Unnamed sources told CNET that Google is currently experimenting with encrypting Google Drive, and has already encrypted a small percentage of files.
The move arrives in the wake of revealed classified slides owned by the NSA which show that the government uses PRISM, a program that collates data provided by companies as required under the Foreign Intelligence Surveillance Act. PRISM does not collect encrypted data unless the government possesses a key.
Typically files are transmitted to Google Drive in encrypted form, but the data is stored in Google's data centers in an unencrypted manner. However if Google encrypts those files, then the company will not be able to divulge the stored content even if police obtain a search warrant for domestic law enforcement purposes, or if the NSA filed a legal order under the Foreign Intelligence Surveillance Act.
Currently the details surrounding Google's encryption experiments were not available to the sources, but there's speculation that the company may be performing the encoding and decoding on its own servers. If that's true, then a government agency wouldn't be able to obtain unencrypted text from customer files even with a search warrant or subpoena. Instead, they would need a wiretap order forcing Google to intercept and provide the user's login information the next time its typed in and submitted.
"Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device," said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco.
It's typically not standard practice to encrypt files while they're stored in the cloud, but to provide a secure, encrypted connection when uploading and downloading those files. That's due to the complexity and the difficulties in indexing and searching encrypted data. The additional computing also comes with an added expense. That said, will Google charge an extra fee to provide on-site encryption, or will this added expense come straight out of Google's pocket?
Even more, will Google eventually be forced to break its own encryption to supply data to the government like Microsoft? That's what documents supposedly claimed last week, that the Windows company worked with the NSA to "circumvent the company's own encryption" as part of PRISM. In regards to Outlook.com., Microsoft General Counsel Brad Smith said that legal obligations force the company to pull specified content "from our servers where it sits in an unencrypted state, and then we provide it to the government agency."
There's that term again: unencrypted state. It's hard to imagine that our data resides on the cloud without encryption. The data is protected to and from the destination, but they're wide open for the taking otherwise. Of course, our files typically reside on our hard drives unencrypted, but that's a given: it's our hardware, and it should be a completely different story when data is stored alongside a stranger's own files on the Internet. Suddenly cloud storage has become an unattractive solution.
Still, Google, it seems, is trying to protect user privacy on the server side. CNET noted that Google is also fighting the Justice Department over secret national security letter requests in two separate federal courts. The company was also the first major company to adopt "perfect forward secrecy" for Web encryption. This technology protects the confidentiality of user communications even if a government is eavesdropping on the network.
