Wednesday, January 20, 2010

How China exposed Google's hypocrisy

By Chad Perrin ( Source )

China’s breach of Google email account security was, in Google’s own words:

limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Where Google’s new stance on China’s censorship and violation of dissidents’ privacy seems at odds with CEO Eric Schmidt’s recent statement that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place,” an interesting implication of this statement about what information was compromised brings things back into expected focus. That sort of information is exactly the kind of thing that can legally be acquired by United States law enforcement agencies by way of a court order. This suggests that some part of the process of handing over private information to law enforcement personnel serving a court order has been automated, and that security crackers working for the Chinese government found a way to exploit that automated access.

Macworld reports on this disturbing implication in China: Google attack part of widespread spying effort. While the majority of the article focuses on the accusation of “corporate espionage” conducted by the Chinese government, it addresses the implication of poor security policy on the part of Google itself, with regard to its dealings with law enforcement. Speaking of the claim by Google that all the Chinese security crackers were able to access was some identifying account information and email subject lines, the Macworld article says:

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

“Right before Christmas, it was, ‘Holy s*, this malware is accessing the internal intercept [systems],’” he said.

Even the most law-and-order leaning security expert should have alarm klaxons sounding in his head at the thought of this state of affairs. Such an automated access system for law enforcement, in effect, creates an entire framework for compromising the privacy of sensitive data, ready-made for use by malicious security crackers. As Julian Sanchez at Cato put it, in Surveillance, Security, and the Google Breach, building automated law enforcement access portals into one’s network architecture is “breach-by-design” and constitutes “a serious security risk.” Julian went on to say:

The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic. Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.

Julian Sanchez never quite gets around to making the same statement I have on numerous occasions — that, to a significant degree, privacy is security. He does, however, bring up the problem of misguided efforts to provide greater “national security” by creating increased security risk:

The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.

The irony that is much more specific and relevant to the case of the Google security breach is that, while Google strikes a pose for free speech and privacy, the ink is not even dry yet on CEO Schmidt’s words to the effect that caring about privacy is something criminals do. Worse, it was in fact Google going so far as to create an automated system for violating individual privacy that created the opportunity for China’s attack to succeed in the first place.

More to the point, one might find it ironic that Google takes such a hard-line public stand in favor of Chinese dissidents who wish to evade Chinese law enforcement, but regards potential U.S. dissidents who wish to evade U.S. law enforcement as rightly subject to arbitrary surveillance. This is exactly the sort of cognitive dissonance that one should expect from examining moral judgments made by corporations, though, and will not surprise many of us.

The ultimate result is that security and privacy subject to the inconstant whims of corporate policy cannot be trusted to be consistent or trustworthy. This is one more reason why there is no such thing as a trusted brand.