Google is trying to put on a good show of security theatre recently, and the media is almost falling for it (via WaPo)
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.
I really want to say this means something, but it doesn’t. As we saw just a few days ago, the NSA is more than willing and able to put backdoors into everything. They could encrypt every bit of traffic between all of their servers, and it would be meaningless if they were forced to give away the root keys via an NSL, or had someone inside of Google who could place a “bug” or get the certificates themselves.
They almost recognize this, but miss the target by about a meter.
Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers.
No, it doesn’t make any difference with mass surveillance, none at all. If they don’t fight the NSLs directly and have a proven audited system to assure that there are no spooks inside planting bugs or giving out root keys, then they haven’t done anything more than security theatre.
This doesn’t change a thing. As long as Google is in the US and these NSLs get issued without any real oversight or transparency, they could one-time pad everything between their servers and it would mean very little. The system is compromised; it is proven to be compromised.
If you have a rusty piece of metal, no amount of rust paint will stop the rust. You need to get rid of the rust first. American businesses need to show that they are willing to actually defy these orders to prove to anyone that they are trustworthy again. Lavabit did, but they don’t have the resources of Microsoft, Google or Amazon.
Sucks, but it’s a fact. If you want secure transmissions and need confidentiality, you cannot use American services with any certainty anymore, even if they put on a big show.