What China, India, and Obama Tell Us About Google
It’s now cool to dump on Google.
At Al Jazeera, Jason Leopold obtained copies of e-mail
exchanges between the NSA’s Keith Alexander & Google executives.
The meetings addressed an apparently benign episode of
behind-the-scenes jiggery pokery, in this case discussions concerning
NSA-industry cooperation on various cybervulnerabilities.
But, since it’s Google, there’s also room for darker interpretations:
Email exchanges between National Security Agency Director Gen. Keith
Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far
cozier working relationship between some tech firms and the U.S. government than was implied by
Silicon Valley brass after last year’s revelations about NSA spying.
Disclosures by former NSA contractor Edward Snowden about the agency’s vast
capability for spying on Americans’ electronic communications prompted a number
of tech executives whose firms cooperated with the government to insist they
had done so only when compelled by a court of law.
But Al Jazeera has obtained two sets of email communications dating from a
year before Snowden became a household name that suggest not all cooperation
was under pressure.
Well, I dumped on Google before it was cool, when the Google
slogan “Don’t Be Evil” sent a thrill up techies’ legs instead of a derisive
smile to their lips.
It was clear long before Snowden that Google was in bed with
the US government.
In fact, it was revealed in the ruckus surrounding the first big
China cyber-scandal—the hacks of Chinese activists’ Gmail accounts and the
Aurora exploit—back in December 2009-January 2010.
It’s interesting to go back and look at what was ignored and
what was hyped in those innocent pre-Snowden days.
Fortunately, I wrote about the whole affair in January 2010 at
Asia Times Online:
Google isn't doing well in China, and President Barack Obama
isn't doing well in the United States. These twin realities have helped trigger
a high-profile confrontation with China.
On January 12, Google responded to a sophisticated hack of its Google.cn
servers, apparently emanating from within China, with the threat that it would
stop filtering its Google.cn search results in compliance with the demands of
the Chinese government, even if that meant Google would have to close its China
operations.
…
Google's high-profile demolition of its relationship with
China may not simply be a matter of outrage at the hacking of pro-democracy
e-mails.
Bruce Schneier, a well-known US cyber security
expert, made waves in the IT community with an op-ed on CNN on January 23 [3]
asserting that the e-mail hacker had obtained the e-mail information by accessing Google's own internal
intercept system - a program
designed to enable Google to collect user information in response to US government demands.
If this is the case, the e-mail hack is more of an embarrassment for Google
than anything else: an indication that Google had not only created the
application to enable governments
to spy on e-mail accounts, it had done such a poor job of protecting it that it
could be hijacked by malicious parties.
The actual significance of the e-mail hack is open to question.
Only a handful of accounts were accessed, and apparently yielded no more
information than the kind that the US government is supposed to get in response
to a subpoena: account information and subject line. No message text was
compromised, according to Google.
In a January 21 conference call
with financial analysts,
Google executive Eric Schmidt stated that Google wasn't even sure that the
e-mail intrusion was related to the larger hack, now known as the Aurora
exploit.
Aurora was a sophisticated, simultaneous industry-wide penetration of sensitive
computers at Google, Adobe and perhaps more than two dozen other Silicon Valley
companies, possibly a "zero day" attack intended to exploit an
intrinsic weakness in Internet Explorer (IE) for maximum effect before the
attack itself compelled Microsoft to issue a patch to plug the leak.
The target of this multi-front blitzkrieg was apparently a quest for IT's crown
jewels - source code.
This cyber-sparring between Western high-tech companies and Chinese hackers is
a historical albeit worrisome feature of the complicated relationship between US
IT companies and the large Chinese market they hope to serve.
The large scale and synchronized timing of the assault has caused the target
companies to point the finger, albeit gingerly and with caveats, directly at
the Chinese government.
It is an open question whether the scale of the attack reflects Chinese
government involvement, or an awareness of the transient nature of IE
vulnerability and the resultant desire of networked private or semi-private
Chinese hackers to exploit the flaw massively before it could be discovered and
repaired.
Another anxious aspect was added to the case as rumors spread that Google
suspected that a Chinese employee of its organization inside China may have
facilitated Aurora's intrusion onto a computer with administrative privileges,
thereby opening significant domains
of the Google realm to inspection and downloading
by the hackers.
However, Google took an important and inflammatory step of escalating its
conflict with China by using the e-mail hack against democracy advocates to
wrap itself in a human-rights flag. As a result, its threat to stop censoring
its Google.cn search engine in retaliation for the hacks has become a cause
celebre for free speech and Internet-rights activists.
This cause has been taken up by the US government.
The Obama administration is smarting from its devastating political defeat in
the Massachusetts senate election, a defeat that has removed the Democrat
Party's supermajority and put it on track for possible electoral catastrophe at
November's mid-term congressional elections - unless it can rally its
disaffected base of liberal and progressive voters. Thus, Obama's government is
set to embark on a populist anti-banking campaign inside the US and a
crowd-pleasing anti-China campaign internationally.
Google's emergence as a champion of Internet openness is, in a certain sense,
rather ironic. Its data-collection capabilities extend from cookies to
click-logging, which involves the recording of a user's search terms for two
years and has aroused the concern of the European Union, the US government and
privacy advocates. The tools are likely the envy of China's busy public and
Internet security monitors.
Google is no stranger to cooperation with security services in the United
States as well as abroad.
Google has an intimate relationship with the US intelligence community. It
acquired one of its signature services - Google
Earth - from the Central Intelligence Agency's acknowledged
not-for-profit venture capital arm, In-Q-Tel. As part of a
one-hand-washes-the-other synergism between the private and public sector,
In-Q-Tel's director of technology assessment, Rob Painter, moved to Google in
2005 to become chief technologist for federal business. His main job: selling
Google Earth imagery back to the government.
The company itself is
secretive not only about the precious algorithm that drives its world-beating
search engine, but about everything else. Despite enjoying the benefits of being a publicly-traded
company, its ownership is structured to enable close control by its founding
members. It accumulates gigantic amounts of data concerning its users -
including information from the over 75 billion Google searches, 10 billion
Youtube views and hundreds of millions of Doubleclick ad page views per month
they undertake - so it can target them with advertising tailored to their needs
and weaknesses.
In an unintentionally ironic twist, Google chief executive officer Eric Schmidt
turned the company's ballyhooed motto - Don't Be Evil - into a warning to
Google's users in an interview with CNBC in December 2009. [4]
"If you have something that you don't want anyone to know, maybe you
shouldn't be doing it in the first place," Schmidt said. "If you
really need that kind of privacy, the reality is that search engines -
including Google - do retain this information for some time and it's important,
for example, that we are all subject in the United States to the Patriot Act
and it is possible that all that information could be made available to the
authorities."
Google is committed to an open Internet because this provides the maximum
leverage for its competitive advantage as the pre-eminent search engine. Google
also relies on the open Internet to allow it to collect the full spectrum of
data that allows it to characterize and exploit the monetary potential of its
users.
The one area in which Google cannot tolerate openness is in the one area the
hackers targeted: the secrets of its search engine.
It would not be surprising if Google decided to make a public issue of the
December 2009 intrusions in order to get the Chinese government to crack down
on hackers within its borders, be they public or private actors.
…
Simply walking back the tense
situation and negotiating some kind of symbolic, face-saving compromise on
filtering of search-engine results may also be out of reach, thanks to the
rapid escalation of political rhetoric by the Obama administration.
In a speech in Washington on January 21, Secretary of State Hillary Clinton
planted the US government flag as champion of the "right to connect"
to an open Internet. Echoing the phrase of British statesman Winston Churchill
that announced the beginning of the Cold War between the Soviet Union and the
West, she talked of an "information curtain" (rather than an iron
curtain) descending across the world at the behest of totalitarian regimes.
Clearly, the lengthy speech was prepared long in advance to burnish America's
information age luster. Equally clear was the fact that one paragraph was
inserted about the Google case at the last minute.
Clinton issued a call that the Chinese government investigate the Google case
"transparently", implying in effect that China had a responsibility
to mollify foreign stakeholders based on Google's so far undocumented public
assertions:
And we
look to the Chinese authorities to conduct a thorough review of the cyber
intrusions that led Google to make its announcement. And we also look for that
investigation and its results to be transparent.
Open-society advocates lauded the
tough American approach, even as IT professionals pointed out the awkward fact
that the US itself embargoes Internet software - including Google's Chrome
browser - to deny the benefits of Internet openness to users within Syria,
Sudan and other countries.
The Chinese government - which has labored mightily to create an international
regime in which China is an acknowledged superpower and not the target of
condescending and embarrassing demands for transparency - responded with
predictable heat.
China's Ministry of Foreign Relations denounced Clinton's call, stating,
"We urge the US to respect facts and stop attacking China under the excuse
of the so-called freedom of Internet."
China's Global Times accused the United States of "information
imperialism".
According to an Associated Press report [7], the US government seems willing to
up the ante:
Washington,
meanwhile, carried its message on Internet freedom directly to Chinese
bloggers. The US Embassy in Beijing and consulates in Shanghai and Guangzhou
hosted Internet-streamed discussions with members of the blogging community on
Friday afternoon - the latest example of Washington's outreach to Chinese
bloggers as a way of spreading its message.
The bloggers met with US diplomats from the political, economic and public
affairs sections, who held discussions and answered questions about Clinton's
speech. The meetings were similar to a session organized during Obama's visit
to China in November.
It would
appear that nothing good for US-China relations will come of this. Perhaps the
United States doesn't care too much.
In a widely-linked comment entitled "The Google news : China enters its
Bush-Cheney era" [8], the Atlantic Monthly's James Fallows saw the Google
case as a regrettable hardening of Chinese attitudes towards the US just as
America was entering the halcyon period of the Obama administration.
It is more likely that the Obama administration, with the world financial
system stabilized and Chinese goodwill a less vital commodity than before, and
its own political fortunes in jeopardy, has found it politically expedient and
feasible to harden towards China.
It subsequently came out that the Aurora hack--a zero-day vulnerability in Internet Explorer--had been discovered and reported to Microsoft a year before by an Israeli security firm, but MS had not gotten around to writing a patch for it. Nowadays, of course, we can wonder if the NSA also knew about it, did nothing about it, or, worst case, did something about it: i.e. told Microsoft to keep the vulnerability under its hat while the NSA used Aurora itself to rummage through the innards of various target computer systems.
The exploit itself was relatively unsophisticated and remarkable only for the fact that it had been simultaneously unleashed against over two dozen companies, presumably to try and get something in a hurry before the vulnerability got fixed. When Symantec analyzed Aurora, it observed there was nothing special about the hack, only about the mainstream media furor surrounding it.
I am of the opinion that the United States government had decided to put Chinese hacking on the menu of US grievances, Google was ready to cooperate, and a generic hacking episode was seized upon in order to start selling the pre-prepared product.
By the way, blowing up Google's position in the China market was apparently a brainwave of Sergey Brin, executed over the objections of Eric Schmidt.
In my original piece for Asia Times Online, I speculated that Brin could afford to be blase about the mainland China market because the PRC had banned key Google services like Youtube, Baidu was eating Google's search-engine lunch, and Google's alternate future was the currently low-spending but big, democratic, Anglophone, pro-US, Indian market.
Indeed, Google responded to its setbacks in China with a huge push into India, making India--where only 12% of the population is currently on-line--its most important market bet after the United States. In India Google's search engine share is over 97%, attracting the envy, fear, and concern of everybody, including its customers, as a lengthy and revealing article in Forbes India reported:
Thus, partners and customers warily treat it as both a threat and an opportunity. A friend and a sort-of enemy—a ‘frenemy’.
Of
the nearly two dozen people Forbes India spoke to for this story, none
were comfortable saying anything even remotely critical of their
frenemy, Google, on record. Many refused to be quoted at all. Reason:
When the bulk of online sales depends on one company, you can’t afford
to antagonise it.
Readers reflecting on the close political ties between Google and the Obama administration will find this passage concerning Google's political activities in India revealing:
In December 2011 things appeared pretty bleak for Google after the union
telecom and IT minister, Kapil Sibal, berated it (along with peers
Facebook and Yahoo!) for not “pre-screening” user content for defamatory
comments before it was uploaded.
Having been ejected from China
for its failure to kowtow to the government, Google was, of course,
extremely wary of losing its next biggest market the same way. So it
pulled out the stops on a high voltage charm offensive.
Google
has used its popularity with consumers as a carrot, offering key
influencers a digital pulpit few others can match—the Google Hangout, a
multi-party video-conferencing service that can also be broadcast.
Though
Hangouts can be set up free of cost by any Google user, the service
offered to ministers and politicians was supported directly by Google,
with weeks of preparation beforehand.
The first person Google
chose to do a Hangout with in August 2012 was Gujarat chief minister and
BJP leader Narendra Modi. Drawing in tens of thousands of online
viewers, the session was a resounding success. That made the job of
convincing Congress politicians much easier, leading to Hangout sessions
this year featuring union ministers Shashi Tharoor, CP Joshi, P
Chidambaram and Milind Deora.
“It was the platform determining
the speaker, and not the other way round,” says a senior industry
watcher on the condition of anonymity.
Modi, of course, will become India's next prime minister if his BJP party performs up to expectations in the current Indian parliamentary elections.
Over four
years ago the institutional relationships between Google and the US
government (and the presence of surveillance backdoors in Google services) and
the political and personal synergies between Google execs and the Obama administration became
apparent, and a thing for people to get worked up about.
As to where this all leads, post-Snowden, I rubbed it in in a post from late 2013 titled Google Knew!
I recently wrote a post
on the (to me) unconvincing hero-splaining of the privacy commitments
espoused by Google, Yahoo! et al. in the wake of revelations of “MUSCULAR” NSA
intrusions into their data backbones:
Two engineers with
close ties to Google exploded in profanity when they saw the [notorious smiley
face] drawing [showing the NSA’s penetration of the Google data backbone]. “I
hope you publish this,” one of them said.
Publish what? Evidence that Google's security is
cracked? Or document Google's hyperbolic anger at NSA transgressions to
reassure Google Cloud customers?
If you’re searching for privacy heroes, I think you’d better scratch Google off
your list. Per Gellman:
Last month, long
before The Post approached Google to discuss the penetration of its cloud, vice
president for security engineering Eric Grosse announced that the company is
racing to encrypt the links between its data centers. “It’s an arms race,” he
said then. “We see these government agencies as among the most skilled players
in this game.”
Google knew, kids.
Get used to it.
Then the Guardian reported:
Yahoo, Microsoft and Google deny they co-operate voluntarily
with the intelligence agencies, and say they hand over data only after being
forced to do so when served with warrants. The NSA told the Guardian that the
companies' co-operation was "legally compelled".
But this week the Washington Post reported that the NSA and
its UK equivalent GCHQ has been secretly intercepting the main communication
links carrying Google and Yahoo users' data around the world, and could collect
information "at will" from among hundreds of millions of user
accounts.
The NSA's ability to collect vast quantities of data from
the fibre-optic cables relies on relationships with the companies, the document
published on Friday shows.
In
an opening section that deals primarily with the telecom companies, the SSO
baldly sets out its mission: "Leverage unique key corporate partnerships
to gain access to high-capacity international fiber-optic cables, switches
and/or routes throughout the world."
This piece hasn't received a lot of play. Wonder why. On the other
hand, the Guardian treats us to a column from its digital beat guy, Dan
Gillmor, with the title slug:
Google, Yahoo et al have the power (and money) to fight back against the NSA
The tech billionaires should create the anti-surveillance, pro-security equivalent of the National Rifle Association.
In my humble opinion, asking Google, Yahoo! et al. to lobby
on behalf of Internet privacy is like expecting the gun manufacturers who
provide a lot of the NRA’s juice to endorse gun control.
Google Knew! Maybe the new corporate slogan should be...Google Knows!
"Google Knew! And We Knew! For Over Four Years!"
1 Comment -
In a sense, we all knew. Doesn't nearly every single Hollywood spy movie feature some kind of global headquarters where American agents can access almost any data anywhere in the world?
1:32 PM