I am more worried about subpoena on steroids than individual hackers. Big budget crackers are a different thing.
> I'm worried about Google working with intelligence agencies to try and target me politically, feed me propaganda, or put me on some list of undesirables.
The threat model isn't Google. And I believe that Google's engineers are more than up to the task of protecting their servers from everyday hackers.
The threat I'm worried about is the surveillance arm of the US government. The small glimpses we've seen are frightening - for example, they spliced a cable between two Google data centers and recorded (some? all?) of the traffic travelling between them. This particular hole has since been plugged (Google encrypts between-data-center traffic now), but we simply don't know what the US government's capabilities are. This isn't paranoia stuff - they really do this kind of thing.
And even if Google manages to 'go dark' to the NSA, the US government can just legally demand access to all of our data. And block Google from telling us that the data intrusion happened.
It's funny you mention FUD. Fear, Uncertainty and Doubt is exactly how I feel about trusting Google (and by extension the US government) with every email, search, voice, in-app text in Android, phone call and so on that I've ever made.
As a non-US citizen, I have even fewer protections and I can't fight this politically. But I can give my money to Apple instead. So that's what I do.
Can you really be hacked if you were a DARPA-funded honeypot from day 1? I'd say the main reason Google and many of the other big tech companies haven't faced much effort from the US government to be broken up is because federal agencies love being able to get a bunch of info on people through a single subpoena.
Hacked/stolen: anything I wouldn't want in the hands of criminals goes through ssl. If they've broken that, Google tracking me is the least of my worries.
Sold: I'm comfortable with advertisers being able to target me. If they've narrowed down their target market by videos viewed on motherless, I'd be damned curious to see the ads.
Subpoenaed/NSL'd: were I to engage in any activities that would give me trouble in the event of LE attention, I'd be doing it through TOR from a coffeeshop, on a throwaway netbook running Truecrypt with the juicy stuff in a hidden volume. That's not to suggest that only criminals need fear the security/justice apparatus, but if I were doing anything that could draw unwanted attention I'd take precautions.
Back when I was raiding with anon, before it had anything to do with political motivations, I was paranoid about how easily I could be doxed and took extreme measures to ensure I was unfindable. Now, I'm pretty open about most of my online activities. If knowing my interests lets Google provide better services, then they have my blessing. Should I decide to engage in activities that would run me afoul of powerful organizations, I'll take precautions.
You won't find many stronger proponents than I of the need for anonymous communication, but I don't extend that to all communication. I'm cool with getting fed ads in order to support the services I like, and if data collection means fewer ads or better services, then I'm on board.
Well, there is that as well. But I guess most people are less concerned about Google US having access to their data (even if it is illegal) than their data being given to US intelligence agencies.
Is it really easier to crack SSL or break into Google's data centers (or hack Google's servers) or guess/crack my password or get hired at Google with the intention of espionage/theft than it is to break the ground floor window I'm sitting next to and cart off my desktop?
Really?
The only thing that might be easier is for Google or the Government (via subpoena or collaboration) to get access to my data.
Google fights against subpoenas and warrants all the time but sometimes they lose. At that point they have to comply or be held in contempt and I can't really blame Google for complying in that situation.
With many thousands of engineers it is totally possible for bad actors to have infiltrated Google. It's one of the reasons why there are such strict protocols for accessing customer data or production hardware. The idea is that by default no one has access to anything and that all accesses to data and production hardware are logged and audited.
I'm sure there are still opportunities for a rogue employee to do something bad, but Google are way better at protecting access to their customers' data than many of the companies I've seen.
And the same government that wants to tap everything and subpoena email accounts with little cause is going to enforce that Google makes it difficult/impossible to do those things?
There are two main concerns at play here that are very different: consumer privacy and national security.
The consumer privacy concerns are generally subject to regulation by law, but national security concerns often are extralegal in nature. This makes a big difference in the availability of tools to address the problems. Google will follow your laws or pay fines until they comply. Spies won't.
It's not Google who you should be afraid of, it's your government. If your government cares about data protection, then Google will not risk it; it's not worth it, even if they are evil.
But if your government forces Google to make a wiretap interface for them, they have no choice.
Either way they are in the hands of the government.
2) The NSA in turn shares information with law-enforcement agencies. ICREACH contains information on the private communications of millions of American citizens who have not been accused of any wrongdoing.
3) The DEA (and possibly other agencies) uses this information to target Americans, and then lies about the origins of the information in a process called "parallel construction."
It's not difficult to see the potential for abuse in a shadowy process that surveils the private communications of Americans, applies unknown selectors and data mining algorithms, and then reports the results to law enforcement.
Just to clear the record: there is technology out there that can obfuscate data (anonymization) and offer protection against unauthorized access (it is even possible to store data in tamper-proof systems to which nobody has access, including Google). Nobody is suggesting Google should not respond to subpoenas. We are suggesting that Google protect our data and take steps to reduce the risks of subpoenas.
I live in the EU, and as such am pretty much nameless for any Google employee. It's not like they would disrupt my personal life. Automated reading however, scales. The damage to any individual is lowered, but it is also multiplied by the number of users. Reliably so.
And now they have a mighty powerful pattern matching machine, they can easily ask more than where I could possibly spend money. They could ask for my political affiliations, or my sexual orientation, my social network (who knows, I may be related to the second or third degree to some nefarious terrorist?).
That last one is very worrying. Especially since recently, my country (France) is being eerily harsh with political opponents. I've just read a story about a journalist (whose income happens to come from YouTube & donations), who is being judged for… gang theft (the pun also works in French), risking up to 75.000€ in fines and 5 years of imprisonment, just because he covered the unhooking of an 8€ portrait of our current president in a Town Office (which usually have president's portraits, but this is not mandatory). Unhooking, they reportedly did not even take the portrait.
So yeah, I'm more and more worried about giving our governments the means to apply their increasing insanity. Sure, having an individual reading my private email is unacceptable, but that risk is getting smaller and smaller in comparison to the mass surveillance that automation enables.
I trust Google as a company. But as Google is under US jurisdiction it is affected by things like National Security Letter subpoenas (see: http://en.wikipedia.org/wiki/National_Security_Letter). This is a type of subpoena that does not require a probable cause or judicial oversight (meaning that the FBI can issue them without court order) and the recipient is under a gag order prohibited from speaking about them.
In addition, Google seems to also abide by subpoenas issued by other countries, but does not clearly state under what conditions. E.g., is the German government only able to subpoena accounts of German citizens? Or of people who used Gmail in Germany? Or of any Gmail user if there is a probable connection to Germany? And under what conditions does Google adhere to the data retention laws in some European countries?
I acknowledge that there are cases where it is legitimate that government agencies get access to one's mails. But if this is possible without court orders I consider this largely undemocratic. As a consequence, I try to keep as much information as possible on my own server (with a fully encrypted filesystem).
So I:
- Currently use Google for searches, but I have set my browser to delete all cookies on shutdown. I do not have Flash installed, so I'm not affected by "Flash-cookies". I also tried out duckduckgo as a search engine, but in my opinion the search results are considerably worse than Google's.
- I have some domains using Google Apps that I've moved to Google in the past. But I'm currently in the process of also moving the remaining domains (that only relay mails) back to my own server. However, I also acknowledge that this is somewhat futile given that 90% of people I communicate with use Gmail - meaning that all of my mails are stored on Gmail anyway.
I fear Google way more than the NSA or the government. Google can link my name to someone claiming I'm a racist. It can tie me to stupid things I said online 15 years ago. Who knows what it will do in 5 years when Bing reduces their profit margin.
In order for the NSA to actually hurt me the government would have to essentially go full on fascist. But even in that case, first thing they'd do was to crack open Google's database.
That's what the FBI did after 9-11. They went to VISA and Mastercard to find out what the hijackers were up to.
> I'm worried about Google working with intelligence agencies to try and target me politically, feed me propaganda, or put me on some list of undesirables.
This.