U.S. Enables Chinese Hacking of Google

Tue May 3 08:01:11 PDT 2011

http://www.schneier.com/essay-306.html 

By Bruce Schneier

CNN and Ethiopian Review

January 23, 2010

Google made headlines when it went public with the fact that Chinese hackers
had penetrated some of its services, such as Gmail, in a politically
motivated attempt at intelligence gathering. The news here isn't that Chinese
hackers engage in these activities or that their attempts are technically
sophisticated -- we knew that already -- it's that the U.S. government
inadvertently aided the hackers.

In order to comply with government search warrants on user data, Google
created a backdoor access system into Gmail accounts. This feature is what
the Chinese hackers exploited to gain access.

Google's system isn't unique. Democratic governments around the world -- in
Sweden, Canada and the UK, for example -- are rushing to pass laws giving
their police new powers of Internet surveillance, in many cases requiring
communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain
information on their customers. In the U.S., the 1994 Communications
Assistance for Law Enforcement Act required phone companies to facilitate FBI
eavesdropping, and since 2001, the National Security Agency has built
substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse
and stretching by everyone possible to apply to situations that are
applicable only by the most tortuous logic. The FBI illegally wiretapped the
phones of Americans, often falsely invoking terrorism emergencies, 3,500
times between 2002 and 2006 without a warrant. Internet surveillance and
control will be no different.

Official misuses are bad enough, but it's the unofficial uses that worry me
more. Any surveillance and control system must itself be secured. An
infrastructure conducive to surveillance and control invites surveillance and
control, both by the people you expect and by the people you don't.

China's hackers subverted the access system Google put in place to comply
with U.S. intercept orders. Why does anyone think criminals won't be able to
use the same system to steal bank account and credit card information, use it
to launch other attacks or turn it into a massive spam-sending network? Why
does anyone think that only authorized law enforcement can mine collected
Internet data or eavesdrop on phone and IM conversations?

These risks are not merely theoretical. After September 11, the NSA built a
surveillance infrastructure to eavesdrop on telephone calls and e-mails
within the U.S. Although procedural rules stated that only non-Americans and
international phone calls were to be listened to, actual practice didn't
match those rules. NSA analysts collected more data than they were authorized
to and used the system to spy on wives, girlfriends and notables such as
President Clinton.

But that's not the most serious misuse of a telecommunications surveillance
infrastructure. In Greece, between June 2004 and March 2005, someone
wiretapped more than 100 cell phones belonging to members of the Greek
government: the prime minister and the ministers of defense, foreign affairs
and justice.

Ericsson built this wiretapping capability into Vodafone's products and
enabled it only for governments that requested it. Greece wasn't one of those
governments, but someone still unknown -- A rival political party? Organized
crime? Foreign intelligence? -- figured out how to surreptitiously turn the
feature on.

And surveillance infrastructure can be exported, which also aids
totalitarianism around the world. Western companies like Siemens and Nokia
built Iran's surveillance. U.S. companies helped build China's electronic
police state. Just last year, Twitter's anonymity saved the lives of Iranian
dissidents, anonymity that many governments want to eliminate.

In the aftermath of Google's announcement, some members of Congress are
reviving a bill banning U.S. tech companies from working with governments
that digitally spy on their citizens. Presumably, those legislators don't
understand that their own government is on the list.

This problem isn't going away. Every year brings more Internet censorship and
control, not just in countries like China and Iran but in the U.S., the U.K.,
Canada and other free countries, egged on by both law enforcement trying to
catch terrorists, child pornographers and other criminals and by media
companies trying to stop file sharers.

The problem is that such control makes us all less safe. Whether the
eavesdroppers are the good guys or the bad guys, these systems put us all at
greater risk. Communications systems that have no inherent eavesdropping
capabilities are more secure than systems with those capabilities built in.
And it's bad civic hygiene to build technologies that could someday be used
to facilitate a police state. 