Google plan to thwart government surveillance with encryption raises stakes

Strategy would make probing data flow expensive and hard, likely forcing the NSA to obtain a court order for targeted data

Google's strategy for making surveillance of user Internet activity more difficult for U.S. and foreign governments is as much about economics as data encryption, experts say.

Google recently told The Washington Post that it has stepped up efforts to encrypt data flowing between its data centers around the world. The move follows revelations over the summer of massive Internet surveillance by the U.S. National Security Agency (NSA).

Google's encryption initiative started last year, but was accelerated in June following the release of classified documents on NSA data collection. Whistleblower Edward Snowden, an ex-NSA contractor, supplied the documents to news media, which led to extensive reporting by The New York Times, The Washington Post, The Guardian and ProPublica.

With each new NSA revelation, Google and other Internet companies have come under increasing pressure to demonstrate that they are doing as much as is legally possible to protect customer data. Customer trust has been shaken by reports that Google, Facebook, Yahoo and Apple are among the U.S. Internet companies that have worked with the NSA in its efforts to monitor communications between suspected terrorists in and outside the U.S.

The NSA's anti-terrorist activities have become controversial because the Snowden documents indicate the agency is capturing huge amounts of information on Internet activity, searching it as needed for data related to specific cases. Google's encryption strategy would make casting a net into its data flow expensive and hard work, making it more likely that the NSA would obtain a court order for information on specific targets instead.

"This is a business strategy," Kevin Bocek, vice president of product marketing for certificate management vendor Venafi, told CSOonline on Monday. "A large part of Google's business is about [customer] trust."

The U.S. is only one of many governments that Google is trying to fend off by raising the stakes for siphoning information flowing over the Internet. Other countries with sophisticated hacking technology include China, Russia, Britain and Israel.

"It's an arms race," Eric Grosse, vice president for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

The NSA reportedly has several methods for getting the information it wants. The agency has the ability to read significant amounts of Internet traffic, it has worked with tech vendors to bypass their products' cryptographic capabilities, and it has designed its own exploits for compromising computer systems.

However, the agency does evaluate the tactic it uses by weighing the cost with the value of the information obtained.

"The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical," Bruce Schneier, a renowned security technologist and cryptographer, wrote in The Guardian. "They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible."

[Also see: Schneier on NSA's encryption defeating efforts: Trust no one]

The NSA's capabilities for cracking encryption are not known outside the agency. However, the most secure part of an encryption system remains the "mathematics of cryptography," Schneier said. The greater weaknesses, and the ones mostly likely to be exploited by governments in general, are the systems at the start and end of the data flow.

"I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks," Schneier said in a blog post. "Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts."

Bocek agreed, saying that the most serious vulnerabilities are often in the systems companies use to manage the keys and certificates for encrypting data.

"While encryption provides a significant barrier and certainly makes it economically expensive if I'm going to attack directly, it doesn't mean that I as the enterprise is invincible," he said.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies