Is Google working with the NSA a cause for concern?

In an agreement first reported in a story by the Washington Post and quickly circulated more broadly by dozens of news sources (to say nothing of bloggers and Twitter users), Google will apparently seek the assistance of the National Security Agency (NSA) to improve Google’s security posture and make the Internet giant better able to defend against cyber attacks. The key information in the story comes from the ever-popular sources speaking on the condition of anonymity, so the full details are not certain, but it appears Google will open up its environment and network and system operations to the NSA so that the government’s leading information assurance experts can evaluate Google’s hardware and software for vulnerabilities and monitor Google’s environment to identify the kinds of attacks or penetration methods being used against it. There’s nothing obvious about the stated purpose of the pending collaboration that would suggest the NSA would want or would be given access to Google users’ personal data, but the prospect of any routine information sharing with the government makes some privacy advocates uneasy.

To be sure, the NSA doesn’t have the best track record in this regard, what with the extensive warrantless wiretapping the agency engaged in for several years following the September 11, 2001 terrorist attacks, until the program was ruled unconstitutional. Despite the unconstitutionality of the program, the NSA and the telecommunications companies that cooperated with the NSA in the surveillance operation have to date escaped legal liability, making some fearful that the agency can in effect do whatever it wants with little chance of it being held accountable for violating individual privacy protections. However, the question posed in the Post article by Ellen McCarthy of the Intelligence and National Security Alliance, “At what level will the American public be comfortable with Google sharing information with NSA?” seems almost beside the point. There is little indication that Google has any plans to share personally identifiable user data with anyone, whether related to online searches or the use of its many applications and services. Google Mail users already implicitly consent to the automated scanning of the content of their email messages by Google (in order to serve targeted ads), and the sort of network traffic analysis likely to be involved in monitoring for malware or other threats doesn’t focus on that type of data for its analysis. Concerns over routine or persistent government monitoring of private communications might be better directed to the government’s Einstein intrusion prevention program (in which the NSA plays a significant role).

Despite the attention this latest report has garnered, this is not the first time Google and the NSA have worked together. Nearly two years ago the intelligence community publicized its use of Google search engine software and hardware appliances as part of the technical solution underlying Intellipedia, a private information sharing environment based on a wiki model that has been operational for nearly four years. At the time, the relationship between Google and agencies in the intelligence community prompted some of the same concerns over just how much of Google’s data might end up being exposed to the government. On balance it seems what the government was most concerned with was the technology Google’s solutions offered, not the data the company maintained.

There is another way to look at Google’s decision to seek assistance from the NSA: the company has fallen victim to cyber attacks exploiting a variety of vulnerabilities, some not even part of Google’s computing environment. Here we have a company that has discovered, and disclosed publicly, that its security posture is less robust than it would like, and now is actively seeking ways to improve its information security. At such a time any large company might seek advice from leading security consultants and practitioners, and ask for an evaluation of its current security practices and capabilities as well as recommendations for strengthening security and mitigating risks due to identified threats and vulnerabilities. If you’re Google, your operation is very large and technically advanced, you have a market leadership position you’d like to protect, and you would presumably turn to the very best experts you could find. In the information assurance arena, NSA is the best. Even without the national publicity surrounding the latest attacks on Google and their influence on international diplomacy for the United States, it is also understandable why the NSA would be willing to help a company like Google (indeed, the Post article notes that other, unidentified technology companies have sought assistance from NSA), and gaining access to personal email and other data from Google users just doesn’t seem a reasonable motivation behind NSA’s participation in this agreement.