Google-NSA partnership should be more public, less private

Google has raised some eyebrows lately, first by going public in January with the news that it had been hacked and blaming the Chinese government for illegally accessing some Chinese Gmail accounts. This kind of openness in the area of cybersecurity is as unusual as it is welcome.

Less welcome is the recent news that Google and the National Security Agency are negotiating an agreement for sharing information, apparently with an eye toward unraveling the attack itself and creating effective defenses against future attacks.

The plea for better public-private cooperation in cybersecurity has been made by both government and industry for more than 15 years, and it should be good news that Google and NSA are practicing what has been preached for so long. But if it is to serve the public interest, any public-private partnership needs to be as public as it is private. So far, this relationship does not seem to fit that description.

Neither Google nor the NSA has commented publicly on the agreement. Absent any openness, there is no way for Google customers to know what information the company is giving NSA and no way for U.S. citizens to know what NSA is doing for Google in return.

EPIC, the Electronic Privacy Information Center, last week filed a Freedom of Information Act request with NSA seeking records regarding the partnership. The request seeks, “All records concerning an agreement or similar basis for collaboration, final or draft, between the NSA and Google regarding cybersecurity; all records of communication between NSA and Google concerning Gmail, including but not limited to Google's decision to fail to routinely encrypt Gmail messages prior to Jan. 13, 2010; and all records of communications regarding NSA's role in Google’s decision regarding the failure to routinely deploy encryption for cloud-based computing service, such as Google Docs.”

This is the nightmare of every company that collaborates with government. FOIA is the bugaboo cited to justify reluctance in sharing information with agencies because they fear proprietary information will be leaked to the public. But when a company has access to the volume and kinds of information that Google has, it has strong obligations to respect and protect the privacy of customers.

It is not enough for Google to say it is not sharing anything inappropriate. The people whose privacy is at stake must be able to verify this and have a mechanism for enforcing it if necessary. It also is not enough to say they are only sharing it with the government. Disclosure of information to the government is just as much a breach of privacy as disclosure to any other party. To the individual, it makes precious little difference whether personal information is taken without permission by the Chinese government, or given without permission to the U.S. government.

On the other hand, NSA has no business working privately for Google or any other company. Information uncovered in the investigation of the attack should be available to all those who can use it, and any NSA techniques or tools for detecting, preventing or mitigating an attack should be made publicly available.

The way to ensure these conditions are met is through a transparent process of negotiating any agreement and an open, enforceable agreement that protects the rights of the public as well as business and government.

A likely objection to this approach is that it is an awkward, inefficient way to ensure public cybersecurity and national cyber defense. This is probably true, but it makes no difference. Both government and industry have obligations they must meet whether or not it is convenient. Ensuring our privacy and our security are among them.

Reader Comments

Sat, Aug 21, 2010 tim gallien

Google is NSA. The fallacy of knowledge is the greatest single hurdle towards truth. You are not free. The internet never was. Internet = privatized intelligence gathering net. We don't call it the NET because of what it figuratively looks like. We call it the NET because of what it does. Kinda like INTERPOL. When a military or government application gets put into private hands, it is no longer held to account by the people. This "partnership" is a propaganda smokescreen, designed to reinforce the idea that all of this cyber security is not aimed at you, when it has been the whole time. Kinda like homeland security, the patriot act, military commissions act, as well as many other things said to be for your own and the general public's welfare. It's not security when they build fences around you. It is not security when they spy on you. All you have to know is the answer to a few questions. WHO IS THE GOVERNMENT MOST SCARED OF? WHO BENEFITS? WHAT WOULD HITLER, STALIN, POL POT, MAO, HAVE DONE WITH THE INTERNET?

Wed, Feb 10, 2010

Typical. Let's just tell everybody in the world how the NSA works. Let's share with every spy, hacker and kook in the world how to detect intrusions into very secure networks. No wonder the intelligence agencies in this country are snake-bit and don't trust outside groups; particularly the fourth estate. Live; 35 miles from ground zero #2, the nation's capital.

Tue, Feb 9, 2010

Google has been an NSA black project for years. I can't imagine a better source for "intelligence" than the halls of the Goog. And having posted this, I expect to vani... +++NO CARRIER

Tue, Feb 9, 2010

Over the years, I've worked with NSA employees. I found them to be of the best integrity. Please keep this in mind.

Tue, Feb 9, 2010 John Dittmer

William, I have to disagree that NSA needs to expose its techniques to the public. Those techniques came at great expense and we do not need to provide hackers of whatever variety information on how to create better attacks. What I didn't appreciate is how some in the press depict any cooperation between Google and NSA as automatically an attempt to spy on individuals. NSA was brought in to investigate how Google got attacked and how to prevent or mitigate it in the future.


