
You would forgive Google for spending millions of dollars over the last decade to work harder than virtually any other tech company on the Internet to resist NSA surveillance, thanklessly and quietly, or, when not quietly, under the duress of thousands of shrill, under-informed detractors? For essentially orchestrating the worldwide deployment of TLS forward secrecy, for more or less inventing browser certificate pinning, for donating high-quality crypto code to NSS and OpenSSL --- by the way, also, for finding Heartbleed and publishing it, rather than holding it as a "competitive advantage" --- and for killing probably several thousand browser RCEs? And, in all of this, for spending god knows how much money on lawyers behind the scenes?

That's generous.



Working harder than others simply makes them the least bad. They may have struggled valiantly to keep data secured, but they failed often enough. Google did more than many to pioneer the model of centralised information-gathering as a commercial strategy, which is part of what made surveillance so rewarding. I think we expect far too little of companies that manage our data, and Google manages far more than most.

Client-side crypto, along a PGP model, would be a welcome admission that Google can't secure everyone's email within their network. It would be a step away from the idea that we simply have to trust utility-scale cloud providers with our data. I see that as putting right a mistake.

EDIT: To de-escalate the argument, I should say that we're probably perceiving 'Google' differently. Their security people are excellent people, and Google has undertaken many excellent security initiatives. Many people at Google are on the side of the angels. As you probably know these people and their work much better than I do, I can imagine that your picture of Google's activities is different to mine. But from a consumer's perspective, Google is much more ambiguous. As a matter of corporate strategy they have pooled vast amounts of customer data via the integration of their services, and they have created a security risk by doing so. When faced with a choice between doing something that might make users safer but might harm their ability to gather data on them, I don't believe Google as a company has often chosen the former.


Working harder than everyone else does not simply make something "the least bad". It also makes them "the best".


The thing about privacy against a threat like PRISM and other mass-surveillance threats is that there is a threshold below which efforts don't actually protect.

End-to-end encryption is a pretty reasonable threshold. Skype proved it could be convenient enough for grandma (and yes I'm aware that user-controlled keys for store and forward is more difficult).

So, yeah. Below that threshold the best is just least bad. I don't see why you are so touchy about that. Many people here foresaw that the government would be so intransigent that, unless services implemented open and verifiable tools for enabling end-to-end encryption, anything short of that would be ineffective in restoring trust in the services we use.


End-to-end encryption is a pretty reasonable threshold. Skype proved it could be convenient enough for grandma

Err .. are you aware they give out keys to certain governments and send different code to certain clients (eg. within China)? In privacy terms they are basically the same as Google now with its centralized model and SSL, just using some obfuscated vagaries of P2P slash centralized communications paths (which they refuse to document openly) instead of centralized store and forward.


I usually respect your comments tptacek, but the fact is that Google have acted and continue to act to strongly effect a centralization of much personal information on the internet in an unencrypted form accessible to parts of the company and its host governments. That's just not cool, versus the traditional decentralized model.

All of their mitigation efforts are only lipstick on the fundamental pig here. Yes, they're not the only ones. Yes, ease of use. But that doesn't change the model.


Yea but they do all that to secure their services so they can harvest the information. "Rather than holding it as a "competitive advantage"" Doing so gives them the "competitive advantage" by creating the illusion of some "white knight" protector of the internet and its users. I don't even mind Google as much as I mind the weird delusional back-flips people do in order to forget the fact that Google is an advertising/tracking company. They have no business plan if people stop trusting the internet or use browsers that can make tracking/analytic data harder for them to collect.


I agree that Google's efforts, as you have described, have been exemplary.

Have they not also gone along with the NSA in what appear to be violations of the 4th amendment?

I'm mostly ignorant of this stuff, but reading the quote below from the Guardian makes them look complicit. I think it's fine to be complicit when you're powerless, but Google is not powerless. What bad thing would have happened to Larry Page if he had said "Uh, we're not handing over the data." Would he actually have been arrested?

(Just to be clear, you've probably thought about this for 400 hours more than I have, so if I'm totally wrong, sorry.)

From the Guardian [1]:

"The senior lawyer for the National Security Agency stated on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data.

Rajesh De, the NSA general counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called “upstream” collection of communications moving across the internet.

Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”"

[1]: http://www.theguardian.com/world/2014/mar/19/us-tech-giants-...


Surely he means Google's anti-competitive and anti-employee pacts with other companies in the area, their desire to take away privacy via forcing people to use their real name across all of their products, and their commitment to forcing mobile paradigms into a desktop environment.

It would be generous.


Got it. Internet company. Guilty. Sure thing.


It sounds like your interests and focuses differ from others in this area. I'm not sure why you feel it justifies so much snark.


Perhaps. My interests and focuses are in Internet and application security and privacy; that's been my career for the past 15 years. I'm not sure what the incompatible other interest might be.


Well said.



