Google is exploring ways to encrypt files stored in Google Drive to prevent the the U.S. government and other authorities from demanding access to user data, according to a CNET report.
The company is allegedly “actively testing encryption to armor files” on Google Drive, CNET reported on Wednesday. If true, this privacy protection measure would mean that even if the National Security Agency obtained a legal order under the Foreign Intelligence Surveillance Act, or the police showed up with a search warrant, there is nothing Google would be able to do. The data would be encrypted, and the user would be the only one with a key.
Many companies protect the contents of what is transmitted over the Web with HTTPS, whether it is financial data on e-commerce and banking sites, or login credentials as we sign on to sites, to name a few. However, companies generally don’t extend a similar level of protection to files stored on their servers. Security savvy users can always take care of it themselves by encrypting the files locally before uploading them to servers.
Google has said in the past that while it encrypted the actual upload process, the files themselves were stored unencrypted on Google Drive. According to CNET’s report, Google is experimenting with ways to encrypt the files while they are stored, as well.
“Mechanisms like this could give people more confidence and allow them to start backing up potentially their whole device,” Seth Schoen, senior staff technologist at the Electronic Frontier Foundation in San Francisco, told CNET.
Users Want Encryption
While there are a handful of business-focused services that offer encryption, very few consumer-focused file-sharing and file-storage services currently offer this feature. There are a handful of services, such as Norton Zone, which claim to encrypt the file immediately on the user’s behalf before saving them onto their servers. In the case of Norton Zone, Symantec owned the encryption key, which means when the government types come a-knocking with a court order, the company is likely to hand over both the data and the key.
I heard from several storage providers over the past year that while there was plenty of business interest in encryption, for the most part, consumers weren’t interested in doing it themselves. Then came the PRISM bombshell, and now everyone wants to know how to protect their files from the government’s grubby paws.
“There are many interesting subjects that the NSA situation has brought to light, including the lack of encryption and key management used in public and private cloud environments,” Jeff Hudson, CEO of Venafi, an enterprise key management company, told SecurityWatch.
CNET didn’t have details about Google’s plans to make it easier for users to store their data encrypted on Google Drive, but hinted the company was planning to perform the encoding and decoding on its servers. So long as the encryption key stays off Google servers and under the user’s control, Google would not be able to obtain the unencrypted data without the user’s cooperation.
“We applaud Google for taking steps to encourage and drive the need for improved security in the cloud,” Hudson said.
Current Options for Encrypted Storage
Until Google gets this rolled out for Drive, privacy-sensitive users can look at some of the existing services that give users control over their data. SpiderOak earlier this year added encryption to its file-sharing service. Since the user controls the key, if the user forgets the password, the data is lost; SpiderOak can’t help recover that data at all. LaCie offers a similar feature for its file-sharing service Wuala. Mozy offers encryption in its Mozy Remote Backup service. There are fairly easy-to-use services that help you encrypt your files before uploading them to the storage service of your choice, such as DigitalQuick and Boxcryptor.