[Cryptography] How the CIA Made Google

Jerry Leichter leichter at lrw.com
Sat Jan 31 19:36:36 EST 2015


On Jan 31, 2015, at 3:51 PM, Tom Mitchell <mitch at niftyegg.com> wrote:
> The reality I suspect is: Google protects its data with more care than most
> federal agencies.
Now *that's* setting a pretty low bar, based on everything we know about the security of Federal agencies.  As for "most" ... one would have to believe that of all Federal agencies, the one doing the best job at protecting its digital assets would be the NSA.  And yet ... Snowden and, most likely, at least one other leaker as well.

Having worked at Google at one time ... yes, they are *extremely* careful about maintaining the security of their data.  I can't talk about some of the things I know they were using at the time - and (a) I certainly didn't know about all of them; (b) given the revelations of the last couple of years, I'm sure they've added much more.

It is important to keep in mind that security implements a particular policy.  It's strong to the degree that it prevents violations of the policy.  You may not like the way Google targets ads based on what you say in gMail, say, but providing some access to the contents of gMail by the advertising systems is part of the policy.  Similarly, providing access to government agencies under certain conditions is also part of the policy - perhaps not by Google's choice, but because it's a constraint that they have to work under as a US (and EU, and various other jurisdictions) corporation.  Just because you would prefer that Google have some different policies doesn't make it a security issue when they implement theirs and violate the policies you would prefer.

What Google would consider a violation of its security policies concerning gMail, for example, is that those not specifically permitted access gain it.  Google was extremely upset by some Chinese hacking into its systems to get at gMail, and by NSA's listening in on inter-data-center links for the same purpose.  In both cases, they responded by strengthening the appropriate security layers - e.g., encrypting all those links.  Every security system has its failures.  What you need to look at is how frequent are they, and what's the response.

Google's certainly not the only company with this kind of attitude.  Apple seems to have "gotten religion" under Tim Cook.  (Security doesn't seem to be something that much interested Steve Jobs.  It's not that he was against it - he just focused on other things.)  Microsoft is harder to read.  On the one hand, they've put a huge effort into moving away from the insecure coding practices that plagued them - and every user of their software - for many years.  On the other, they arguably took Skype and "de-secured" it.  Facebook ... let's not go there.  Twitter seems to take things seriously.  Most smaller, rapidly-growing consumer Web companies - not so good; anything that would slow down mega-growth gets ignored.

Once you move beyond the consumer-facing companies, operations are typically very opaque to outsiders, so it's hard to comment.

                                                        -- Jerry