The purpose of the NSA is to gather information that might be vital to United States interests. My goal isn't to discuss whether the NSA should or should not engage in this kind of activity, but rather what it might mean for you or your business if you are a Google user or customer.
What have they been up to?
The story was reported in the Washington Post on October 30th. "According to a top-secret accounting dated Jan. 9, 2013, the NSA's acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency's headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records - including 'metadata,' which would indicate who sent or received e-mails and when, as well as content such as text, audio and video."
Basically, the NSA has been looking at data in motion - network traffic - between Google's data centers. This took place overseas where the NSA is permitted to conduct these operations. The full implications have yet to unfold, but this episode may well mark a dividing line in Google's history.
Google has condemned this activity and explicitly stated "We do not provide any government, including the U.S. government, with access to our systems."
In turn, the NSA has defended their actions (PDF) by stating: "NSA conducts all of its activities in accordance with applicable laws, regulations, and policies." They assert they are looking for "terrorists, weapons proliferators, and other valid foreign intelligence targets" and that "our focus is on targeting the communications of those targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to us."
Regardless of intent or results, if you or your business has data on Google's servers - whether in the form of Gmail, documents stored in Drive, or company information kept on private Sites - I'm sure you're wondering exactly what you should do to protect your data from unwanted interception by any third party or agency.
So, what can I do?
First I want to state that my advice applies to individuals and businesses engaging in legal activities who are concerned about their privacy. I feel you have less to worry about if you aren't a desirable target for government spying, but I understand we all have different definitions and opinions of what the feds may have planned or what constitutes a "desirable target."
Now, this may sound shocking or cavalier, but if you're a Google customer and you transmit confidential information to their systems, you shouldn't be doing anything differently - with one special exception which I'll discuss below. Why is that? Because you've had your data in the hands of others all along and safeguarding it to the best of your ability, not to mention your level of comfort, has been a priority from the get-go. Hopefully it's an ingrained habit.
This means not sending messages through Gmail containing information which might ruin your organization if leaked (such as an announcement about an impending buyout offer).
Yes, your browser connection to Gmail is encrypted via certificate as shown above, but that only protects you against someone sniffing traffic between you and Google. In this case the NSA was monitoring data between Google data centers, meaning they were already inside the perimeter.
Good security practices also mean not storing information on anyone else's servers unless it's protected by strong encryption. For instance, I use TrueCrypt to create virtual encrypted disks (also known as containers) which I can mount as a drive by entering my password (which is over 18 characters). Nothing I don't wish to share with the world is kept online other than within these TrueCrypt containers. This certainly gave me peace of mind when I lost a smartphone in New York City last summer which had copies of my TrueCrypt containers on it.
If you encrypt your data with a long, random 256-bit key (some feel 128-bit is sufficient, but the key to that is the length of the key!) it is virtually impossible for someone to guess the password via "brute force" computation. Upload this encrypted information to Google Drive and you can rest easy. Yes, it may be a pain having to mount and unmount the TrueCrypt container to add or change information - not to mention resynchronizing the saved file up to your Drive account. However, that's simply the price tag for keeping sensitive material off-site.
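The key sizes and password length mentioned above can be put on the same scale. The following is an added example, not part of the original article: it estimates the entropy of a randomly chosen password and shows that a password-protected container is only as strong as the weaker of the password and the cipher key. The 94-character alphabet and the guess rate are assumptions chosen for illustration.

```python
import math

# Assumption: the password is chosen uniformly at random from the alphabet.
# Human-chosen passwords have far less entropy than this upper bound.
PRINTABLE_ASCII = 94            # letters, digits and punctuation, no space
ASSUMED_GUESSES_PER_SEC = 1e12  # hypothetical attacker rate, not a measurement
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a random password of the given length."""
    return length * math.log2(alphabet_size)


def effective_bits(length, key_bits, alphabet_size=PRINTABLE_ASCII):
    """Strength of the container: the weaker of password and cipher key."""
    return min(password_bits(length, alphabet_size), key_bits)


def min_length_for(key_bits, alphabet_size=PRINTABLE_ASCII):
    """Shortest random password whose entropy matches the cipher key size."""
    return math.ceil(key_bits / math.log2(alphabet_size))


def years_to_search(bits, rate=ASSUMED_GUESSES_PER_SEC):
    """Expected years to find the secret (half the space) at the given rate."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for length in (8, 18, 20, 40):
        bits = effective_bits(length, key_bits=256)
        print(f"{length:>2} chars: {bits:6.1f} bits, "
              f"{years_to_search(bits):.2e} years at the assumed rate")
    print("length to match a 128-bit key:", min_length_for(128))
    print("length to match a 256-bit key:", min_length_for(256))
```

Under these assumptions an 18-character random password carries just under 128 bits, so with a 256-bit cipher the password, not the key, sets the real strength of the container.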
As for passwords, you are changing those on a regular basis, right? Same goes for your encryption keys (I realize I just stated it's impossible for someone to guess the password but how many of your ex-employees might know it?). What about ensuring your company workstations are free of malware, keystroke loggers, and other threats which can impact your privacy? How about making sure your wireless networks are locked down and your routers aren't using the default passwords? Hopefully you can see where I'm going with this. Threats will always be present whether inside or outside, and require the same measures.
Now, I need to talk about that special exception of what you should do differently, which I mentioned above. Be forewarned that encryption isn't necessarily a magical shield. The NSA is working hard to defeat or reduce the complexity of encryption. For instance, not all encryption products are ironclad; the NSA has engaged security vendors to devise back doors which they can exploit. Open source products are your best bet - and TrueCrypt is one such example. Best of all, it's free.
It should also be noted that in response to this incident Google is encrypting the connections between data centers, meaning that the traffic within their systems will be more difficult to snoop on. Google is making it clear their priority is to maintain the security of their customers.
Going forward from here
I don't believe this issue is sufficient cause for concern to compel companies to opt out of using Google products. In-house systems and services can pose similar risks and you can never guarantee with 100% certainty your data won't fall into the wrong hands. What you can do is tie those hands so your data isn't extractable no matter where it lives.
In the end, what with Google fighting back against the NSA, this episode may end up meaning little or nothing at all to you, so long as you've been following smart guidelines and safe habits.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.