Thanks to the whistleblower Edward Snowden we know that the US government’s spying goes beyond our most wild imaginations, and we discovered that unfortunately many of the biggest tech companies today, who provide services to hundreds of millions of people, are working hand in hand with the government to provide them easy access to million of people’s data at a time.
These partnerships were formed with the government, because the government wanted an easy way to get to all that encrypted data, without having to go through the trouble of decrypting everything themselves. That doesn’t necessarily mean they aren’t able to intercept a certain person’s encrypted communications or that they can’t decrypt his encrypted files, but multiply that by millions or hundred of millions, and it becomes a lot harder to do that. Since the government seems to believe that everyone’s communications are “relevant” for their investigations, that’s how the tech companies got into this mess, too.
Sadly, instead of fighting the government aggressively in Courts, they took they easy way out, and agreed to it. But now, after the Snowden leaks, they are finally realizing that giving their users’ data to a 3rd party like that (even when it’s the government – or rather especially when it’s the government) wasn’t that smart and could lose them a lot of users in the long term, when much more secure alternatives come along.
Some of them are saying that they are fighting the government to allow them to disclose more, but that’s taking baby steps. It doesn’t really help us. What they need to do is implement highly secure protocols for end-to-end encryption, that even the companies themselves can’t decrypt, because they wouldn’t have the keys. So when the government comes knocking to their doors, there is nothing to give them.
These are protocols such as OTR (Off The Record – not to be confused with Gtalk’s “Off The Record”, which is only similar in name), which encrypt every single message in the communication with a different key. That means that if anyone has access to them, they’d have to decrypt every single message, and can’t decrypt the whole conversation at once. This capability is called “perfect forward secrecy”.
Then there’s PGP for e-mails, which doesn’t include PFS, but the owner of the service still doesn’t have access to what’s in that conversation (only to the metadata). Google could implement this in Gmail, and even though the technology is kind of complicated to use by normal people, because you have to exchange keys with everyone you know – Google could make that a lot easier by helping you set-up your keys in the beginning (client-side, so they don’t have access to the private key) and then tie everyone’s public key to their profile. Then once you enable PGP in your e-mail, you could automatically talk to other Gmail users using PGP.
Google, and others, could implement these technologies, but the question is will they? I’m not seeing them in a hurry to implement any really secure technology. Until they do that, you can use open source OTR-enabled apps like TextSecure (by known cryptographer Moxie Marlinspike, who’s also collaborating with CyanogenMod for a secure texting solution), RedPhone for secure calls (also by Moxie), and Mailvelope for PGP.