SURVEILLANCE THREAT: Google Tries To NSA-Proof Gmail
(CNNMoney) — Google just beefed up the security of Gmail to make mass surveillance of its customers’ email nearly impossible. It’s not quite NSA-proof, but it’s close.
To accomplish the feat, Google secured how you connect to its servers. Gmail is now strictly using a secure communications protocol called HTTPS, which encrypts your email on its entire journey: from your computer to Google, between Google’s servers, and from Google to the person receiving your email.
In a blog post Thursday, top Gmail security engineer Nicolas Lidzborski said the increased security was in response to disclosures about government surveillance made by former NSA contractor Edward Snowden.
“This ensures that your messages are safe … something we made a top priority after last summer’s revelations,” Lidzborski wrote.
Google is trying to limit the abilities of the U.S. government’s secretive PRISM program, which can spy on citizens’ communications. The NSA declined to comment for this story.
As the New York Times explained last year, government spies have been tapping the fiber-optic cables between big tech companies’ data centers. Data typically travels unencrypted between giant computer server farms, allowing for easy interception.
But by encrypting the flow of data between company servers, Google has made that kind of mass collection technologically unfeasible.
“That should be effective,” said Mikko Hypponen, a top security researcher in Finland. “By protecting the connection between you and Google servers, they protect you against tons of attackers.”
Hypponen explained that the HTTPS encryption method is essentially uncrackable at the moment.
That doesn’t stop the federal government from eventually worming its way into your personal data, though. The FBI could still send Google a National Security Letter demanding client records — something it does all the time. In 2012 alone, Google received Foreign Intelligence Surveillance Act requests on the content of 20,000 to 22,000 users’ communications.
Google is taking the kind of approach to combating surveillance that top privacy researchers advocate: Make mass collection unfeasible by making it more difficult and more expensive to accomplish.
“I wouldn’t call it NSA-proofing,” said Eugene H. Spafford, a computer science professor at Purdue University. “But they’re doing something reasonable to protect against that and any other similar kind of eavesdropping.”
That includes hackers who routinely spy on unsecured Internet connections, including those who lurk on public Wi-Fi connections and employers who snoop on workers in the office.
Privacy advocates aren’t giving Google too much credit, however.
“This is something they could have done years ago,” Spafford said. “It was a known problem with a known solution. They and others have been very slow to adopt it.”