You are here

Google’s “Going Dark” Encryption Leadership Threatens Sovereign Security

Google is unique in its leadership, plans, and global marketpower to accelerate the majority of all global Web traffic “going dark,” i.e. encrypted by default. Google’s “going dark” leadership seriously threatens  to neuter sovereign nations’ law-enforcement and intelligence capabilities to investigate and prevent terrorism and crime going forward.

Google is not the only U.S. Internet company endangering the national security of many countries by “going dark” via end-to-end corporate encryption in an environment of exceptional terrorist risk -- Apple has been self-servingly irresponsible as well.

Nevertheless, Google warrants the spotlight and primary focus here on “going dark” for three big reasons.

First, since 2009, Google has been the Internet industry’s encryption visionary and ringleader in trying to establish encryption as a de facto Web standard to defend the Internet digital commons from the reach of sovereign authority and accountability.

Second, Google commands by far the most market power and Web traffic generation to make widespread encryption by default happen, and happen relatively quickly.

And third, Google flaunts its extraordinary political influence to dictate U.S. Government technology policy to ensure that its corporate interests come before the America’s best interests.    

Google is poised to advance relatively quick mass encryption of Web traffic via an important new Web standard (to be discussed below) under the PR guise of speeding up access to web content, promoting user privacy, and opposing government surveillance.

However, Google is silent here about its ulterior motives and the self-serving benefits of widespread encryption to Google.

Encryption by default via a new Web standard: facilitates Google’s modis operandi of evading sovereign accountability and authority on antitrust, privacy and copyright enforcement; covers up its increasing dominance of the Web and ICANN-related organizations; and augments its market power and voracious data collection by providing Google for the first time the technical visibility into most intra-app and inter-app activity on the Web. 

Pre-Paris ISIS massacre, FBI Director James Comey openly criticized Google and Apple for endangering national security by “going dark” via unbreakable and inaccessible end-to-end corporate encryption.    

Post-Paris ISIS massacre, CIA director John Brennan said: “I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve.” [bold added]

What is Google’s leadership role in accelerating the Web “going dark?”

Few outside of the Internet technical realm appreciate that the core HTTP Internet network protocol standard, which is the foundation of data communication on World Wide Web, was updated in 2015 for the first time since 1997. It is named “HTTP/2.”

Even fewer know that Google’s pioneering SPDY Internet network protocol was both the impetus for, and the basis of, the new HTTP/2 standard, which is the World Wide Web’s foundational computer code. Google’s SPDY protocol proved it could reduce the latency of how long it takes web pages to load through better compression, multiplexing and prioritization. Its core technical approach has largely become the new Web standard used by all the major browsers.

While HTTP/2 itself does not require encryption, Google Chrome has “stated they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.” (TLS is Transport Layer Security, i.e. encrypted transmissions.)

See the pattern here. The world’s most dominant Internet entity technically, economically and politically proposes a redesign of the World Wide Web protocol. Its technical approach is very quickly adopted by the IETF and becomes the world’s new Web network standard.

Then Google, which controls Android, the world’s dominant mobile operating system and Chrome, the world’s leading browser, tells the rest of the world that they will only support adoption of the new improved modern Web network protocol HTTP/2 if it is tied to adopting Google encryption via TLS.

Thus over time, most of the generators of the web traffic that travels through Google Chrome and Android practically will have to adopt Google’s encryption approach over time if they want to “freely” interact with the Web’s most dominant entity over the fastest most modern Web network protocol. 

In addition, Google Gmail is the world’s leading email service with over a billion users and Google is planning to “nudge” higher adoption of Google encryption by sending a warning to Gmail users that an incoming email is coming from unencrypted connections, creating monopsony pressure for others to adopt Google’s preferred encryption, if they want to reach the world’s largest base of email users without their sent emails going into the junk folder of the Gmail receiver by default.

Tellingly, former NSA Director Michael Hayden warned: "Gmail is the preferred Internet service provider of terrorists worldwide," "I don't think you're going to see that in a Google commercial, but it's free, it's ubiquitous, so of course it is."

How does “going dark” help Google to become less accountable to sovereign authority?

Few outside the technical realm of the Internet, appreciate how a broadly-encrypted World Wide Web is a game changer for the Web/Internet and the concept of national sovereignty.

That’s because the big practical implication of encryption as a Web standard is that it more completely virtualizes Web traffic by making it more separate and distinct from the Internet network of connected computer networks that the Web rides upon.

Simply, encryption effectively separates the Web’s software from the Internet network hardware by Web traffic “going dark,” i.e. not being distinguishable or identifiable to hardware as anything but generic traffic.

Importantly and more specifically, when encrypted Web traffic passes through ISP routers and any de facto sovereign country filter device for national security purposes, the ISP or sovereign entity can no longer see the origin and destination of the traffic or what kind of traffic, application, network or device is involved.

Dangerously, this type of encryption effectively neuters anti-terrorism and law enforcement prevention, investigation and prosecution because “going dark” means sovereign authorities cannot learn any of the essential real-time clues and communication facts in the public domain that are essential for preventing and countering terrorism like ISIS-Paris and 9/11.   

Currently a country’s Web traffic goes through local, in-country ISPs where traffic is filtered for spam, malware, viruses, denial of service attacks etc. and where a sovereign nation can see what type of traffic is going where and when, so if they have a terrorist or law enforcement investigation they can have the potential visibility to quickly inspect it, potentially via deep packet inspection.   

Creating end-to-end encrypted connections are a lot like a Virtual Private Network (VPN) connection where web traffic is diverted to Google’s proxy servers and thus passes through the ISP routers or country filters with no visibility of the traffic headers to indicate what kind of traffic is entering and exiting the country to whom, by whom, via what type of application.   

The massive implications here for the ISP sector globally, is that going-dark-mass-encryption not only blinds sovereign law enforcement and regulatory accountability, it effectively transforms local ISPs largely into dumb telecommunications pipes with no information services value-added for that encrypted traffic.

In one fell swoop Google’s mass-encryption-by-default creates a “GoogleNet” network of proxy servers that encrypt and decrypt the traffic for their purposes only, thus de facto creating the world’s largest and dominant global virtual ISP.  

I do not think Google understands the serious national security threat that Google becomes to sovereign authorities around the world, if Google effectively “goes dark” over time and becomes effectively the world’s dominant “Virtual Internet Service Provider” (VISP) outside their sovereign jurisdiction/reach, and the world’s sole repository and gatekeeper for the roughly half of the Web’s Internet activity that Google generates, processes, stores, and controls.

Google “going dark” via mass encryption will naturally put a big spotlight on GoogleNet’s global proxy 1400 server points-of-presence, geographically located in 140 countries per USC research in 2014.

There are other relevant statistics to Google’s massive bypass of ISPs via mass encryption. YouTube is localized in 70 countries “in 76 different languages (covering 95% of the Internet population).” Google Maps has recorded 28 million miles of roads in 194 countries. Google Street View enables 75% of the global population to view their homes on Google Maps. And Google Translate translates 91 of the world’s top languages spoken by ~97% of the world population like a modern day Tower of Babel.

Conclusion

In sum, Google’s unique leadership, plans, and global marketpower to accelerate the majority of all global Internet/Web traffic “going dark,” threatens to neuter sovereign nations’ legitimate law enforcement and intelligence capacity to investigate and prevent terrorism and crime.

Google cleverly can claim it is just benignly making the Web faster with more privacy, while it knows full well that it is technologically morphing into a new technical structure where sovereign law enforcement’s ability to enforce antitrust, privacy, data protection, copyright protection laws becomes much more complicated, delayed and difficult, so that Alphabet-Google can more secretly and further consolidate its proliferating dominance and unmatched collection of private data.  

Now it also should become clearer why Google has devoted so much time and effort to lead and fund the net neutrality movement and why Google led the opposition to oppose any blocking of sites engaged in content piracy in defeating SOPA-PIPA anti-piracy legislation. That’s because preventing sovereign blocking of websites is essential to creating an encrypted Web-based, virtual digital commons that ultimately is not subject to sovereign nation authority or accountability.

With the vast majority of Internet users on Google’s platforms, “Google-Nation” can try and lay claim to the political legitimacy of being the only entity effectively organizing the global Internet community into a virtual nation state, largely separate and distinct, from real world sovereign authority and accountability.

Most disturbing here, is that “going dark” could make “the free and open Internet” become increasingly indistinguishable from the “Darknet” over time. This in turn could further encourage sovereign nations to increasingly sovereignize, and de-Americanize, their national parts of the global Internet into sovereign-accountable, Nation-Nets, or Region-Nets where they can better protect and ensure their own national/regional security.

Just like the Snowden revelations have had a profound effect on the Web/Internet and U.S. Internet platforms over the last couple of years, expect the very real and terrifying scourge of ISIS and other Internet-facilitated terrorism to also have a profound effect on the Web/Internet and its leading platforms going forward.  

Forewarned is forearmed.

***

Scott Cleland served as Deputy U.S. Coordinator for International Communications & Information Policy in the George H. W. Bush Administration. He is President of Precursor LLC, an emergent enterprise risk consultancy for Fortune 500 companies, some of which are Google competitors, and Chairman of NetCompetition, a pro-competition e-forum supported by broadband interests. He is also author of “Search & Destroy: Why You Can’t Trust Google Inc.” Cleland has testified before both the Senate and House antitrust subcommittees on Google and also before the relevant House oversight subcommittee on Google’s privacy problems.

 

 

 

Q&A One Pager Debunking Net Neutrality Myths