
Google: We didn't help the NSA (or did we?)

Google is now the first of the major search engines and e-mail providers to deny helping the National Security Agency with its wholesale surveillance of Internet content. Truth, lies, or damn lies?

Chris Soghoian
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

Google is now the first of the major search engines and e-mail providers to make a firm statement on the issue of the National Security Agency's wholesale surveillance of Internet content.

Google has stated it didn't help the NSA search your e-mails. More specifically, the company denies participating in the NSA's Terrorist Surveillance Program. But the company's carefully worded denial might not be enough to reassure savvy readers.

The Wall Street Journal recently revealed the true extent of the NSA's surveillance system:

"According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic e-mails and Internet searches."

This builds on what we learned the previous week, when The Washington Post revealed that the primary motivation for the White House's wiretapping immunity demands is to protect those firms that assisted with illegal, mass-scale surveillance of e-mail traffic.

Google has now taken the interesting step of becoming the first major Internet company to deny helping the NSA. In an on-the-record e-mail with a company spokesperson on Friday, I was told that:

"Google was not part of the NSA's Terrorist Surveillance Program."

Is that enough to reassure you?

If Google was obligated to give up search/e-mail records, it is likely that this request would be made via a Patriot Act-authorized National Security Letter. A recent Journal article confirmed as much, stating that the information gained from National Security Letters ended up in the gigantic NSA databases. But recipients of those letters may not be allowed to tell anyone about it, and may in fact be forced to lie.

The owner of an ISP who received one of these secret orders explained the significant restrictions placed upon him in a letter to The Washington Post back in 2007.

"Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case--including the mere fact that I received an NSL--from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie."

If this poor gentleman had to lie to his girlfriend and family, it's possible that Google, if it did receive an FBI National Security Letter, might be placed in a similar position.

Careful wording

My original question to Google was, "Is Google sharing 'huge volumes' of search records with the government?" I never asked about the NSA's Terrorist Surveillance Program specifically.

As Salon's Glenn Greenwald has explained, the Bush administration has been very careful with its use of the term "Terrorist Surveillance Program." Many snooping activities, some of which were clearly illegal, do not come under this definition. Simply put, Google could have handed over a copy of every search request and every e-mail sent by a Gmail user to the U.S. government and it would still be able to quite correctly deny participating in the Terrorist Surveillance Program.

In any case, on January 17, 2007, Attorney General Alberto Gonzales announced that the Terrorist Surveillance Program would not be reauthorized by the president, but would be subjected to quasi-judicial oversight. So the Terrorist Surveillance Program, at least by that name, no longer exists, and Google could be actively handing over millions of e-mails, while the statement made by its PR people would be completely true.

Continued concerns

What if Google's PR people are telling the truth? What if Google really didn't help the NSA, and the spooks are collecting millions of search records via wiretaps placed on the Internet backbone?

It's worth pointing out that Google has stood up to the feds when they demanded search records a couple years back--but this was the DOJ, not the NSA.

The problem remains that Google is not doing a single thing to protect its customers from this kind of large-scale surveillance. While the company supports SSL-encrypted Webmail sessions, it does little to advertise it, and has taken no steps to turn it on by default.

However, the biggest problem is search. Google offers no way for its customers to search the Internet without an evil ISP (such as AT&T) snooping on the traffic. Google could very easily enable SSL search sessions, but has not taken any steps to do so.

When asked about the Webmail security problem, and which steps customers should take to protect their search traffic from snooping Internet service providers, Google's spokesperson directed me to the company's much-ridiculed YouTube Privacy channel.

I spent a few minutes browsing through the channel, but couldn't find any specific advice on protecting myself from illegal wiretaps and government surveillance. YouTube seems to be a great place to find videos of skateboarding dogs, but not such a great source of privacy tips.

For those of you who care more about your privacy than cute YouTube videos, I highly recommend the Tor anonymous web proxy, as well as the Customize Google Firefox browser extension.