Google’s New Cloud Encryption: A False Sense of Security

I’ve been impressed with what I’ve seen and used from Google Cloud Storage so far. With very little effort, you can leverage Google’s massive storage and processing infrastructure to create mobile apps that store, process, and communicate data in a remotely managed, efficient, and highly available environment. In fact, Google includes tools for creating Android messaging apps that exchange data with almost no code to write. The service is remarkably easy to use and feature-rich.

Sadly, however, it cannot guarantee your privacy, despite Google’s recent announcement that it has beefed up its security. Far from it. In fact, very few cloud solutions can.

It sounds good, though. With its update, Google now encrypts each object you store with a dedicated encryption key specific to that object. That object-specific key is used with the industry-standard and time-tested AES-128 encryption algorithm. Because AES is rock-solid in keeping secrets, only the holder of the keys will be able to make sense of the data you’ve stored.

That raises the question of who holds the key used to encrypt an object. Well, each encryption key (remember, there’s a different one for every object you store in your portion of their cloud) is itself encrypted using a master key that is personalized to you and you alone. In other words, the encryption keys are likewise encrypted, which prevents anybody else from learning what they are. If nobody else knows what key was used to encrypt a particular data object, then no one else can figure out what the data object is. So, your secret will remain a secret.

The key that is customized to you, however – the one that is used to encrypt the key that is used to encrypt one of your data objects – isn’t just known to you. It’s also known to a certain company whose name begins with a G which calls Mountain View, California, home and was recently found to be sharing private user data either knowingly or unknowingly with the NSA.

Sure, Google encrypts your customized key using its own master key, which prevents attackers from stealing it. But Google knows that master key. It therefore can easily learn your personalized key and then gain access to all of the keys that have been used to encrypt your data objects.

If you’re new to cryptography, all this talk about keys and encryption algorithms is surely sucking your will to live by now. The key point is this: if someone other than you has your key, then he has everything he needs to be able to read your stuff. So, your stuff is not really private. If you have to trust someone else not to have prying eyes, you have no real expectation of privacy. End of story.
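The key chain described above, as an added example that is not part of the original post and is not Google's code: an object key is wrapped under a per-customer key, which is wrapped under a provider master key, and the master key alone is then enough to recover the data. It goes one step beyond the post by contrasting a key that only the customer holds; the AES-128-GCM mode, the random key generation and all function names are assumptions.

```javascript
// Added illustration of the key chain in the post; not Google's code.
// Assumptions: AES-128-GCM for every layer, random 16-byte keys, hypothetical names.
const crypto = require('crypto');

// Encrypt with AES-128-GCM; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Decrypt a blob produced by seal(); throws if the key is wrong.
function open(key, blob) {
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Provider side: what is persisted for one object. No key is stored in the clear.
function providerStore(providerMasterKey, data) {
  const userKey = crypto.randomBytes(16);   // key personalized to the customer
  const objectKey = crypto.randomBytes(16); // key specific to this object
  return {
    wrappedUserKey: seal(providerMasterKey, userKey),
    wrappedObjectKey: seal(userKey, objectKey),
    ciphertext: seal(objectKey, data),
  };
}

// Holding only the top key is enough to walk the chain down to the data.
function providerRead(providerMasterKey, record) {
  const userKey = open(providerMasterKey, record.wrappedUserKey);
  const objectKey = open(userKey, record.wrappedObjectKey);
  return open(objectKey, record.ciphertext);
}

// Contrast: the customer encrypts first with a key the provider never receives.
function customerUpload(customerOnlyKey, providerMasterKey, data) {
  return providerStore(providerMasterKey, seal(customerOnlyKey, data));
}

// Constructed sample run.
const providerMasterKey = crypto.randomBytes(16);
const customerOnlyKey = crypto.randomBytes(16);
const secret = Buffer.from('constructed sample: quarterly payroll');
const plain = providerRead(providerMasterKey, providerStore(providerMasterKey, secret));
const opaque = providerRead(providerMasterKey, customerUpload(customerOnlyKey, providerMasterKey, secret));
console.log(plain.toString());                         // provider recovers the plaintext
console.log(opaque.equals(secret));                    // provider sees only ciphertext
console.log(open(customerOnlyKey, opaque).toString()); // customer recovers it
```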

Google’s cloud services are great. They give you a lot of features seemingly for free. However, privacy is not one of them, no matter how convincing the marketing verbiage might seem.


About Ray Klump

Associate Dean, College of Aviation, Science, and Technology at Lewis University; Director, Master of Science in Information Security, Lewis University. You can find him on Google+.
