Google tests encryption to protect users' Drive files against government demands

Google has begun experimenting with encrypting Google Drive files, a privacy-protective move that could curb attempts by the U.S. and other governments to gain access to users' stored files.

Two sources told CNET that the Mountain View, Calif.-based company is actively testing encryption to armor files on its cloud-based file storage and synchronization service. One source who is familiar with the project said a small percentage of Google Drive files is currently encrypted.

The move could differentiate Google from other Silicon Valley companies that have been the subject of ongoing scrutiny after classified National Security Agency slides revealed the existence of government computer software named PRISM. The utility collates data that the companies are required to provide under the Foreign Intelligence Surveillance Act -- unless, crucially, it's encrypted and the government doesn't possess the key.

"Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device," said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco.

Major Web companies routinely use encryption, such as HTTPS, to protect the confidentiality of users' communications while they're being transmitted. But it's less common to see files encrypted while stored in the cloud, in part because of the additional computing expense and complexity and the difficulties in indexing and searching encrypted data.

Google previously had said that user files were transmitted in encrypted form, but stored in its data centers in an unencrypted manner, as detailed in an April 2012 post on a Google product forum from a community manager.

Jay Nancarrow, a Google spokesman, declined to answer questions about Google Drive encryption.

Secure encryption of users' private files means that Google would not be able to divulge the contents of stored communications even if NSA submitted a legal order under the Foreign Intelligence Surveillance Act or if police obtained a search warrant for domestic law enforcement purposes.

By contrast, secret NSA documents leaked by Edward Snowden show that Microsoft worked with NSA to "circumvent the company's own encryption" as part of PRISM, according to a report last week in the Guardian.

Microsoft General Counsel Brad Smith said yesterday that there are "significant inaccuracies" in last week's news reports. He added in a blog post, referring to Outlook.com: "When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency."

Some smaller companies already provide encrypted cloud storage, a concept that is sometimes called "host-proof hosting." SpiderOak says its software, available for Windows, OS X, Linux, iOS, Android, and Nokia N900 platforms, uses "zero knowledge" encryption techniques that allow it to store data that is "readable to you alone." SpiderOak also offers a Web access option because of "overwhelming customer demand," but the company suggests the client application is more secure.

Wuala is an application for Windows, OS X, Linux, iOS, and Android that also uses client-side encryption. Zurich-based LaCie AG created the application.

"LaCie employees have very limited access to your data," the company says. "They can only see how many files you have stored and how much storage space they occupy."

While details about Google's experiments with Drive encryption were not immediately available, the company may be taking a different approach by performing the encoding and decoding on its servers.

If that's the case, a government agency serving a search warrant or subpoena on Google would be unable to obtain the unencrypted plain text of customer files. But the government might be able to convince a judge to grant a wiretap order, forcing Google to intercept and divulge the user's login information the next time the user types it in. Vancouver-based Hush Communications was required to take a similar step in 2007 -- though that was under Canadian law, not that of the United States.

Whether the government could obtain a user's login information with a wiretap order is an "unanswered legal question" in the United States, says Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I think the answer would depend in part on whether decryption could be called a current capability of the provider -- or requires reengineering of the service."

Google has litigated aggressively in the past to protect users' privacy. CNET disclosed in May that the company is fighting the Justice Department over secret national security letter requests in two different federal courts. It fought the government over a subpoena for search logs and has an active case before the Foreign Intelligence Surveillance Court. It also was the first major company to adopt "perfect forward secrecy" for Web encryption, a technology that protects the confidentiality of user communications even if a government is eavesdropping on the network.

Alan Butler, appellate advocacy counsel at the Electronic Privacy Information Center, says a user typing in a passphrase might "be considered an electronic communication and subject to interception" under federal surveillance law.

CNET reported in an article last Friday that the U.S. government has used the threat of installing custom eavesdropping hardware on companies' networks to compel cooperation in aiding surveillance demands. The article disclosed that Verizon Business was required to install surveillance gear that the government had purchased and provided.

Disclosure: Writer Declan McCullagh is married to a Google employee not involved with Google Drive.