In the wake of China-based cyber attacks against its corporate infrastructure, search giant Google turned to the U.S. National Security Agency to help it combat security threats, according to a published report.
It’s a move that has privacy advocates itching for more information on the cooperation between the world’s largest aggregator of data and the U.S. government’s controversial spy agency.
The original report, published Thursday in The Washington Post, contained no specific details on how the two organizations would be working together. Industry experts dismissed privacy concerns as overblown.
The deal will not involve the NSA accessing users’ search histories or Gmail accounts, the Post reported, citing unnamed sources with first-hand knowledge of the agreement.
The paper’s source characterized the agreement as an “alliance.”
That did not stop the Electronic Privacy Information Center (EPIC) from firing off a Freedom of Information Act request for communications between Google and the NSA “regarding Google’s failure to encrypt Gmail and cloud computing services,” the group explained.
“Despite the cyber security risk to the millions of Gmail users, Google did not enable complete encryption until after the hacker attack originating from China,” EPIC’s FOIA request claims. “… The timing of Google’s decision to enable traffic encryption suggests a connection between that decision and Google’s relationship with the NSA regarding the hacker attacks.”
Their request seeks:
1. All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cyber security;
2. All records of communication between NSA and Google concerning Gmail, including but not limited to Google’s decision to fail to routinely encrypt Gmail messages prior to January 13, 2010; and
3. All records of communications regarding NSA’s role in Google’s decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.
EPIC also sued the NSA in a Washington, D.C. district court on a separate but related matter, seeking to reveal key documents outlining cybersecurity policy.
The group’s concerns are indeed legitimate: AT&T whistleblower Mark Klein revealed in 2006 that the NSA has the ability to vacuum up virtually every electronic communication on the Internet, and that he had helped the agency monitor all of AT&T’s traffic.
However, “fears that Google will hand its servers over to the NSA are ‘completely unrealistic,’ stresses Alan Paller, director of research at the SANS Institute,” Information Week reported. “The NSA is an effective partner for the private sector companies because it has the highest level of in-house cyber-security expertise, he says. Other agencies tend to rely more on outside contractors, raising the risk of disclosure of corporate secrets.”
Following the China-based cyber attacks in January, Google said it would no longer censor its Chinese search engine, apparently removing the state-mandated caps the very day of its announcement.
The New York Times claimed that Google’s partnership with the NSA, as opposed to Homeland Security or another domestic agency, is based in part on a desire to avoid having its services classified as a “critical infrastructure” by the government.