Google reportedly working on encrypting user files on Google Drive

Jul 19, 2013 by Bob Yirka weblog
Google headquarters

CNET, the online tech magazine has apparently found two sources inside of Google who are claiming that the company is embarking on a plan to encrypt user data on Google Drive. Doing so would mean that the U.S. government (read the NSA) could not legally force Google to give up the files if requested.

According to the sources, Google is taking this tact in response to information provided to the public by the now famous Edward Snowden (who is still hiding in Russia). Specifically, it was revealed that the NSA has a program called PRISM that uses software to collect data off corporate servers that hold client data as required by the Foreign Intelligence Surveillance Act. Noting a loophole in that act which says such data need only be provided if it's not encrypted, Google is apparently considering encrypting every user file on Google Drive in a way that prevents it from being opened by anyone other than the client—which includes Google too. Thus, if the NSA or other government agency (local, state or federal) submits a legal request for data on Google Drive, not only will Google not be legally bound to provide access to the files, but they wouldn't be able to open them themselves anyway—only the user will hold the key.

Currently, files saved onto Google Drive are encrypted while being transferred. While residing on the servers, they are not encrypted and easily read by anyone who gains access to them. Encrypting files on servers would cost Google more, but in this case, it appears the company is willing to eat that cost in hopes of gaining the confidence of users.

Users do have other options—they can encrypt files themselves if they wish before storing on a cloud server. Microsoft Word has a facility for doing just that. But history has shown that users are either unwilling or uneducated on how to encrypt files. Generally it means buying or downloading free software, configuring it, and then using it when desired. Another option is to avoid Google Drive and other big name cloud servers altogether and go with one of the smaller companies that already offer encryption as one of their services.

For its part, Google has remained mum on the whole topic, which means customers won't know for sure if the company is serious about offering encryption until it actually happens.

Explore further: Protecting infrastructure with smarter CPS

Related Stories

Google asks US secret court to lift gag order (Update)

Jun 18, 2013

Google on Tuesday sharply challenged the U.S. government's gag order on its Internet surveillance program, citing what it described as a constitutional free speech right to divulge how many requests it receives ...

Google Drive sports new view and scan enhancements

May 23, 2013

(Phys.org) —Google Drive has a new look and functions. The makeover in Google Drive features scanning and interface enhancements that put the user into "card" mode. The enhancements make it easy for the ...

Recommended for you

Protecting infrastructure with smarter CPS

4 hours ago

Security of IT networks is continually being improved to protect against malicious hackers. Yet when IT networks interface with infrastructures such as water and electric systems to provide monitoring and control capabilities, ...

Apple helps iTunes users delete free U2 album

17 hours ago

Apple on Monday began helping people boot U2 off their iTunes accounts after a cacophony of complaints about not wanting the automatically downloaded free album by the Irish rock band.

Habitual Facebook users: Suckers for social media scams?

23 hours ago

A new study finds that habitual use of Facebook makes individuals susceptible to social media phishing attacks by criminals, likely because they automatically respond to requests without considering how they are connected ...

YouTube to go offline in India on Android phones

Sep 15, 2014

YouTube users in India will soon be able to save videos from the Google-owned service, making it possible to watch them offline, and the feature will eventually be available globally, the company said Monday.

Facebook vs. loneliness

Sep 15, 2014

Are people becoming lonelier even as they feel more connected online? Hayeon Song, an assistant professor of communication at UWM, explored this topic in recent research.

User comments : 20

Adjust slider to filter visible comments by rank

Display comments: newest first

Grallen
5 / 5 (4) Jul 19, 2013
Haha. Awesome response to the spying.
ValeriaT
1 / 5 (13) Jul 19, 2013
I don't understand what this posture is good for. If the Google files would be safe against external intruders, nobody could access them from outside anyway. If NSA will ask the Google for decrypting, the Google is obliged to cooperate.
rug
3.5 / 5 (8) Jul 19, 2013
If they encrypt them correctly Google will not be able to decrypt them.

"Google not be legally bound to provide access to the files, but they wouldn't be able to open them themselves anyway—only the user will hold the key."
dirk_bruere
1 / 5 (5) Jul 19, 2013
As if anyone trusts Google not to include an NSA back door.
The only way this will work is if the encryption is done client side and uses open source s/w
sennekuyl
5 / 5 (1) Jul 20, 2013
Google has been pretty good at appropriating opensource for their tasks. I don't see any reason why they wouldn't do so here --- assuming they actually do it. How are they going to harvest data if they can't read the data? They still have search and gmail, I guess, but that begs as to why they haven't implemented s/mime today. While my preference is for gpg, s/mime would be satisfactory.
sennekuyl
5 / 5 (1) Jul 20, 2013
I don't understand what this posture is good for. If the Google files would be safe against external intruders, nobody could access them from outside anyway. If NSA will ask the Google for decrypting, the Google is obliged to cooperate.

As rug says, if the encryption is done client-side then Google can't access them without user intervention. They would however lose all ability to recover user data in an 'emergency'.
ECOnservative
1 / 5 (5) Jul 20, 2013
Google could use an expiring key with a length of 4k or above. When the key expires (on a certain date, or by a specific event, etc.) nothing and no one can decrypt the data.
ValeriaT
1.4 / 5 (8) Jul 20, 2013
they wouldn't be able to open them themselves anyway—only the user will hold the key
Do you really believe in it? And what prohibits me to encrypt the files in my own way before I upload them to the Google drive?
alfie_null
5 / 5 (4) Jul 20, 2013
Google could use an expiring key with a length of 4k or above. When the key expires (on a certain date, or by a specific event, etc.) nothing and no one can decrypt the data.

There is no such thing as an "expiring" key. Whenever you read of such, you are reading of an artificial attribute layered on top of some encryption technique (e.g. PKI).
Grallen
4.5 / 5 (2) Jul 20, 2013
How are they going to harvest data if they can't read the data?


While storing but before encrypting that scan it to find tags. Then they store just the tags.

The file is then encrypted but has tags on it so they can show the right advertisements to you.
indio007
1 / 5 (3) Jul 20, 2013
Just use Mega.nz
sennekuyl
not rated yet Jul 21, 2013
they wouldn't be able to open them themselves anyway—only the user will hold the key
Do you really believe in it? And what prohibits me to encrypt the files in my own way before I upload them to the Google drive?

Nothing. If you are uploading sensitive data with encrypting, this would create a scenario that delays cracking by a significant time in an easy to use, ubiquitous manner. Current encryption methods of widely-used services have to be done per data segment* by the user for any semblance of security. By being available at Google would mean significant uptake and automatic implementation.

@Grallen: Yeah, assuming the special sauce computations aren't too significant.

* TrueCrypt not withstanding
rah
1 / 5 (4) Jul 22, 2013
If you are seeking real security online, you can relax. It does not exist. There are some good ways to confuse and slow down the seekers of your info, but ultimately it's all there.
VendicarE
1 / 5 (1) Jul 22, 2013
The only safe form of encryption is client side encryption.

If google wants to offer encryption it should be as a plugin on the client side.

This will allow me to write my own encryption/decryption plugin and know that my trade secrets are safe from American Government/Corporate spies.
VendicarE
5 / 5 (1) Jul 22, 2013
"As if anyone trusts Google not to include an NSA back door." - Foofie

The problem is not really Google or Microsoft or whomever here.

The real problem are American and Israeli secret laws that compel people to act and then bar them from publicly admitting that they were legally bound to do so.

Those laws are fundamentally opposed to freedom of expression, and should be impossible to implement.

Once you have laws that prohibit the public from talking, you have laws that bar the public from exposing all manner of corruption.
jscroft
1 / 5 (4) Jul 22, 2013
It is an interesting day indeed when I wake up and find myself in agreement with Scott Nudds, but there it is: proof positive that even a blind squirrel can find a nut once in a while if only his mom's basement is big enough.
antialias_physorg
not rated yet Jul 22, 2013
How are they going to harvest data if they can't read the data?

This is for google drive - not the regular batch of google apps (mail, calendar, google plus, search results, etc. which are harvested for data)

They would however lose all ability to recover user data in an 'emergency'.

Why? The encrypted stuff is backed up by them just as any non-encrypted stuff is. The only emergency that could jeopardize your data in this case is if you yourself lost the key for decrypting it.

This will allow me to write my own encryption/decryption plugin and know that my trade secrets are safe from American Government/Corporate spies.

That depends on where you live, as some nations have disclosure laws that can force you to give out the key under various circumstances.
http://en.wikiped...sure_law
sennekuyl
not rated yet Jul 22, 2013
How are they going to harvest data if they can't read the data?

This is for google drive - not the regular batch of google apps (mail, calendar, google plus, search results, etc. which are harvested for data)
It would take the drives out of the potential data harvesting unless client side categorisation wasn't terribly slow. My following comment did allude to the other [more popular] services.
They would however lose all ability to recover user data in an 'emergency'.

Why? The encrypted stuff is backed up by them just as any non-encrypted stuff is. The only emergency that could jeopardize your data in this case is if you yourself lost the key for decrypting it.
If it is done correctly, it is done client-side. If it isn't done client-side then it is just for security theatre or non-government intrusion. If it is done client-side, the user must manage the passphrases or there is no reason for it to exist. For forgotten passwords, backups won't help. [cont]
sennekuyl
not rated yet Jul 22, 2013
There are possibilities of One Time Passwords (OTP) being able to decrypt the files, however that adds another vector to be found and adversely used. The most secure system we have to slow down unauthorized decryption is Public Key Infrastructure(PKI) + symmetrical encryption of the actual files for speed, but that is dependent on users managing the private key. One of PKI's biggest problems is users upload the private key and keep the public key private. The other is popularity --- it is seen as something for basement dwelling nerds and the CIA-type secrecy.
sennekuyl
not rated yet Jul 22, 2013
Gah, messed up quotations 2 above while editing. AA was quoted then my comment started from the "If it is done..." The above comments should have been one comment.

@VendicarE: You want to be very sure you got the encryption and implementation right. That's why I prefer TrueCrypt & PKI schemes. Been tested many times and no evidence they are broken implementations.