The Washington Post
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.
Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, first reported in The Washington Post and the Guardian that month. PRISM obtains data from American technology companies, including Google, under various legal authorities.
Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult – whether conducted by governments or other sophisticated hackers.
“It’s an arms race,” said Eric Grosse, vice president for security engineering at Google, based in Mountain View, Calif. “We see these government agencies as among the most skilled players in this game.”
Experts say that, aside from the U.S. government, sophisticated government hacking efforts emanate from China, Russia, Britain and Israel.
The NSA seeks to defeat encryption through a variety of means, including by obtaining encryption “keys” to decode communications, by using super-computers to break codes, and by influencing encryption standards to make them more vulnerable to outside attack, according to reports Thursday by The New York Times, the Guardian and ProPublica, based on documents provided by former NSA contractor Edward Snowden.
But those reports made clear that encryption – essentially converting data into what appears to be gibberish when intercepted by outsiders – complicates government surveillance efforts, requiring that resources be devoted to decoding or otherwise defeating the systems. Among the most common tactics, experts say, is to hack into individual computers or other devices used by people targeted for surveillance, making what amounts to an end run around coded communications.
Security experts say the time and energy required to defeat encryption forces surveillance efforts to be targeted more narrowly on the highest-priority targets – such as terrorism suspects – and limits the ability of governments to simply cast a net into the huge rivers of data flowing across the Internet.
“If the NSA wants to get into your system, they are going to get in … . Most of the people in my community are realistic about that,” said Christopher Soghoian, a computer security expert at the American Civil Liberties Union. “This is all about making dragnet surveillance impossible.”
The NSA declined to comment for this article. The Office of the Director of National Intelligence issued a statement Thursday saying: “Throughout history, nations have used encryption to protect their secrets, and today terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that.”
The U.S. intelligence community has been reeling since news reports based on Snowden’s documents began revealing remarkable new detail about how the government collects, analyzes and disseminates information – including, in some circumstances, the e-mails, video chats and phone communications of American citizens.
Many of the documents portray U.S. companies as pliant “Corporate Partners” or “Providers” of information. While telecommunications companies have generally declined to comment on their relationships with government surveillance, some have reacted with outrage at the depictions in the NSA documents released by Snowden. They have joined civil liberties groups in demanding more transparency and insisting that information is turned over to the government only when required by law, often in the form of a court order.
In June, Google and Microsoft asked the Foreign Intelligence Surveillance Court to allow them greater latitude in reporting how much information they turn over to the government. On Friday, Yahoo issued its first “government transparency report,” saying it had received 12,444 requests for data from the U.S. government this year, covering the accounts of 40,322 users.
Google has long been more aggressive than its peers within the U.S. technology industry in deploying encryption technology. It turned on encryption in its popular Gmail service in 2010, and since then has added similar protections for Google searches for most users.
Yet even as it encrypted much of the data flowing between Google and its users, the information traveling between its data centers offered rare points of vulnerability to potential intruders, especially government surveillance agencies, security officials said. User information – including copies of e-mails, search queries, videos and Web browsing history – typically is stored in several data centers that transmit information to each other on high-speed fiber-optic lines.
Several other companies, including Microsoft, Apple and Facebook, increasingly have begun using encryption for some of their services, though the quality varies by company. Communications between services – when an e-mail, for example, is sent from a user of Gmail to a user of Microsoft’s Outlook mail – are not generally encrypted, appearing to surveillance systems as what experts call “clear text.”
Google officials declined to provide details on the cost of its new encryption efforts, the numbers of data centers involved, or the exact technology used. Officials did say that it will be what experts call “end-to-end,” meaning that both the servers in the data centers and the information on the fiber-optic lines connecting them will be encrypted using “very strong” technology. The project is expected to be completed soon, months ahead of schedule.
Grosse echoed comments from other Google officials, saying that the company resists government surveillance and has never weakened its encryption systems to make snooping easier – as some companies reportedly have, according to the Snowden documents detailed by the Times and the Guardian on Thursday.
“This is a just a point of personal honor,” Grosse said. “It will not happen here.”
Security experts said news reports detailing the extent of NSA efforts to defeat encryption were startling. It was widely presumed that the agency was working to gain access to protected information, but the efforts were far more extensive than understood and reportedly contributed to the creation of vulnerabilities that other hackers, including foreign governments, could exploit.
Matthew Green, a Johns Hopkins University cryptography expert, applauded Google’s move to harden its defenses against government surveillance, but said recent revelations make clear the many weaknesses of commonly used encryption technology, much of which dates back to the 1990s or earlier. He called for renewed efforts among companies and independent researchers to update systems – the hardware, the software and the algorithms.
“The idea that humans can communicate safely is something we should fight for,” Green said.
But he said he wasn’t sure that would happen: “A lot of people in the next week are going to say, this is too hard. Let’s forget about the NSA.”