PGP Blogs

International Relations Fallout of Google Breach
Monday, January 25th, 2010

The fallout from Google’s announcement last week about their business in China continued on Thursday in a major policy address by Secretary of State Hillary Rodham Clinton. In a wide ranging speech in Washington, D.C. the Secretary again demanded the Chinese authorities conduct a full and transparent investigation of the cyber attacks outlined by Google.

Some analysts have called these attacks and their aftermath a day of reckoning; others a watershed in the development of a secure Internet. It may be one or both of those things, but my own belief is that it is also the day when the world finally grew up relative to the data breach phenomenon. Moving forward the world will come to understand that the Internet is not an inherently safe environment into which cyberattacks occasionally intrude.

Because the internet itself is a community much like that of a developing country, all shared data is at risk.   While this observation is true even in a developed society, the Internet does not come with security, rule of law, or other infrastructure to ensure that “responsible” behavior is the norm.  Those that share their information and data on the Internet truly do so at their own risk. The recent events highlighted by Google only demonsrates the magnitude and consequences of those risks.

These events also prove  that the Internet has become an inherently unsafe environment in which cyberattacks are the norm. To prevent these attacks from rendering the Internet useless for commerce and communications will require an unprecedented level of vigilance and willingness to engage nation states at the highest levels as Secretary Clinton has done.

I thought Mrs. Clinton summed up what is at stake here quite eloquently when she stated:

“Ultimately, this issue isn’t just about information freedom; it’s about what kind of world we’re going to inhabit. It’s about whether we live on a planet with one internet, one global community, and a common body of knowledge that unites and benefits us all. Or a fragmented planet in which access to information and opportunity is dependent on where you live and the whims of censors.”

When current foreign policy includes dialogue and diplomacy about the impact of data breaches, it’s undeniable that data security (or the more correctly, the lack thereof) has ceased to be under the sole purview of cybercriminals and information security officers.They have become an integral part of the fabric of international relations.  My advice is that we all become accustomed to this. It IS the new normal.

Filed under: CEO Blog
Tags: china, Google, Secretary of State Clinton
Comments: No Comments

Google Stands Up for Corporate and Personal Rights
Tuesday, January 19th, 2010

It was remarkable last week watching how a single cyber-attack has ignited a firestorm of global reaction. I’m referring, of course, to the “highly sophisticated and targeted attack” on Google and a few dozen other companies. While the common wisdom is that the attacks were initiated in China, it hardly matters. All enterprises of any size (including PGP Corporation) are under cyber-attack every hour of every day from a large number of bad actors both foreign and domestic.

While most of the news coverage has focused on speculation about the source of the attacks, the real news here is that a corporate entity is standing up to defend both corporate confidentiality and individual rights. This sort of attack has the potential to not only affect global commerce, but global conventions on what rights individuals inherently possess regardless of their citizenship.

First, let me acknowledge and applaud Google for taking a leadership position on this key issue. For a company like Google that makes its living providing consumer focused products and services, it takes no small measure of courage to threaten to abandon the largest consumer Internet market on earth.

Second, I have to point out that even if the facts eventually prove China was attempting to monitor the communications of their own citizens, this issue is in no way unique to China. In fact, the American government has shown enthusiastic willingness monitor its citizen’s communications.  Historically, governments, even very liberal governments, have had a hard time recognizing and respecting an individual’s right of privacy. Even the U.S. Constitution, with its enumeration of specific individual rights, contains no explicit right of privacy.

PGP Corporation was founded on the core belief that every citizen of each nation possesses an inherent right of private communication.  PGP Corporation’s founder Phil Zimmermann predicted 20 years ago that global governments would attempt to use the Internet to diminish our individual rights to privacy, and Phil nearly went to prison defending those rights.

Third, I believe that the political and economic ramifications of Google’s public statement and disclosure of the attack will echo for months, if not years. Western governments will be forced to respond both technically and diplomatically to avoid being perceived as weak in the face of a clear and present danger. Companies that have moved manufacturing and/or customer service operations to jurisdictions that refuse to recognize the fundamental rights of their employees who are citizens of those countries will come under increasing pressure to curtail their engagement in those regions. This issue is not going to go away quickly and I believe it will leave a very different set of international business practices and standards in its wake. It’s going to be fascinating to see how this plays out, particularly given how dependent western economies are upon Asian manufacturing and financial resources. The only thing I know for sure is that somewhere in the world Phil Zimmermann is smiling and thinking, “I knew this would happen!”

Filed under: CEO Blog
Tags: china, Google, privacy
Comments: No Comments

Google Lives Up To Its Motto
Monday, January 23rd, 2006

As you might expect, I admire business people taking a moral stand. Google has always touted its motto of not doing evil. This week, Google has been put to the test. In case you haven”t heard, in its defense of the 1998 Child Online Protection Act, the U.S. government has subpoenaed a number of ISPs and portals for 1 million IP addresses in the search history as well as 1 million search terms over a week. Uniquely, Google has refused to comply with the subpoena and the government has, in turn, sued Google. Google has said it will fight the suit “vigorously.”

On the one hand, it shouldn’t come as a surprise to anyone that there is porn on the Internet– Avenue Q has made that into an hilarious joke. On the other hand, there are plenty of people who don’t want to see it. Balancing these two isn’t easy for the government or companies that make their living on the Internet.

However, PGP (and we believe most other security companies) would likely decline similar requests from the government. In my view the government doesn”t even need the Google data to achieve its stated objective. They can do research. They can talk to people who have data. After all, there were plenty of companies that did turn over customer data. The government already has access to most of the data they need and can obtain the rest without resorting to the power of subpoena.

Google’s sense of ethics is such that it believes in protecting the privacy of its customers. Every time Google does anything controversial, its policy of “you can make money without doing evil” is brought up. It”s good to see that when it counts, when a difficult decision has to be made that may not make money, Google lives up to its principles.

However, there are things that we as Internet users need to know. Most websites record much more information than we realize. The IP address of the machine you are using can often pinpoint you in time and place. Some websites record the entirety of the click-stream you create as you use the site. It’s one thing when they use this information to enhance your experience. The danger, of course, is when unanticipated demands come for that data. The Internet is a dangerous place, and the dangers are not all from hacking, phishing, and viruses. They also come from the unintended use of our reading and shopping habits or mere curiosity.

Those of us who create systems to increase security and protect privacy can do things to help. I have a series of articles lined up to talk about advances in privacy. We can’t do everything, though, and there has to be a better solution to preserving privacy than to simply decide we shouldn’t search for things on the Internet.

There are some things technology can’t solve, however. Policies, attitudes, and decisions about the right way to use a customer’s data are all part of the equation. That situation is changing. A few years ago, those of us who talked about how easy it was for personal information to be lost or stolen were seen as a bit wild-eyed and paranoid. Now, announcements of data breaches have made the need for encryption and data security obvious to everyone. This new reality is bringing home the fact that there is danger in this data wandering from its intended use into an unintended one. It’s good to see that Google understands the difference.

Background Reading

Avenue Q, “The Internet is for Porn”, 30-second audio clip [real]http://www.aristaassociatedlabels.com/media/avenue_q/audio/…

Avenue Q, “The Internet is for Porn”, full song with World of Warcraft videoshttp://www.youtube.com/watch.php?v=lr_HR-iIlYg

Coursey, David, “The Feds Go Fishing, but Google Ain’t Biting,” eWeek.com, January 20, 2006�
http://www.eweek.com/…

“Google Shares Have Biggest Drop After Justice Suit”, Bloomburg.com, January 20, 2006�
http://quote.bloomberg.com/apps/…

McCullah, Declan and Elinor Mills, “Feds Take Porn Fight to Google”, C/Net, January 19, 2006�
http://news.com.com/…

Musil, Stephen, “Google, the defiant one,” C/Net, January 20, 2006�
http://news.com.com/…

Ten things Google has found to be true: You can make money without doing evil:http://www.google.com/intl/en/corporate/tenthings.html

Filed under: PGP Advisory Board
Tags: Google
Comments: Comments off