[Infowarrior] - Schneier: U.S. enables Chinese hacking of Google
Richard Forno
rforno at infowarrior.org
Sun Jan 24 15:56:23 UTC 2010

http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/

U.S. enables Chinese hacking of Google
By Bruce Schneier, Special to CNN
January 23, 2010 5:20 p.m. EST

Editor's note: Bruce Schneier is a security technologist and author of
"Beyond Fear: Thinking Sensibly About Security in an Uncertain
World." Read more of his writing at www.schneier.com.

(CNN) -- Google made headlines when it went public with the fact that
Chinese hackers had penetrated some of its services, such as Gmail, in
a politically motivated attempt at intelligence gathering. The news
here isn't that Chinese hackers engage in these activities or that
their attempts are technically sophisticated -- we knew that already
-- it's that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data,
Google created a backdoor access system into Gmail accounts. This
feature is what the Chinese hackers exploited to gain access.

Google's system isn't unique. Democratic governments around the world
-- in Sweden, Canada and the UK, for example -- are rushing to pass
laws giving their police new powers of Internet surveillance, in many
cases requiring communications system providers to redesign products
and services they sell.

Many are also passing data retention laws, forcing companies to retain
information on their customers. In the U.S., the 1994 Communications
Assistance for Law Enforcement Act required phone companies to
facilitate FBI eavesdropping, and since 2001, the National Security
Agency has built substantial eavesdropping systems with the help of
those phone companies.

Systems like these invite misuse: criminal appropriation, government
abuse and stretching by everyone possible to apply to situations that
are applicable only by the most tortuous logic. The FBI illegally
wiretapped the phones of Americans, often falsely invoking terrorism
emergencies, 3,500 times between 2002 and 2006 without a warrant.
Internet surveillance and control will be no different.

Official misuses are bad enough, but it's the unofficial uses that
worry me more. Any surveillance and control system must itself be
secured. An infrastructure conducive to surveillance and control
invites surveillance and control, both by the people you expect and by
the people you don't.

China's hackers subverted the access system Google put in place to
comply with U.S. intercept orders. Why does anyone think criminals
won't be able to use the same system to steal bank account and credit
card information, use it to launch other attacks or turn it into a
massive spam-sending network? Why does anyone think that only
authorized law enforcement can mine collected Internet data or
eavesdrop on phone and IM conversations?

These risks are not merely theoretical. After September 11, the NSA
built a surveillance infrastructure to eavesdrop on telephone calls
and e-mails within the U.S. Although procedural rules stated that only
non-Americans and international phone calls were to be listened to,
actual practice didn't match those rules. NSA analysts collected more
data than they were authorized to and used the system to spy on wives,
girlfriends and notables such as President Clinton.

But that's not the most serious misuse of a telecommunications
surveillance infrastructure. In Greece, between June 2004 and March
2005, someone wiretapped more than 100 cell phones belonging to
members of the Greek government: the prime minister and the ministers
of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone's products
and enabled it only for governments that requested it. Greece wasn't
one of those governments, but someone still unknown -- A rival
political party? Organized crime? Foreign intelligence? -- figured out
how to surreptitiously turn the feature on.

And surveillance infrastructure can be exported, which also aids
totalitarianism around the world. Western companies like Siemens and
Nokia built Iran's surveillance. U.S. companies helped build China's
electronic police state. Just last year, Twitter's anonymity saved the
lives of Iranian dissidents, anonymity that many governments want to
eliminate.

In the aftermath of Google's announcement, some members of Congress
are reviving a bill banning U.S. tech companies from working with
governments that digitally spy on their citizens. Presumably, those
legislators don't understand that their own government is on the list.

This problem isn't going away. Every year brings more Internet
censorship and control, not just in countries like China and Iran but
in the U.S., the U.K., Canada and other free countries, egged on by
both law enforcement trying to catch terrorists, child pornographers
and other criminals and by media companies trying to stop file sharers.

The problem is that such control makes us all less safe. Whether the
eavesdroppers are the good guys or the bad guys, these systems put us
all at greater risk. Communications systems that have no inherent
eavesdropping capabilities are more secure than systems with those
capabilities built in. And it's bad civic hygiene to build
technologies that could someday be used to facilitate a police state.

The opinions expressed in this commentary are solely those of Bruce
Schneier.