Angry Over U.S. Surveillance, Tech Giants Bolster Defenses
By CLAIRE CAIN MILLER
Published: October 31, 20
SAN FRANCISCO — Google has spent months and millions of dollars encrypting email, search queries and other information flowing among its data centers worldwide. Facebook’s chief executive said at a conference this fall that the government “blew it.” And though it has not been announced publicly, Twitter plans to set up new types of encryption to protect messages from snoops.
It is all reaction to reports of how far the government has gone in
spying on Internet users, sneaking around tech companies to tap into
their systems without their knowledge or cooperation.
What began as a public relations predicament for America’s technology
companies has evolved into a moral and business crisis that threatens
the foundation of their businesses, which rests on consumers and
companies trusting them with their digital lives.
So they are pushing back in various ways — from cosmetic tactics like
publishing the numbers of government requests they receive to political
ones including tense conversations with officials behind closed doors.
And companies are building technical fortresses intended to make the
private information in which they trade inaccessible to the government
and other suspected spies.
Yet even as they take measures against government collection of personal
information, their business models rely on collecting that same data,
largely to sell personalized ads. So no matter the steps they take, as
long as they remain ad companies, they will be gathering a trove of
information that will prove tempting to law enforcement and spies.
When reports of surveillance by the National Security Agency surfaced in
June, the companies were frustrated at the exposure of their
cooperation with the government in complying with lawful requests for
the data of foreign users, and they scrambled to explain to customers
that they had no choice but to obey the requests.
But as details of the scope of spying emerge, frustration has turned to outrage, and cooperation has turned to war.
The industry has learned that it knew of only a fraction of the spying,
and it is grappling with the risks of being viewed as an enabler of
surveillance of foreigners and American citizens.
Lawmakers in Brazil, for instance, are considering legislation requiring
online services to store the data of local users in the country.
European lawmakers last week proposed a measure to require American
Internet companies to receive permission from European officials before
complying with lawful government requests for data.
“The companies, some more than others, are taking steps to make sure
that surveillance without their consent is difficult,” said Christopher
Soghoian, a senior analyst at the American Civil Liberties Union. “But
what they can’t do is design services that truly keep the government out
because of their ad-supported business model, and they’re not willing
to give up that business model.”
Even before June, Google executives worried about infiltration of their networks. The Washington Post reported on Wednesday
that the N.S.A. was tapping into the links between data centers, the
beating heart of tech companies housing user information, confirming
that their suspicions were not just paranoia.
In response, David Drummond, Google’s chief legal officer, issued a
statement that went further than any tech company had publicly gone in
condemning government spying. “We have long been concerned about the
possibility of this kind of snooping,” he said. “We are outraged at the
lengths to which the government seems to have gone.”
A tech industry executive who spoke only on the condition of anonymity
because of the sensitivities around the surveillance, said, “Just based
on the revelations yesterday, it’s outright theft,” adding, “These are
discussions the tech companies are not even aware of, and we find out
from a newspaper.”
Though tech companies encrypt much of the data that travels between
their servers and users’ computers, they do not generally encrypt their
internal data because they believe it is safe and because encryption is
expensive and time-consuming and slows down a network.
But Google decided those risks were worth it. And this summer, as it
grew more suspicious, it sped up a project to encrypt internal systems.
Google is also building many of its own fiber-optic lines through which
the data flows; if it controls them, they are harder for outsiders to
tap.
Tech companies’ security teams often feel as if they are playing a game
of Whac-a-Mole with intruders like the government, trying to stay one
step ahead.
Google, for instance, changes its security keys, which unlock encrypted
digital data so it is readable, every few weeks. Google, Facebook and Yahoo have said they are increasing the length of these keys to make them more difficult to crack.
Facebook also said it was adding the encryption method of so-called
perfect forward secrecy, which Google did in 2011. This means that even
if someone gets access to a secret key, that person cannot decrypt past
messages and traffic.
“A lot of the things everybody knew they should do but just weren’t
getting around to are now a much higher priority,” said Paul Kocher,
president and chief scientist of Cryptography Research, which makes
security technologies.
Facebook said in July that it had turned on secure browsing by default,
and Yahoo said last month that it would do the same for Yahoo Mail early
next year. And Twitter is developing a variety of new security
measures, including encrypting private direct messages, according to a
person briefed on the measures.
Many tech companies have made public information about the number of
government requests for user data they receive, and sued to ask for
permission to publish more of this data. On Thursday, Google, Microsoft,
Facebook, Yahoo, Apple and AOL reiterated these points in a letter to
members of Congress.
But publishing the numbers of requests the companies receive has less
meaning now that reports show the government sees company data without
submitting a legal request.
A sense of betrayal runs through the increasingly frequent conversations
between tech company lawyers and lawmakers and law enforcement in
Washington, and in private conversations among engineers at the
companies and increasingly outspoken public statements by executives.
Mr. Drummond and Larry Page, Google’s co-founder and chief executive,
have said privately that they thought the government betrayed them when
the N.S.A. leaks began, by failing to explain the tech companies’ role
to the public or the extent of its spying to the tech companies,
according to three people briefed on these conversations. When President
Obama invited tech chief executives to discuss surveillance in August,
Mr. Page did not go and sent a lower-level employee instead.
Mark Zuckerberg, Facebook’s chief executive, sarcastically discussed
surveillance at the TechCrunch Disrupt conference in September.
“The government blew it,” he said. “The government’s comment was, ‘Oh,
don’t worry, basically we’re not spying on any Americans.’ Right, and
it’s like, ‘Oh, wonderful, yeah, it’s like that’s really helpful to
companies that are really trying to serve people around the world and
really going to inspire confidence in American Internet companies.’ ”
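Documents Show N.S.A. Intercepted Data From Overseas Servers of Google and Yahoo
October 31, 2013
WASHINGTON — Documents leaked by Edward J. Snowden, a former contractor employee of the National Security Agency, show that the N.S.A. and British intelligence appear to have broken into the fiber-optic cables connecting the overseas servers of Google and Yahoo and copied large amounts of email and other information.
The Washington Post reported on Wednesday that the N.S.A., working with a British agency called Government Communications Headquarters, or GCHQ, apparently took advantage of the large volumes of data stored in, and moved among, a number of global data centers. Such centers all use state-of-the-art network technology.
Compared with its operations inside the United States, the N.S.A.'s information gathering abroad faces fewer legal restrictions and less oversight.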
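Photo caption (WikiLeaks, via Associated Press): Documents leaked by Edward Snowden, a former N.S.A. analyst, indicate that the United States and Britain are collecting data.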
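On Wednesday, Google and Yahoo said they did not know that the government was accessing their data links. Sarah Meron, a Yahoo spokeswoman, said the company had not cooperated with any government agency in such interception, while David Drummond, Google's chief legal officer, expressed outrage.
"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links," Mr. Drummond said in a statement. "We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
In a statement, the N.S.A. did not directly respond to the accusation that it had broken into the companies' overseas data links. But it stressed that it focuses on collecting "foreign" intelligence rather than domestic intelligence, and it rejected the suggestion that it collects information abroad in order to "get around" the constraints of domestic surveillance law. It also said that the assertion that it collects "vast quantities" of Americans' data is "not true."
Companies like Google that run Internet services, including email, online documents, photo storage and search queries, send huge amounts of data over the fiber-optic cables that connect data centers around the world. These data centers use heat-sensitive cameras and biometric authentication systems to maintain a high level of security. The companies believed that the data flowing among the centers was secure. But Google said last month that it had begun encrypting this kind of internal data traffic before the allegations of N.S.A. eavesdropping came to light this summer, and that it had stepped up the effort since then. Three people with knowledge of Google's security work, speaking anonymously, said Google's security chiefs had suspected that outside parties, including governments, might break into its cables, but that there was no hard evidence that this had happened.
Nicholas McKeown, a computer networking expert and professor at Stanford, said the N.S.A. could install physical equipment on a fiber-optic cable to listen to the electronic signals, or insert a splitter into the cable the data passes through. Alternatively, anyone with remote login access to the optical switches or routers could redirect the data flowing through the cable.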
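Level 3 is a company that supplies fiber-optic cable to Google, according to a person with knowledge of Google's infrastructure who was not authorized to speak publicly about it.
Level 3 said in a statement: "We comply with local laws in every country where we do business. In general, governments seeking assistance with law enforcement or security investigations strictly prohibit the parties involved from disclosing the assistance provided."
A German television station had reported that the company cooperated with American intelligence agencies to monitor German citizens using its network; Level 3 denied this in July. The New York Times reported in September that GCHQ had tried various means to obtain the data traffic going into and out of data centers operated by Google, Yahoo, Facebook and Microsoft's Hotmail, an effort that lasted at least three years. GCHQ is said to have developed the program in close cooperation with the N.S.A., and according to GCHQ documents provided by Mr. Snowden, by 2012 the program had gained "new avenues" deep into Google's systems. But exactly what that means is not yet clear.
The Post's report said GCHQ uses a system code-named Muscular to store the intercepted data, "buffering" three to five days of content and updating it in real time, during which the two intelligence agencies work together to decode the data and filter out what they need to keep.
The report also said the N.S.A. uses about 100,000 "selectors" for filtering by search terms. That, the report said, is more than twice as many as the "selectors" used in Prism, the program the N.S.A. runs inside the United States. Prism is authorized by a court under the FISA Amendments Act, passed in 2008; under the program, the N.S.A. collects, through Google, Yahoo and other companies, the emails, search entries and other online activity data of foreigners abroad.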
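GCHQ documents that The Guardian obtained from Mr. Snowden and shared with The New York Times show that the British intelligence agency concentrated for several years on developing Muscular and another closely related program, code-named Incenser. The documents indicate that the N.S.A.'s intelligence needs drove the progress of the two programs to a large degree, and that the Americans valued them highly.
In November 2010, the British agency wrote that "Muscular/Incenser has significantly increased the benefit the N.S.A. gets from our special source access." In some cases the two programs provided data that no other source could, one document said, which "highlights the unique contribution we are now making to the N.S.A., providing many insights into some of their most important targets."
After The Post published the article, Gen. Keith B. Alexander, the director of the N.S.A., was interviewed at a cybersecurity conference. He flatly denied a slightly altered account of The Post's report put to him by some reporters, saying it contained "factual errors," but it was not clear whether he understood that The Post was reporting the penetration of data links between overseas servers.
"There is no evidence that they actually got into the servers," said Alex Stamos, a security consultant at Artemis Internet, a computer security company based in San Francisco. "But they were sitting outside the Google and Yahoo data centers, intercepting data that those companies believed was tightly protected."
Charlie Savage reported from Washington, and Claire Cain Miller and Nicole Perlroth from San Francisco. James Glanz contributed reporting from New York, and John Markoff from San Francisco. Chinese translation by Cao Li (曹莉).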