
NSA Fallout: Google Speeds Data Encryption Plans

Google's initiative to encrypt data in its internal data centers will slow -- but not prevent -- sophisticated government hackers from surreptitiously monitoring traffic.

In the wake of leaked documents offering new details about the National Security Agency's surveillance capabilities, Google has accelerated plans to encrypt all traffic flowing between its data centers.

The move isn't aimed at resisting government-ordered requests for information about Google's users, or data that Google stores, with which the company must legally comply. Rather, the initiative is aimed at making it more difficult for government intelligence agencies -- or anyone else -- to surreptitiously eavesdrop on data handled by Google.

"It's an arms race," Eric Grosse, VP for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."


According to information security experts, Britain, China, Israel and Russia run highly sophisticated government hacking programs, the Post reported. But theoretically, anyone from foreign governments to criminal syndicates might take an interest in the data being handled by a company such as Google.

Sean Sullivan, security advisor at F-Secure Labs, said via email that Google's encryption plan makes good security sense, given all the different types of information that the company stores. "I think it's a very good idea, considering its Google Docs business," he said.

A Google spokesman, reached by email, declined to comment on the press reports, or on whether the encryption initiative had an internal working name.

Google reportedly began planning to encrypt all traffic between its data centers last year. But the company decided to accelerate the plan in June, after NSA whistle-blower Edward Snowden released details on the NSA's Prism program, which appeared to use APIs installed on servers at Google, Facebook and Microsoft, among other technology giants, that allowed the intelligence agency to intercept and store metadata relating to communications and phone calls.

In the wake of the latest NSA revelations, which surfaced Friday -- specifically, that the agency had worked to build back doors into unnamed commercial products and weaken unnamed encryption systems -- Google has gone public with its end-to-end data center encryption plan. No doubt, that's an attempt by the company to improve its image, after leaked Prism documents detailed a secret U.S. surveillance program that targeted large quantities of data stored by Google. Cloud businesses have said that they stand to lose up to $40 billion as a result of the NSA's monitoring.

Google's Grosse also emphasized that the company has never purposefully weakened its encryption to allow for easier snooping. "This is just a point of personal honor," Grosse said. "It will not happen here."

To be clear, Google's data center encryption effort wouldn't stop foreign governments or anyone else with the requisite hacking power from intercepting and decrypting the traffic flowing between Google's data centers. But as the latest leaked NSA documents have shown, cracking -- or routing around -- strong encryption is a resource-intensive endeavor. Accordingly, Google will be making it difficult for anyone to surreptitiously intercept and retrieve vast quantities of data in one go.

Google's unveiling of its data center traffic encryption initiative comes as Google and Facebook have continued to petition the U.S. Foreign Intelligence Surveillance Court. The latest salvo fired by the technology companies, which want to be allowed to release more details about how they must comply with government-ordered requests for sharing data or accessing systems, came Monday in the form of an amended petition.

"This petition mirrors the requests made to Congress and the President by our industry and civil liberties groups in a letter earlier this year," wrote Richard Salgado, Google's director of law enforcement and information security, and Pablo Chavez, Google's director of public policy and government affairs, Monday in a related blog post. "Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act, including Section 702. Given the important public policy issues at stake, we have also asked the court to hold its hearing in open rather than behind closed doors. It's time for more transparency."

Facebook's general counsel, Colin Stretch, said in a blog post Monday that after details of Prism became public, the White House allowed businesses such as Facebook to detail the number of government requests for user data with which they'd been legally required to comply. "It allowed us to make clear that a vanishingly small number of people who use Facebook -- a tiny fraction of 1% -- were the subject of any kind of U.S. government request in the past year," Stretch said.

But since then, any moves toward greater transparency have stalled. "As a result, today we are joining others in the industry in petitioning the Foreign Intelligence Surveillance Court to require the government to permit companies to disclose more information about the volume and types of national security-related orders they receive," Stretch said.

On that front, Google's Salgado and Chavez said they also planned to meet with the President's Group on Intelligence and Communications Technologies on Tuesday. "We'll reiterate the same message there: that the levels of secrecy that have built up around national security requests undermine the basic freedoms that are at the heart of a democratic society."

User Rank: Apprentice
9/11/2013 | 6:15:19 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Looks like it's back to building Private Data Centers and Private Clouds with strong encryption for data that is both on the move and at rest.
User Rank: Apprentice
9/11/2013 | 4:46:36 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
I think any self-respecting company will be searching for new ways to transmit valuable info that isn't subject to NSA access which can be available to any smart NSA employee who could be coerced or bribed for access to anyone's info. Any company proving it is not involved can make mucho pesos.
Thomas Claburn,
User Rank: Ninja
9/11/2013 | 1:31:36 AM
re: NSA Fallout: Google Speeds Data Encryption Plans
It's vital for the business community to come across as trustworthy or cloud computing will lose clients with anything serious to protect.
User Rank: Apprentice
9/10/2013 | 9:21:18 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Interesting development: NIST today defended its process for creating encryption standards -- "NIST would not deliberately weaken a cryptographic standard" -- but said it's reopening the public comment period for publications involving specific cryptographic standards.
User Rank: Apprentice
9/10/2013 | 5:12:20 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
What's the point of encryption if they're just going to give the keys to the NSA? Most of the NSA snooping was not as a result of mathematical cracking but rather they simply asked for the keys and collaborated with companies to put in backdoors.