Cloudy Cloud, Google Chrome and privacy in The Cloud

December 15th, 2009

Zeropaid has this story about Google CEO Eric Schmidt, Google Chrome and privacy:

There has been a bit of an uproar about a recent quote by Google CEO Eric Schmidt. While talking to CNBC, Schmidt remarked that, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. If you really need that kind of privacy, the reality is that search engines–including Google–do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.”

Not surprisingly, the familiar pro-surveillance slogan of, “if you’ve got nothing to hide, you’ve got nothing to worry about,” raises the hackles of privacy advocates, and especially so coming this time from someone like Schmidt who has, theoretically at least, more access to users’ information than just about anybody else in the private sector. And Schmidt is not the first Silicon Valley executive to say disturbing things about privacy in the digital age, as the former Sun CEO Scott McNealy once said, “You already have zero privacy. Get over it.” While not disagreeing with the current state of the situation, noted security expert Bruce Schneier despairs of just this kind of attitude, that clashes so strongly with his own principle of how privacy corresponds with fundamental human rights, preserving internal domains from prying eyes, even if nothing nefarious is occurring.

What makes the question of privacy, user tracking and data collection so complex currently is the daily, almost constant exchange that occurs between users today and the service providers that make up the backbone of the web ecology. Every time we search on Google, use Google Apps (where this post is being written actually), visit a site using the Chrome browser, click on a friend’s link via Facebook, etc. etc. we are being “paid” in a sense via these services for the data we provide to the companies. They of course collate all that data in order to sell it, manipulate it, exploit it, what have you. It is precisely that data that has turned Google into a giant of 21st century business and will likely be the eventual route to revenue for innovative companies like Facebook and Twitter and many more.

Is this exchange, surrendering our data (and ultimately our privacy) for services a fair balance? Who is coming out ahead? Do users deserve more compensation for their online footprints, or at least have more control over who gets the data and what they do with it? What are the implications of an entire Chrome OS built upon this notion of exchange?

As we continue to examine the immense promise of cloud computing and online digital services, we should always keep these kinds of questions in mind, if only to be at least aware of what we are giving up, and what precisely we are getting in return.

Zeropaid

“Maybe you shouldn’t be doing it in the first place”. Hmmmm; maybe you should? Who knows.

What all readers of BLOGDIAL do know is what we think about “nothing to hide, nothing to fear”.

The fact of the matter is if you really want privacy, you can have it. We have been saying this on BLOGDIAL for many years; if you want privacy online, all you have to do is take it.

Even with cloud services like Google’s Chrome OS, which are inherently non-private.

Here is how you do it.

Chrome OS is open source.
GPG is open source.
You put them together.

Imagine that your copy of Chrome OS is a layer that sits between you, GPG and the Google-controlled cloud. Chrome OS and GPG are both running on your hardware, and you have total control over that hardware and what runs on it. Anything that you do on your machine via Chrome OS is encrypted before it is sent to and stored on the cloud:

That means that when Google, at the request of the NSA or Homeland Security, looks at your cloud data, all they see is a series of GPG-encrypted ciphertexts that no one, and I mean NO ONE, can decrypt.

That means all of your:

  • Email
  • Spreadsheet Data
  • Documents
  • Calendar items

and anything else that Google want to provide to you as a service are all encrypted and decrypted on the fly, and while they are stored on Google’s servers, they are in a form that cannot be read by anyone except you.

Your Google address book would need to stay in plaintext on the Google Cloud, since the email systems need that information in plaintext for your recipients to get mail from you. This system cannot do anything to protect you from having your email subjected to traffic analysis.

You have all the advantages of the Google cloud, without any of the privacy downside. Google maintains the parts of the Chrome OS that do their work, and people outside of Google maintain the Chrome GPG layer (under open source peer review) protecting your privacy. It’s a win-win scenario for everyone except the police state, and since all of the source is developed in the open, it will not be possible for, say, the French to cripple the GPG layer that everyone uses to secure their data, as they have done with the A5 cipher that is used to encrypt GSM phone calls.

All the cryptographic services needed to do this could be built into Chrome OS so that it is completely seamless and transparent to the user; the only difference in the operation of Chrome OS would be a second login page where you type in your GPG passphrase to unlock all your cloud data.

Zeropaid said:

As we continue to examine the immense promise of cloud computing and online digital services, we should always keep these kinds of questions in mind, if only to be at least aware of what we are giving up, and what precisely we are getting in return.

You do not have to give up any of your privacy for convenience. You can have total, unprecedented levels of privacy in your communications without any degradation of service whatsoever. For generations people have suffered having their letters opened, their telexes, faxes and phone calls tapped and their reading habits known to snoops; now, with GPG and ubiquitous and very powerful computing, it is possible for you to have all your letters absolutely secured, the content of all of your phone calls absolutely private, without any degradation in the utility of the services you use.

All you have to do is THINK, create the tools and then USE THEM.

And here is a snazzy term to help you think about this… “Cloudy Cloud”… hmmmm ‘Chrome OS: Cloudy Cloud Edition’!

UPDATE

A lurker emailed, intrigued, and asked how Google Calendar could work on a shared calendar if all entries were encrypted by default to a single Cloudy Cloud user’s system.

Thankfully, with GPG you can encrypt your calendar entries (or any other data for that matter) with another person’s GPG Public Key.

This means that the calendar entries that are encrypted with your Public Key and a colleague’s Public Key will be readable by only you and your colleague, and no one else.

Managing this would be as easy as ticking a single box in a list populated by your contacts. The other person’s GPG Public Key would be imported if it did not already exist on your machine (and you would have to verify its trust, obviously), and then, automagically, they would have access to all the calendar entries that you want to share.
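The two parts of the scheme, the encrypt-before-upload layer described above and the shared-entry mechanism from this update, as one runnable demo using GnuPG’s own command line. This script is an added example, not BLOGDIAL’s proposal code and not part of Chrome OS. It assumes GnuPG 2.1 or later is on PATH; the party names (alice, bob, carol at example.invalid), the throwaway keyrings and the calendar entry are all constructed for the demo. Two shortcuts stand in for what the post describes: passphrase-less keys replace the GPG passphrase login page so the script runs unattended, and `--trust-model always` replaces the fingerprint verification you would do on a contact’s key.

```shell
#!/bin/sh
# Cloudy Cloud sharing model: the client encrypts a calendar entry with GnuPG
# before it is stored, to its own key and to each ticked contact's public key.
# Everything here is constructed for the demo (throwaway keyrings, sample entry).
# Requires GnuPG 2.1 or later on PATH.
set -eu

WORK=$(mktemp -d)   # one throwaway GNUPGHOME per party; the real keyring is never touched

cleanup() {
  for p in alice bob carol; do
    GNUPGHOME="$WORK/$p" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# make_party NAME: fresh keyring for NAME with a passphrase-less key (demo
# shortcut; the real layer would prompt for the passphrase at a second login).
make_party() {
  mkdir -m 700 "$WORK/$1"
  GNUPGHOME="$WORK/$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$1@example.invalid" default default never 2>/dev/null
  GNUPGHOME="$WORK/$1" gpg --batch --quiet --export --armor "$1@example.invalid" \
    > "$WORK/$1.pub"
}

# encrypt_entry OWNER [CONTACT...]: what "ticking a contact's box" would do.
# Each contact's public key is imported into OWNER's keyring if missing, then
# the entry is encrypted to OWNER plus every contact. --trust-model always
# stands in for the user having verified the contact's key fingerprint.
encrypt_entry() {
  owner=$1; shift
  rcpts="--recipient $owner@example.invalid"
  for c in "$@"; do
    GNUPGHOME="$WORK/$owner" gpg --batch --quiet --import "$WORK/$c.pub" 2>/dev/null
    rcpts="$rcpts --recipient $c@example.invalid"
  done
  # $rcpts is deliberately word-split into separate --recipient options
  GNUPGHOME="$WORK/$owner" gpg --batch --quiet --yes --trust-model always $rcpts \
    --encrypt --output "$WORK/entry.gpg" "$WORK/entry.txt"
}

# read_entry NAME: decrypt the stored blob with NAME's keyring. Prints the
# plaintext and returns 0 only if NAME holds a matching private key.
read_entry() {
  GNUPGHOME="$WORK/$1" gpg --batch --quiet --decrypt "$WORK/entry.gpg" 2>/dev/null
}

# recipient_count: number of public-key-encrypted session-key packets in the
# blob. GPG encrypts the entry once under a random session key and wraps that
# key separately for each recipient, so one stored blob serves every reader.
recipient_count() {
  GNUPGHOME="$WORK/alice" gpg --batch --list-packets "$WORK/entry.gpg" 2>/dev/null \
    | grep -c '^:pubkey enc packet:'
}

# --- demo run: alice shares one entry with bob; carol's box is not ticked ---
ENTRY='2009-12-16 10:00 Cloudy Cloud planning call (shared with bob)'   # constructed sample
printf '%s\n' "$ENTRY" > "$WORK/entry.txt"
make_party alice
make_party bob
make_party carol
encrypt_entry alice bob

printf 'session key wrapped for %s recipients\n' "$(recipient_count)"
printf 'alice reads: %s\n' "$(read_entry alice)"
printf 'bob reads:   %s\n' "$(read_entry bob)"
if read_entry carol >/dev/null; then
  echo 'carol reads: (unexpected)'
else
  echo 'carol reads: nothing, no matching private key'   # the cloud side sees the same
fi
```

Run it with `sh`. The only artefact the cloud side would ever hold is `entry.gpg`; `gpg --list-packets` on it shows one `:pubkey enc packet:` per ticked recipient and nothing about the content, which is the point the post makes about what Google (or anyone reading Google’s servers) would see.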

One Response to “Cloudy Cloud, Google Chrome and privacy in The Cloud”

  1. BLOGDIAL » Blog Archive » Cloudy Cloud Part Two: Fixing Chrome OS Says:

    […] is another aspect to this that we have already touched upon on BLOGDIAL, and for the record, software is perhaps the only speech for which this statement always returns […]
