Since the news about Google demanding unfiltered search came out earlier today, I’ve speculated in a number of places that Google have broader reasons for wanting out of China, and that the issue of search – and, by extension, free speech – was not exactly #1 on their list of priorities. In particular, I mentioned on LWN my thoughts on what kind of an effect Chinese infiltration of Google Apps would have on the customer base they’re trying to build.

To reprise some of the facts in the reports;

  1. BBC News mentioned “a sophisticated and targeted” attack, but then later says that Google pointed the finger at phishing and malware scams rather than security problems.
  2. The reports are that Gmail accounts were mainly targeted, and these Gmail accounts were of known dissidents.

Now, 2) is quite believable, but 1) is not at all. Phishing and malware is nothing new, there’s not a lot you can do to stop it, and it’s certainly not sophisticated and targeted unless the Chinese Government was intercepting legitimate Google traffic. Even then, with SSL, that’s a difficult proposition.

Wikileak’s twitter account added a couple of other suspicions:

  1. China has been quietly asking for the same access to google logfiles as US intelligence for 2-3 years now.”
  2. Gossip from within is Shanghai office used as CN gov attack stage in US source code network.”

With this kind of affair, it’s usually instructive to consider the adage of Cui bono. Sure, Chinese intelligence probably could use more information about dissidents and would probably like log file access and things like that. Almost certainly they try to access gmail accounts too. I have little doubt that Google would have immense trouble detecting this from the more general problem of phishing, and to that extent it’s really not their problem – it’s a social engineering problem.

There is a far larger prize at stake, of course. If Google source code is under attack, which seems reasonable, this presents two major issues. The first, that Google code could be used by China: there is the issue of straight-up rip-off, which devalues Google at the very least. However, Google is already #2 and is well behind Baidu, the native search system. There is motivation to do this of course, but it’s not exactly the biggest prize on offer.

The larger prize is access to code to work out security issues. Google does not develop code in the open, and while most of it is probably secure there are doubtless issues that a determined attacker could find more easily with access to code. And, once you start getting access, you start being able to gain the stuff of real value: the information stored on Google’s systems, in Gmail, in Google Docs, in Postini, as well as the various logs and other behavioural data associated with advertising.

Put like that, Google simply cannot afford to work in China. In one sense, China is lawless: there is a certain class of “criminal” who is state-sponsored and therefore can do as they please. There is no good technological defence to this, there is only the question of whether to participate or not. And what are the potential costs of participating? Essentially, limitless. Major US and EU firms on Google Apps will not want their business information readable by the Chinese authorities. More than that, firms doing business with other firms using Google Apps will not want their information readable too.

On Facebook, I gave the example of Jaguar Land Rover as one company who use Google Apps for everything. Will they like the idea of the Chinese authorities being able to see what they’re up to? No. Even if it’s not happening, it will put the wind up them: potentially, it could destroy their business. And lets remember, there are now millions of businesses on this platform.

This highlights one danger of cloud computing: not only do you have to trust the provider, but you also have to trust that the aggregation of data in one place doesn’t become a sufficiently juicy target for someone else. And Google is a very, very juicy target.

Let me speculate further on a few potential issues in the future (none of which are problematic at this point today):

  • Google controls large amount of “dark fibre” and “private internet”. That’s a juicy target.
  • Google are putting Android into many handsets. Yum, yum, another juicy target!
  • Google maps / street map / other raw data. If, somehow, the collection of data could be controlled by another agent – well, that’s quite a useful tool to have.

This doesn’t even go into the potential issues of having hardware controlled by another agent in your data centre or in your phone, which isn’t outside the realms of practical possibility for the Chinese Government either.

Let’s be clear about this: all Governments have secret services, and the Chinese are by no means the most adept or technologically advanced. However, they may be the most dangerous and the most likely to work clandestinely. Google must know already that they have spies working for them, not just in China but in all their major offices. Most good industrial espionage is internally undetectable, because it’s acquired information out only. The Chinese spies clearly have been up to many detectable activities, which puts them in a very different class.

Update: Wired has a very good article up with more details about the attack. In short, there was a specific piece of malware targeted at Google to pull their source code out of the organisation. It doesn’t say what, but it does say that the large amounts could be sent and doesn’t say how quickly they detected in. Which is exceptionally scary. I would have thought the Windows-based attack would limit the scope of what could have been lifted, but this doesn’t explain many of the other rumours about Google’s Chinese offices, and doesn’t (on its own) explain Google’s seeming decision to withdraw. Possibly, Google were attacked in other ways too.