The recent hacking attack on Google in China is proof of what privacy activists have been worrying about for years: that Google has created a "honey pot" of information, bound to attract the interests of authoritarian governments.
The hack attack on Google in China is a direct threat to the freedom and privacy of us all, with the likely real target Google’s vast data bases of in depth information about our online behaviour.
So says Professor Roger Clarke, a leading consultant on data surveillance, and visiting professor at the Australian National University, the University of Hong Kong and the University of NSW. Clarke is also chair of the Australian Privacy Foundation.
Clarke says that international privacy activists and IT professionals have been “lying awake at night” for years, concerned that Google was creating a “honey pot” of information that was bound to attract the interests of authoritarian governments, who might access it with or without Google’s knowledge and cooperation.
“Google would have to be very smart indeed in its security measures, and it is smart,” he said this morning.
“But it is a running battle, and I don’t see that Google can be confident that it will always win it.”
The problems reside in part in the design of Google’s Gmail system, which according to Google was the focus of the attacks from inside China that has led it to consider abandoning that market.
The key words in the Google blog entry that announced the Chinese problem might well prove to be in the first paragraph, in which Google says that the attack resulted in “the theft of intellectual property from Google” — before quickly passing to suggestions that the attacks were mainly unsuccessful, and were not focussed solely on Google.
In 2004, Clarke advised on and participated in a letter sent to Google’s founders, Sergi Brin and Larry Page, by thirty one international privacy and civil rights organisations warning them that the way in which Gmail had been designed posed a risk. In this letter, the organisations said that the email text scanning infrastructure Google had built for the purpose of serving up relevant advertising would have unintended consequences:
No policy could adequately protect consumers from future abuses. The societal consequences of initiating a global infrastructure to continually monitor the communications of individuals are significant and far-reaching with immediate and long-term privacy implications. Google needs to realize that many different companies and even governments can and likely will walk through the email scanning door once it is opened…
Other companies and governments may have very different ideas about data correlation than Google does…
Once an information architecture is built, it functions much like a building — that building may be used by many different owners, and its blueprints may be replicated in many other places.
Clarke said to Crikey this morning that the fact that Google was prepared to sacrifice its position in the vast Chinese market suggested that something much more valuable than the Gmail accounts of human rights activists was at stake. Information was scarce, so he could only surmise, but the obvious target was Google’s databases and archives.
“It would be surprising if the Chinese Government was not interested in them. Of course they would be, and so are many others.”
Clarke said that Google had accumulated vast holdings in individuals — not only those with Gmail accounts or Google accounts:
It’s got all of your search-terms. And it’s got what you clicked on while you’ve been on Google pages. It’s got a list of pretty much every ad you ever clicked on. It’s got any emails that you sent to Gmail users. It’s got what people sent to you from Gmail accounts. It’s got the correspondence that you exchanged with people who, unbeknown to you, flush all of their mail from other accounts through Gmail. It’s got every posting that you’ve sent, since about 2004, to every email-list that you’re on (because at least one person on every list uses Gmail). All of that data is directly related to you because of the email-addresses, IP-addresses and personal names contained in all of that traffic.
That’s reinforced by its use of your email-address as your login id for Google services, and a suite of cookies that are common across all services. If you’re a Google addict, it may also have every location that you ever typed into Google Maps, and every Streetview you ever displayed. And you may have even gifted it your photo collection, and a copy of your own disk-files.
So Google is in a position to mine from its holdings: your online behaviour; your economic and social interests, your political views, your network of contacts and your close associates.
An authoritarian government would like to be able to do that too. So it would be no surprise whatsoever if the Chinese Government sought access to the Google archive and its internal search capabilities. In fact, it would be a big surprise if it didn’t.
Crikey contacted Google this morning, seeking a response to Clarke’s concerns, and in particular for information on the nature and extent of the intellectual property that was stolen in what Google has described as a “highly sophisticated and targeted attack”.
A Google spokesperson told Crikey that:
The trust of our users is very important to us. That’s why we’re being transparent about this attack, and have taken an unusual step by sharing this information with such a broad audience. (See this blog by our president of Google Enterprise for more information). We have already used information gained from this attack to implement additional infrastructure and architectural improvements that enhance security for the company and for our users.
We see attack attempts on our systems frequently, but that does not mean that they succeed. That’s because we invest substantial amounts of time and money in security and we’re constantly improving our systems. No security solution is perfect, but most organisations do not have the resources to invest in security in a comparable way.
We believe our products are safe to use. That’s why our employees use them all day, every day. We have taken significant additional steps since the attack to protect our systems and our users. We would also advise people to protect themselves online by making sure they change their passwords regularly, and by using anti-virus software and upgrading their browsers.