Silicon valley folks seem to forget that technology is always limited, especially around cryptography. From Bloomsberg:
The companies, burned by disclosures they’ve cooperated with U.S. surveillance programs, are protecting user e-mail and social-media posts with strengthened encryption that the U.S. government says won’t be easily broken until 2030.
That’s all great and all, but there’s a big problem here. It doesn’t matter at all.
Cryptosystems always have the “large-bag-of-money” attack, the “rubber-hose” attack and the “throw-you-into-jail” attack. In the US, the “throw-you-into-jail” attack is particularly easy to use, and is being used as shown by Lavabit, comments by Yahoo’s CEO and the Snowden leaks.
You see, cryptography requires trust, the ability to know that the secret keys have not been transmitted to a untrusted third party. In the US, with the Lavabit case, it has been shown that a US company can be coerced to give up the primary private keys for its cryptosystems. What is worse is that they can be forced to do this and forced to not tell anyone.
This means, put simply, as long as you are an American business, your security must be considered suspect until such laws are put into place forbidding the US government from requesting blanket access to such keys.
It doesn’t matter if you have a gold plated private fiberoptic wire encrypted with the finest 512-bit AES encryption, and guarded at both ends by men with assault rifles and hand grenades. If the US government can demand that they get the get private key, all bets are off.
The only possible way for US cloud services to be considered secure/trustworthy moving forward is for them to either blatantly violate the law (ala Lavabit), force the law to change through heavy lobbying, or move all of their operations off shore and legally ensure that the private keys are out of the reach of the US court system.
If you believe this security theater by Google and other Silicon Valley folks will make a real difference, you are a fool.