Google and encryption: why true user privacy is Google's biggest enemy

By Yasha Levine, written on January 27, 2014

After hamming it up at a fireless "fireside chat" last week in Davos, Google chairman Eric Schmidt talked to the Wall Street Journal about encryption, privacy and government surveillance. He told the paper that Google is developing encryption technology that will prevent the NSA and other intrusive governments like China from spying on Google users, and estimated that it would make its services surveillance-proof "within the next decade."

Wait…a decade? Ten whole years? To deploy a technology that has been available to consumers since the 1990s? Sounds odd for a company that mapped just about every known street and backroad in the United States with a fleet of hi-tech Street View cars in under three years. I thought Google prided itself on being a hyper-innovator? Doesn't it have any self-respect anymore? Ten years for encryption? Might as well be never...

Google execs like Schmidt pay lip service to privacy and encryption, but it's unlikely the company will provide its users with the kind of privacy protection that truly counts: end-to-end encryption that safeguards communication from all third-party interception, including Google.

The reason? This kind of encryption would be too effective — effective to the point of undermining Google's surveillance-based business model.

Don't believe me? Well, don't take my word for it.

Internet founding father Vint Cerf, who's employed as Google's resident wise old man, admitted as much during a privacy conference a few years back:

...we couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model.

If you've been reading my Surveillance Valley coverage, you know that Google's "particular business model" depends on harvesting our information, profiling us, and processing our email conversations and search activity into something that Google really sells: for-profit intelligence. This data is highly lucrative, allowing Google to generate $20 billion in pure profits a year.

True end-to-end encryption would make our data inaccessible to Google, and grind its intel extraction apparatus to a screeching halt.

In a general sense, end-to-end encryption is a blanket term for an encryption system that protects data as it travels between endpoints. For personal internet communication, this type of encryption scrambles messages — be they email, chat sessions, or telephone calls — in such a way that allows only the intended recipients to decode and read the information.

In the case of email, a message is encrypted on a sender's computer then sent along in a scrambled format that can only be decrypted and read by the recipient. Third parties — law enforcement agencies, repressive governments, hackers and even email service providers — are locked out of the email exchange. Because they lack the proper key to decode the message, these third parties would have to rely on brute computational force to crack the encryption and read the text.
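
The email flow described above, as an added sketch that is not part of the original article: the sender encrypts on their own machine, the provider stores only scrambled bytes, and the recipient alone can decrypt. It uses RSA-OAEP and AES-256-GCM from Node's standard library as a stand-in for a real email scheme such as OpenPGP or S/MIME; the function names, message and keyword list are constructed for illustration.

```javascript
// Added illustration; all names and sample data below are constructed.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient generates a key pair on their own device; only the public half is shared.
function newRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: encrypt the body with a fresh AES-256-GCM key, then wrap that key
// with the recipient's public key so only the recipient can recover it.
function encryptFor(publicKey, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Recipient side: unwrap the AES key with the private key, then decrypt.
// decipher.final() throws if the message was altered in transit or storage.
function decryptWith(privateKey, msg) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// What a service provider can do with the bytes it stores: scan them for keywords.
function providerScan(storedBytes, keywords) {
  const text = Buffer.from(storedBytes).toString('utf8').toLowerCase();
  return keywords.filter((k) => text.includes(k));
}

// Constructed sample message and keyword list.
const MESSAGE = 'Can you recommend a mortgage broker? We are buying a house in June.';
const KEYWORDS = ['mortgage', 'house', 'flight'];

function demo() {
  const { publicKey, privateKey } = newRecipientKeys();
  const sealed = encryptFor(publicKey, MESSAGE);
  return {
    plaintextHits: providerScan(Buffer.from(MESSAGE), KEYWORDS), // stored unencrypted
    ciphertextHits: providerScan(sealed.body, KEYWORDS),         // stored end-to-end encrypted
    recipientReads: decryptWith(privateKey, sealed),
  };
}
```
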

The technology behind end-to-end encryption for email is old school. It was perfected for the consumer market in the 1990s. Back then, tech-utopians were sure that end-to-end encryption would become the gold standard of Internet communication. How could it not? The technology was open source, relatively simple to use and easily integrated into email software.

Encryption was good for everyone but the bad guys: People's private and business email would be safe from scammers, identity thieves, and repressive governments. Service providers like Google would benefit, too. No longer would they have to be the snitch and hand over their users' emails to the government. End-to-end encryption renders emails useless to third parties, turning text into gibberish that even Google wouldn't be able to read. So if the NSA or FBI or NYPD wanted access, they'd have to go shake the users down for their encryption keys. Or they'd have to work harder to bug individual computers. No longer would the NSA be able to treat Google as a mega mall for user data.

You'd think Silicon Valley companies like Yahoo or Google would have embraced end-to-end encryption, and used their massive email and chat market share to push the industry to follow suit. But that of course didn't happen. Popular email/messaging service providers didn't build encryption into their services — not even as an option that users could turn on for particularly sensitive messages.

The reason, as Vint Cerf explained above, had to do with the business realities of Surveillance Valley.

End-to-end encryption blocks Google just as effectively as it does the NSA. And if Google can't read our emails, it can't parse them for meaning. If it can't parse them for meaning, it can't build out our personality profiles. If it can't profile us, it can't sell its targeted ad services. And if it can't target us with ads, it can't make the big bucks. $20 billion in pure profits, give or take.

It's simple, really. But probably the best explanation of the inherent incompatibility of privacy and profitability hardwired into Google's business model comes from ACLU's Christopher Soghoian:

Now, you may ask, well, why are these companies not protecting our privacy more?

And the answer is that it's very, very difficult to deploy privacy protective policies with the current business model of ad supported services.

So as an example, many in the privacy community would like companies to deploy encryption; right? If the data is encrypted on your device, if the police seize it they cannot get any of the data.

Unfortunately, it's very difficult to monetize data when you cannot see it. And so if the files that I store in Google docs are encrypted or if the files I store on Amazon's drives are encrypted then they are not able to monetize it. And of course we have all seen the ads on the right-hand side of a Gmail window. They are analyzing the content of your e-mail to show you ads, and there's not really a privacy preserving way for them to target those ads to you without seeing your data. And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications.

Now, this doesn't mean that Google and Microsoft and Yahoo! are evil. They are not going out of their way to help law enforcement. It's just that their business model is in conflict with your privacy.

And given two choices, one of which is protecting you from the government and the other which is making money, they are going to go with making money because, of course, they are public corporations. They are required to make money and return it to their shareholders.

So there you go: as Google sees it, true privacy is not a solution. It's a problem. So the next time you hear someone at Google talking about protecting your privacy, remember: they are full of schmidt.
