Wednesday, November 02, 2011

Two honest Google employees: our products don't protect your privacy

Two senior Google employees recently acknowledged that the company's products do not protect user privacy. This is quite a departure from the norm at Google, where statements about privacy are usually thick with propaganda, mistruths and often outright deception.

Google's products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance).

Last week, I published an op-ed in the New York Times that focused on the widespread ignorance of computer security among journalists and news organizations. Governments often have no need to try and compel a journalist to reveal the identity of their sources if they can simply obtain stored communication records from phone, email and social networking companies.

Will DeVries, Google's top DC privacy lobbyist soon posted a link to the article on his (personal) Google+ page, and added the following comment:

I often disagree with Chris, but when he's right, he's dead right. Journalists (and bloggers, and small businesses) need to take a couple hours and learn to use free, widely available security measures to store data and communicate.

Let me first say that I really respect Will. Many of the people in Google's policy team default to propaganda mode when questioned. Will does not do this - he either speaks truthfully, or declines to comment. I wish companies would hire more people like him, as they significantly boost the credibility of the firm among privacy advocates.

Regarding Will's comment: If Google's products were secure out of the box, journalists would not need to "take a couple hours" to learn to protect their data and communications. Will does not tell journalists to ditch their insecure Hotmail accounts and switch to Gmail, or to ditch their easily trackable iPhones and get an Android device. Likewise, he does not advise people to stop using Skype for voice and video chat, and instead use Google's competing services. He doesn't do that, because if he described these services as more secure and resistant to government access than the competition, he'd be lying.

Google's services are not secure by default, and, because the company's business model depends upon the monetizaton of user data, the company keeps as much data as possible about the activities of its users. These detailed records are not just useful to Google's engineers and advertising teams, but are also a juicy target for law enforcement agencies.

It would be great if Google's products were suitable for journalists, bloggers, activists and other groups that are routinely the target of surveillance by governments around the world. For now, though, as Will notes, these persons will need to investigate the (non-Google) tools and methods with which they can protect their data.

Google business model is in conflict with privacy by design

At a recent conference in Kenya, Vint Cerf, one of the fathers of the Internet and Google's Chief Internet Evangelist spoke on the same panel as me. We had the following exchange over the issue of Google's lack of encryption for user data stored on the company's servers (I've edited it to show the important bits about this particular topic - the full transcript is online here).

Me:

[I]t's very difficult to monetize data when you cannot see it. And so if the files that I store in Google docs are encrypted or if the files I store on Amazon's drives are encrypted then they are not able to monetize it....And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications.

Now, this doesn't mean that Google and Microsoft and Yahoo! are evil. They are not going out of their way to help law enforcement. It's just that their business model is in conflict with your privacy. And given two choices, one of which is protecting you from the government and the other which is making money, they are going to go with making money because, of course, they are public corporations. They are required to make money and return it to their shareholders.

Vint Cerf:

I think you're quite right, however that, we couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model.

Google could encrypt user data in storage with a key not known to the company, as several other cloud storage companies already do. Unfortunately, Google's ad supported business model simply does not permit the company to protect user data in this way. The end result is that law enforcement agencies can, and regularly do request user data from the company -- requests that would lead to nothing if the company put user security and privacy first.

21 comments:

Anonymous said...

Thanks you for sharing, Chris. I never understood why Google et al do not encrypt our data. I see your point from business perspective. How hard is it to change the way they are doing it? I do not see how hard this can be. For example, if I have 100 documents stored in google doc, they could extract very basic information that help them figure out what Ad to present and keep the documents encrypted when stored. We all know from IR perspective that you do not need the entire document after you extract the necessary information to classify it and run your business model. If this is the case and Google was ordered to release those data they can release only what they know which at that time is not much. It will be a general classification about the user data but not his data since it is encrypted.

Maybe I am wrong but I do not think that Google et al are taking the privacy issue seriously. I am sure they can come up with a way to run their business model and keep their users data secure.

NIC1138 said...

I find it really hard to understand why people don't use PGP more often. People: the solutions are out there, just pick it up and use it!

You may choose to rely on companies to protect your privacy. But if you are really concerned, you really should learn to use PGP, and take care of it by yourself. It is safer, and will let to keep using any other service you like (e.g. gmail, dropbox...)

I don't know how these services you mention work, but it looks to me just that they have a great set of applications that automate the process of encrypting stuff with a key that is generated in your machine. So it's really not different that using any other encryption solution. It's just a good application that help you out...

I don't think we should demand e.g. Google to care about this. It is not reasonable. As it is not right to hope that ISPs don cooperate with governments. The more you take care of your digital security yourself, the better for your.

Anyway, it's crazy that journalists and protesters and whistle-blowers and the like just don't seem to care about that. The tech is in the reach of their hands, but they don't seem to realize they should be using it!

Peter J. Cranstone said...

The solution - a browser that allows you to selectively opt-in/opt-out of sending private data.

Anonymous said...

TL;DR

Alternative News said...

Does anyone else find the fact that this is hosted by Google at all ironic?

How can we use PGP to secure gmail? If they have it on their servers wouldn't it make no difference to encrypt our home PCs? What secure web mail companies are out there?

Kimberley D said...

I'm becoming increasingly frustrated by the number of well-written articles in mainstream media about how Google, Facebook, etc. don't protect private data.

People are not completely unaware that isn't keeping their data secure. What they do lack awareness about is what alternative options exist for non-technical people.
Their other choices don't tend to be similarly sized companies with a large advertising budget.

You have the ability to get a sizable audience to read your words. Use that power for good. They already know that problems exist. What they need is concrete suggestions and steps they can use today to take action.

Anonymous said...

How about paid google accounts, e.g. google apps users. Does Google encrypt mails and docs that I use on paid corporate account since there are no ads on those?

Yinten said...

lol Peter you've missed the boat.

Jack Templin said...

Terrific post. It's not discussed enough that the ad-based business model that underpins the Google, Facebook, etc is non-compatible with their customers' privacy.

At Lockify.com we use client-side encryption & decryption (among many other measures) to ensure that our users' private info stays private. We believe it's a model we're be seeing a lot more of in the coming years.

Happy to expedite early access to any one who mentions this post.

Jack
jtemplin at lockify.com dotcom

Anonymous said...

I spoke with a Google engineer back around 2006 who was working on a solution to this problem: a way to encrypt the data so Google couldn't see what they were using.

I don't know what he's doing now, but the product he described (a sort of Google file repository where all your files are encrypted to elliminate consumer distrust) has not launched and appears to have been cancelled.

Angus said...

JTemplin pushes his "Lockify.com" in an earlier comment, but it seems to me it's not invulnerable to the same trap that GMail and other unencrypted hosted mail solution are. From the Lockify page:
"Using our web application, our browser extension, or our forthcoming smartphone and desktop apps, your sensitive information is encrypted on your computer. The decryption key is embedded into a link that you share with your recipient using your existing communication tools (email, chat, SMS, etc.). The result? Even we can't view your private communications."

The way I read this, anyone who can get hold of the unencrypted email (e.g. the FBI using an NSL or the cops using a court order) can get both the link and the encryption key. This means your "private" communications are now open to them as well as to your intended recipient.

True encryption using both your own private/public key pair and the recipient's key pair is one of the only solutions I know of that will work. And right now that's a PITA to implement.

Anonymous said...

@Alternative News:

no, not at all..

clearly you do not understand how PGP works. If you only ever transmitted ciphered data using gmail and distributed your public key over the internet, as long as you had reliable public keys of your intended recipients your mail would only ever be stored in a computationally secure format on google's servers, and still readable by the intended recipient.

David Herzog said...

Chris, you are right on with this post and the Times piece.

I've been telling professional and student journalists for a couple of years now that they really need to keep their sensitive documents and email off Google and other cloud-based software services.

A Google rep visited the Missouri School of Journalism to show students the company's services (many of which are great and I use daily). I asked him what Google would do if law enforcement asked for a reporter's notes stored in Google Docs. He said he would have to get back to me, but never did.

That didn't inspire a lot of trust.

Anonymous said...

Try this: upload a rar to google docs with the password "google", and you can see the file contents on docs itself. They TRY dictionary passwords even for your stored data.

rojer said...

first, the problem with encrypting your mail is post-processing, namely - search.
if you encrypt your mail, you won't be able to search it.

second, all existing encryption schemes (pgp, gpg, s/mime) leave headers open, which in practice means that recipients and exact date are known. sometimes this is all or at least a large part of that authorities or whoever is snooping at your mail is after.

Dudeman said...

my gmail is a means for people to tell me they need to speak to me in person :). ill never have a facebook, twitter, or other social media account as we live in a nebulizing police state, and i fear that a harmless conversation about a baked potato or a surfboard will lead to an invasion of my privacy and dehumanization of myself into an electronic asset. id rather not be consumed.

thanks for this blogpost.

Anonymous said...

Hello people. Encrypt everything. Have any of you heard of Truecrypt?

Anonymous said...

>...dehumanization of myself into an electronic asset. id rather not be consumed.


Beautifully put, Dudeman.

Anonymous said...

@Anonymous claiming Google Docs guess rar passwords - please demonstrate your claim. Doesn't work for with with zip or 7z archives.

@NIC1138: Please read "Why Johny Can't Encrypt", all the answers are there.

@Kimberley D - Very well said. Other than policy reform, we need concrete, easy to use solutions that people can use now.

@David Herzog Would love to have that on video :-)

Anonymous said...

@Anonymous said:Encrypt everything. Have any of you heard of Truecrypt?

Unfortunately that does not solve the issue of a web based email system. Truecrypt only encrypts your local hard drive, and there are also some incompatibilities with some of the newer file systems. It's a good program, but it does not solve the issue being addressed here.

Arun said...

For documents, Google should implement a password protection facility to individual Google drive files. That would be the ultimate solution. Till then intermediate solutions like using google scritps for password protected google docs could be used.