Computerworld is reporting that the hacking attack on Google (which prompted it to tell the Chinese government it would no longer censor on its behalf) exploited a system the company set up to help the government access its users’ data:
They apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. “Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems],'” he said.
This is a very interesting report. If accurate, it means that this incident is the fulfillment of warnings that we at the ACLU as well as security experts and our allies have been making since at least the 1990s: when you design information architectures around providing law enforcement with people’s personal information, that can open up significant security gaps that become vulnerable to exploitation by hackers.
It’s unclear what Google’s “internal intercept system” is or how it operates, but we do know that in other cases companies have set up standing portals to allow routine law enforcement access to customer data. And in the 1990s, Congress passed a law called CALEA that requires telecommunications companies to actively design their systems in ways that make government eavesdropping easier.
In the 1990s battles over enactment of CALEA and its implementation, the ACLU argued that the FBI’s proposed law could threaten the security and health of the providers’ networks. More recently we argued that the NSA’s eavesdropping systems also create risks of being hijacked — that with communications flows under centralized NSA monitoring, communications all around the globe would be susceptible with just a single point of failure in security systems. Respected internet security experts Susan Landau and Whitfield Diffie of Sun Microsystems and other prominent experts have been warning about this problem in both the domestic law enforcement and NSA contexts — including in this op-ed in the Washington Post.
Just such a thing happened in Greece in 2004–2005, when software put in place to enable wiretapping was hacked by still-unknown parties and more than 100 phones belonging to Greek government officials — including the prime minister — were compromised.
To be clear, there is nothing improper about a lawfully served search warrant based on individualized suspicion, and Google holds an awful lot of data and must get served with many such warrants. But this incident is just a glimpse at a vast subterranean reality — and it is a warning. We have no idea of what other kinds of exploits may have taken place. And law enforcement and the telecoms have a long history of extra-legal and illegal cooperation in the mass violation of Americans’ privacy, and we are witnessing the development of what we have called a “Surveillance-Industrial Complex,” in which the government leverages a (sometimes willing, sometimes unwilling) private sector to greatly expand the reach of routine government surveillance into the lives of Americans. And recent evidence suggests that the telecoms and other companies are sharing customer data with law enforcement with unprecedented detail and frequency.
This incident should not be used merely to beat the cybersecurity drum (which is among other things the latest fuel for accelerating the growth and powers of security agencies — as well as corporate profits — here in Washington D.C.). Members of Congress and the media need to ask some hard questions about whether we are inflicting some pretty significant security vulnerabilities upon ourselves.