Google

What NSA spying on Google means for your business

The NSA has been revealed to be collecting data from the communication links used by Google and Yahoo data centers. What does this mean for you and your business?

a_smatteson_nsa_spying.png.jpg
I'll admit I'm not a subscriber to conspiracy theories. I believe Oswald acted alone, 9/11 wasn't an inside job, and the Titanic just plain hit an iceberg and sank. That being said, the revelation by Edward Snowden that the National Security Agency (NSA) has been spying on Google and Yahoo wasn't a particular surprise to me - nor to many other people either. It wasn't a matter of a conspiracy; it was only a matter of time.

The purpose of the NSA is to gather information that might be vital to United States interests. My goal isn't to discuss whether the NSA should or should not engage in this kind of activity, but rather what it might mean for you or your business if you are a Google user or customer.

What have they been up to?

The story was reported in the Washington post on October 30th. "According to a top-secret accounting dated Jan. 9, 2013, the NSA's acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency's headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records - including 'metadata,' which would indicate who sent or received e-mails and when, as well as content such as text, audio and video."

Basically, the NSA has been looking at data in motion - network traffic - between Google's data centers. This took place overseas where the NSA is permitted to conduct these operations. The full implications have yet to unfold but Google's past and future may well be divided by this line crossing its history.

Google has condemned this activity and explicitly stated "We do not provide any government, including the U.S. government, with access to our systems."

In turn, the NSA has defended their actions (PDF) by stating: "NSA conducts all of its activities in accordance with applicable laws, regulations, and policies." They assert they are looking for "terrorists, weapons proliferators, and other valid foreign intelligence targets" and that "our focus is on targeting the communications of those targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to us."

Regardless of intent or results, if you or your business has data on Google's servers – whether in the form of Gmail, documents stored in Drive, or company information kept on private Sites, I'm sure you're wondering exactly what you should do to protect your data from unwanted interception from any third party or agency.

So, what can I do?

First I want to state that my advice applies to individuals and businesses engaging in legal activities who are concerned about their privacy. I feel you have less to worry about if you aren't a desirable target for government spying, but I understand we all have different definitions and opinions of what the feds may have planned or what constitutes a "desirable target."

Now, this may sound shocking or cavalier, but if you're a Google customer and you transmit confidential information to their systems, you shouldn't be doing anything differently - with one special exception which I'll discuss below. Why is that? Because you've had your data in the hands of others all along and safeguarding it to the best of your ability, not to mention your level of comfort, has been a priority from the get-go. Hopefully it's an ingrained habit.

This means not sending messages through Gmail containing information which might ruin your organization if leaked (such as an announcement about an impending buyout offer).

b_smatteson_nsa_spying.png

Yes, your browser connection to Gmail is encrypted via certificate as shown above, but that protects you against someone sniffing traffic between you and Google. In this case the NSA was monitoring data between Google data centers, meaning they were already inside the perimeter.

Good security practices also mean not storing information on anyone else's servers unless it's protected by strong encryption. For instance, I use TrueCrypt to create virtual encrypted disks (also known as containers) which I can mount as a drive by entering my password (which is over 18 characters). Nothing I don't wish to share with the world is kept online other than within these TrueCrypt containers. This certainly gave me peace of mind when I lost a smartphone in New York City last summer which had copies of my TrueCrypt containers on it.

c_smatteson_nsa_spying.png
If you encrypt your data with a long, random 256-bit key (some feel 128-bit is sufficient, but the key to that is the length of the key!) it is virtually impossible for someone to guess the password via "brute force" computation. Upload this encrypted information to Google Drive and you can rest easy. Yes, it may be a pain having to mount and unmount the TrueCrypt container to add or change information - not to mention resynchronizing the saved file up to your Drive account. However, that's simply the price tag for keeping sensitive material off-site.

As for passwords, you are changing those on a regular basis, right? Same goes for your encryption keys (I realize I just stated it's impossible for someone to guess the password but how many of your ex-employees might know it?). What about ensuring your company workstations are free of malware, keystroke loggers, and other threats which can impact your privacy? How about making sure your wireless networks are locked down and your routers aren't using the default passwords? Hopefully you can see where I'm going with this. Threats will always be present whether inside or outside, and require the same measures.

Now, I need to talk about that special exception of what you should do differently, which I mentioned above. Be forewarned that encryption isn't necessarily a magical shield. The NSA is working hard to defeat or reduce the complexity of encryption. For instance, not all encryption products are ironclad; the NSA has engaged security vendors to devise back doors which they can exploit. Open source products are your best bet - and TrueCrypt is one such example. Best of all, it's free.

It should also be noted that in response to this incident Google is encrypting the connections between data centers, meaning that the traffic within their systems will be more difficult to snoop on. Google is making it clear their priority is to maintain the security of their customers.

Going forward from here

I don't believe this issue is sufficient cause for concern to compel companies to opt out of using Google products. In-house systems and services can pose similar risks and you can never guarantee with 100% certainty your data won't fall into the wrong hands. What you can do is tie those hands so your data isn't extractable no matter where it lives.

In the end, what with Google fighting back against the NSA, this episode may end up meaning little or nothing at all to you, so long as you've been following smart guidelines and safe habits.


Also read:

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

16 comments
tulaipaul
tulaipaul

Though such intrusions may dismay others, but the history unravels many such instances, whereby the intrusion or such attempts have come in the broad day light. It is also true that Google analyzes the links and back links seriously, though we would never consider them as intrusion. The recent Google update including Google Panda will emphasize more on such analysis.   http://www.knowledgemart.org/internet/google-panda-a-boon-in-disguise/

veeja1972
veeja1972

Honestly this is why i started using a private cloud solution a while ago for all my stuff...I found this product to be the most capable:

http://www.vivedrive.com


Erick Lawler
Erick Lawler

So, honestly, why are we acting soooo surprised? Response either "we" are stupid or embarrassed

monsuco
monsuco

I fail to see how NSA spying has any impact on my business. The NSA isn't spying on corporate information so that they can deliver it into the hands of corporate competitors nor are they in the business of stealing people's identities. Corporations are worried about the same IT threats they've always worried about: hackers, malware, identity thieves, corporate espionage, etc.


A lot of corporate data should be encrypted anyway. The Fair Credit Reporting Act requires customer financial data encryption. HIPPA and Obamacare require healthcare data to be encrypted. Various other privacy laws in the US and abroad require various other customer and corporate information be encrypted. Nearly every corporation has a policy that requires proprietary corporate data like balance sheets and merger information to be encrypted.


The NSA changes none of this. You should keep using the "best practices" you should've been using all along and worry about the real threats to corporate IT security.

john_perez
john_perez

Google is an Israeli company, so being spied on by Google is the same as being spied on by Israel. Lavabit has been shutdown by the U.S. Government for not providing passwords for Ed Snowden's account. Similar actions by Isreal against firms within it's spere of influence is not hard at to believe. Either let us take a peek, or you get shut down.

Systems Guy
Systems Guy

Not patting my self on the back, but, what I've been saying since day one and this Cloud business:  Why would any body put company data in the cloud? (or on Google or fill in the blank).  DON'T put your data out in the cloud!

pgit
pgit

"They assert they are looking for "terrorists, weapons proliferators, and other valid foreign intelligence targets"..."

 All they need is a mirror.

Christy Ganger
Christy Ganger

means that businesses are paying too much by comparison for there bandwidth

Cata Catalin
Cata Catalin

To his now to read this our how is read this : is not accepted simply person, and this with the time our now if is it..

Axel Seh Biyoghe
Axel Seh Biyoghe

this is scrap..!!why don't you say the NSA spy the whole world....instead of disclose days after days something that everyone suspected already..!!A.X

Gisabun
Gisabun

Spying on Google? Isn't that old news? :-)

smmatteson
smmatteson

Good comment by Jon Farmer in the UK over on Google+: "KIn the UK you are required by law to offer up your passphrases and keys if the court orders you too. Saying you don't have them or you can't remember them is no defence. This needs to be made clear in any advice to use encryption IMHO."

Edward D
Edward D

monsuco,

This example is a bit far off, but you may remember a few years back that while banks guard customer data tightly with respect to credit card transactions, banks also contracted (outsourced) the collection of credit card transactions.  The collecting company had no specific security measures and were not required to have them in their contracts with the various banks using their services.  (Was this an honest oversight, or just a cheap gamble on the part of the banks?)  Hacking theives broke into the database and stole many thousands of records including sensitive customer data.  This was a perfect setup for identity theft and for dishonest use of credit card accounts.

My point is that the NSA is collecting data, but I personally have no faith in their efforts to protect the data that they gather.  Sure, they are not sharing deliberately, but the NSA does "spy" on foreigners and trade that data with other nations (thus gathering data on Americans that they were not allowed to gather in former years). What will they trade in the future?  And with whom?  After such data is shared, how is anyone to feel any comfort that such data is secure?

And keep in mind that political views change rapidly, espeically after elections.  Mindless beauraucrats change the rules wihtout any idea what will happen when new policies are implemented.  We have many historical examples of such foolishness.

cybershooters
cybershooters

@Systems Guy I agree, I always suspected the information would be compromised by the NSA and other intelligence agencies, and they might be providing the space for free or for X now, but what if they raise their prices?  They have you over a barrel.  I think in limited situations putting a bit of info in the cloud may be okay but as a general rule I'm against it.

cybershooters
cybershooters

@smmatteson Yes, but that's a court ordering you to do it.  You know from where the blade fell.  I haven't got a problem with proper rule of law but the NSA tapping Google's cabling in the Irish Sea only came about because of a whistleblower telling us.  The NSA saying these things are "legal" is disingenuous, only a court can say for sure if their activities are legal and I don't think some of their reported activities are.  Using a 51% confidence level for determining whether a target is a US person for example.

Editor's Picks