This is good news I suppose. I actually thought the data might already be encrypted by default, but an IT spokesman from Google said that all new data is automatically encrypted using a 128-bit encryption key standard and all existing data will be encrypted “in the coming months”.
Still… it seems a bit… gratuitous. What does this encryption really mean? Both the key pairs (the encryption and the decryption keys) are managed by Google. Once you log into your Google Drive (or once anyone logs into your Google Drive) the data is seamlessly decrypted or encrypted (if you’re changing or adding new data). If you have Google Drive set to not require login at your computer desktop, laptop, tablet, phone, etc., then the encryption is only as good as your device’s security.
And what about the government? Presumably, Google is responding to public interest in Cloud Security as of late –with the recent Snowden stuff making the news. Can the NSA still read your data? You bet.
Data collection programs revealed by former U.S. National Security Agency contractor Edward Snowden have raised questions about U.S. government data requests made to Internet companies such as Google for national security investigations.
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.
“Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process,” she wrote. “When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”
If you truly want your data encrypted on the cloud, encrypt it first using something like PGP, then upload it. If Google wants to impress me on this, they should make key management by the user an option, taking the automated management at Google’s server side out of the equation.
It’s important to note that data encryption is not something that only terrorists and drug dealers need to worry about. Keeping personal and corporate data safe from casual or even deliberately invasive intrusion is an important consideration. It is very easy for things like credit card data, personal addresses or phone numbers, names of loved ones, etc. to become public without even realizing it. Your banking information is at risk. Your personal correspondence between trusted family and friends is at risk.
References and Notes: