Google plan to thwart government surveillance with encryption raises stakes

Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments is as much about economics as data encryption, experts say.

Google recently told The Washington Post that it has stepped up efforts to encrypt data flowing between its data centers around the world. The move follows revelations over the summer of massive Internet surveillance by the U.S. National Security Agency (NSA).

Google's encryption initiative started last year, but was accelerated in June following the release of classified documents on NSA data collection. Whistleblower Edward Snowden, an ex-NSA contractor, supplied the documents to news media, which led to extensive reporting by The New York Times, The Washington Post, The Guardian and ProPublica.

With each new NSA revelation, Google and other Internet companies have come under increasing pressure to demonstrate that they are doing as much as is legally possible to protect customer data. Customer trust has been shaken by reports that Google, Facebook, Yahoo and Apple are among the U.S. Internet companies that have worked with the NSA in its efforts to monitor communications between suspected terrorists in and outside the U.S.

The NSA's anti-terrorist activities have become controversial because the Snowden documents indicate the agency is capturing huge amounts of information on Internet activity, searching it as needed for data related to specific cases. Google's encryption strategy would make casting a net into its data flow expensive and hard work, making it more likely that the NSA would obtain a court order for information on specific targets instead.

"This is a business strategy," Kevin Bocek, vice president of product marketing for certificate management vendor Venafi, told CSOonline on Monday. "A large part of Google's business is about [customer] trust."

The U.S. is only one of many governments that Google is trying to fend off by raising the stakes for siphoning information flowing over the Internet. Other countries with sophisticated hacking technology include China, Russia, Britain and Israel.

"It's an arms race," Eric Grosse, vice president for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

The NSA reportedly has several methods for getting the information it wants. The agency has the ability to read significant amounts of Internet traffic, it has worked with tech vendors to bypass their products' cryptographic capabilities, and it has designed its own exploits for compromising computer systems.

However, the agency does evaluate the tactic it uses by weighing the cost against the value of the information obtained.

"The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical," Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. "They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible."

[Also see: Schneier on NSA's encryption defeating efforts: Trust no one]

The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the "mathematics of cryptography," Schneier said. The greater weaknesses, and the ones most likely to be exploited by governments in general, are the systems at the start and end of the data flow.

"I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks," Schneier said in a blog post. "Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts."

Bocek agreed, saying that the most serious vulnerabilities are often in the systems companies use to manage the keys and certificates for encrypting data.

"While encryption provides a significant barrier and certainly makes it economically expensive if I'm going to attack directly, it doesn't mean that I as the enterprise is invincible," he said.


Stories by Antone Gonsalves
