Google and China, a love... er, frustration story

Ted Hardy

Jan 13, 2010 • 6 min read

Unless you’ve been living under one of those proverbial rocks, you’ve probably heard that Google is a bit miffed with the Chinese right now. Well, more specifically, elements within the country, likely covertly employed by the communist government, who have been attempting to hack into Google’s systems. After dealing with such behavior for four years, Google has become fed up and they’re not going to take it anymore.

Back in 2006, when Google said it would create google.cn and agree to filter their search results, the company took a great deal of heat. If you click the first link in this paragraph, scroll down past Google’s official words and look at the linked articles, you’ll see a long listing of those negative responses. Many people felt that the company was retreating from its ‘do no evil’ mentality, at least in spirit if not the letter of the rule. Google’s response was that to not be in China, providing the best search results possible under Chinese law, meant that the Chinese government won by default as there was no one big enough competing in the market to give users anything other than what the government allowed. With a big player like Google there, it makes it that much more difficult for the government to actually police search results.

It was a trade-off, and one that in hindsight, seems to have proved its critics to be correct.

Despite the news everyone else is reporting about today, there were a few things that people are not talking about in the blog post that really struck me as almost a story within a story. Let’s do a little quoting…

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First off, kudos for Google admitting they had a problem and having the guts for stating they lost more than just user data. Rightly so, most news organizations are focusing on the dissident email hacking, but note here that not only did the thieves go after user data, they went after Google’s code. What makes this all the more interesting to me, is other reports I’ve seen which discuss how the government requires companies who operate within the country to provide access to their corporate servers. I don’t know if this is access occurs at the company’s location, monitored by Google employees, or if it is secured remote access, but it does bring up a few difficulties for a company like Google.

Google makes its money by anticipating what users want and providing their users with quality results shown next to ads. This means sophisticated search algorithms, something the company wouldn’t want many of their own people to see, much less a foreign government. Its like KFC posting its recipe on the intranet site of Popeye’s. Yet, Google most likely agreed to let the Chinese government have access to at least some part of its infrastructure. I assume that there were likely some safeguards involved to protect intellectual property, but China doesn’t have the best reputation for following protections of this sort.

Now imagine if you will, the IP that Google lost during the attack, ending up in the hands of Baidu, their biggest competitor in China. Baidu just happens to be a homegrown company that is favored by the Chinese government, namely for its willingness to play ball with the government. Suddenly, Google’s exit from the market isn’t solely about not being evil, but about protecting itself from those being evil to it.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

I’ll be the first to say that Google has a lot of smart people, but I find it hilarious that they’re the ones who have to go around to a bunch of international corporations asking if they’ve seen anything fishy on their server logs in recent weeks. Can you imagine being the chief of IT security and having another company, even one as well meaning as Google seems to be, give you a phone call to tell you that China is rocking your world and you may not even know it. Similarly, I can imagine Google providing the evidence to U.S. authorities and saying, “You’ve wanted evidence, we’ll give you evidence” as they pass terabytes of data showing who, where, when and how the attacks happened. Imagine the goldmine of intelligence and capability insight that must be contained in those traces.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

If only subject lines and account information were compromised, but not the emails themselves, that has interesting implications about what Google does internally with your emails. It sounds to me like there is a split between the actual location of the email and the information Google gleans from the email to understand more about each user. This really isn’t a huge revelation (its a very sound architectural design), yet its just nice to have that confirmation. What this says to users is that your actual correspondence, the emails you send and receive, are stored separately from the account information Google collects and aggregates about you from your usage of their services. If a hacker wanted to steal your information, they have to break down multiple sets of doors (the Google front door, the Gmail door, the Account door, etc) to find it all. If a hacker only gets past the Account door, they have an email address, your name and some demographics information, plus whatever magic format Google uses to determine more about who you are.

This should actually be a big comfort to us all. If a hacker knows enough about you to pinpoint you out of the billions of Google users, they likely already know more about you than Google does. They already knew your name and email address, otherwise how would they have known to look for you in Google’s servers? Also, they probably know your race, age, currently address, height/weight, etc, without Google even needing to have captured any of that information.

(The previous paragraphs turned out to be mere speculation on my part. MacWorld explains that full emails are protected differently (and more fully) than the information that was compromised. The compromised information was stored separately as it is 'outside the envelope’ information that can be accessed by law enforcement with a warrant.)

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

Two comments… first, if you didn’t already realize this, there really are no boundaries on the Internet. If you can get a connection to the server, no matter where it is located, you can try to break into it. Second, and more important to me, people just do not learn. Protecting yourself is not that hard, if you stop and think about it just for a second. If a stranger walks up to you on the street and offers to give you an unknown package, you would refuse. If you visit a new website for the first time, why would you agree to install whatever application they offer you? There should be no difference in our reaction to either situation, yet time and again, people prove themselves to be ignorant about taking simple precautions when surfing the web. At some point ignorance crosses the line over into stupidity. I really think we’re rapidly approaching that time.