Google to encrypt cloud storage

[Moon Jones]

On 21.08.2013 00:40, rysiek wrote:
> Explained it already 2 times, if anybody else asks, I'll be happy to do it for
> the third time.

Ok. I think I get the point.

>> But do they have the legal right not to hold those keys? Or this matter
>> is irrelevant to you?
>
> This matter is very relevant to me. I believe if somebody is saying "we offer
> encryption", the encryption should be actually, you know, protecting the data.

My question was if they can, given the US law, do such a thing. You have 
repeated the previous statements.

I offer encryption means precisely «I offer encryption». If there is a 
full stop after that, than the rest is fantasy.

Take for example the fact that I do full disk encryption. I have the key 
somewhere. Now. Someone who has the key and the hard drive has access 
just like without full disk encryption. Including files that I have 
deleted through the regular delete and not some secure method. This does 
not make my hard drive any less encrypted than it is.

Now take another example: food containing dead pig meat sold in an 
islamic country as chicken or just «meat». In the first case it's a lie, 
it might as well write «no meat at all». In the second is a lie by omission.

Do not confuse the two cases. Google never ever stated the rest. It's 
just your imagination.

> As it stands now, the GCS encryptions doesn't protect the data from government
> snooping, from a rogue admin that has access to the master key, and probably
> from several other scenarios.

Have they said «we protect your data from the government»? I am sure to 
have missed that one. Same goes for the other scenarios mentioned.

> And the Google's rep saying "we do not provide the keys to the government"
> reeks of PR-speak and deception. Of course they do not provide the keys, they
> can simply provide the cleartext, de-ciphered first via the master key.

What?

You are strange.

They do not have to. Most important providers are bugged BEFORE the data 
reaches their servers. So it's first the Men in Black. Than is the 
server. Than is my computer.

On the other hand you have the power of law. Once there is a data 
storage one can ask a judge to write a special kind of legal letter to 
which the storage manager HAS to comply. So the whole chain starting 
with the investigator and ending with the judge couldn't care less about 
key, algorithm, hard drive size, CPU type, how many GHz the memory 
bandwidth. They ask for the data and they are going to receive it or a 
very convincing explanation. That was established way before computers 
were invented. And if you care about this aspect you are free to 
campaign against it. It's ONLY between you and the law. Google, the 
investigator, the judge, the postal service and all the others just comply.

>> But that's not what they are saying.
>
> They are saying they use encryption, and with several keys/levels. They are
> saying that during the whole PRISM debate heating up, a debate mind you that
> has Google among the NSA cooperators. They are even claiming they are not
> providing the keys to the government, so as to suggest even more strongly that
> they have cleaned up their act:
>
> "A Google spokeswoman said via email the company does not provide encryption
>   keys to any government and provides user data only in accordance with the
>   law."

Right. This is precisely what I have read.

> When in fact -- as far as PRISM-related stuff is concerned -- they have done
> anything but.

Pardon my thickness. How?

>> Isn't it ironic? So Google SHOULD make things easier for you to tell
>> people to use other services?
>
> No. Google SHOULD provide safe, privacy-aware services and encryption that
> actually truly protects the data, or at least not claim to do so if they have
> no intention to.

Sure. Also the pope should stay away from gay people since the year 300. 
Rich people should help as many poor as they can. One should rise in the 
bus and give the seat to an old gentleman or lady. But we live in a far 
from ideal world. That to play your game.

Otherwise Google does that already. It's safe. Because then can send you 
an SMS to recover your free account at their expense. They ask the 
security question each time you log in from a different location. And so 
on. They are privacy aware as they don't share your emails with your 
inquisitive mother. Something you can't say of the postal service or a 
chatty general practitioner. And given the evil janitor or the evil 
admin steal the hard drive with your mail they won't be able to read it.

Sure, you can idealise it to the extreme. But in real life and real 
world that is already enough for a free / cheap service.

You too should be more concerned with the employer, school, relatives or 
neighbours than with NSA. Please do notice than I am not saying it's a 
good thing what NSA does. Only that it is a distant threat. One as 
concerned as you are already does have a personal mail server somewhere. 
One should give thanks to someone like RMS for the ability to have that 
at the cost of the hardware components plus the power bill.

> Or, using your "let's turn the tables and see where that goes" method:
> So Google CAN lie and deceive the users by claiming or suggesting to provide a
> level of service they have no intention of providing?

They don't lie. They don't deceive. Not in this case. The problem is 
elsewhere. Think about it a couple of minutes.

>> Sounds like the new anti–gay legislation in Russia: making it easier for
>> priests to preach homofobia.
>
> Nicely done. I see we have a Schopenhauer admirer. "The Art of Being Right" is
> a great little book indeed:
> http://en.wikipedia.org/wiki/The_Art_of_Being_Right
>
> I'm just not sure if that's #8, #12 or #32. I'd go for #32, I guess.

Guess that spells «time to give it up» for me.