Google in China: Unanswered Questions

Reporting by the New York Times has fleshed out the implication in Google's announcement that the attacks were co-ordinated, or at least conducted with the approval of, Chinese government agencies. And in a detailed analysis, Computer World writes that the security breach included an attack on Google's internal intercept systems, used to comply with requests from United States law enforcement.

Security experts have long warned that systems designed to make compliance with lawful interception more convenient can also create security vulnerabilities of their own. By providing an attractive one stop shop for outside attackers, surveillance compliance systems by their very nature often override the secure compartmentalization of data.

Security breaches that involve lawful interception systems are not new (see the Greek mobile eavesdropping scandal in 2005), and we're sure it will happen again. When a security conscious company like Google can get hit, it is a wake up call to all corporations about the dangers of hosting systems designed to snoop of their customers. What would the agent of a foreign power do with full access to Sprint Nextel's convenient live web interface for GPS location data on its fifty million subscribers?

We know that Google was not the only company targeted by this attack: other names mentioned have included Yahoo, Symantec, Juniper, Northrop Grumman and Dow Chemical. We don't know whether those attacks obtained proprietary information or personal user data. But users of these companies' products are rightfully concerned and we'd hope and expect more public statements that clarify this important difference.

Read More