
Google tests encryption to protect users' Drive files against government demands - declan
http://news.cnet.com/8301-13578_3-57594171-38/google-tests-encryption-to-protect-users-drive-files-against-government-demands/
======
cliveowen
When I first set up my Drive account it wasn't the U.S. government I was
worried about, it was Google itself. That's why I put all of the files I
wanted to sync in an encrypted image (which you can create with Disk Utility
on Mac OS X) and then uploaded the image. Also, to avoid re-uploading the
whole shebang (which is more than a GB) I use a sparse bundle disk image which
means that if I modify a single file only a small portion of the image will be
re-synced with Drive.

~~~
toomuchtodo
I do the same thing, but with Truecrypt and Dropbox.

~~~
guiambros
Hmm, does sparse bundle work well with TrueCrypt? Any consistency issues when
sync'ing with Dropbox?

~~~
toomuchtodo
I didn't use a sparse bundle, just a TrueCrypt container. It uses the full
space allocated on disk, and I've rarely had an issue (1-2 times over 4
months) with Dropbox syncing.

~~~
guiambros
Thanks. I researched more, and it seems that TrueCrypt still does not support
sparse bundle, so that's still a no go. The only option is to do what you did,
sharing a full container.

But if you have a big container (say, 1GB or so), it has the drawback of
re-syncing the file back-and-forth. And if you have multiple devices (including
mobile, etc), this would easily become a nightmare.

That's a bummer. I _love_ TrueCrypt for local encryption of filesystems and
containers, but I wish I could use it as a lightweight, on-the-fly, encryption of
files. Particularly Dropbox and other cloud-based storage.

------
dmix
The same Google whose new strategy - only two months ago - involved disabling
the ability to use off-the-record on Gtalk by default in chat? Or using
third-party OTR plugins (with real encryption) by replacing gtalk XMPP with Google
Hangout?

[http://news.en.softonic.com/google-chat-history-can-no-longer-be-turned-off-by-default](http://news.en.softonic.com/google-chat-history-can-no-longer-be-turned-off-by-default)

> One of the features of Hangouts that was really emphasized at I/O, was that
> you will no longer have to worry about losing anything. Chats are kept, and
> everything you share, like photos, is put in folders and stored.

~~~
rdtsc
> was that you will no longer have to worry about losing anything. Chats are
> kept, and everything you share, like photos, is put in folders and stored.

Let us help you by monitoring you better and recording everything you do. For
your convenience and protection of course.

You know, I didn't like them. Now I despise them. They said that with a
straight face. They could have just you know, not say anything, or say
Facebook is doing all this stuff we can't fall behind we need this data on
you because we want to target ads better or we have to comply with government
regulations. That's fine. I understand that. But telling people how this is
for their convenience is really demeaning.

~~~
magicalist
> But telling people how this is for their convenience is really demeaning.

I see your intention here, but I think you've stepped out of touch with the
vast majority of users here, and I don't mean the "people just want to share
their lives on facebook, privacy be damned" kind of way.

"Chats are kept, and everything you share, like photos, is put in folders and
stored" really is a feature that people want. Not being able to set a default
for do/don't save all chat history should be fixed, but what you quote really
is for convenience.

I search over my gtalk history _all the time_, as just as much useful
information is in there as is in my email. I don't use the Google+ picture
auto-upload, but I do use the Dropbox one, so that all the pictures I take
with my phone are automatically uploaded to my dropbox folder and available on
all of my computers. Those things are really convenient, and I love not having
to have to think about them; they're just there when I do need them. I don't
see how that could be possibly construed as only motivated by ad revenue and
government regulations.

What needs to come along with those features:

1) easy to disable/enable with good granularity (per feature, per contact,
altogether, etc)

2) possible to secure client-side if I want to

3) government needs to demonstrate probable cause to get warrant to get access
to what is not secured client-side

4) I need to be notified within a reasonable amount of time of a warrant being
served

None of those things preclude these kinds of "nothing is ever lost" features.

~~~
tracker1
3) FISA's 3-hops rule just means that you have to have an acquaintance that
has an acquaintance that has an acquaintance that is on some investigative
list for said warrant to apply to you.

~~~
magicalist
Yes, I'm certainly not claiming that those needs are met by the situation that
we have now.

------
pppp
If it's not client-side encryption (where only you know the password and the
stuff is encrypted on your machine before it is sent), then it's a
non-starter. The government can just order Google to bypass the protections for
their suspect.

~~~
declan
I understand that's your legal theory. The article says, however, that remains
an "unanswered legal question" in the United States, according to Jennifer
Granick at Stanford's CIS.

------
FellowTraveler
I've already lost all faith in Google.

I recommend SpiderOak as a replacement for Google Drive.

Also, don't forget Bittorrent Sync.

~~~
stfu
Google: _the company may be taking a different approach by performing the
encoding and decoding on its servers._

SpiderOak: I wish there were some open source cloud client similar to
TrueCrypt. Something that were really easy to use, working on every system and
open source. SpiderOak's client seems to be still mainly a closed source
product.

~~~
zorlem
Have you tried duplicity [0]? It encrypts the archives using GnuPG, uses two
separate keys - one for encryption, the other for signing, and can store the
backups using a multitude of protocols [1]:

> Currently local file storage, scp/ssh, ftp, rsync, HSI, WebDAV, Tahoe-LAFS,
> and Amazon S3 are supported, and others shouldn't be difficult to add.

It is libre software and cross-platform. A number of front-ends address the
issue of ease-of-use.

[0]: [http://duplicity.nongnu.org/](http://duplicity.nongnu.org/)

[1]: [http://duplicity.nongnu.org/features.html](http://duplicity.nongnu.org/features.html)

~~~
dmix
I prefer Tarsnap.

cperciva posted why Tarsnap was more secure and cheaper than Duplicity a while
back:

[https://news.ycombinator.com/item?id=459334](https://news.ycombinator.com/item?id=459334)

------
webwanderings
Last time I was using Drive, I ran into trouble re-syncing my files with
Drive after a crash. I had a copy of my files on a hard drive which I was able
to bring back in. I reinstalled Google Drive to learn that Google has no way
to avoid the resync (ultimately making duplicates). So I gave up on Drive
altogether. Their encryption efforts won't be winning me back.

------
thret
"PRISM. The utility collates data that the companies are required to provide
under the Foreign Intelligence Surveillance Act -- unless, crucially, it's
encrypted and the government doesn't possess the key."

Couldn't they just use a hand-wavy encryption like a Caesar cipher that meets
the legal requirements without actually making storage any harder?

------
RachelF
We use an app called Syncdocs to encrypt everything locally with AES256 before
uploading it encrypted to Google Drive. It is simple to set up and seems to
work well.

[http://www.syncdocs.com/how-to-set-up-google-drive-encryption/](http://www.syncdocs.com/how-to-set-up-google-drive-encryption/)

~~~
LeeLorean
Syncdocs and Boxcryptor are quite similar. What I like about Syncdocs is it
enables EncFS for the folders selected to be encrypted, too.

------
jlgreco
Does anyone know of a good way to use Google Drive from Linux securely? I'm
currently sitting on a 1TB Drive account with nothing really to do with it. I
tried fuse-google-drive and it was so broken it was unusable.

~~~
mateuszf
I'm not sure how Google Drive works for synchronization, but if it does like
for Dropbox (automatic filesystem sync) then you could use EncFS or git-annex
with encryption enabled.

~~~
jlgreco
Ah, I should be more specific: My issue is with accessing Google Drive on
Linux at all, let alone with my data encrypted. An encrypted rsync-style
remote with git-annex would be ideal of course.

I'm going to give insync a look, though I'm not thrilled about paying for
something to access cloud storage that I'm not paying for.

------
newsign
SpiderOak is the best solution ... client side encryption and fully secured
with zero-knowledge policy ....Bye Bye Drive, Skydrive & DropBox :)

------
tracker1
If Google handles the communications channel, and the "encryption" software,
they still have access to everything.

------
decryptthis_NSA
This sounds like an ad for Google, including the Microsoft and Verizon
bashing. The truth is that Google 'needs' to see the messages, all your other
info and documents in clear text to serve ads and mine them. That's their
business model and they aren't about to change it.

Oh and as others said, NSA can force them to do what Microsoft did.

~~~
ok_craig
There are no ads in Drive. You pay for storage, that's how it makes money.

------
hannibal5
This would mean that Google would not be able to data mine user data for
relevant ads. If Google wants to take a small fee from the encryption, I would
be OK with that.

It would be also nice to have an option where my data is being stored (again for
a fee if necessary). I would like mine in their Finnish data center.

~~~
Kapura
> If Google wants to take a small fee from the encryption, I would be OK with
> that.

You shouldn't have to pay a company to make sure they don't share your data.
That is, in essence, what you're suggesting: you pay Google, they encrypt your
data and when the government comes a-knocking, it's safe. It's like a hack in
a broken system.

~~~
kyzyl
That may be true, but the broken system is the government, not Google. Google
appears (being the operative word...) to simply be doing what they can in the
current system.

However, I think you somewhat sidestepped hannibal's point. My impression was
that he was saying that just by putting your files in Drive for Google to
mine, you are effectively paying google. If they encrypt your files, it's akin
to them discontinuing their monthly fee (or whatever) for the service.

So sure, if you're already paying a fee for a service then _maybe_ you
shouldn't need to pay extra for the luxury of privacy (make no mistake,
privacy _is_ a luxury these days), but Google encrypting their revenue stream
means you are substituting the ad fee for the encryption fee. Seems fair to
me.

