SAN FRANCISCO — Google has spent months and millions of dollars encrypting email, search queries and other information flowing among its data centers worldwide. Facebook's chief executive said at a conference this fall that the government “blew it.” And though it has not been announced publicly, Twitter plans to set up new types of encryption to protect messages from snoops.
It is all reaction to reports of how far the government has gone in spying on Internet users, sneaking around tech companies to tap into their systems without their knowledge or cooperation.
What began as a public relations predicament for America's technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital lives.
So they are pushing back in various ways — from cosmetic tactics like publishing the numbers of government requests they receive to political ones including tense conversations with officials behind closed doors. And companies are building technical fortresses intended to make the private information in which they trade inaccessible to the government and other suspected spies.
Yet even as they take measures against government collection of personal information, their business models rely on collecting that same data, largely to sell personalized ads. So no matter the steps they take, as long as they remain ad companies, they will be gathering a trove of information that will prove tempting to law enforcement and spies.
When reports of surveillance by the National security Agency surfaced in June, the companies were frustrated at the exposure of their cooperation with the government in complying with lawful requests for the data of foreign users, and they scrambled to explain to customers that they had no choice but to obey the requests.
But as details of the scope of spying emerge, frustration has turned to outrage, and cooperation has turned to war.
The industry has learned that it knew of only a fraction of the spying, and it is grappling with the risks of being viewed as an enabler of surveillance of foreigners and American citizens.
Lawmakers in Brazil, for instance, are considering legislation requiring online services to store the data of local users in the country. European lawmakers last week proposed a measure to require American Internet companies to receive permission from European officials before complying with lawful government requests for data.
“The companies, some more than others, are taking steps to make sure that surveillance without their consent is difficult,” said Christopher Soghoian, a senior analyst at the American Civil Liberties Union. “But what they can't do is design services that truly keep the government out because of their ad-supported business model, and they're not willing to give up that business model.”
Even before June, Google executives worried about infiltration of their networks. The Washington Post reported on Wednesday that the N.S.A. was tapping into the links between data centers, the beating heart of tech companies housing user information, confirming that their suspicions were not just paranoia.
In response, David Drummond, Google's chief legal officer, issued a statement that went further than any tech company had publicly gone in condemning government spying. “We have long been concerned about the possibility of this kind of snooping,” he said. “We are outraged at the lengths to which the government seems to have gone.”
A tech industry executive who spoke only on the condition of anonymity because of the sensitivities around the surveillance, said, “Just based on the revelations yesterday, it's outright theft,” adding, “These are discussions the tech companies are not even aware of, and we find out from a newspaper.”
Though tech companies encrypt much of the data that travels between their servers and users' computers, they do not generally encrypt their internal data because they believe it is safe and because encryption is expensive and time-consuming and slows down a network.
But Google decided those risks were worth it. And this summer, as it grew more suspicious, it sped up a project to encrypt internal systems. Google is also building many of its own fiber-optic lines through which the data flows; if it controls them, they are harder for outsiders to tap.
Tech companies' security teams often feel as if they are playing a game of Whac-a-Mole with intruders like the government, trying to stay one step ahead.
Google, for instance, changes its security keys, which unlock encrypted digital data so it is readable, every few weeks. Google, Facebook and Yahoo have said they are increasing the length of these keys to make them more difficult to crack.