
Re:publica 15: Google Promotes Privacy, But Not Too Much - kricko
https://tutanota.de/blog/posts/republica-google-promotes-privacy-but-not-too-much
======
pdkl95
[https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html](https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html)

In case anybody hasn't read it yet, Philip Zimmermann's essay on why he wrote
PGP is very relevant to this discussion. Google is effectively saying
_envelopes_ are not meant for common use.

Did you send everything by postcard back in the snail-mail days, only using an
envelope when the contents was very-important? If someone saw you mailing an
envelope, did they suspiciously ask what was so important that you needed to
hide it? No, wrapping your mail in an envelope was commonplace.

This is what we need to do for digital messages: wrap them in an envelope
(encryption). More importantly, we need a _culture_ that sees sending
encryption as normal. You may not be sending anything important at the moment,
but other people are, and if encryption is only used for "important" things,
it invites suspicion.

If Google has a problem with this, I suggest they find a new business plan.

~~~
tormeh
Not really a valid comparison. Encrypting a message is more like sending your
letter in a titanium safe.

~~~
pcrh
It isn't so bad. Tampering with mail is a federal crime.

------
danieldk
Does this surprise anyone? Google has contradictory interests when it comes to
encryption and privacy.

It has been at the forefront of pushing SMTP to SMTP encryption and HTTPS
everywhere. Google has to spread (and perhaps seriously believes in) the idea
that they transfer data securely, unreadable by the Five Eyes. Because the
perception that Google is in bed with the NSA et al. is seriously undermining
their reputation (especially in Europe).

On the other hand, scanning content for ads requires that they have unfettered
access to user data. If by implementing good end-to-end encryption e-mail
would not be visible to them anymore, their abilities to do user profiling of
those on and not on GMail would be impeded seriously.

If you want _real_ privacy, you should move out of the Google ecosystem. Their
terms of use are too far-reaching and their interest in your data too large to
assume that they would go all-in with complete end to end encryption of
everything.

~~~
petjuh
Unfortunately their services are too convenient. I use them for almost
everything I can, my reason being that they already know enough about me from
my google searches, so I might as well use every other service they have.

Plus they're encrypted so only they know it. Also, I'm not from the US so MY
government doesn't have access to their data.

~~~
Zigurd
Same here. But I also pay Google for various services, and the lack of privacy
bothers me enough that I would readily pay Google the relatively small amount
I'm worth to them as a data source in order to get privacy.

THAT's where Google's position, or at least this Google spokesman's position
is wrong: I'll give up both some convenience and some money to get more
privacy.

~~~
edwhitesell
But that's exactly the conflict: Google doesn't want your money, they want
your data.

Paying for more privacy is not and probabably will never be an option.

~~~
Zigurd
Ehhhhh. "Google, would you trade ad revenue for the same or larger
subscription revenue?" I think the answer would be yes.

~~~
edwhitesell
Most companies, yes. Google, no.

It's completely against their current models. They're basically telling
advertisers: You know that product we were selling you, that made us billions
of dollars together? We're not selling it to you anymore, but it's still
making us money.

------
bandrami
I remember end-to-end vs. point-to-point from my crypto class back in the
Pleistocene, so I thought I'd share the analogy my professor used just because
I loved it:

In WW2, the Allied Navies faced two main naval code strategies: Germany's and
Japan's. Roughly, the Japanese Navy sent their routing information in
plaintext, while the Kriegsmarin sent it in ciphertext. Because the German
routing instructions were encrypted, each node had to be able to decrypt
universally. Capture one U-boat, and, well, we all saw the movie.

In contrast, the Japanese navy sent the routing information in the clear, so
transceiving stations only had to read the routing information and transmit
the ciphertext verbatim: capture a Japanese sub and you can only decode
messages sent to that sub. _However_ , because the routing information was
visible in all transmissions, a lot of sideband avenues were opened up (you
may not know _what_ Yamamoto was sending to the Coral Sea fleet, but you're
damn sure interested in the fact that he was talking to them at 2am this
morning, particularly since you can then watch what they do.)

Anyways, not directly relevant to the article but a cool example of how far
back this question goes.

~~~
tomjen3
Why not encrypt the routing separately?

~~~
marcosdumay
Remember that those were different times. Computer science itself was born by
trying to break that crypto, and modern cryptography wasn't available.

A different key for each vessel would mean several passes through the
encryption machine, key tables distributed through several places, and the
requirement of specialized workforce where otherwise just typing stuff in a
machine would do. And all the errors that come with manually dealing with
that, all during a major war.

~~~
bandrami
_Computer science itself was born by trying to break that crypto, and modern
cryptography wasn 't available._

^^^ That.

------
a3n
"Because translation."

If they really said that, that's amazingly weak and clumsy.

I would have been impressed if they had openly said it's because they can't
analyze your email for ads and targeting.

In fact I'd be very impressed if they said up front, briefly and not implied
in a ToS book, that the reason you get free email is so they can read your
email.

~~~
pdkl95
If they really believe in their business plan, they should admit their real
motives; dissembling with such a weak excuse just gives Google that "shady
used car salesman" look.

The fact that they went with a dodge suggests they know that they risk a lot
of blowback if people started to learn about their actual business plan.

------
abritishguy
I don't need the extra security provided by end-to-end encryption for the vast
majority of emails I receive and send. I value that ability to search/filter
these emails far more than I value the security.

For the few emails I send where the value of the security provided exceeds the
lost value due to being unable to search I can, using their extension, enable
end-to-end encryption.

This system suits my needs perfectly, I appreciate that others may want all
the emails they send to be encrypted but why should Google cater to this -
they cannot make any money from encrypted emails.

~~~
JupiterMoon
Agreed. The question is. Can you perfectly, always and with regard for
potential future changes to what may be sensitive information decide which
ones to encrypt?

One email sent the wrong way when tired. One change in legislation (to e.g.
retrospectively criminalise an activity or legalise a certain type of
snooping). Now your company's IP is compromised. Or now your in jail. Or now
you can be blackmailed.

Furthermore the idea that you will be encrypting the mail may cause tired
future you to write something you wouldn't put on a post card.

So unless you are perfect and never ever click in the wrong place good luck in
this brave world of ours.

~~~
malka
What insane law system makes an action retrospectively criminal ? Does the US
law system allows this ?

~~~
ascagnel_
At least in the US, 'ex post facto' laws are specifically forbidden by the
Constitution:
[http://en.wikipedia.org/wiki/Ex_post_facto_law](http://en.wikipedia.org/wiki/Ex_post_facto_law)

~~~
amreact
True, but the US government doesn't even pretend to follow the Constitution
anymore.

Also, the Constitution can be amended. We can't guarantee that ex post facto
laws will remain unconstitutional for the duration of your lifetime.

Also, states are technically not obliged to abide by the US constitution.

~~~
dragonwriter
The first and last paragraphs are incorrect; you may disagree that the federal
government actually follows the Constitution, but that's a different issue.
And while many provisions of the Constitution address only the federal
government, States are still bound by it to the extent it addresses them, as
it does, among other places, in the 14th Amendment.

~~~
amreact
The first paragraph is correct because I clearly meant it in figurative
language, not literal language. Regardless, my point is this: the US
government does not obey the US constitution.

The last paragraph is correct in context. Specifically, with regards to
encryption, states are allowed to do whatever they want because the
Constitution doesn't mention encryption and because of the 10th amendment,
which states:

The powers not delegated to the United States by the Constitution, nor
prohibited by it to the States, are reserved to the States respectively, or to
the people.

The last paragraph is also correct because the ex post facto law clause of the
Constitution only applies to Congress, not the states [1]

[1]
[https://en.wikipedia.org/wiki/Article_One_of_the_United_Stat...](https://en.wikipedia.org/wiki/Article_One_of_the_United_States_Constitution#Section_9:_Limits_on_Congress)

------
amreact
Just brainstorming here. Here are a few ways in which you can get in trouble
with the law because of unencrypted online communications (these are ordered
from most likely to occur within 1 human lifetime to least likely to occur
within 1 human lifetime, IMO):

1\. You could travel to another country where they arrest you for something
unencrypted you did online in a country where it was legal. This has already
happened. [1]

2\. Your communications could become evidence in court that you "always had
radical leanings." So while you're not convicted for what you did online, it
still becomes evidence against you. I suspect this has already happened.

3\. You could travel to another country where retroactive laws are allowed,
and get caught because of something you said in the past in the US.

4\. The US could eventually allow retroactive laws, and catch you for
something you did before retroactive laws were allowed.

Note: these are just ways you could get in trouble with the law; not mentioned
are things like your reputation being destroyed, death threats, identity
theft, or malware due to lack of encryption. I also have not mentioned ways in
which your friends could get in trouble because of something unencrypted you
did online.

[1] [http://www.cnn.com/2015/03/05/middleeast/american-
arrested-i...](http://www.cnn.com/2015/03/05/middleeast/american-arrested-in-
uae/)

------
mikkohypponen
For what it's worth, I spoke at re:publica right after Eric, and commented a
bit on Google's privacy goals.

Video: [http://youtu.be/pbF0sVdOjRw](http://youtu.be/pbF0sVdOjRw)

~~~
dredmorbius
That should likely be a post in its own right.

------
blfr
Anyone who says that PGP is not meant for common use has 20+ years of history
clearly proving them right. Moxie doesn't believe it in[1], even PGP's own
creator doesn't use it any more[2]. OP is trying to make news out of nothing.

[1] [http://www.thoughtcrime.org/blog/gpg-and-
me/](http://www.thoughtcrime.org/blog/gpg-and-me/)

[2] [http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-
bi...](http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-
problem-qa-with-silent-circle-co-founder-phil-zimmermann/)

~~~
jordanthoms
Actually, I suspect PGP usage is increasing right now. It's very commonly used
in darknet markets, and they are growing very quickly and will probably
continue to do so.

------
mattmcknight
From my perspective, what I miss with decryption only in the client (where the
mail database is stored encrypted) is search. That's also the primary value of
Google Apps for me. Easy encryption across the Internet would be more valuable
to me than encrypted storage, but the option to have encrypted storage for
things that are really private would make sense. I tend to opt for alternate
channels with no storage in those cases though.

~~~
pdkl95
> what I miss with decryption only in the client ... is search

Yet another casualty of "software as a service". There could be better search
tools on the client, but the fad for the last decade has been to push vendor
lock-in and data mining instead of installable client apps. So now the full
consequences of those choices are starting to be recognized.

~~~
mattmcknight
Installable client apps just don't work from me. I need to access the same
email database from 4 different devices, including some I don't own and don't
want the data on.

~~~
pdkl95
Then your requirements are in conflict with security. You cannot trust the
network to do your encryption for you, and you can't trust a a computer you
don't own to handle your private key.

You may want to reconsider either dedicating some sort of portable device to
be your email that you carry with you, a multi-account system the separates
private email from the the email you can access remotely, or resigning
yourself and those communicate with to sending using only postcards (non-end-
to-end-encrypted email).

------
leni536
I tried to use PGP (gnupg) but it doesn't seem to be simple even for an
advanced user. Since I use Debian already it means that I implicitly trust
Debian maintainers. So I explicitly trusted one Debian maintainer in gnupg.
From there I thought that verifying other keys would be a breeze since I have
a trusted guy in the strong set. While there are online tools (at least one)
to find trust paths between IDs I didn't find a tool that does this
automatically and verify signatures through this. This should be seamless
without manually tracking down trust paths, manually importing keys that I
don't want just to verify an ID 2-4 hops away.

Here is my concern with the WOT: it's not clear what signatures mean. It could
mean "This guy can give out valid signatures" or "I verified that this guy's
name is John Doe" or "This is the key used to sign Debian isos", but these are
all implicit. Typically it's the first two which makes it hard to use PGP with
pseudonyms. When you verify a signature in PGP you want the following chain:

o--I trust this guy's signatures-->o--I trust this guy's signatures-->o--I
know this guy-->o

Other concerns: any way to rotate the master key would be nice. I wouldn't
assume that my master key won't be compromised in the next 50 years .Then I
would have to rebuild my whole WOT and revoke my previous master key (If I
can). Key distributon should be decentralized.

Maybe I'm missing something, but this is my takeaway and I really tried to
like PGP and gnupg. Maybe Google will solve some of these concerns on their
interface but I wouldn't bet on it. I'm not surprised that PGP isn't widely
used. I would really like a safe end-to-end encryption implementation that is
easy to use.

------
nly
Duh. If everyone encrypted their mail then Google wouldn't be able to
personalise their ads to mailbox content, and they'd lose a huge commercial
advantage over other ad networks. Advocating end-to-end encryption would be
Turkeys voting for Christmas.

~~~
venomsnake
Have no worries ... full email encryption is two years away. Also has been
that way for the last couple of decades.

------
dombili
Talk:
[https://www.youtube.com/watch?v=DJdGblrWX9o](https://www.youtube.com/watch?v=DJdGblrWX9o)

------
sanxiyn
More convincing than translation would be spam filtering. I think end-to-end
encryption would make spam filtering a lot more difficult.

~~~
woodman
Proof of work. Every email the spammer sends out would need to be properly
encrypted (or else the target wouldn't see your ads). This would actually put
a lot of control in the hands of the user - set the amount of work required to
mail you through key strength. Spammers would absolutely hate this, it would
be like the USPS requiring bulk mailers to prove they aren't spamming by
including the recipient name (not "Current resident" or "Our friend at").

------
nameless__
neither is electronic surveillance

------
MichaelGG
How's Tutanota any better? "End to end" but client side JS where you plop your
key into the form they serve up. It's only as good as their TLS/server
security, and your trust in them. In face of real opponents, it breaks down
just as much as gmail-to-gmail emails.

------
mcintyre1994
I wish there was a real quote here, because I find it hard to believe his only
example of a Google value add is translation. Personally I'm happy to use
Gmail for insecure communication as long as I can keep search - it'd be
utterly unusable without.

------
anon4
Sadly, they're not wrong. End-to-end encryption products are written for
expert use and hard to set up by mere mortals.

~~~
lectrick
Are you sure this isn't just another way of saying that decentralized
authentication is too hard? ;)

------
rogeryu
If I need to translate using Google Translate, copy & paste will do. I don't
need to do this directly in Gmail.

------
philippnagel
I say it is.

Who's right?

~~~
CHY872
20 years of history at least provides evidence for you being wrong.

~~~
lectrick
Paper envelopes dating back to 2300 years ago in China at least provides
evidence for you being wrong.

User-unfriendliness ≠ "not meant for"

~~~
CHY872
Fine. End-to-end crypto requires key authentication. This means that users
must have some way of authenticating a key.

For the majority of people, this is too much. People should not be expected to
spend time manually checking the signatures on a key, and should likewise not
be expected to get signatures for their key. They should not have to worry
about key revocation. If a solution is not as easy as email is at the moment,
it's not a solution.

So, the problems that need to be solved _in an automated manner_ :

Finding a public key, verifying it to be authentic beyond all reasonable
doubt, making it so that a new user can be trusted. Revoking the key if the
device is compromised.

These problems are not new - they've been around since PGP was invented. Yet,
there is seemingly no compelling answer to them that doesn't involve bringing
your passport to a key signing party.

All of the end-to-end encryption systems I've seen either have some
complicated handshake process before one can communicate with another, or are
unauthenticated.

So, anyone who argues for widespread end-to-end encrypted communication must
provide evidence that such a system can actually be produced in a way that is
totally transparent to the user.

Google's doing well with this software - they're massively reducing the
barrier to entry for PGP; I just don't see why people are complaining about
their preaching of security gospel.

~~~
lectrick
> Yet, there is seemingly no compelling answer to them that doesn't involve
> bringing your passport to a key signing party.

The only reason I trust the source of an email by its "from" address is
because of the history of correspondence with that person from that address.
Yes, if it is compromised, I may not realize it right away, or I may (see:
phishing emails from virus/malware infestations), but by and large it works as
advertised.

Same thing with usernames in forums. There's a certain cred that is eventually
attached to a username over time.

If I use the same public key to represent myself in all my communication "for
a while", then there's implicit trust that it's me there, for the same
reasons.

Key revocation is admittedly not as simple, if I want to continue to maintain
my "trust balance" somehow. What happens if I switch email addresses? "Hi
guys, this is my new email address." What if I was compromised and someone
else did that? (Well, how often does that happen in real life?)

Perhaps you could keep one key super secret (and offline) and sign all new
day-to-day keys with it. I don't know.

What I'm saying is- Treat it like email. Forget trying to centralize who owns
what key. Forget trying to exercise absolute control over trust in a given
key. The key(s) I use "most of the time" is "me". If I need to revoke it, I
will suffer some in the short term, but I will quickly build my cred back up
by using a new one.

If it was more widespread then perhaps we could centralize SOME third-party
signing. Say I could go to a bank and they could sign my key saying "this key
definitely belongs to lectrick", and it would work because the bank's public
key is known-trusted.

~~~
CHY872
I'm afraid that fundamentally doesn't work (though at first glance it does).
Email is not a forum - it's person to person. When someone emails me, I might
not know anyone else who has also had a conversation with them.

In order for anyone to trust your key _at all_ you need to make it available
out of band.

This is because otherwise, your email provider could simply man-in-the-middle
you (or them); and they have no way of working out.

The first time they email you, their key is already compromised. You then
build up your trust for them; but you've trusted an attacker. The system is
worse than useless.

This is worse than (say) TLS because TLS, you generally do not connect through
a single access point. Email is far more centralised.

So, they need to get your key from outside the communication system, somehow.

------
dredmorbius
Is Google's Eric Grosse familiar with anonymous authentication techniques over
Tor?

Because there are at least two projects which address this: FAUST and Fair
Anonymity:

[http://arxiv.org/pdf/1412.4707v1.pdf](http://arxiv.org/pdf/1412.4707v1.pdf)

[https://gnunet.org/node/1704](https://gnunet.org/node/1704)

I _very_ strongly encourage Eric to have his team look at these, or other
options, and back the motherluving frell out of whatever seems viable.

Listening to his Re:publica conversation with EFF's Jillian York, the topic
comes up, but best I can tell he doesn't know of these.

At 17m 50s in the presentation, the question of using Google services over Tor
is raised.

That's ... an issue I've had some experience with:

"How to kill your Google account: Access it via Tor"

[https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...](https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_kill_your_google_account_access_it_via_tor/)

First off, I totally get the abuse angle. Most of my specific complaint with
my own experience wasn't over Google's _challenge_ process to my attempted Tor
access. Rather, it was over the company's policies and procedures for account
recovery. Multi-factor auth is well and good, but I've _yet_ to find a way to
activate an option _other_ than phone-based auth _without providing Google
with a phone number_. Which for a number of valid reasons I cannot or will not
do.

(Grosse states that "you should not even have to give us a phone number", and
that there are internal debates on the subject. Yay.)

More specifically, the problem is that the question _" Who are you?"_ is
proving to be the most expensive operation in all of computing. Because you're
fucked either way you get it wrong. Lock someone out when you should let 'em
in, and you're fucked. Let someone in when you should've locked 'em out, and
you're fucked. And all you get to look at is 1s and 0s on the wire.

I detail that in more length in this comment to my dreddit post:

[https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...](https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_kill_your_google_account_access_it_via_tor/conz50f)

(I'll also note that Grosse specifically notes that PKI works great, ahem,
Yonatan Zunger....)

So: first, Google's _really_ got to revise and fix its account recovery
processes.

But that identity thing: Grosse goes on at length noting that Tor exit nodes
aggregate a lot of traffic activity, and that Google effectively relies
strongly on IP address as an indicator of identity.

The fair, and anonymous, reputation systems mentioned above are _specifically_
intended to work over Tor. Which is to say, people are tackling the problem.
Nothing in Grosse's presentation gave any indication that he's aware of this
fact. For sheer technical competence reasons, he should be.

