by wtbob 4437 days ago
> I like G+ for the photo back-up from my Android phone.

See, I don't use any of Google's 'let us manage your plaintext data' services except for mail (because email travels in the clear anyway, I'm not too bothered by that).

If they would enable me to store my phone, tablet & app settings, Chrome passwords and backed-up data on their servers, encrypted on the client with a key known only to clients I control, then it'd be a killer feature for me.

Indeed, if they would bake crypto into their products such that all data were encrypted to the public keys of the intended recipients, then I think that they'd be going a long way towards making the world a better place.

But as it is, there's no way that they are laying a finger on my WiFi password, my web site passwords, my photos or any other data I create and do not intend to send to the world.

2 comments

Chrome sync (including passwords) can all be encrypted on the client. Just go to settings -> Advanced sync settings -> "Encrypt all synced data with your own sync passphrase".

Also, if you're this worried, you really owe it to yourself to put in a little effort on your email. Email is often not transmitted in the clear, especially if you're using gmail already, and if you would just switch to a desktop client and IMAP or POP3 access, you can PGP to your heart's content.

I'm aware of the Chrome sync passphrase. If I used Chrome on Android (I don't—I use Firefox), would Chrome back my passphrase up to Google's systems? I dunno.

Is the crypto behind Chrome's sync anywhere near as good as that behind Firefox's? Not last time I looked.

I'm also aware that email often travels via SSL—but it's always cleartext to the sending and receiving hosts. I don't see that I'm suffering an especial risk with Gmail, since someone will always have plaintext versions of all mail I receive; I would be were I backing up data to them which I would never back up to anyone.

> I'm aware of the Chrome sync passphrase. If I used Chrome on Android (I don't—I use Firefox), would Chrome back my passphrase up to Google's systems? I dunno.

At least the docs claim that it's only saved on your device. You can believe it or not. There may be a way to verify that it's not being backed up with your normal Android data, but I'm not sure.

> Is the crypto behind Chrome's sync anywhere near as good as that behind Firefox's? Not last time I looked.

It's never been not good. Maybe you're thinking of back when they didn't have the option to encrypt all your sync data locally, just your passwords? It uses Nigori[1] and the source is all available[2].

This is a little old, but it compares browser syncing security: http://gregoryszorc.com/blog/2012/04/08/comparing-the-securi...

> I'm also aware that email often travels via SSL—but it's always cleartext to the sending and receiving hosts

Fair enough, but if you're using PGP, those hosts are only the actual sender and recipient (and anyone the recipient shares an email with, of course).

[1] http://www.links.org/files/nigori-overview.pdf

[2] https://src.chromium.org/viewvc/chrome/trunk/src/sync/util/n...

I absolutely agree with you. I even have a Nexus 4 phone, but with all of the core invasive tracking stuff turned off.

I want to control my data. Any data that gets stored at rest needs to be stored with PGP at Google's end and only I hold the key.

Until they can guarantee that and someone audits that and proves it to be true then I'll consider letting my data move off the device. Because fuck the NSA.
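The model the thread keeps returning to, data encrypted on the client under a passphrase that only the user's devices know, is sketched below as an added example; it is not part of the original posts and is not Chrome's Nigori code or Firefox's sync code. The function names, scrypt parameters, blob layout and sample record are all assumptions made for illustration.

```javascript
// Added illustration: passphrase-based client-side encryption before upload.
// Not Chrome's Nigori code; every name and parameter here is an assumption.
const nodeCrypto = require("node:crypto");

const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit key from the passphrase. The salt is not secret and is
// stored with the blob; the passphrase and key never leave the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, SCRYPT);
}

// Encrypt one record on the client. `label` (e.g. the record type) is bound
// as associated data so stored blobs cannot be swapped between record types.
function sealForUpload(passphrase, label, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  cipher.setAAD(Buffer.from(label, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // This object is everything the storage provider ever sees.
  return { label, salt: salt.toString("base64"), nonce: nonce.toString("base64"),
           ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64") };
}

// Decrypt on another client that knows the passphrase. Returns null when the
// passphrase is wrong or the blob was modified while in storage.
function openFromDownload(passphrase, blob) {
  try {
    const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.nonce, "base64"));
    d.setAAD(Buffer.from(blob.label, "utf8"));
    d.setAuthTag(Buffer.from(blob.tag, "base64"));
    return Buffer.concat([d.update(Buffer.from(blob.ct, "base64")), d.final()]).toString("utf8");
  } catch (err) {
    return null;
  }
}

// Constructed sample record, not real data.
const blob = sealForUpload("correct horse battery staple", "wifi", "ssid=home;psk=example-only");
console.log(Object.keys(blob).join(","), openFromDownload("wrong passphrase", blob));
```

The confidentiality of the stored blob rests entirely on the passphrase's strength and on the passphrase itself never being backed up alongside the data, which is the question raised in the thread.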