Google recently trumpeted that it now encrypts Gmail messages while shuffling them among its data centers, an extra security layer aimed at thwarting government and criminal snoops, but didn't say if it applies this protection to its other applications.
Asked for clarification, the company declined to comment. "We don't have more details to share beyond the Gmail news, but we're always working in strengthening and encrypting across more services and links," a spokeswoman said via email.
Google's reluctance to clarify the scope of its internal encryption is baffling and does a disservice to enterprise customers who rely on the Apps suite for workplace communication, cloud storage and collaboration, according to analysts.
"When confronted with the evidence of a compromise, and asked for an explanation as to how it happened and what they are doing about it, Google is dissembling. This is no basis for trust," said Jay Heiser, a Gartner analyst.
At issue are reports from last year, based on leaks from former National Security Agency (NSA) contractor Edward Snowden, that the agency snooped on users of online services in part by intercepting data Internet companies transmitted unencrypted in "plain text" among their own servers and data centers.
Back in September, Google officials told The Washington Post that the company was accelerating efforts to encrypt communications between its data centers as a result of these reports.
"It's an arms race," Eric Grosse, vice president for security engineering at Google, said at the time.
About two weeks ago, Google announced it had turned on this "internal" encryption for Gmail, but glaringly neglected to address if and when this will be done for its other services and applications.
"Every single email message you send or receive — 100 percent of them — is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers — something we made a top priority after last summer's revelations," the Google post reads.
The Google spokeswoman declined to provide an update on the efforts described in The Washington Post article in September, in which Google officials were quoted as saying the "end to end" internal encryption project would be completed "soon." The spokeswoman also declined to say exactly when this encryption was turned on for Gmail, acknowledging only that it was first announced in the March 20 blog post.
The situation is a model case for why enterprise cloud-service buyers need more transparency from their providers, according to Heiser. "Not only did nobody expect their data would be vulnerable to surveillance in this way, but nobody outside of Google knows what question to ask to determine if that's been fixed," he said.
Sign up for CIO Asia eNewsletters.