I’ll admit I’m not a subscriber to
conspiracy theories. I believe Oswald acted alone, 9/11 wasn’t an inside job,
and the Titanic just plain hit an iceberg and sank. That being said, the
revelation by Edward Snowden that the National Security Agency (NSA) has been spying on Google
and Yahoo wasn’t a particular surprise to me – nor to many other people either.
It wasn’t a matter of a conspiracy; it was only a matter of time.
The purpose of the NSA is to gather
information that might be vital to United States interests. My goal isn’t to
discuss whether the NSA should or should not engage in this kind of activity,
but rather what it might mean for you or your business if you are a Google user

What have they been up to?

The story was reported
in the Washington Post on October 30th. “According to a top-secret
accounting dated Jan. 9, 2013, the NSA’s acquisitions directorate sends
millions of records every day from internal Yahoo and Google networks to data
warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30
days, the report said, field collectors had processed and sent back 181,280,466
new records – including ‘metadata,’ which would indicate who sent or received
e-mails and when, as well as content such as text, audio and video.”
Basically, the NSA has been looking at
data in motion – network traffic – between Google’s data centers. This took
place overseas where the NSA is permitted to conduct these operations. The full
implications have yet to unfold but Google’s past and future may well be
divided by this line crossing its history.
Google has condemned
this activity and explicitly
stated “We do not provide any government, including the U.S. government,
with access to our systems.”
In turn, the NSA
has defended their actions (PDF) by
stating: “NSA conducts all of its activities in accordance with applicable
laws, regulations, and policies.” They assert they are looking for “terrorists,
weapons proliferators, and other valid foreign intelligence targets” and
that “our focus is on targeting the communications of those targets, not
on collecting and exploiting a class of communications or services that would
sweep up communications that are not of bona fide foreign intelligence interest
Regardless of intent or results, if
you or your business has data on Google’s servers – whether in the form of
Gmail, documents stored in Drive, or company information kept on private Sites,
I’m sure you’re wondering exactly what you should do to protect your data from
unwanted interception from any third party or agency.

So, what can I do?

First I want to state that my advice
applies to individuals and businesses engaging in legal activities who are
concerned about their privacy. I feel you have less to worry about if you aren’t
a desirable target for government spying, but I understand we all have
different definitions and opinions of what the feds may have planned or what
constitutes a “desirable target.”
Now, this may sound shocking or
cavalier, but if you’re a Google customer and you transmit confidential
information to their systems, you shouldn’t be doing anything differently – with
one special exception which I’ll discuss below. Why is that? Because you’ve had
your data in the hands of others all along and safeguarding it to the best of
your ability, not to mention your level of comfort, has been a priority from
the get-go. Hopefully it’s an ingrained habit.
This means not sending messages
through Gmail containing information which might ruin your organization if
leaked (such as an announcement about an impending buyout offer).
Yes, your browser connection to Gmail
is encrypted via certificate as shown above, but that protects you against
someone sniffing traffic between you and Google. In this case the NSA was
monitoring data between Google data centers, meaning they were already inside
Good security practices also mean not
storing information on anyone else’s servers unless it’s protected by strong
encryption. For instance, I use TrueCrypt to create virtual encrypted disks (also known as containers)
which I can mount as a drive by entering my password (which is over 18
characters). Nothing I don’t wish to share with the world is kept online other
than within these TrueCrypt containers. This certainly gave me peace of mind
when I lost a smartphone in New York City last summer which had copies of my TrueCrypt
containers on it.
If you encrypt your data with a long,
random 256-bit key (some feel 128-bit is sufficient, but the key to that is the
length of the key!) it is virtually impossible for someone to guess the password via “brute force”
computation. Upload this encrypted information to Google Drive and you can rest
easy. Yes, it may be a pain having to mount and unmount the TrueCrypt container
to add or change information – not to mention resynchronizing the saved file up
to your Drive account. However, that’s simply the price tag for keeping
sensitive material off-site.
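
A container unlocked by a password is only as hard to brute-force as the weaker of its key and that password. The sketch below is an added example, not code from the original article or from TrueCrypt; the 94-symbol alphabet, PBKDF2-HMAC-SHA512 and the iteration counts are assumptions chosen for illustration. It estimates that cost for the key and password sizes mentioned above.

```python
import hashlib
import math
import os

KEY_BITS = 256          # key size named in the article
PRINTABLE = 94          # assumption: printable ASCII without the space


def password_bits(length, alphabet=PRINTABLE):
    """Entropy of a password whose characters are picked uniformly at random."""
    return length * math.log2(alphabet)


def effective_bits(length, alphabet=PRINTABLE, iterations=1, key_bits=KEY_BITS):
    """Brute-force cost in bits: the cheaper of guessing the key directly or
    guessing the password, where each password guess costs `iterations` hashes."""
    return min(key_bits, password_bits(length, alphabet) + math.log2(iterations))


def min_length(target_bits, alphabet=PRINTABLE):
    """Shortest random password that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet))


def derive_key(password, salt, iterations):
    """Stretch a password into a KEY_BITS-bit key with PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS // 8)


if __name__ == "__main__":
    salt = os.urandom(16)                      # stored beside the ciphertext
    key = derive_key("constructed sample passphrase", salt, 200_000)
    print(f"derived key: {len(key) * 8} bits")
    for label, length, alphabet in [
        ("8 lowercase letters", 8, 26),
        ("18 random printable characters", 18, PRINTABLE),
        ("40 random printable characters", 40, PRINTABLE),
    ]:
        print(f"{label:32s} ~{effective_bits(length, alphabet, 200_000):6.1f} bits")
    print("length needed for 128 bits:", min_length(128))
    print("length needed for 256 bits:", min_length(256))
```

The estimate holds only for passwords generated at random; a human-chosen phrase of the same length has far less entropy.
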
As for passwords, you are changing
those on a regular basis, right? Same goes for your encryption keys (I realize
I just stated it’s impossible for someone to guess the password but how many of
your ex-employees might know it?). What about ensuring your company
workstations are free of malware, keystroke loggers, and other threats which
can impact your privacy? How about making sure your wireless networks are
locked down and your routers aren’t using the default passwords? Hopefully you
can see where I’m going with this. Threats will always be present whether
inside or outside, and require the same measures.
Now, I need to talk about that special
exception of what you should do differently, which I mentioned above. Be
forewarned that encryption isn’t necessarily a magical shield. The NSA is working
hard to defeat or reduce the complexity of encryption. For instance, not all encryption products are ironclad; the NSA
has engaged security vendors to devise back doors which they can exploit. Open source products are your best bet – and TrueCrypt is one
such example. Best of all, it’s free.
It should also be noted that in
response to this incident Google is encrypting the connections between data
centers, meaning that the traffic within their systems will be more difficult
to snoop on. Google is making it clear their priority is to maintain the
security of their customers.

Going forward from here

I don’t believe this issue is
sufficient cause for concern to compel companies to opt out of using Google
products. In-house systems and services can pose similar risks and you can
never guarantee with 100% certainty your data won’t fall into the wrong hands. What
you can do is tie those hands so your data isn’t extractable no matter where it
In the end, what with Google fighting
back against the NSA, this episode may end up meaning little or nothing at all to
you, so long as you’ve been following smart guidelines and safe habits.