Posted by: Jessica Scarpati
CNET got an interesting scoop this week about Google that, if valid and depending on your level of cynicism, could represent the first step by a major cloud provider to attempt to circumvent the U.S. government’s domestic surveillance program and other law enforcement attempts to spy on cloud-based data. Or it could be a day-late-dollar-short response to allegations that Google gave the feds back-door access to its servers to comply with the classified PRISM surveillance program — a charge the company that lives by the phrase “do no evil” flatly denies.
Citing two anonymous sources, CNET reported that Google is testing out server-side encryption for pockets of its cloud-based consumer and business storage service, Google Drive. The report did not state whether the two sources were Google employees; a Google spokesperson declined to comment on the story.
While the report also doesn’t explicitly state that this project is a direct response to recent allegations by former National Security Agency (NSA) contractor Edward Snowden, the timing and implications are uncanny. CNET’s Declan McCullagh writes:
The move could differentiate Google from other Silicon Valley companies that have been the subject of ongoing scrutiny after classified National Security Agency slides revealed the existence of government computer software named PRISM. The utility collates data that the companies are required to provide under the Foreign Intelligence Surveillance Act — unless, crucially, it’s encrypted and the government doesn’t possess the key.
Major Web companies routinely use encryption, such as HTTPS, to protect the confidentiality of users’ communications while they’re being transmitted. But it’s less common to see files encrypted while stored in the cloud, in part because of the additional computing expense and complexity and the difficulties in indexing and searching encrypted data.
Interestingly, a recent report from The Guardian alleged that documents Snowden leaked revealed Microsoft “collaborated closely with U.S. intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption.” The report alleges that Microsoft enabled the feds to intercept Skype calls and read encrypted Outlook.com messages. Microsoft General Counsel Brad Smith insisted in a recent blog post that The Guardian report contained “significant inaccuracies,” denying that the company provides warrantless access.
But is the damage already done for not only Microsoft, but also Google and other cloud providers? I’m not entirely convinced. Yes, security and privacy have long been top barriers to cloud adoption, and this whole debacle is one serious nail in that coffin. But if all of the revelations that have come out about PRISM haven’t yet neutered the cloud services market, I find it hard to believe the damage is irreparable. That said, it will be interesting to see how much of a difference something like Google’s reported server-side encryption project will make for consumers, as well as how business customers will react (with their wallets) over the coming months.