I have blogged before about China’s focus on censoring Web use and identifying Internet users. China has been seeking to require that censorship software (called Green Dam-Youth Escort) be preinstalled on computers sold in the country. But the software was plagued both by technical problems and by bad publicity from privacy and civil liberties restrictions. China decided to postpone the mandatory preinstallation, but some computer makers are forging ahead anyway.
Last year, the New York Times reported that the Chinese government secretly ordered news Web sites to require individuals to use their real names and identities when commenting on the sites. In 2008, Xinhua News Agency (which is controlled by the Chinese government) reported that China started photographing and identifying users of Beijing’s Internet cafes.
But even with all these efforts, China seems to be having a tough time with its war over the Internet. A recent Wall Street Journal article noted that, “The Great Firewall’s power used to be in the government’s ability to keep its vast Internet control system under the radar of Chinese users, few of whom use the Web mainly for politics. Now, ‘fan qiang’—a cyber dissident’s phrase meaning to ‘scale the wall’ — has become standard lingo for Chinese Internet users of many persuasions.”
And now, in a posting on Google’s official blog, the company revealed that recent security and privacy events may cause Google to pull out of China altogether.
In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.
First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.
Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. […]
Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. […]
These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.
Google also said that it used what it learned from this attack “to make infrastructure and architectural improvements that enhance security for Google and for our users.” One of those improvements seems to be that Gmail (Google’s Web-based free e-mail system targeted by the attack) now defaults to encrypted access. Now when you go to Gmail, you will get https: instead of http:. What does this mean? According to Google’s posting about the change, “Using https helps protect data from being snooped by third parties, such as in public wifi hotspots.” Why didn’t Google encrypt Gmail access from the beginning? “We initially left the choice of using it up to you because there’s a downside: https can make your mail slower since encrypted data doesn’t travel across the web as quickly as unencrypted data,” Google said.
Previously, you had to go into your settings and make a change so that your Gmail account would always sign in via encrypted access. (Here’s some info in case the https: change affects your offline access to Gmail.)