According to CNET, Google may be experimenting with the encryption of files stored within its Drive service. If true, Google would be following the lead of services like SpiderOak and encrypting the files they store. One possible intention here being to restore user confidence in a post-Prism environment.
It’s a nice idea — that users can encrypt files that the cloud-company cannot access; and subsequently is unable to turnover to the government (or courts?) — but this seems like an “optics” play to me. It’s also likely not possible, at least for now… The CNET article interestingly identifies the Canadian company Hushmail, who have a pretty good reputation as a secure encrypted email and webmail provider; but as is described in this 2007 Wired article, Hushmail was forced to turn over a user’s passphrase. It wasn’t whether the company had encrypted its user’s files that became the weak spot, it was the login credentials, which the company was forced to capture and then turn over.
Will cloud companies move towards encrypted file storage? Probably. It’s hard to imagine most will exist in five years time without it. But is “file encryption” going to protect your data (or your client’s data) from government access? Even with bullet-proof encryption in place, user passphrases will be the next target. And if that door somehow locks, governments will lean on the companies themselves for ‘built-in’ access points.
Here’s the unfortunate truth about internet privacy: we don’t have any. We might someday, but not today. We hear so much talk about “encryption” being the answer; but that’s only one part of the story. Web-based services will still be vulnerable via user passphrases; and even if you step outside of the web-browser ecosystem, application software is no better. How can we be sure software providers haven’t created a backdoor? It happens.
Lawyers are required to consider their client’s privacy, and in Canada, many worry about storing client files on web-services with their servers based in the United States. Some believe that using (or not using) a cloud company based on its server location will protect them. I remain skeptical. If a government, ours or another, really wants your client’s information, I don’t think I’ve got a ‘tin foil hat’ on in thinking that they’ll find a way. But those ‘Patriot Act worrying lawyers’ have one thing right — It’s the law, and not technology, that is going to solve this.
Cloud-based, or application-based, protecting privacy is nearly impossible using any form of technology-forced solution. There’s always a human being creating it.
Over to you, lawyers (and legislators).