Google plans on automatically encrypting its users’ Cloud Storage data.
“There is no setup or configuration required, no need to modify the way you access the service and no visible performance impact,” read a note on Google’s Cloud Platform Blog. “The data is automatically and transparently decrypted when read by an authorized user.” Data and metadata in Cloud Storage will be encrypted via a unique key under the 128-bit Advanced Encryption Standard (AES-128), with the per-object key itself “encrypted with a unique key associated with the object owner.”
Those who wish to manage their own encryption keys can continue to do so, and secure their data before uploading it to Google’s Cloud Storage. Google already utilizes server-side encryption for new data written to Cloud Storage (both new and overwritten objects), and plans on migrating and encrypting older objects over the next few months.
Why is Google choosing to provide automatic encryption now? The Cloud Platform Blog doesn’t go into reasons, but the blogosphere is conjecturing that the NSA has something to do with it.
Earlier this summer, government whistleblower Edward Snowden offered a set of top-secret documents to The Guardian that detailed a NSA surveillance program known as PRISM. According to those documents, PRISM siphoned information from the databases of nine major technology companies, including Google.
In emails to Slashdot, Google denied that it was involved in PRISM, or that it willfully participated in any NSA surveillance program. “Google cares deeply about the security of our users’ data,” a company spokesperson wrote. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
Following that denial, in a bid to show that its users’ privacy and security was its first priority, Google began a mighty pushback against the federal government. In June, Google chief legal officer David Drummond asked the government for permission to release more information related to the latter’s national security requests, including FISA disclosures; he wanted to show that “our compliance with these requests falls far short of the claims being made.”
Google needs users to trust it with their data—both to target ads, and to earn revenues from products such as the business version of Google Apps. If users suspect that the search-engine giant is letting a third party pick through their data without a warrant, a healthy portion of them would probably switch over to other cloud services—which could severely impact Google’s bottom line. In that context, Google automatically encrypting user data makes perfect sense: no matter how easy the encryption might be to crack by a government supercomputer, it could still give those users the sense of security they need to stay with Google.
Image: Martin Charles Hatch/Shutterstock.com