Google races to keep out government spies

Net firm hopes encryption will stump global spooks

The Washington Post

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the U.S. National Security Agency and the intelligence agencies of foreign governments, company officials said Friday.

The move is among the most concrete signs yet that revelations about the NSA’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program. PRISM obtains data from U.S. technology companies, including Google, under various legal authorities.

Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.

“It’s an arms race,” said Eric Grosse, vice president for security engineering at Google. “We see these government agencies as among the most skilled players in this game.”

Experts say that, aside from the U.S., sophisticated government hacking efforts emanate from China, Russia, Britain and Israel.

The NSA seeks to defeat encryption through a variety of means. These include obtaining encryption keys to decode communications, using supercomputers to break codes and influencing encryption standards to make them more vulnerable to outside attack, according to reports Thursday based on documents provided by former NSA contractor Edward Snowden.

But those reports made clear that encryption — converting data into what appears to be gibberish when intercepted — complicates government surveillance efforts, requiring that resources be devoted to decoding or otherwise defeating the systems. Among the most common tactics, experts say, is to hack into individual computers or other devices used by people targeted for surveillance, making what amounts to an end run around coded communications.

According to security experts, the time and energy required to defeat encryption forces surveillance efforts to be targeted more narrowly on the highest-priority targets — such as terrorism suspects — and limits the ability of governments to simply cast a net into the huge rivers of data flowing across the Internet.

“If the NSA wants to get into your system, they are going to get in,” said Christopher Soghoian at the American Civil Liberties Union. “This is all about making dragnet surveillance impossible.”

The U.S. intelligence community has been reeling since news reports based on Snowden’s documents began revealing remarkable new details about how the federal government collects, analyzes and disseminates information — including, in some circumstances, the emails, video chats and phone communications of American citizens.

Many of the documents portray U.S. companies as pliant “corporate partners” or “providers” of information.

While telecommunications companies have generally declined to comment on their relationships with government surveillance, some have reacted with outrage at the depictions in the NSA documents leaked by Snowden. They have joined civil liberties groups in demanding more transparency and insisting that information is turned over to the government only when required by law, often in the form of a court order.

In June, Google and Microsoft asked the Foreign Intelligence Surveillance Court to allow them greater latitude in reporting how much information they turn over to the government. On Friday, Yahoo issued its first “government transparency report,” saying it had received 12,444 requests for data from the U.S. government this year, covering the accounts of 40,322 users.

Google has long been more aggressive than its peers within the American technology industry in deploying encryption technology. It turned on encryption in its popular Gmail service in 2010, and since then has added similar protections for Google searches for most users.

Yet even as it encrypted much of the data flowing between Google and its users, the information traveling between its data centers offered rare points of vulnerability to potential intruders, especially government surveillance agencies, security officials said. User information — including copies of emails, search queries, videos and Web-browsing history — typically is stored in several data centers that transmit information to each other on high-speed fiber-optic lines.

Several other companies, including Microsoft, Apple and Facebook, increasingly have begun using encryption for some of their services, though the quality varies. Communications inside services such as Gmail and Outlook mail are not generally encrypted, appearing to surveillance systems as “clear text.”

Google officials declined to provide details on the cost of its new encryption efforts, the number of data centers involved, or the exact technology used. The officials did say that it will be what experts call “end-to-end,” meaning that both the servers in the data centers and the information on the fiber-optic lines connecting them will be encrypted using “very strong” technology. The project is expected to be completed soon.

Security experts said news reports detailing the extent of NSA efforts to defeat encryption were startling. It was widely presumed that the agency was working to gain access to protected information, but the efforts were far more extensive than understood and reportedly contributed to the creation of vulnerabilities that other hackers, including foreign governments, could exploit.