In mid-December, Google said in a blog posting yesterday, the company discovered "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit significant one--was something quite different."
First, Google said, it found out that the attack on it apparently was part of a coordinated attack against at least 20 other large companies, many of which seem to be US-based. According to the Washington Post, it was more like 34 companies.
Second, Google says it has evidence suggesting that "a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists." Google also said that it didn't believe that more than two GMail accounts were successfully accessed, however.
Third, Google did find that dozens of accounts of "US-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties" apparently through persistent phishing and other malware attacks.
As a result, this and other problems with its operations in China has led Google "to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China."
Needless to say, Google's announcement has set off a firestorm that more than one newspaper has said may impact US-China relations.
US Secretary of State Hillary Clinton, for instance, was said by the New York Times to have demanded an explanation from the Chinese government and was quoted as saying that, "We have been briefed by Google on these allegations, which raise very serious concerns and questions.We look to the Chinese government for an explanation. The ability to operate with confidence in cyberspace is critical in a modern society and economy."
China so far has not officially responded to Google's threat, and the Chinese news media have been playing it down, but I don't see how it would ever bow to Google's demands. My expectation is that China will tell Google to take its search engine and not let the cyber door hit you on the way out.
According to a story in today's Wall Street Journal, Google China has about 31% of the search engine market while China's home grown Baidu has 64%. Furthermore, Google is (was) planning to sell its cell phone systems in China, which gives the Chinese government a lot of financial leverage.
The next 72 hours will be interesting to watch.
The Google episode also highlights another concern about privacy of information. IEEE Senior Editor Harry Goldstein sent me a link to a story at The Rumpus about what Facebook purports to capture about its 230 million plus users, which is basically everything, including information that is deleted and what Facebook users click on. If you are a Facebook user - I am not - you might want to read this.
What I found more interesting was the statement that Facebook has four mirrored data center sites, three in the US and one in the UK that contain full copies of all the Facebook information. In addition, Facebook is actively looking to expand significantly outside of major Western nations.
If I am a government intent on rooting out dissidents, Facebook seems a perfect place to start looking. Even more so, I might invite Facebook to set up a data center in my country where I could plant my agents. I wouldn't be the least surprised, given the UK government's desire to capture everything that UK citizens are doing on the Internet, telephone, etc., to find out that the UK's Security Services already have access to everything that resides on the Facebook data center site in London.
Maybe a simpler way is for a government to surreptitiously fund a startup company to duplicate what Facebook does. Then it could tap in at its leisure.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.