Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


NSA Fallout: Google Speeds Data Encryption Plans

Google's initiative to encrypt data in its internal data centers will slow -- but not prevent -- sophisticated government hackers from surreptitiously monitoring traffic.

In the wake of leaked documents offering new details about the National Security Agency's surveillance capabilities, Google has accelerated plans to encrypt all traffic flowing between its data centers.

The move isn't aimed at resisting government-ordered requests for information about Google's users, or data that Google stores, with which the company must legally comply. Rather, the initiative is aimed at making it more difficult for government intelligence agencies -- or anyone else -- to surreptitiously eavesdrop on data handled by Google.

"It's an arms race," Eric Grosse, VP for security engineering at Google, told The Washington Post. "We see these government agencies as among the most skilled players in this game."

[ How much do you know about Bullrun, the NSA's decryption program? Read NSA Crypto Revelations: 7 Issues To Watch. ]

According to information security experts, Britain, China, Israel and Russia run highly sophisticated government hacking programs, the Post reported. But theoretically, anyone from foreign governments to criminal syndicates might take an interest in the data being handled by a company such as Google.

Sean Sullivan, security advisor at F-Secure Labs, said via email that Google's encryption plan makes good security sense, given all the different types of information that the company stores. "I think it's a very good idea, considering its Google Docs business," he said.

A Google spokesman, reached by email, declined to comment on the press reports, or on whether the encryption initiative had an internal working name.

Google reportedly began planning to encrypt all traffic between its data centers last year. But the company decided to accelerate the plan in June, after NSA whistle-blower Edward Snowden released details on the NSA's Prism program, which appeared to use APIs installed on servers at Google, Facebook and Microsoft, among other technology giants, that allowed the intelligence agency to intercept and store metadata relating to communications and phone calls.

In the wake of the latest NSA revelations -- specifically, that the agency had worked to build back doors into unnamed commercial products and weaken unnamed encryption systems -- that surfaced Friday, Google has gone public with its end-to-end data center encryption plan. No doubt, that's an attempt by the company to improve its image, after leaked Prism documents detailed a secret U.S. surveillance program that targeted large quantities of data stored by Google. Cloud businesses have said that they stand to lose up to $40 billion as a result of the NSA's monitoring.

Google's Grosse also emphasized that the company has never purposefully weakened its encryption to allow for easier snooping. "This is a just a point of personal honor," Grosse said. "It will not happen here."

To be clear, Google's data center encryption effort wouldn't stop foreign governments or anyone else with the requisite hacking power to intercept and decrypt the traffic flowing between Google's data centers. But as the latest leaked NSA documents have shown, cracking -- or routing around -- strong encryption is a resource-intensive endeavor. Accordingly, Google will be making it difficult for anyone to surreptitiously intercept and retrieve vast quantities of data in one go.

Google's unveiling of its data center traffic encryption initiative comes as Google and Facebook have continued to petition the U.S. Foreign Intelligence Surveillance Court. The latest salvo fired by the technology companies, which want to be allowed to release more details about how they must comply with government-ordered requests for sharing data or accessing systems, came Monday in the form of an amended petition.

"This petition mirrors the requests made to Congress and the President by our industry and civil liberties groups in a letter earlier this year," wrote Richard Salgado, Google's director of law enforcement and information security, and Pablo Chavez, Google's director of public policy and government affairs, Monday in a related blog post. "Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act, including Section 702. Given the important public policy issues at stake, we have also asked the court to hold its hearing in open rather than behind closed doors. It's time for more transparency."

Facebook's general counsel, Colin Stretch, said in a blog post Monday that after details of Prism became public, the White House allowed businesses such as Facebook to detail the number of government requests for user data with which they'd been legally required to comply. "It allowed us to make clear that a vanishingly small number of people who use Facebook -- a tiny fraction of 1% -- were the subject of any kind of U.S. government request in the past year," Stretch said.

But since then, any moves toward greater transparency have stalled. "As a result, today we are joining others in the industry in petitioning the Foreign Intelligence Surveillance Court to require the government to permit companies to disclose more information about the volume and types of national security-related orders they receive," Stretch said.

On that front, Google's Salgado and Chavez said they also planned to meet with the President's Group on Intelligence and Communications Technologies on Tuesday. "We'll reiterate the same message there: that the levels of secrecy that have built up around national security requests undermine the basic freedoms that are at the heart of a democratic society."


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/11/2013 | 6:15:19 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Looks like it's back to building Private Data Centers and Private Clouds with strong encryption for data that is both on the move and at rest.
User Rank: Apprentice
9/11/2013 | 4:46:36 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
I think any self respecting company will be searching for new way to transmit valuable info that isn't subject to NSA access which can be available to any smart NSA employee who could be coerced or bribed for access to anyone's info. Any company proving it is not involved can make mucho pesos
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
9/11/2013 | 1:31:36 AM
re: NSA Fallout: Google Speeds Data Encryption Plans
It's vital for the business community to come across as trustworthy or cloud computing will lose clients with anything serious to protect.
User Rank: Apprentice
9/10/2013 | 9:21:18 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
Interesting development: NIST today defended its process for creating encryption standards -- "NIST would not deliberately weaken a cryptographic standard" -- but said it's reopening the public comment period for publications involving specific cryptographic standards.
User Rank: Apprentice
9/10/2013 | 5:12:20 PM
re: NSA Fallout: Google Speeds Data Encryption Plans
What's the point of encryption if they're just going to give the keys to the NSA. Most of the NSA snooping was not as a result of mathematical cracking but rather they simply asked for the keys and collaborated with companies to put in backdoors.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before allow remote attackers to bypass authentication mechanisms via unspecified vectors.
PUBLISHED: 2020-07-07
MobileIron Core and Connector before, 10.4.x before, 10.5.x before, 10.5.2.x before, and 10.6.x before allow remote attackers to read files on the system via unspecified vectors.
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...