Friday03 February 2023

Google Encrypts Search... Too bad it Won't Stop the NSA

Reading time is around minutes.

The big news today is that Google is preparing to encrypt their search data. They are planning to automatically encrypt not only the connections, but the information sent back to the user. On the surface this would seem to be a big step towards preventing people like the NSA from finding out what we do on the internet and it would be in line with consumer demands for more protection from spying eyes. The question is, will this move actually do anything or is it all just a feel good PR event.


Encryption is a great thing when used properly and the number of people that have access to the keys is limited to those that need access to the information. If I want to send someone a secure document and I only give them the key to it (while I maintain a key) then it is pretty secure from unauthorized reading right? Well sadly it is not that simple. In order for it to be really secure I would need to make the lock myself, be the only person capable of making keys, and also be the only person that makes the box the information is in. If any of these is trusted to someone else then the system can be broken.

In the case of Google they would have to use a type of encryption that is not available to any government authority. Remember that the NSA worked flaws into the most common encryption standards and has worked for years to find weaknesses in the standard tools used to generate encryption keys (remember the RSA issue?). So this means that the NSA (and others too) have the means to break most of the publicly used encryption methods making encryption something of a joke when it comes to nation states or government agencies.

On top of the fact that most encryption has been or can be broken is the nasty fact that the NSA can simply as for a National Security Letter and force Google (or another company) to hand over the unencrypted search information. After all, in order to make encrypted search work, Google must have the keys to decrypt the search information coming into their servers. This means that the search data is unencrypted in their system at some point and Google is legally compelled to maintain that data (not to mention they like to keep it anyway for advertising and metrics). So with a single letter the NSA can get the information they want for as many people as they want.

The two cases we listed above are bed enough, but there is another component to this that most people do not even think about. These are the many DPI (deep packet inspection) or SSL monitoring systems that exist all over the internet. Many ISPs maintain them to check for unauthorized traffic (and some have been used in copyright cases). These systems are designed to dig into packets that are encrypted using SSL (secure socket layer) and are typically invisible to the end user. For example, sitting at home you connect to Google and request a certain search via SSL. A properly setup DPI system will actually respond to you using a transparent proxy forwarder. The DPI box then sends the request to Google on your behalf. At this point it is able to read all of the data from Google and from the originating system. Believe it or not this type of system is in use in many, many corporations today and have existed at the ISP level for a number of years. The companies that make these are even now pushing them to more people specifically to work around Google’s secure search.

With these items you can see that Google’s move to an encrypted search is more than likely just a feel good move. There are multiple ways around their encrypted search feature and you can be sure that Google knows they exist. However, after the fiasco with the PRISM program and other leaks from Edward Snowden Google and other companies have to appear to be doing something. They are losing customer trust by the day and know it. This is like Microsoft announcing that they were encrypting mail on their Hotmail servers, it is nothing more than a show. Until there are major changes put in place that require information to be protected (unless it is part of a legitimate and active investigation) then we will always have more of the same form the NSA and the corporations we trust with our information. Of course to effect this change will require a massive effort on the part of each and every internet user… and we are not talking about just complaining on Facebook.

Tell us what you think in our Forum


Last modified on Thursday, 13 March 2014 13:33

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.