New York Times
POSTED: 1:30 a.m. HST, Nov 1, 2013
SAN FRANCISCO » Google has spent months and millions of dollars encrypting email, search queries and other information flowing among its data centers worldwide. Facebook's chief executive said at a conference this fall that the government "blew it." And although it has not been announced publicly, Twitter plans to set up new types of encryption to protect messages from snoops.
It is all reaction to reports of how far the government has gone in spying on Internet users, sneaking around tech companies to tap into their systems without their knowledge or cooperation.
What began as a public relations predicament for America's technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital lives.
So they are pushing back in various ways — from cosmetic tactics like publishing the numbers of government requests they receive to political ones including tense conversations with officials behind closed doors. And companies are building technical fortresses intended to make the private information in which they trade inaccessible to the government and other suspected spies.
Yet even as they take measures against government collection of personal information, their business models rely on collecting that same data, largely to be able to sell personalized ads. So no matter the steps they take, as long as they remain advertising companies, they will be gathering a trove of information for law enforcement and spies.
When reports of surveillance by the National Security Agency surfaced in June, the companies were frustrated at the exposure of their cooperation with the government in complying with lawful requests for the data of foreign users, and they scrambled to explain to customers that they had no choice but to obey the requests.
But as details of the scope of spying emerge, frustration has turned to outrage, and cooperation has turned to war.
The industry has learned that it knew of only a fraction of the spying, and it is grappling with the risks of being viewed as an enabler of surveillance of foreigners and U.S. citizens.
Lawmakers in Brazil, for instance, are considering legislation requiring Google to store the data of local users in the country. European lawmakers last week proposed a measure to require U.S. Internet companies to receive permission from European officials before complying with lawful government requests for data.
"The companies, some more than others, are taking steps to make sure that surveillance without their consent is difficult," said Christopher Soghoian, a senior analyst at the American Civil Liberties Union. "But what they can't do is design services that truly keep the government out because of their ad-supported business model, and they're not willing to give up that business model."
Even before June, Google executives worried about infiltration of their networks. Reports on Wednesday that the NSA was tapping into the links between data centers, the beating heart of tech companies housing user information, confirmed that their suspicions were not just paranoia.
In response, David Drummond, Google's chief legal officer, issued a statement that went further than any tech company had publicly gone in condemning government spying.
"We have long been concerned about the possibility of this kind of snooping," he said. "We are outraged at the lengths to which the government seems to have gone."
A tech industry executive who spoke only on the condition of anonymity because of the sensitivities around the surveillance, said, "Just based on the revelations yesterday, it's outright theft," adding, "These are discussions the tech companies are not even aware of, and we find out from a newspaper."
Although tech companies encrypt much of the data that travels between their servers and users' computers, they do not generally encrypt their internal data because they believe it is safe and because encryption is expensive and time-consuming and slows down a network.
But Google decided those risks were worth it. And this summer, as it grew more suspicious, it sped up a project to encrypt internal systems. Google is also building many of its own fiber-optic lines through which the data flows; if it controls them, they are harder for outsiders to tap.
Tech companies' security teams often feel as if they are playing a game of Whac-a-Mole with intruders like the government, trying to stay one step ahead.
Google, for instance, changes its security keys, which unlock encrypted digital data so it is readable, every few weeks. Google, Facebook and Yahoo have said they are increasing the length of these keys to make them more difficult to crack.
Facebook also said it was adding the encryption method of so-called perfect forward secrecy, which Google did in 2011. This means that even if someone gets access to a secret key, that person cannot decrypt past messages and traffic.
"A lot of the things everybody knew they should do but just weren't getting around to are now a much higher priority," said Paul Kocher, president and chief scientist of Cryptography Research, which makes security technologies.
Facebook said in July that it had turned on secure browsing by default, and Yahoo said last month that it would do the same for Yahoo Mail early next year. And Twitter is developing a variety of security measures, including encrypting private direct messages, according to a person briefed on the measures.
Many tech companies have disclosed information about the number of government requests for user data they receive and have sued to ask for permission to publish more of this data. On Thursday, Google, Microsoft, Facebook, Yahoo, Apple and AOL reiterated these points in a letter to members of Congress.
But publishing the numbers of requests the companies receive has less meaning now that reports show the government sees company data without submitting a legal request.
A sense of betrayal runs through the increasingly frequent conversations between tech company lawyers and lawmakers and law enforcement in Washington, and in private conversations among engineers at the companies and increasingly outspoken public statements by executives.
Drummond and Larry Page, Google's co-founder and chief executive, have said privately that they thought the government betrayed them when the NSA leaks began, by failing to explain the tech companies' role to the public or the extent of its spying to the tech companies, according to three people briefed on these conversations. When President Barack Obama invited tech chief executives to discuss surveillance in August, Page did not go and sent a lower-level employee instead.
Mark Zuckerberg, Facebook's chief executive, sarcastically discussed surveillance at the TechCrunch Disrupt conference in September.
"The government blew it," he said. "The government's comment was, 'Oh, don't worry, basically we're not spying on any Americans.' Right, and it's like, 'Oh, wonderful, yeah, it's like that's really helpful to companies that are really trying to serve people around the world and really going to inspire confidence in American Internet companies.'"