The US giants that rule the Internet were enraged by the latest revelations about the National Security Agency's activities. "We do not provide any government, including the US government, with access to our systems," Google's chief legal officer, David Drummond, responded to the Washington Post story, before assuring the world's Gmail users, "We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform."
Google and Yahoo have a good reason to be furious - the thought among users that private data could be compromised represents a direct threat to their business models. "There are a lot of security concerns about cloud computing anyway, and companies, like Google and Yahoo, have spent lots of money trying to reassure people that it is secure," said Carl Miller, research director of the Center for the Analysis of Social Media (CASM) in the UK. "And there's a burgeoning industry of cloud encryption that is trying to monetize all those concerns."
As if to address that threat, Google's Drummond also said in his statement, "We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links."
But encryption may not be the weak point. By their very nature, networks like the one that Google relies on have to trade off security for smooth service. "They build these huge 'cloud' networks," Falk Garbsch, spokesman for German digital rights group Chaos Computer Club, explained. "The trick is that you have to hold the data wherever the user is - if I have an email account in Germany I also want to access it in the US, but if every data retrieval happens via the transatlantic underwater cables, then it slows down the network connection. So Google and Yahoo exchange data between the data centers."
In other words, Google keeps a number of data centers - often big enough to occupy an entire building - all around the world. When data is transported, it is encrypted before it leaves and then unencrypted inside another data center. To hack that data, Garbsch thinks it is likely that the NSA would try to attack the point where the encryption happens.
"One problem with cloud systems is that you need one point within the data center with unencrypted data - the data center needs to be able to read the data in order to organize it and show it," he said.
Prisms and court orders
It is not (yet) publicly known how the NSA was able to attack this network. "There are several possibilities," said Garbsch. "Either I get access to the actual building somehow - either via laws that allow me do it as a secret service, or I break in, or I have employees inside to install some kind of hardware that provide a connection to the outside."
The most likely scenario is that the NSA gets a court order on the company which provides Google with its fiber-optic cables - Level 3 Communications - which would then be forced to install special devices that contain prisms to divert the cables light signals - without Google's knowledge.
The NSA can also use the structure of the cloud network to circumvent the law. "The NSA is not allowed to investigate domestically, just as we in Germany have intelligence agencies that aren't allowed to investigate domestically," said Garbsch. "So in this case it appeared that the NSA worked together with the British agency GCHQ to access British data centers and then sent back information to the US - so technically this was data not sent within the US."
The end of state paternalism
CASM's Carl Miller thinks this latest story is another illustration of a much wider change in perceptions about government. "This is all ending the idea of security paternalism," he said. "In the last couple of decades we've undergone a radical shift in our expectations of government. The boundaries between government and people have got a lot more porous - in whatever policy area. People want to have more of a stake in how policy is made."
Edward Snowden's leaks about the NSA, Miller argues, represent an attack on the highest taboo of government control - national security. "What Snowden has done is drag the last bastion of this paternalistic model of policy-making into the light," he said.
But Miller also warned that it may take a while before the public debate on surveillance is truly open. "What is happening at the moment is that the security community is digging in under the bombardment of all these revelations," he said. "We haven't had any kind of balance. Security officials feel too legally and morally constrained to be able to talk openly about why they're doing the things they're doing, which means that the civil liberties groups are getting more frustrated and exasperated - it's so radically polarized that there doesn't seem to be any way we can maturely move forward at all."