different aspect of it, focused on securing payments data (credit card numbers, etc.).

I think it would be awesome if Google were to publish the details of its security infrastructure, which is dramatically better than anything I saw in my 15 years as a security consultant, but AFAIK that hasn't been done so I have to keep my comments vague and high-level.

I'll also point out, since I know it has been mentioned publicly, that Google didn't actually start doing all of the link encryption in response to Snowden's revelations. It was a project that was already well under way. Snowden's information did cause the project to be accelerated, though.

From what I saw, the main effect was that the tolerance for exceptions to the encryption requirement dropped basically to zero. In an enormous and complex infrastructure like Google's there are always dozens of corner cases where anything you'd like to do is really hard for one reason or another, and so big infrastructure changes tend to take years to fully deploy, to avoid requiring project teams to drop all their productive work in order to avoid breakage from the change. Snowden's data changed the encryption mandate from "You need to get this done as soon as you can" to "Encryption will be on 100% by date X, no exceptions. If you can't see how to make it work, come talk to us and we'll help." (X was single-digit weeks away).

I know one team who had to deploy a spit-and-baling-wire construction to enable their protocol to be encrypted, and then had to fight with serious performance degradation until they got a well-designed and tested replacement in place. They begged for permission to turn off encryption for a while so they could focus on building the solid replacement rather than spending their time fighting production fires caused by the interim solution... and they were denied. This was for an important production service related to financial systems, too, which gives you a good idea of how serious Google was about the encryption mandate.

Thank you, Edward Snowden!

(I want to be sure no one thinks that last line is sarcastic. It's not. At all. I think Edward Snowden is one of the great American heroes, and I think that history will eventually give him his considerable due. I don't know anyone on the team I mentioned who would disagree, either, even though it caused them some weeks of long hours and stress.)

Quasi-journalism at it's zenith

[Overzeetop]

Note that I didn't say finest. It's a personal blog post rather than actual reporting, and contains little more than the summary. You are entreated to go read https://drive.google.com/file/... - the 300+ pages of filings yourself in lieu of a journalistic treatment with more substantive information. A noble academic endeavor, but not really a "first cup of coffee" piece.

Re:Let's not pat them on the back

[N1AK]

When other firms have decided that protecting their bottom line is best done by giving the government everything and anything they ask for I'm willing to cut them a little slack and give them the credit for fighting to protect user data even if, heaven forbid, that might be in their best interests.

It's not your data, folks.

Leaving things laying around on the network is dumb. Keep repeating till the light bulb goes on.

I am Google

[Trogre]

I fight... for the users.

Re:Horseshit.

[Demonoid-Penguin]

Thanks to Snowden and Greenwald, we know Google, and its 800lb gorilla friends Apple and Microsoft actively participated with the NSA and its PRISM program.

Bullshit. You lie and you've been called out. We do not know anything of the sort. Feel free to link to a single released document from Snowden (or any of the NSA leakers) that shows, or claims otherwise.

We know that Powerpoint slides purportedly from Snowden, that he proportedly stole from the NSA, show NSA boasting of having broken into Google. If they had to break in where was the "active participation"? And why the rapid restructuring to stop the data breach?

We know Google has lead and participated in major campaigns that threaten the wholesale spying by the NSA. And we know that despite the usual "gravitate towards evil in the name of short-term profits" that shareholder owned companies succumb to - that Google remains a company that mostly practices "enlightened self-interest" (probably helped by the type of people they employ). We believe it's more productive to cheer good work and criticise bad than the reverse (we, in this instance, does not include you).

You on the other-hand, demonstrably - know nothing (Yeah - that Bill Gates is an altruist and Google only implements security after the Snowden leaks). The reason you smell shit everywhere is not because of your superior vision and intellect - it's that your head is up your arse.

You seem like the fanboi face-painter type who refuses to consider it possible not to worship at a particular altar of commerce or technology (like shopping at a range of retailers instead of recalcitrantly spending at one only, while singing their jingle).

Re:I'm a bit confused

[AmiMoJo]

They were forced to turn over the data they had, but then carried on fighting for four years just for the right to inform the victim of what had happened. Hopefully by making it slow, expensive and time consuming for the DoJ they discouraged other such requests too.

Re: FTFY

[VirginMary]

because this is their business model, selling as much information about you as possible.

Utterly wrong. This is not their business model. Their model is it to, via algorithms, identify people who are most likely to respond positively to a given ad and then to show them the ad. Nowhere does this involve selling any information about even a single individual to a third party. You are simply ill informed. Also, whatever Apple does or does not claim is entirely irrelevant. After all they're a competitor. Finally, to my knowledge, there is not a single documented case of Google ever selling personal data about anybody they're tracking.