There's still a gigantic difference between the government being able to "vacuum up" everything (weak/no encryption) from everyone, versus the government having to ask for communications from specific users.
If you are actually trying to hide something from a targeted government attack, you certainly don't want to use any hosted services like Google's.
If, however, you are merely trying to avoid the government passively sweeping up all of your data, searching through it, and maybe subjecting it to further scrutiny due to it containing the wrong keyword, it helps to know that it's encrypted in transit, and that in order to decrypt it, someone has to actually present a warrant to Google.
Of course, there's the additional problem of National Security Letters, as they aren't really real warrants and they have the secrecy around them.
These problems can be attacked on multiple fronts. We can improve cryptographic security, and work on more decentralized approaches to online services, and rein in the NSA's power at a legal level, and so on.
Yes, but (as others have already pointed out) the takeaway point from this press release shouldn't be "Google is doing great things to prevent spying" and should instead be "Google admits they have been sending sensitive customer data between data centers in plaintext."
For sure, but in the case of Google this probably doesn't apply.
From what was published recently we know NSA has proven methods for bypassing encryption, namely getting the keys used for encryption (so they can decrypt everything) or getting access to the content before encryption or after decryption.
To me this last move by Google is a PR attempt at regaining people's trust.
I'm so bored of hearing the accusations of PR stunts.
They crop up in every submission detailing an action taken by Google with regards to the Snowden/Prism/NSA revelations. Is it so ridiculous that a large corporation should seek to ameliorate its image in the eyes of users and shareholders?
PR has become such a dirty word.
Of course it would be best if all these actions were taken earlier, purely as the result of a strongly held principle. However, when presented with the realities of public businesses operating on a global scale - I am glad that such steps as those detailed above are taken: at whatever stage, and for whatever reason.
The tinfoil hat brigade needs to, as the old saying goes, "stop seeing reds under the beds" and occasionally ... just occasionally ... take the facts presented to them.
In times when misinformation and confusion are so wont to proliferate, attempting to discern true motive is almost ridiculous - condemnation on the basis of any such discernment doubly so.
When Google does something that makes it impossible for them to hand over certain types of data to the NSA, either by not collecting it, or making it so that only the user is able to decrypt it, wake me up. Until then, it's a PR stunt.
I am not disputing the fact that a major motivation for their actions is PR. I am suggesting that action as a result of PR pressure is still action - vastly preferable to meek acceptance of the status quo.
That being so - dismissing something as "just PR" misrepresents the actual benefits something like this may confer.
IMAP/POP3 has always been a Gmail option, which allows local PGP use. Chrome sync allows you to set your own encryption passphrase (provided you trust the binary doing the encrypting...). You've been able to share encrypted files on Google Docs/Drive since they added arbitrary file storage. Etc.
Chrome sync is probably the strongest example that I can think of fitting your criteria, since it's built into the product itself, but a lot of this just comes with the territory of web-based apps.
They haven't done anything there though... They've just provided a standard IMAP service, and a standard file syncing service...
When they provide an option in Gmail for people to upload their public PGP keys, and then start encrypting email on the way in, and don't store any non-encrypted versions of those emails, and build PGP support into Chromium for accessing those emails. Then they will have done something worth noticing.