[LINK] Crikey: 'Google a 'honeypot' for authoritarian governments'

Roger Clarke Roger.Clarke at xamax.com.au
Thu Jan 14 14:19:41 AEDT 2010

Google is a "honeypot" of information for authoritarian governments
Margaret Simons
14 January 2010

The hack attack on Google in China is a direct threat to the freedom and
privacy of us all, with the likely real target Google's vast data bases of
in depth information about our online behaviour.

So says Professor Roger Clarke, a leading consultant on data surveillance,
and visiting professor at the Australian National University, the
University of Hong Kong and the University of NSW. Clarke is also chair of
the Australian Privacy Foundation.

Clarke says that international privacy activists and IT professionals have
been "lying awake at night" for years, concerned that Google was creating a
"honey pot" of information that was bound to attract the interests of
authoritarian governments, who might access it with or without Google's
knowledge and cooperation.

"Google would have to be very smart indeed in its security measures, and it
is smart," he said this morning.

"But it is a running battle, and I don't see that Google can be confident
that it will always win it."

The problems reside in part in the design of Google's Gmail system, which
according to Google was the focus of the attacks from inside China that has
led it to consider abandoning that market.

The key words in the Google blog entry that announced the Chinese problem
might well prove to be in the first paragraph, in which Google says that
the attack resulted in "the theft of intellectual property from Google" --
before quickly passing to suggestions that the attacks were mainly
unsuccessful, and were not focussed solely on Google.

In 2004, Clarke advised on and participated in a letter sent to Google's
founders, Sergi Brin and Larry Page, by  thirty one international privacy
and civil rights organisations warning them that the way in which Gmail had
been designed posed a risk. In this letter, the organisations said that the
email text scanning infrastructure Google had built for the purpose of
serving up relevant advertising would have unintended consequences:

No policy could adequately protect consumers from future abuses. The
societal consequences of initiating a global infrastructure to continually
monitor the communications of individuals are significant and far-reaching
with immediate and long-term privacy implications. Google needs to realize
that many different companies and even governments can and likely will walk
through the email scanning door once it is opened...

Other companies and governments may have very different ideas about data
correlation than Google does...

Once an information architecture is built, it functions much like a
building -- that building may be used by many different owners, and its
blueprints may be replicated in many other places.

Clarke said to Crikey this morning that the fact that Google was prepared
to sacrifice its position in the vast Chinese market suggested that
something much more valuable than the Gmail accounts of human rights
activists was at stake. Information was scarce, so he could only surmise,
but the obvious target was Google's databases and archives.

"It would be surprising if the Chinese Government was not interested in
them. Of course they would be, and so are many others."

Clarke said that Google had accumulated vast holdings in individuals -- not
only those with Gmail accounts or Google accounts:

It's got all of your search-terms. And it's got what you clicked on while
you've been on Google pages. It's got a list of pretty much every ad you
ever clicked on. It's got any emails that you sent to Gmail users. It's got
what people sent to you from Gmail accounts. It's got the correspondence
that you exchanged with people who, unbeknown to you, flush all of their
mail from other accounts through Gmail. It's got every posting that you've
sent, since about 2004, to every email-list that you're on (because at
least one person on every list uses Gmail). All of that data is directly
related to you because of the email-addresses, IP-addresses and personal
names contained in all of that traffic.

That's reinforced by its use of your email-address as your login id for
Google services, and a suite of cookies that are common across all
services. If you're a Google addict, it may also have every location that
you ever typed into Google Maps, and every Streetview you ever displayed.
And you may have even gifted it your photo collection, and a copy of your
own disk-files.

So Google is in a position to mine from its holdings: your online
behaviour; your economic and social interests, your political views, your
network of contacts and your close associates.

An authoritarian government would like to be able to do that too. So it
would be no surprise whatsoever if the Chinese Government sought access to
the Google archive and its internal search capabilities. In fact, it would
be a big surprise if it didn't.

Crikey contacted Google this morning, seeking a response to Clarke's
concerns, and in particular for information on the nature and extent of the
intellectual property that was stolen in what Google has described as a
"highly sophisticated and targeted attack".

A Google spokesperson told Crikey that:

The trust of our users is very important to us. That's why we're being
transparent about this attack, and have taken an unusual step by sharing
this information with such a broad audience.  (See this blog by our
president of Google Enterprise for more information).  We have already used
information gained from this attack to implement additional infrastructure
and architectural improvements that enhance security for the company and
for our users.

We see attack attempts on our systems frequently, but that does not mean
that they succeed. That's because we invest substantial amounts of time and
money in security and we're constantly improving our systems. No security
solution is perfect, but most organisations do not have the resources to
invest in security in a comparable way.

We believe our products are safe to use. That's why our employees use them
all day, every day. We have taken significant additional steps since the
attack to protect our systems and our users. We would also advise people to
protect themselves online by making sure they change their passwords
regularly, and by using anti-virus software and upgrading their browsers.

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list