Wednesday, January 13, 2010

Google, Gmail, security and China

So other than the tragic earthquake last night in Haiti, I started work today with the war that Google launched against China. In fact, I first read about it in the Guardian's "Google sends a shockwave through the Chinese internet" by Charles Arthur. I was not satisfied with Arthur's analysis, so I went to one of the links provided, to Google's official blog, where they set out their position in a blogpost titled "A new approach to China." And I thought that would be it for the rest of the day, since we would have to wait for a while to see what would happen. But then, oddly enough, I stumbled upon another blogpost by Google, this time on the Gmail blog, "Default https access to Gmail", where the giant declares that Gmail correspondence will be encrypted by default from now on. Personally, though, I am not sure if this whole thing is an actual war or just a media stunt used by Google.



Ok, let's digest this bit by bit. First of all, there is the Guardian article. You see, this is the vice that I am always preaching against, the white supremacy of Western mainstream media. You see, Arthur's intentions are good, but in his mind, what is really happening is that Google has courageously taken the holy assignment of liberating the Chinese people (and the World!) from the mighty tyrant that is the Chinese government.

Therefore we will attack you in the way that is guaranteed to undermine you: by removing censorship.
The truth – or at least "unapproved" opinions – about the Dalai Lama
and the Falun Gong will reach the populace. And that will only be the
beginning.

Can China's repressive government survive that? If it thought it could, it wouldn't block it in the first place.

That is not to say that the Chinese government is innocent of these charges or anything, but it's kind of naive to think that the system will crumble to the ground now that Google decided to pull out of China. Check out other tyrannies, like for example Egypt. And as Arthur himself acknowledges, Google in China is not the mega-search engine that it is in the rest of the world:

It would be easy (but almost certainly hopelessly optimistic) to
think that by those actions, internet censorship will end in China. The
reality is that Google is only a minority player there (with about 12%
of the search market, compared to the in-country Baidu.com with 77%).
Yet it will make a difference.

Of course Google went into China for financial purposes only; after all, 12% of the search market in a huge country like China is still a huge piece of cake. If Google is leaving China for now there must be another reason. Arthur hinted at it, but did not emphasize it enough:

For years, security experts in the US and Europe have known that
Chinese hackers sanctioned by its government have been probing the
computer systems of important organisations – whether aerospace
companies, science laboratories or the British parliament, which was
targeted at the end of 2005. Now Google has discovered that it, too, is
among the targets of those attacks.

In fact, if you visit Google's blog you will find a different attitude. The authors speak in detail about the security breach itself, what happened and what the investigations revealed, and the main reason why they were attacked:

Second, we have evidence to suggest that a primary goal of the
attackers was accessing the Gmail accounts of Chinese human rights
activists. Based on our investigation to date we believe their attack
did not achieve that objective. Only two Gmail accounts appear to have
been accessed, and that activity was limited to account information
(such as the date the account was created) and subject line, rather
than the content of emails themselves.

Now this makes more sense. Gmail has long promoted itself as simple, reliable and secure; any other fancy shit comes in second place. In fact, most activists (myself included) prefer Gmail because of that. For sure, Gmail is not an angel that seeks to protect all those poor activists; it is a matter of marketing. If Gmail's security is breached I will be the first person to actively speak against it and warn anyone I know about it. And for sure, others who are more influential than I am would do the same. Gmail cannot afford to lose the masses and they will do anything within their means to protect privacy and performance.

Which takes me to the third article of today, on Gmail's official blog. Sam Schillace, Gmail's Engineering Director (ouh juicy position! ok back to serious), informs the public that from now on, the default setting for Gmail will be https. Which means that by default all data you send or receive via Gmail will be encrypted.

Think of it this way: an email is like a letter, right? So let's say that you are a lesbian teenager sending your girlfriend a love letter. You would be careful to put your letter in an envelope, because you need to ask your mother to take this letter to your girlfriend (because you're a lazy teenager and you know your mom would do anything for her kids), non? You don't want your mom accidentally checking the piece of paper only to read about how much you miss your gf's juicy lips! Now as your mom gets suspicious of the nature of your friendship, she might decide to open the envelope and read what's in it. This is the http world: when you are sending an email and the network (the e-Mom) you are using is not safe enough, those hooked to the network can practically see the words flying.

So you are careful to seal the envelope; your mom won't tear the envelope because she knows you will know. This is https: it encrypts the words before sending them to fly on the networks.

But what your witty Mom can do is trick you into giving her the letter without an envelope. Let's say she tells you that she has these new envelopes that smell like coconut and vanilla, but they are expensive, so she won't give you the envelope; instead she wants you to give her the letter and she will put it in one of the envelopes. Eventually, your gf will receive the letter smelling like coconut and vanilla, but your mom would know what you wrote in the letter. This is the malware and phishing sites that Google talks about in the first article.

So now to set things straight, Gmail decided that all email correspondence will be https by default. Because we all know that 90% of people stick to whatever comes by default. An activist, for example, usually ends up as an activist by mistake: they start off as just regular people and they somehow start getting into the cause. So most activists only start thinking about their security when they face trouble, only to realize that their accounts have already been compromised and their information violated. I'm sure if you ask any activist around you, chances are they don't encrypt their correspondences, they don't use php blockers, they still use Hotmail and they gladly use public networks. And these are very basic security mistakes; this is not the complicated shit that Chinese activists have to go through to protect themselves.

So by taking this step Gmail is protecting most people from dangers they may or may not be aware of. So yeah, I think this is a good step. But if this was such a smart move, why didn't Gmail do it before? Simply because https websites are slower than http websites. The peeps at Gmail probably weighed the pros and cons of both options and decided that it is not worth slowing down all email correspondences for the sake of a few activists that may be tracked. Keep in mind that encrypting your emails (https) has been optional for over a year.

Now I believe they changed their mind. But the blogpost on Gmail does not mention anything about this step being in any way, shape or form related to the Chinese security assault. This connection is my personal speculation. But it just seems to be obvious to me. I mean, both blogposts (on Google's blog and Gmail's blog) were published on the same day with only 6 hours' difference between the first and the latter. Plus the Google post clearly says that the Chinese assault aimed to sniff information about Gmail accounts. I don't see how Gmail's decision can NOT be related to the Google-Chinese war.

With that being said, I can't help but wonder why Google did this. I mean, yeah sure they love activists and their reputation, but was there no other way to do this? I mean, even that assault did not result in any significant breach. On the other hand, a declared war with China is just not a good idea. Microsoft lost the war against China, so why would Google be better equipped?

Clearly Google is aware of the risks, you can see that in the way they are kissing Chinese ass, admiring the Chinese economic advancement, and in the last paragraph they even make the following statement:

The decision to review our business operations in China has been
incredibly hard, and we know that it will have potentially far-reaching
consequences. We want to make clear that this move was driven by our
executives in the United States, without the knowledge or involvement
of our employees in China who have worked incredibly hard to make
Google.cn the success it is today. We are committed to working
responsibly to resolve the very difficult issues raised.

Meaning that they are aware that this war can reflect really badly on the staff of the Chinese office. After all, the staff is probably Chinese and they will probably stay in China. So why Google? WHY?

One theory that has been boiling in my mind is that maybe this is a stunt by Google. They could be sacrificing Google.cn and jeopardizing the safety of their Chinese employees to make a media stunt. After all, in the world where Google is king, like the world that Charles Arthur lives in, this news is rapidly spreading about the courageous act that Google did, facing the evil Chinese censors. Human Rights Watch is praising the decision as an "important step to protect human rights online." Others are looking forward to seeing how this war of Titans will turn out, and individuals, such as the Beirut Spring, call it popcorn material. Mashable already covered it under the title "HTTPS becomes Default for Gmail."

The war itself is already settled, Google.cn will be closed by the Chinese government and Google won't be crying about it. That is why I say maybe just MAYBE it's a stunt, probably to compensate for the mediocre performance of another media sensation, Google Wave, which was quickly forgotten, as my friend Mike eloquently tweeted: "Anyone remember Google Wave?"

