<nettime> Bruce Schneier: U.S. enables Chinese hacking of Google

[nettime's avid reader <nettime@kein.org>]

U.S. enables Chinese hacking of Google

By Bruce Schneier, Special to CNN 
http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html 

Editor's note: Bruce Schneier is a security technologist and author of
"Beyond Fear: Thinking Sensibly About Security in an Uncertain World."
Read more of his writing at www.schneier.com.

(CNN) -- Google made headlines when it went public with the fact that
Chinese hackers had penetrated some of its services, such as Gmail, in
a politically motivated attempt at intelligence gathering. The news
here isn't that Chinese hackers engage in these activities or that
their attempts are technically sophisticated -- we knew that already
-- it's that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data,
Google created a backdoor access system into Gmail accounts. This
feature is what the Chinese hackers exploited to gain access.

Google's system isn't unique. Democratic governments around the world
-- in Sweden, Canada and the UK, for example -- are rushing to pass
laws giving their police new powers of Internet surveillance, in many
cases requiring communications system providers to redesign products
and services they sell.

Many are also passing data retention laws, forcing companies to retain
information on their customers. In the U.S., the 1994 Communications
Assistance for Law Enforcement Act required phone companies to
facilitate FBI eavesdropping, and since 2001, the National Security
Agency has built substantial eavesdropping systems with the help of
those phone companies. Systems like these invite misuse: criminal
appropriation, government abuse and stretching by everyone possible
to apply to situations that are applicable only by the most tortuous
logic. The FBI illegally wiretapped the phones of Americans, often
falsely invoking terrorism emergencies, 3,500 times between 2002 and
2006 without a warrant. Internet surveillance and control will be no
different.

Official misuses are bad enough, but it's the unofficial uses that
worry me more. Any surveillance and control system must itself be
secured. An infrastructure conducive to surveillance and control
invites surveillance and control, both by the people you expect and
by the people you don't. China's hackers subverted the access system
Google put in place to comply with U.S. intercept orders. Why does
anyone think criminals won't be able to use the same system to steal
bank account and credit card information, use it to launch other
attacks or turn it into a massive spam-sending network? Why does
anyone think that only authorized law enforcement can mine collected
Internet data or eavesdrop on phone and IM conversations? These
risks are not merely theoretical. After September 11, the NSA built
a surveillance infrastructure to eavesdrop on telephone calls and
e-mails within the U.S. Although procedural rules stated that only
non-Americans and international phone calls were to be listened to,
actual practice didn't match those rules. NSA analysts collected more
data than they were authorized to and used the system to spy on wives,
girlfriends and notables such as President Clinton.

But that's not the most serious misuse of a telecommunications
surveillance infrastructure. In Greece, between June 2004 and March
2005, someone wiretapped more than 100 cell phones belonging to
members of the Greek government: the prime minister and the ministers
of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone's products
and enabled it only for governments that requested it. Greece wasn't
one of those governments, but someone still unknown -- A rival
political party? Organized crime? Foreign intelligence? -- figured out
how to surreptitiously turn the feature on.

And surveillance infrastructure can be exported, which also aids
totalitarianism around the world. Western companies like Siemens and
Nokia built Iran's surveillance. U.S. companies helped build China's
electronic police state. Just last year, Twitter's anonymity saved the
lives of Iranian dissidents, anonymity that many governments want to
eliminate. In the aftermath of Google's announcement, some members of
Congress are reviving a bill banning U.S. tech companies from working
with governments that digitally spy on their citizens. Presumably,
those legislators don't understand that their own government is on the
list.

This problem isn't going away. Every year brings more Internet
censorship and control, not just in countries like China and Iran but
in the U.S., the U.K., Canada and other free countries, egged on by
both law enforcement trying to catch terrorists, child pornographers
and other criminals and by media companies trying to stop file
sharers.

The problem is that such control makes us all less safe. Whether
the eavesdroppers are the good guys or the bad guys, these systems
put us all at greater risk. Communications systems that have no
inherent eavesdropping capabilities are more secure than systems with
those capabilities built in. And it's bad civic hygiene to build
technologies that could someday be used to facilitate a police state.

The opinions expressed in this commentary are solely those of Bruce
Schneier.



#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mail.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org