Incidence of compulsion
This is an encouraging story about Google exploring the ability to encrypt ‘sitting files’ in their Google Drive product. This is distinct from something like SSL, which only protects items in transit; most companies store the canonical file in the clear.
Declan mentions problem #1, which is that encrypted files are hard to search, and search is Google’s thing. Take that away, and the product is devalued.
What is less thoroughly explored is that, for the government to actually be impeded in retrieving your files, Google would have to be legitimately ignorant of your key. Which means that you would have to be the unique owner of said secret.
In this scenario, Google could not be compelled, secretly, to hand over your files, because they do not have the technical ability to do so.
(Remember, this is not true if Google encrypts your files but also holds the key.)
If the gov’t wanted access to your files, they’d have to compel you to hand over the key — and this sort of pursuit would be harder to keep on the DL. It also wouldn’t scale (a feature, not a bug).
We might call this the incidence of compulsion, where ‘incidence’ is used the sense of tax incidence.
We have well-known statutes and procedures about compelling information from individuals. Our procedures for compelling information from organizations, however, are largely opaque and legally immature.
So, from a privacy perspective, you would rather the law ask you for information, transparently, rather than asking an organization for same, secretly.
—
Back to the product problem: users expect to be able to get in touch with a vendor should they lose their password. In the above scenario, loss of the key would mean loss of the files; Google simply couldn’t help you, for the same reason they couldn’t help the gov’t.
And this is a devalued product for a lot of users. So I wonder how much Google stands to gain from such a thing.