Google has rolled out a security service for its business customers that could put a serious downer on the UK government’s plans to increase law enforcement’s surveillance powers.
The service was revealed by Google product manager Leonard Law in a blog post and is currently in beta form.
It will let businesses running the company’s Google’s Compute Engine create their own encryption keys.
Encryption is a security technology that scrambles digital information using specialist mathematics.
It makes it so only people in possession of a specific unlock key or password can read the encrypted information.
Google’s move may not sound like a big deal to people outside the technology community, but the implications for the move are pretty massive.
What the Google Compute Engine is
Google’s Compute Engine is the basis of the company’s cloud computing platform.
Cloud computing is a special type of technology that uses a network of remote servers hosted on the internet to run computer processes traditionally done on a device’s internal hardware.
In theory, this means cloud computing customers can get high-powered computer performance, or run complex tasks beyond normal hardware’s capabilities without having to buy lots of equipment.
As well as Google, which uses the tech to power many of its own services, such as YouTube, numerous big-name companies including Coca Cola, Best Buy, Rovio, Avaya and Ocado also use the Compute Engine.
How it links to government surveillance
The widespread use of Google’s cloud tech means it handles vast amounts of user data. Data running through the platform can include things like customer records, account information and, at times, the user’s geographic location.
PRISM documents leaked by Edward Snowden in 2013 revealed intelligence agencies, such as the NSA and GCHQ, have been siphoning vast amounts of web user information from Google’s cloud platform — as well as many other cloud service providers.
The move makes sense, as the Compute Engine’s large customer base lets the agencies collect data from multiple companies and services from one central source.
A game of cat and mouse
Google already encrypts services running through its Compute Engine by default. This partially protects customers as it means agencies like the NSA or GCHQ cannot read the data without knowing which encryption key was used.
However, the tactic is not foolproof, as the NSA and GCHQ can use legal requests, such as letters sent under the US Foreign Intelligence Surveillance Act (FISA), to force Google to unlock or hand over unencrypted copies of the data.
This issue was set to get even worse in the UK and US as both governments have hinted at plans to make it easier for law enforcement and intelligence agencies.
Law enforcement agencies within the US have been lobbying for the US government to control business use of encryption since the PRISM leaks emerged. FBI director of counter-terrorism Michael Steinbach warned lawmakers that strong encryption technology allows terrorists “a free zone by which to recruit, radicalize, plot and plan,” in June.
UK prime minister David Cameron has hinted at plans to hamper the use of encryption. Cameron told Parliament he wants to “ensure that terrorists do not have a safe space in which to communicate,” on June 6.
How companies having their own keys will hamper surveillance
Experts within the security community have argued that Google’s move will cause problems for the UK government’s plans.
FireEye global technical lead Simon Mullis explained to Business Insider this is because it will make it so Google won’t be able to decrypt the data, even if ordered to.
“Essentially the access to, ownership and management of the keys used to encrypt all data within Google Cloud is now handled by the end-customer,” he said.
“[This will] make it harder for any external agencies such as law enforcement or intelligence services to gain access to the decrypted data as there are fewer parties [people able to unlock the data] involved.”
As a result, if law enforcement wanted access to the encrypted Compute Engine data, they would have to mount individual requests to each customer, a practice that would slow their surveillance operations.
Business Insider has reached out to the UK Prime Minister’s press team for comment on how custom encryption keys will impact Cameron’s plans.
Google is one of many technology companies working to fight the UK and US government’s surveillance plans. A group of 140 companies, including Google, Microsoft, Apple and Facebook, sent an open letter to President Obama in May urging him to reject the encryption proposals, fearing they would damage the US economy. Apple CEO Tim Cook claimed law enforcement’s hostility towards encryption is dangerous in June.