

Asking the U.S. to allow Google to publish more national security request data - Lightning
http://googleblog.blogspot.com/2013/06/asking-us-government-to-allow-google-to.html

======
slg
This is the kind of response I was expecting from tech companies. The mistrust
of the government has extended to this industry and we can't simply rest on a
simple denial of the accusations. Many people now believe that companies like
Google send a complete copy of their entire customer records to the NSA. That
is a dangerous belief and like discussed on other threads here, it could
really damage the long term viability of the tech industry. This is at least a
start to try to change public opinion.

~~~
EthanHeilman
It could really damage the long term viability of the __US__ tech industry
dealing irreparable damage to one of the major assets of the US economy has. I
would expect companies that need a strong international security reputation to
begin closing up shop and moving away.

The NSA just killed the goose that lays the golden egg and not much is going
change that.

~~~
slg
I disagree that this is a problem limited to US companies. With the global
nature of the tech industry, I think a product's or service's country of
origin has seen a reduced importance over the years. I don't think the average
consumer knows that Waze is based in Israel. I don't foresee anyone
considering the NSA and choosing a Canadian designed Blackberry phone over a
US designed Apple one. Instead I think this will just instill a general
distrust of technology and the cloud. I doubt people will be discerning enough
to focus their suspicions.

~~~
EthanHeilman
I think it will cause a deinternationalization of the technology industry
since each government will want it's citizens to use local tech (if you think
governments can't force this look at S. Korea and IE). US companies are some
of the most international, so this will hurt US companies the most and it will
reduce the margins of all the big players across the board (that is, short
GOOG).

~~~
cinquemb
Maybe corporations could go off the coast of nation states[0]… not that they
will beyond the influence of them, but states may have no legal authority over
them under those circumstances so they may have more freedom to be more
transparent to the public because of their interests to their bottom lines.

[0]: [http://www.seasteading.org/about/](http://www.seasteading.org/about/)

------
saalweachter
While I'd like to know how many secret requests are being made to whom, why
should I ever believe any numbers?

We're living in crazy-town, maybe we always were. What is to stop the A.G.
from publicly saying "Yes, disclose away!" and then to privately send one of
those magic-do-anything-we-say requests saying, "Don't disclose X, Y, and Z."?
Or if we are given an accurate count today, what is to prevent the government
from in the future secretly retracting that privilege?

I think in the end we can be satisfied by nothing less than some sort of "Too
Many Secrets" Constitutional Amendment, stating clearly that no private
citizen can be required or compelled to partake in a "National Security"
cover-up, so that everyone currently bound up in the web of lies could speak
up without fear of persecution.

That is what galls me as much as anything. If the government wants to gather
data and keep secrets, let them gather and keep them themselves. Drafting
people against their will into compulsory service in signals-intelligence,
forcing them to lie to their loved ones and the world, and persecuting them
for honesty, is absolutely amoral.

~~~
bo1024
Good point. If they can force companies to lie about the existence of FISA
requests, why wouldn't they force them to lie about the number of such?

~~~
kvb
What lies have companies told?

~~~
bo1024
From the news I've read, my understanding about FISA is that if someone asks
you whether you've been subject to one, you're legally obligated to lie and
say no. Right, or am I missing something?

~~~
mokus
If that is the case, it seems like a very risky move. If I were so ordered,
for example, I would immediately seek to challenge it on the basis of the
first amendment. Not the free speech part - the free exercise of religion
part. My religion explicitly states "thou shalt not lie".

EDIT: well, technically it says not to 'bear false witness against thy
neighbor', but it certainly would not be hard to justify a religious objection
to that requirement.

------
tptacek
In expressing his view that Google is being harmed by USG's lack of
transparency (combined with the godawful operational security of the
contractor-run intelligence agencies), is Google's chief counsel here starting
to build the standing to sue the government?

If this whole debacle sets up an epic confrontation between Google and the
DoJ, I may have to reevaluate how irritated I am at how "Prism" has been
reported. More Greenwald agita! Let's see if we can pick a fight!

~~~
jeremyjh
This is wishful thinking.

I have two ideas that are just as well supported by the complete lack of facts
that we all have.

First, that Google is setting us up to believe a half-truth related to FISA
letter counts. There are such numbers, we will get them, and they will not
include all surveillance conducted with Google's data but anyone who says that
will be back to being a crank.

Second, that Google perceives an existential threat to their company along two
related but separate axis. The first is that their customers will leave, but
that is less likely than the second. The second is that their best employees
will leave. Googlers will not want to consider themselves as clerks in the
Ministry of Truth. If they and their peers began to think about it in that
way, then they will leave and the business will eventually die. If their
employees have a credible excuse to think of their employer as a noble
crusader, then this threat is significantly mitigated.

~~~
tptacek
How is that claim falsifiable?

~~~
jeremyjh
It isn't a claim at all, its simply speculation. I think you raise an
interesting point though, which is that there is no possible evidence,
testimony or papers written by blue-ribbon commissions (coming in 2017!) that
will ever "settle" these questions in some quarters.

------
jroseattle
Unfortunately, the statements from everyone involved have made me skeptical to
the point I feel I have to consistently read between the lines and pick a
statement apart.

What does "unfettered access" mean? What are "valid legal requests"?

While there is an implication of spirit in their words, I know deep down that
everyone involved is focused on the letter of their words.

This has nothing to do with my personal trust and confidence in Google, but in
my trust and confidence in this entire charade. Google is part of it, whether
they're on the right side or not. I simply cannot tell.

~~~
acqq
Exactly, if the requests exist only to cover the legality of the access of the
U.S. citizen data as long as they are on U.S. soil, the numbers they mention
would still represent just a small piece of the whole picture.

At least they mention in one sentence "the number of FISA national security
requests that Google receives, as well as the number of accounts covered by
those requests" which is already much more useful information than only the
"number of requests." We saw that in Verizon case one single request was
enough to mean "give me all about everything from everybody."

------
WestCoastJustin
You have to think, that with the limited data they are allowed to release,
this must be extremely frustrating! A true rock and a hard place. The general
public are led to believe, that they are willing to conspire secretly together
with the government, to spy on their customers, must not only be infuriating,
but brand damaging! Then you are required by law not to defend yourself ;)

p.s. I'm taking google at their word -- that they are not giving 'direct
access' to the NSA. I am assuming they know, that the truth could leak out at
some point, where they to lie about it.

~~~
spankalee
As a Google employee I find it extremely frustrating. I'm sure it's even more
so for the executives and founders who created the brand and are being
personally questioned and attacked on top of it.

------
lignuist
I'm more interested in the international numbers, as US politics seems to
differentiate between US citizens and non-US citizens when it comes to human
rights.

Edit: Or is this also including requests for users in other countries? Sorry,
English is not my mother tongue, so I might got it wrong.

~~~
asperous
I believe, if it continues as it is currently, the numbers are government
requests, and how many users effected. There is no check or distinguishment in
whether the government and the user's country match.

They also publish non-us government requests as well.

------
anoncowardftw
So I'm a bit confused. Google has been happily complying with NSA without a
care or concern in the world. Now some news leaks that they have been..
Happily complying with NSA without a care or concern in the world.

So they release an "open" letter trying to redirect the masses attention, and
I'm not a little shocked it's working. People are actually praising Google?
WTH? If Google really cared this letter is like 5 years too late doncha think?
Google cares about one thing! That they got caught not giving a crap about the
privacy/rights of their customers.

News Flash, they still don't give a crap. But hey, if losing gmail, google+,
picasa, blogspot, drive etc. would just cause your world to fall apart, then
keep using it and just be honest that you don't give a crap about your privacy
or rights any more than Google does.

~~~
mrschwabe
The sad thing is that this letter is currently frontpage/top of HN. The #1
most important company implicated in this NSA leak; the very company accused
of co-operating & enabling the NSA's intrusive violation of our privacy - is
now enjoying this great exposure at the top of HN as 'hackers' eat it up.

------
ben_pr
The issue here is that Google doesn't know how much data the NSA collects. The
NSA has access to the internet backbone that Google uses and can read whatever
traffic it wishes that leaves the Google network. Obviously this is not
everything but most everything. It is a low view of the NSA to think that they
do not have the ability to real-time decrypt SSL certs from every major SSL
cert authority. So while Google can claim they do not allow the NSA direct
access to it's servers that is only a small comfort in the big scheme of
things.

This sort of response from Tech companies is just a distraction from the real
issue.

~~~
jmillikin

      > It is a low view of the NSA to think that they do not
      > have the ability to real-time decrypt SSL certs from
      > every major SSL cert authority.
    

The technology required to break SSL is sufficiently advanced that any
organization possessing it would probably have easier ways to collect data,
all of which would grossly outmatch all known security precautions. There
would be no need for any of these sneaking-around stuff because breaking SSL
is an instant win condition.

~~~
nitrogen
The only thing required to "break" SSL in the absence of some serious protocol
flaw is either the ability to MITM connections with a CA-signed certificate,
or possession of the private key used by the server.

~~~
packetslave
You should educate yourself on Perfect Forward Secrecy and pinned
certificates.

------
ChuckMcM
Ok, so its a bit snarky, but I wish Google would invest as much cleverness in
evading the letter of these non-disclosure rules as they do in evading the
letter of the tax laws in their various jurisdictions. Perhaps they could
create Google Panama Ltd which is the official entity to petition for all FISA
and NSL requests which is an independently operating subsidiary based in
Panama and outside the jurisdiction of the disclosure rules or something.
There are a lot of smart people there, you can figure this out.

~~~
jholman
It's not just snarky, it's preposterously unreasonable.

How much work do you, personally, put into making money? At least 40 hours a
week, I'm guessing, plus the time you spend on managing your investments,
doing your taxes, and so on? How much work do you put into maintaining your
own privacy? Is it even 1 hour per week, on average? Really?

Note that Google has, allegedly, already put a LOT of work into pushing back
on ensuring that due process is followed. Many engineers, many lawyers, lots
of executive-decision-effort.

Maybe you don't believe anything Drummond or Page say? Maybe you think
google.com/transparencyreport is purely fabricated? Maybe you think Google
should violate the law and get shut down (that's what you said, actually, with
"evade the letter of the law", but I find that position so laughable that I
assume I misunderstood you)? Maybe you yourself actually DO spend the same
time on privacy that you spend on pecuniary gain, or maybe you expect Google
to hew to a higher standard than you yourself do?

~~~
ChuckMcM
Not precisely a rebuttal (you missed my point) but an interesting point in
it's own right which I read was "Can you evaluate dollar value of privacy
using the dollar value of your income stream?" And doing a sort of solve for X
thing where you end up with hours invested in maintaining privacy becoming
valued at hours invested in generating income. If I misunderstood please let
me know, but assuming that I got the gist of it...

For me, I don't believe there is even a piece wise approximation between time
investment and privacy value because the tools are so much different and the
available actions being constrained. To illustrate where I get hung up on that
reasoning, if you build a phishing page setup and contract a botnet to spam
few hundred million people with phone phish-spam, you might get a lot of
"income" for a relatively small time investment, similarly you can get greatly
increase your privacy by investing in forged identity documents. So at the
least we would have to constrain the hours invested in legitimate ways to
enhance ones privacy and legitimate ways to enhance one's income.

Next there is an issue of facilitating the effort, so when company A sells me
raw materials at a modest markup they facilitate my ability to make a living
using them to provide said raw materials.If instead they were to charge an
extortionate mark up, I might still be able to make a living but I might find
the effort to do so requiring many many more hours of time investment. So at
what point do the actions of my raw materials supplier work for or against my
efforts at generating income. Similarly the provider of my tools can make it
easier or less easy for me to maintain my privacy, so for example a Google
Drive plugin which let me keep everything on their servers encrypted. If
Google provides that then its a small number of hours invested to enhance my
privacy, but if I have to rely on a third party who is acting without support
from Google, then it takes many more hours for the same level of enhancement.

Given these built in and essentially intractable forces which affect the
efficiency of hours invested needed to achieve the desired result, I am not
persuaded by your claim that I can evaluate the 'worth' of privacy using your
proposed reasoning.

Google can, and apparently does, to things like warrant notices where if you
are suddenly asked to reconfirm your acceptance of their terms of service it's
a signal that a warrant was served to them that they had to turn over your
data. I think these sorts of things help them in the eyes of their users and
are not illegal. They meet the letter of the law and so are not actionable,
just as their transferring of rights around amongst their national
subsidiaries is a completely legal way of not paying more tax.

My call to action was to try to think of ways that would make things like the
PRISM data not useful to the NSA and yet meet their obligations under the law.
I mentioned one (in cloud encryption with client side decryption) but I am
sure there are others.

~~~
jholman
Okay, 80% of your comment is replying to a framing that you chose earlier.
_You said_ Google should spend comparable amounts of effort on X and Y. In
that context, I pointed out that no one spends even 10% as much effort on X as
on Y, so why would you ask Google to, and you're being completely unfair. YOU
chose this context.

And I am _highly_ skeptical about this "reconfirm your TOS, as a hint that
there's an NSL on you". (I have no inside knowledge of this, and if I did I
would lie to you about it.) But if any engineer did that, and got caught,
they'd go to jail. Given that 99.9% of users who're NSLed will not have read
that blogpost (the crazy tinfoil-hat wild-speculation one that started this
rumour), what would be the benefit? No benefit, but one conscientious engineer
goes to jail. Yay.

Law, in general, is just as concerned with the spirit of the law as the
letter.

My whole reply is that Google is already working harder on privacy, as a
fraction of total resources, than nearly anyone you've ever met, and certainly
more than nearly any corporation. (Unless Google is lying about basically
everything, which I can't/won't prove they/we are not). Your expectations, as
originally stated, are unreasonable.

Disclaimer: And yes, I have a vested interest. Hopefully my argument stands on
its own merits. Your call to action is insulting.

~~~
ChuckMcM
Fair enough, we've spent a lot of effort at Blekko (also a search engine) at
being conscientious designing ways that we can dis-associate data from users
in order to protect our users from data that can be tied back to them. Since
our taxes are reasonably straight-forward at this point it is entirely
possible that we've invested more time in keeping peoples identities protected
in our data than we have in minimizing our tax burden. We are a prima facie
example of "someone" who has spent more effort on X than Y. But arguing
exemplars misses the point.

I am sure that Google is a much different place than when I left it, hell it
was different between the time I joined and left. That said ...

The comparison I was trying to make, and I grant you that it is imperfect, is
that Google, like Apple, has billions of dollars in free cash flow and in
legal testimony lately they have shown great creativity in ways to shuffle
that cash around so as to avoid being required to hand it over to various
revenue agencies. Google is also has billions of data points about all of the
individuals that use its services. If those data points were dollars, and the
revenue agencies were intelligence agencies, what creative ways might they
come up with to disassociate which data point belongs to which user such that
they could still use the data but not be compelled to hand it over. Just like
they use those free cash dollars rather than hand some percentage over as tax.

I've got nothing but respect for the smart people at Google, and still have
friends that work there (and folks who used to work here and are now working
there :-). Perhaps I'm misreading your tone but it sounds like you want to
pick a fight.

------
jka
Aggregate number of requests is one thing, but perhaps some indication of how
much content is provided with the average request would be required to really
indicate what is going on here?

An API may serve millions of requests per day and return single-integer
responses, or it might serve one batch query per day and provide a nested
document with many sub-sections.

~~~
rasterizer
"millions of requests per day"?! the number of FISA requests since 1979 is
just short of 34,000: [http://www.motherjones.com/mojo/2013/06/fisa-court-nsa-
spyin...](http://www.motherjones.com/mojo/2013/06/fisa-court-nsa-spying-
opinion-reject-request)

Let's try and keep the speculation to a minimum.

~~~
masterzora
It seems less like speculation and more an example of how raw number of
requests doesn't mean a whole lot in and of itself.

------
mtgx
I'm only upvoting this not because I have much loyalty or trust left for
Google, but because I want many other companies to follow their lead and
_flood_ the Administration with such requests.

I still feel this does very little, though. They need to be asking them for
much more. They need to ask them to end the spying. Until then I'm still
hoping Google, Microsoft, Facebook and others will _suffer greatly_ for this
abroad, and lose a ton of business and customers, both small and major.

Maybe then they'll start doing some real lobbying to the government to end the
madness, and maybe the government will stop thinking all the spying is worth
breaking all international relationships and hurting the US economy in the
process.

Until that happens, if Google cares that much about encryption and their
users' privacy, they should show me they are willing to implement OTR, ZRTP
and PGP in their services. The same goes for Microsoft and Facebook.
Otherwise, this press release means nothing except for showing that "they are
doing _something_ ".

~~~
tptacek
So you'll be happy when the US ends all foreign signals intelligence? Or makes
the Internet a safe haven from signals intelligence?

Also: by offering PGP in GMail, Google would _harm_ online security. If you
want PGP, install it on your computer. Google won't do anything to stop you.

~~~
rdl
1\. Google probably should offer passive S/MIME on mail. START TLS goes a long
way, but providing the same signals about message authenticity to people who
IMAP from gmail as who use the web UI would be nice.

A non-google-trusting way to do PGP with a better UI/UX would also be a nice
feature for gmail. Just indicating "encrypted" at the message-list view or
something. I have PGP working quite nicely in mutt, but a lot of people seem
to prefer webmail.

2\. I'd actually prefer a world where signals intelligence, outside extremely
tactical intelligence, were impossible through technical means. I think we'll
be there at some point, just because the cost of protection is dropping.

(confidentiality and message integrity _should_ be feasible for any reasonable
government defender at this point. traffic analysis/direction finding/etc.
burns bandwidth and latency budgets, so that might be harder, but you can do
arbitrarily well.)

The US (government and citizens/private industry) probably has more to gain
from universally strong COMSEC vs. effective USG SIGINT.

~~~
tptacek
I think I might prefer that world too. Now: how likely are we to be in that
world any time soon?

~~~
rdl
I'd bet "before 2025", absent some major catastrophe. First you build systems
which let platform developers centralize trust, then the essential step is
letting individuals or organizations pick their own roots of trust (and some
kind of crazy web of trust thing for interchange).

We're doing a pretty good job on mobile of "centralized trust", and also sort
of with cloud infrastructure, if not apps.

At least, we'll have secure infrastructure on which people can continue
writing insecure applications by 2020-2025. The "people writing insecure
applications" won't stop until people stop writing applications, hopefully
replaced by non-humans writing applications, maybe in 2050+.

------
malandrew
Please also request tagging for each of the requests. e.g.

    
    
        2013-07-12
            Foreign National
            Drug Related - Cocaine
        2013-07-18 
            US Citizen 
            Drug Related - Marijuana
            Request from FBI
        2013-07-22 
            Foreign National
            Terrorism Related
        2013-08-01
            Foreign National
            Industrial Espionage
    

I think it's really important that we know how many of the requests have to do
with the existential threat of terrorism, since that is the example the
administration and Congress keep using to justify these actions.

The more metadata the better. If they want our metadata, it's only fair that
we get their metadata too, to be able to keep tabs on their actions.

------
hoytie
I suppose it would be nice to know how many FISA requests there have been, but
what does the number of requests have to do with the core issue? Is the number
of FISA requests in proportion to the amount of data being shared? Does it
tell us the nature of what is shared or how it is shared? We still know
nothing about the contents of legal FISA requests and therefore can't really
say whether a single request violates our rights or not. Publishing aggregates
tells us essentially nothing because we still don't know the limits of a
request, or at least I don't.

------
mpyne
The cat's definitely out of the bag anyways, so Drummond is definitely right
that mentioning FISA numbers can't further harm national security. Make the
right call, Mr. Attorney General!

------
malandrew
I would also like to see Google and other companies specifically fund counter-
surveillance technologies, like end-to-end human friendly encryption.

I would love it if Chrome came with a GPG chrome extension that worked with
Yahoo Mail, Gmail and other popular webmail clients right out of the box.
Mozilla should also have a plugin that comes preinstalled for this.

The limiting factor in adopting end-to-end encryption in email is network
effects. Preinstalling GPG support in browsers is half the battle.

------
mrschwabe
Who cares people? The gig is up on Google. They are in PRISM. Instead of
upvoting every piece of Google PR we should be ignoring their rhetoric and
distancing ourselves from this company; and the other 9 implicated in PRISM.

Secret partnerships with government agencies is detrimental to free market
capitalism and goes against the true spirit of entrepreneurship.

------
pvdm
The seed of doubt has already been planted. Sorry, I am looking to secure my
data and will not trust any third party ever again.

------
wmt
"Assertions in the press that our compliance with these [FISA] requests gives
the U.S. government unfettered access to our users’ data are simply untrue."

What about the non-FISA requests, has any of them given the U.S. government
unfettered access to user data?

What does unfettered mean? "You only can access all user data for 2 hours"
"You need to specify (through tickboxes?) all the user data you wish to
download to PRISM" "You only access all user data of all German users"

------
corresation
What are the legal ramifications if employees at Google also work at the
behest of the NSA/FBI/CIA (unbeknownst to Google)? It is one thing to compel
the organization to reveal information, but what are the legal questions
around essentially spies within the various corporations?

This very blog post mentions that Google hires some of the best security
engineers in the world. I'm sure having "prior" employment at the NSA would
look great on a resume, and put the person in a position to compromise
essentially all internal security and data integrity.

~~~
floitsch
Disclaimer: I work at Google.

I'm working on the client-side (Chrome) and my knowledge in the server area is
therefore limited, but from my understanding this would be really hard.

1\. Googlers have access to almost all source code. It would be difficult to
hide code that just sends data to an outside entity.

2\. Google continually monitors its (internal) bandwidth. This is done to
optimize traffic, and detect intruders. A rogue Googler would trigger the same
traps that are exist for potential hackers.

3\. Google's infrastructure changes. You can't just install a gateway to the
NSA and expect it to continue working for a long time. It's not as if user-
data was stored in simple text-files.

~~~
TomGullen
I see a big potential benefit for the NSA to have a spy within google who
simply manually pulls and relays info on people at th nsa's request... It
doesn't have to be a full Api

~~~
jpatokal
Access to sensitive data is strictly controlled, logged and audited, often on
a per-case basis ("I need read access to log X for 60 minutes to investigate
bug Y"). Even if your hypothetical spy did manage to worm their way into the
very, very select ranks of people who can access (say) Gmail data, he'd be
busted as soon as the auditors spotted him accessing the files of people he
has no reason to access.

------
ck2
If google wants absolution it needs to state it's saving no more tracking data
than the minimum required by law.

But it's saving a whole lot more than that. Much more.

------
aresant
Traitor or not, you can't argue with the fact that Ed Snowden just gave
Google, FB, Yahoo, MSFT, etc fighting ammunition to at least address these
issues with the government publicly, and for that I am thankful.

------
TomGullen
Googles lost my trust. To my newly discovered emabarassment I naively and
passionately defended them amongst my friends for several years. Seems like if
a company gets big enough it's ethical demise is a certain inevitability (yes,
I'm a little late to the party). What a pathetic untrustworthy world I find
myself now living in.

------
annnnd
Smart response. Very smart. Damage control at its best: "How we wish we could
tell you that it's not so bad as you think it is... but government won't let
us... Government, pretty please?"

They just put the spotlight on Administration, which of course won't allow it.
Smart.

------
hoytie
I'm really curious what they intend to share as what they describe as the
scope of the requests.

------
patrickmay
Asking is far too polite. Every citizen, not just Google, should be demanding
the end to these secret orders and secret courts. The government is supposed
to be our servant, not our master. We need to start treating it appropriately.

------
Lost_BiomedE
Really, this is exactly what I expect of people wanting to do the right thing
when in between a rock and a hard place. I imagine this is what I would do if
sincere and in their position.

Thanks Google.

------
spinchange
Now, THIS is deserving of a White House petition.

------
Ziomislaw
the first question anyone should ask themselves is - how do you know they will
tell the truth? they might be forced by their police state law to pretend the
numbers are low and you have no way to be sure. you can not trust any company
based in Police State of America, everything they tell you might be because
law requires them to.

------
o0-0o
Why doesn't the government just profile. We all know who the terrorists are.

------
furyofantares
> Google has nothing to hide.

Strange phrase to put in there.

------
return0
Are they allowed to disclose the nondisclosure order?

------
javyerderderyan
Too late...

------
etherael
From here on in this is the only privacy model I will consider trustworthy for
a cloud service;

You have the encryption key, the data on our servers is completely useless
without that encryption key. We are physically unable to be compelled to
comply with any orders to violate your privacy from anyone.

The only example of a cloud service I can think of that matches this off the
top of my head is spideroak and tarsnap, perhaps also the new torrent sync?
I'm not entirely certain how that works but I do recall a client side crypto
key being involved in there somewhere?

~~~
plywoodtrees
You can use things like Duplicity which locally encrypt backups and then store
them to arbitrary cloud services.

The problem is, if the data is opaque to the cloud service, it is very hard
for it to do anything other than passively store and retrieve it, at which
point it is not really a cloud service at all.

And even then: they can give logs to authorities showing what you accessed
when and from where, they probably know your credit card and billing details.

~~~
etherael
I have an 8gb truecrypt file on dropbox, pretty much regardless of what
they're compelled to do, it's secure. That's the model I think should be
standard for cloud ops.

However, you do bring up an interesting point, it is indeed harder to do
"useful stuff" when the store is untrusted and has no idea what it's holding,
string searches et al become pretty much impossible generally speaking, big
bummer there.

Perhaps this will be a good accelerant for the adoption of homomorphic
encryption algorithms?

~~~
plywoodtrees
'Visions of a fully homomorphic cryptosystem have been dancing in
cryptographers' heads for thirty years. I never expected to see one. It will
be years before a sufficient number of cryptographers examine the algorithm
that we can have any confidence that the scheme is secure.' \-- Bruce Schneier

Even without PRISM, the rise of cloud computing is a strong incentive for
people to try to develop _practical_ homomorphic encryption. Until there's a
practical algorithm adoption will be limited.

------
youngerdryas
>Assertions in the press that our compliance with these requests gives the
U.S. government unfettered access to our users’ data are simply untrue.
However, government nondisclosure obligations regarding the number of FISA
national security requests that Google receives, as well as the number of
accounts covered by those requests, fuel that speculation.

Sounds suspiciously like they are going to ruin everyone's nerd rage.

~~~
jlgreco
You really love that phrase, don't you? I'm sure in other communities it is a
great way to marginalize those with interests that you do not share.

~~~
haberman
It's one thing to care about privacy issues, it's another to believe (and
react to, and soapbox about) a distorted and inaccurate version of reality. A
lot of the "nerd rage" has involved people assuming facts that may not in fact
be true. People who do this marginalize themselves. In general we call them
"conspiracy theorists."

For the facts that do indeed turn out to be true, soapbox away.

~~~
jlgreco
As I have seen it used, _" nerd rage"_ is really just a way of saying _" if
you care about this, you are a nerd"_, which is implicitly wrong. If the
intent is to call into question the accuracy of statements, then there are
better ways to do that.

------
taktix
Google's statement is too stuffed with presuppositions and it comes off as
manipulative, at least to me.

If it wasn't for this earth-rattling leak, Google would still be merrily
handing over my emails to the NSA. Fail.

