Google Services Don't Guarantee Privacy

Journalists aren't the only ones who should take stronger security measures with online services, security researcher warns--and Google counsel agrees.
10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Anyone with information they want to keep private, especially from the government: Don't use Google products or services.

"Google's products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance)," said Christopher Soghoian, a fellow at the Open Society Foundations, and a doctoral candidate in security informatics at Indiana University in a blog posted Wednesday.

Here's Soghoian's reasoning: Google's business model is predicated on tracking what users do, to serve them advertising, which pays Google's bills.

"Google's services are not secure by default, and, because the company's business model depends upon the monetization of user data, the company keeps as much data as possible about the activities of its users," he said. "These detailed records are not just useful to Google's engineers and advertising teams, but are also a juicy target for law enforcement agencies."

[The report that Google Says Government Requests For Data Rising--and it complies with 93% of the requests--seems to prove Soghoian's point.]

Google could encrypt the data that it stores in the cloud so that it couldn't be retrieved, even with a court order. But it doesn't. After Soghoian made this point while on a recent Internet Governance Forum workshop panel, Google chief Internet evangelist Vint Cerf--another panelist--concurred. "We couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model," he said.

This isn't the first time that Soghoian has warned about the data security or privacy practices of Internet businesses. Earlier this year, notably, he filed a complaint with the Federal Trade Commission, accusing filesharing service Dropbox of misleading customers about the security and privacy of their files.

As that highlights, when it comes to keeping sensitive information private, it's not just Google's services that people should beware, but virtually any online service provider. As one accused member of LulzSec recently learned the hard way, even a service named specifies its own terms of service and must comply with court orders or itself face legal penalties. Skype, Google Chat, or any other VoIP-based communications provider is arguably no different.

Of course when it comes to maintaining privacy, life is more difficult for some people than others. People in countries with oppressive regimes are often forced to use state-controlled telecommunications services, for example, which may censor or restrict the sites people can use. People's communications in Iran were exposed to interception this year after an attacker managed to generate a fake digital certificate for such services as Gmail and Tor. Furthermore, while the anonymized service Tor will help disguise who's communicating with whom, even it occasionally sees flaws discovered which can make it susceptible to deanonymization attacks, at least until a patch gets issued.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
But news organizations should also get a clue about security, said Soghoian, and do right by their confidential sources. The Wall Street Journal, for example, launched a WikiLeaks knockoff, SafeHouse, in May. But privacy experts blasted the site for a string of security shortcomings, including poor SSL implementation, as well as Adobe Flash as a choice of uploader, since it would defeat anonymizing technologies such as Tor. In addition, the site's terms of service further break that "safe house" metaphor, saying that "we reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice."

Besides Google and its ilk, as well as media organizations, Soghion also singled out journalists for failing to practice proper privacy, for example by not using secure communications. "Many major media organizations have distanced themselves from WikiLeaks, which, they tell us, is reckless, and does not engage in real journalism," said Soghoian in an op-ed published last week in The New York Times. "But if the hallmark of quality journalism is the ability to protect confidential sources, then WikiLeaks should, in fact, be seen as a beacon of best practices."

Will DeVries, policy counsel at Google, concurred with that piece. "Journalists (and bloggers, and small businesses) need to take a couple hours and learn to use free, widely available security measures to store data and communicate," he said via Google+. In other words, don't trust in Google to keep your data secure.

What could journalists--or businesses owners concerned with blocking industrial espionage attacks--do better? Start by encrypting stored data and transmitting sensitive information in encrypted format.

In addition, when it comes to protecting confidential sources and securing transmitted information, look to the standard set by WikiLeaks, said Soghoian. "Whatever one thinks of Mr. Assange, he is a skilled data security expert. He knows an awful lot more about information security than even the most tech-savvy journalist," he said. "His platform appears to have worked: none of WikiLeaks' confidential sources have ever been exposed by the organization. (Bradley E. Manning, the detained Army private who has been accused of the leak, was exposed by an acquaintance.)"

"Until journalists take their security obligations seriously, it will be safer to leak something to WikiLeaks--or groups like it--than to the mainstream press," he said.

Editors' Choice
Evan Schuman, Contributing Writer, Dark Reading
Tara Seals, Managing Editor, News, Dark Reading
Jeffrey Schwartz, Contributing Writer, Dark Reading