Encryption is being tested to armor user files stored on Google Drive, sources say, a move that could curb surveillance attempts by the U.S. and other governments. Google has begun to experiment with encrypting Google Drive files, a privacy-protective move that could curb attempts by the U.S. and other governments to gain access to users' stored files. Two sources told CNET that the Mountain View, Calif.-based company is actively testing using encryption to armor files stored on Google Drive, a cloud-based file storage and synchronization service. One source who is familiar with the project said a small percentage of Google Drive files is currently encrypted. The move could differentiate Google from other Silicon Valley companies that have been the subject of ongoing scrutiny after classified National Security Agency slides revealed government computer software named PRISM. The utility collates data that the companies are required to provide under the Foreign Intelligence Surveillance Act -- unless, crucially, it's encrypted and they don't possess the key. "Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device," said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco. Major Web companies routinely use encryption such as HTTPS to protect the confidentiality of users' communications while they're being transmitted. But it's less common to see files encrypted while stored in the cloud, in part because of the additional computing expense and complexity, and in part because of the difficulties in indexing and searching encrypted data. Google has previously said that user files were transmitted in encrypted form, but stored in its data centers in an unencrypted manner. In an April 2012 post on a Google product forum, a community manager said that "Google Drive does not currently encrypt files on the server." Jay Nancarrow, a Google spokesman, declined to answer questions about Google Drive encryption. Secure encryption of users' private files means that Google would not be able to divulge the contents of stored communications even if the NSA submitted a legal order under the Foreign Intelligence Surveillance Act, or if police obtained a search warrant for domestic law enforcement purposes. By contrast, secret NSA documents leaked by Edward Snowden show Microsoft worked with the NSA to "circumvent the company's own encryption" as part of PRISM, according to a report last week in the Guardian. Microsoft general counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency." Some smaller companies already provide encrypted cloud storage, a concept that's sometimes called "host-proof hosting." SpiderOak says its software, available for Windows, OS X, Linux, iOS, Android, and Nokia N900 platforms, uses "zero-knowledge" encryption techniques that allow it to store data that's "readable to you alone." SpiderOak also offers a Web access option because of "overwhelming customer demand," but suggests the client application is more secure. Wuala is an application for Windows, OS X, Linux, iOS, and Android created by Zurich-based LaCie AG that also uses client-side encryption. "LaCie employees have very limited access to your data," the company says. "They can only see how many files you have stored and how much storage space they occupy." While details about Google's experiments with Drive encryption were not immediately available, the company may be taking a different approach by performing the encoding and decoding on its own servers. If that's the case, a government agency serving a mere search warrant or subpoena on Google would be unable to obtain the unencrypted plaintext of customer files. But the government might be able to convince a judge to grant a wiretap order forcing Google to intercept and divulge the user's passphrase the next time the user types it in. Vancouver-based Hush Communications was required to take a similar step in 2007 -- though that was under Canadian law, not in the United States. "This is an unanswered legal question" in the United States, says Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I think the answer would depend in part on whether decryption could be called a current capability of the provider -- or requires reengineering of the service." Google has aggressively litigated in the past to protect users' privacy. CNET disclosed in May that the company is fighting the Justice Department over secret national security letter requests in two different federal courts. It fought the government over a subpoena for search logs, and has an active case currently before the Foreign Intelligence Surveillance Court. It also was the first major company to adopt perfect forward secrecy for Web encryption, a technology that protects the confidentiality of user communications even if a government is eavesdropping on the network. Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center, says a user typing in the passphrase might "be considered an electronic communication and subject to interception" under federal surveillance law. CNET reported in an article last Friday that the U.S. government has used the threat of installing custom eavesdropping hardware on companies' networks to compel cooperation in aiding surveillance demands. The article disclosed that Verizon Business was required to install surveillance gear that the government had purchased and provided. Disclosure: McCullagh is married to a Google employee not involved with Google Drive.
Encryption is being tested to armor user files stored on Google Drive, sources say, a move that could curb surveillance attempts by the U.S. and other governments.
Google has begun to experiment with encrypting Google Drive files, a privacy-protective move that could curb attempts by the U.S. and other governments to gain access to users' stored files.
Two sources told CNET that the Mountain View, Calif.-based company is actively testing using encryption to armor files stored on Google Drive, a cloud-based file storage and synchronization service. One source who is familiar with the project said a small percentage of Google Drive files is currently encrypted.
The move could differentiate Google from other Silicon Valley companies that have been the subject of ongoing scrutiny after classified National Security Agency slides revealed government computer software named PRISM. The utility collates data that the companies are required to provide under the Foreign Intelligence Surveillance Act -- unless, crucially, it's encrypted and they don't possess the key.
"Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device," said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco.
Major Web companies routinely use encryption such as HTTPS to protect the confidentiality of users' communications while they're being transmitted. But it's less common to see files encrypted while stored in the cloud, in part because of the additional computing expense and complexity, and in part because of the difficulties in indexing and searching encrypted data.
Google has previously said that user files were transmitted in encrypted form, but stored in its data centers in an unencrypted manner. In an April 2012 post on a Google product forum, a community manager said that "Google Drive does not currently encrypt files on the server."
Jay Nancarrow, a Google spokesman, declined to answer questions about Google Drive encryption.
Secure encryption of users' private files means that Google would not be able to divulge the contents of stored communications even if the NSA submitted a legal order under the Foreign Intelligence Surveillance Act, or if police obtained a search warrant for domestic law enforcement purposes.
By contrast, secret NSA documents leaked by Edward Snowden show Microsoft worked with the NSA to "circumvent the company's own encryption" as part of PRISM, according to a report last week in the Guardian.
Microsoft general counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."
Some smaller companies already provide encrypted cloud storage, a concept that's sometimes called "host-proof hosting." SpiderOak says its software, available for Windows, OS X, Linux, iOS, Android, and Nokia N900 platforms, uses "zero-knowledge" encryption techniques that allow it to store data that's "readable to you alone." SpiderOak also offers a Web access option because of "overwhelming customer demand," but suggests the client application is more secure.
Wuala is an application for Windows, OS X, Linux, iOS, and Android created by Zurich-based LaCie AG that also uses client-side encryption. "LaCie employees have very limited access to your data," the company says. "They can only see how many files you have stored and how much storage space they occupy."
While details about Google's experiments with Drive encryption were not immediately available, the company may be taking a different approach by performing the encoding and decoding on its own servers.
If that's the case, a government agency serving a mere search warrant or subpoena on Google would be unable to obtain the unencrypted plaintext of customer files. But the government might be able to convince a judge to grant a wiretap order forcing Google to intercept and divulge the user's passphrase the next time the user types it in. Vancouver-based Hush Communications was required to take a similar step in 2007 -- though that was under Canadian law, not in the United States.
"This is an unanswered legal question" in the United States, says Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I think the answer would depend in part on whether decryption could be called a current capability of the provider -- or requires reengineering of the service."
Google has aggressively litigated in the past to protect users' privacy. CNET disclosed in May that the company is fighting the Justice Department over secret national security letter requests in two different federal courts. It fought the government over a subpoena for search logs, and has an active case currently before the Foreign Intelligence Surveillance Court. It also was the first major company to adopt perfect forward secrecy for Web encryption, a technology that protects the confidentiality of user communications even if a government is eavesdropping on the network.
Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center, says a user typing in the passphrase might "be considered an electronic communication and subject to interception" under federal surveillance law.
CNET reported in an article last Friday that the U.S. government has used the threat of installing custom eavesdropping hardware on companies' networks to compel cooperation in aiding surveillance demands. The article disclosed that Verizon Business was required to install surveillance gear that the government had purchased and provided.
Disclosure: McCullagh is married to a Google employee not involved with Google Drive.
