China, Google, privacy and security

With the widely reported attacks on Google and other companies doing business in China and Google’s planned and threatened actions in response, opinions are coming fast and furious on all sides, although official statements from U.S. government officials have been a bit more tentative, at least until more explicit evidence is brought to light revealing the Chinese government’s role in the attacks. With all the attention focused on the significance of the attacks and the potential economic ramifications of a possible Google pull-out from China, some other aspects of the whole situation seem to be getting overlooked. Herewith then are a few observations on some of the tangential elements of the story.

Google originally agreed to censor some of its search results in China as a condition of being allowed to operate in the company at all. With Google’s Gmail service the reported target of the attacks — specifically the accounts of known Chinese human rights activists — the company characterized the attacks as more than just a security incident. The nature of Google’s responses to the attacks has both political and practical drivers. Apparently prompted by the seriousness of the attack, Google now says if it continues to operate in China, it will only do so with uncensored results. It’s not entirely clear if the Chinese might be able to put an intermediary filter between Google’s servers and Chinese Internet users that would leave users with the same net result, but in any case Google says that if it can’t run uncensored, it won’t continue in China at all. No argument with the principle here, but it seems a little disingenuous for Google to say that some censorship (and widely suspected state-sponsored hacking) was fine, but now the Chinese have crossed the line, and Google just won’t operate on their terms anymore.

Google went public with the attacks for several reasons, but to date hasn’t shared a lot of technical details about the nature of the attack or the exploits that might have been attempted or succeeded, other than to declare there were no security breaches of Google itself, so the accounts were most likely compromised through the use of phishing or malware surreptitiously loaded onto client computers. Almost at the same time, Google made a change to Gmail’s default security settings and now connections to Gmail are HTTPS by default — a security improvement over the previous approach of letting users enable this option, but having it off by default. Use of webmail without some sort of transport layer security, especially during login, makes compromising an individual email account incredibly easy for an attacker, so while there may be no indication that anyone sniffed one of the victimized account holder’s credentials, it would have been a more credible declaration had this setting already been in place.

On the Chinese end, a seemingly landmark development in Chinese individual privacy rights has gone virtually unnoticed outside the legal community, in the form of the Peoples Republic of China Tort Liability Law, passed in late December to go into effect in July. As thoroughly yet succinctly summarized by privacy law experts Hunton & Williams LLP, law includes a statement of a right to privacy, and establishes private rights of action for Chinese citizens to bring tort litigation among Internet service providers, medical institutions, employers, and other parties who mishandle personal information or otherwise infringe on privacy rights. Admittedly, it’s easy to dismiss out-of-hand the notion that a single-party socialist regime long marked by suppression of fundamental human rights would recognize and respect personal privacy protections. Given the nature of the attacks on Google, however, it is ironic that this new law would ostensibly offer a legal remedy to the individuals whose accounts were hacked, if in fact the attackers could be accurately identified.

On a more general note, there’s a cautionary lesson to be learned here about the perceived and actual security protections afforded to users of online communications services, whether webmail, social networking, or cloud computing services. There is a phrase repeated so often it has become a little maxim in itself: there is no privacy without security. It is also argued that the reverse is true too, especially in cases where “security” is understood to mean “confidentiality.” Current discussions about moving into the cloud, for instance, focus first on what security measures can be used to help ensure confidentiality and integrity (and availability too while we’re at it) are maintained , but in an environment like China where privacy is not universally championed, focusing on better or more security measures can’t solve the problem. The most favorable way to interpret Google’s statements and actions about the China situation give the company credit for understanding that.