Thursday, April 24, 2014

Bruce Schneier: Why Google's assurances are hollow

Google, in trying to reassure its customers that their data is secure from NSA spying, recently announced that it was encrypting all the data on its servers, and that data moving from one Google server to another will always be encrypted. Only Google has the ability to decrypt that data. Not the NSA. Feel better now?

Well, security expert, cryptographer, and author Bruce Schneier explained in his Crypto-Gram newsletter why this is nothing but more smoke being blown up our skirts:

Google, and by extension, the U.S. government, still has full access to your communications on Google's servers.

Google could change that. It could encrypt your e-mail so only you could decrypt and read it. It could provide for secure voice and video so no one outside the conversations could eavesdrop.

It doesn't. And neither does Microsoft, Facebook, Yahoo, Apple, or any of the others.

Why not? They don't partly because they want to keep the ability to eavesdrop on your conversations. Surveillance is still the business model of the Internet, and every one of those companies wants access to your communications and your metadata. Your private thoughts and conversations are the product they sell to their customers. We also have learned that they read your e-mail for their own internal investigations.

But even if this were not true, even if – for example – Google were willing to forgo data mining your e-mail and video conversations in exchange for the marketing advantage it would give it over Microsoft, it still won't offer you real security. It can't.

The biggest Internet companies don't offer real security because the U.S. government won't permit it.

This isn't paranoia. We know that the U.S. government ordered the secure e-mail provider Lavabit to turn over its master keys and compromise every one of its users. We know that the U.S. government convinced Microsoft – either through bribery, coercion, threat, or legal compulsion – to make changes in how Skype operates, to make eavesdropping easier.

What once sounded like paranoia, like a crazy conspiracy theory ("the US government is spying on Americans, without warrants, all the time"), has been proven true.

What have we learned in the past year?  We've learned that the US government cannot be trusted on matters of respect for constitutional or civil rights, human dignity, or basic liberty.  We've learned that America's corporations cannot be trusted to act independently of that government.  

That's frightening knowledge, yes ... but what we know about all this isn't nearly as scary as what we don't know.  This is only the tip of the iceberg.

Thank you, Edward Snowden.