They have addressed and/or solved some of those issues:
>So how does this work when the CAs are less than reputable
Chrome has been using certificate pinning for Gmail for quite some time. Not sure what has been implemented in other browsers yet.
>Google has to comply with various homeland security acts
That's a legislative issue, and not something Google can fix. I would argue their track record on pushing for new legislation in that area is quite okay.
>they didn't notice people tapping their fibre
Traffic passing between their DCs is now being encrypted (well, it's been confirmed for Gmail.)
>have had numerous problems with their own staff
I can think of two cases off the top of my head. There's always going to be a small group of people who need full access to production data to do their job. All they can do is keep that group as small as possible and audit everything.
> Traffic passing between their DCs is now being encrypted (well, it's been confirmed for Gmail.)
Encrypted how? With what keys? There's still a single point of failure to capture a huge amount of GMail traffic and an aggressive adversary who has penetrated Google's networks before. Google could be saying this and still handing over the keys to the gov't. The key is increasing the cost of bulk surveillance. This doesn't help. The only acceptable solution is one where I encrypt my data with my own keys.
> That's a legislative issue, and not something Google can fix.
Yes, but technical architecture changes what it means for Google to comply. If all they have is my encrypted data, that's all they can hand over.
Sure, that's a valid point. That's something that is true for any email provider though. Google isn't stopping you from encrypting your mail, and you can't really expect them to force their users to do that, because sadly, the majority doesn't care and would switch to other providers who wouldn't annoy them with that whole encryption stuff.
That's the point: Google has their own interests, and they're not aligned with my privacy or security, except to not be embarrassed. There is a lot they could do besides forcing encryption on everyone, but I honestly think they have other priorities.
>they have done evil before?
Please elaborate.