<p>Some of Google's <a href="http://www.itworldcanada.com/news/google-attack-part-of-widespread-spying-effort/139742" title="Gmail systems were hacked">Gmail systems were hacked </a>by what are believed to be Chinese intruders. Whether the hackers were <a href="http://www.state.gov/secretary/rm/2010/01/135105.htm" title="state sponsored">state sponsored</a> or not remains to be determined, but the very presence of an <a href="http://www.state.gov/secretary/rm/2010/01/135105.htm">announcement</a> by Secretary of State Clinton lends credibility to that possibility. Aside from the questions that this breach raises about cloud computing in general, the exact nature of what was stolen is even more interesting. Normally, I avoid opining in public on matters that might be considered political, but the technical details of this attack are fascinating enough that I thought it was worth adding to the public discussion on this one:</p>
The ironic part of this attack is that Google may have been under surveillance by the hackers through back-doors built in to allow US surveillance in the first place.
Based on preliminary reports, it appears that the data the hackers were able to obtain was actually metadata about the emails. This might include subject line, dates, times, and recipients, but not the actual contents of the email. The reason this data, and not the email contents, was vulnerable is in part because of US anti-terrorism laws. A pen register search can access routing, addressing, or signaling information transmitted by an instrument or facility from which an electronic communication is transmitted and equivalent information used to identify internet traffic.
How would someone get access to this kind of pen register data? Most likely by accessing tools built-in by Google to allow surveillance of Google records by US law enforcement! According to some published reports, the "malware is accessing the internal intercept [systems].'" According to security experts, "As the volume of requests from law enforcement at all levels grows, the compliance burdens on telcoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention."
In essence, it appears that our own surveillance systems were turned against us. Prior to this breach, some information requests had been directed at Yahoo!, Verizon, and other major internet carriers, seeking to discover the extent of the automated data tracking systems. The companies opposed these requests, saying that telling the public would "shock" customers, "shame" the companies, and "confuse" customers. It has been reported that "Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic".
Now, it looks as if the cat is out of the bag. It's not clear at this point why Google decided to publicly disclose the nature of the breach instead of keeping communications private. As the story develops, it will be interesting to see how this mix of statecraft and enterprise business plays out. However, when viewed in conjunction with the recent killing of CIA agents in Afghanistan, it is clear that an active surveillance and counter-terrorism policy doesn't come without consequences.
The question of whether the consequences are worth the benefits is a matter for public policy debate. In a way, the data breach at Google is a good thing, because it has generated broader public debate about the role of corporate america in statecraft, and whether US companies should make moral judgments in the conduct of their business. It's worth talking about.