04/30/2010 05:12 am ET Updated May 25, 2011

Google, China, and 1984

The Google v. China controversy has missed the point. It should be about The Cloud, and how China's attack on The Cloud brought us closer to the future presaged in George Orwell's 1984.

"The Cloud" is where Facebook, Google, Amazon, and other web service companies host, store, and analyze the behavioral, or psychographic, data of their users. It is the new ideal for online businesses, offering cost efficiencies and scalable services for the enormous audiences that Cloud-based businesses have begun to attract.

Hacking itself is an established threat, but China's recent hacking of Google's infrastructure and psychographic data cast light on how cost efficiencies without technological security can expose the dangers of The Cloud, and more generally the questionable business models associated with it.

The problem lies in precisely what makes Google's, and others', business models so interesting: they are built on correlations between seemingly unrelated behaviors, and these correlations optimize the services they are providing. For example, Google stores and correlates the data of our web searches and our emails (Gmail) to serve us ads; Facebook uses data to recommend friends and ads; and ad networks use data to serve targeted ads across a variety of websites.

Chinese hackers led a sophisticated attack on the servers of Google and other Cloud computing vendors to access the email and other correlated data of Chinese dissidents, and used this data to harass those dissidents and their networks. This attack reflected four problems with the Cloud which should sober policymakers and give the public significant pause.

First, the attack successfully compromised Google's Cloud infrastructure. Google is accustomed to attacks by hackers, but a successful, sophisticated attack on a particular set of users (Chinese dissidents) that was traced back to the Chinese mainland was unprecedented and unusual.

Second, the hackers used the cross-platform infrastructure and data of Google's Cloud to make further attacks. The psychographic data of Chinese dissidents stored and analyzed across services on Google could have been -- or was -- used by the hackers to harass these dissidents.

The third problem lay in the attack's implications for the mobile web: the Android mobile OS, and Google mobile apps on other phones, offer hackers GPS data correlated with online behavior. Chinese government hackers could have correlated psychographic data with GPS records of where a Chinese dissident may associate, and made decisions on how to manipulate that person or their social networks via their mobile phones.

Fourth, all three problems required Google, like other Cloud businesses, to be the last line of defense between user data and sophisticated hackers. A Cloud business's protective mechanisms are only as good as its business model; fortunately, Google has had an exceptionally strong business model. But there are other less successful (e.g., Facebook) or less tech-savvy cloud-based businesses (e.g., advertising networks, Mint, cell phone companies) which host equally sensitive data.

Neither the CEO of Google nor the CEO of Facebook has done a very good job of reassuring their enormous user bases that they understand their unique position. Facebook CEO Mark Zuckerberg has argued that there is a new social norm around privacy: "users opt to interact with our service to the degree with which they're comfortable." Google CEO Eric Schmidt has also controversially opined: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." Neither perspective seems to provide much weight to how their technology, in the wrong hands, may bring about an Orwellian reality.

Google seemingly woke up to this new reality only recently via their newly announced partnership with the NSA, which allows the two organizations to share critical information without violating Google's policies, or the privacy laws protecting Americans' online communications.

But three worrying issues remain. First, Google was not the only company compromised by these hacking attacks: Chinese hackers succeeded by spying on and targeting friends of employees of Adobe, Intel, and other companies on social networks. This implies minimal data aggregated and correlated across multiple "Clouds" can have maximal impact -- there is no one "weakest link" among services in The Cloud.

Second, CEOs and their counterhacking teams are not properly incentivized to be the last line of defense for our correlative personal data. A weak or failed Cloud business model may expose the user data of hundreds of millions of users, anonymous and perhaps identifiable, to business leaders who may seek to stay afloat by means both legal and illegal. (NOTE: before Facebook, the last international entity with 300M+ people and a questionable business model was arguably the former Soviet Union.)

Last, and perhaps most worryingly, there is not much the US government can do to act as protector. The "opt-in" argument is, for the most part, correct -- a user ultimately chooses which information to expose to servers and to the public simply by logging into a service like Google, Facebook or Mint. The Obama administration recognized this dilemma in Secretary Clinton's Remarks on internet freedom on January 21st. The speech lays out five fundamental freedoms that the US will advocate and protect online, but makes no mention of The Cloud, nor of how the US government is prepared to specifically address these other frightening implications of The Cloud.

For this last reason in particular, Secretary Clinton's speech inadvertently may have revealed our hand to the world: a tech-savvy, forward-thinking administration may not completely understand the implications of its embrace of 21st Century diplomacy and open government. This is not an allocation of blame -- "cyberspace" is an extraordinarily grey and rapidly evolving area, and it is vital that the US engage in "cyberspace" as it evolves.

But the Chinese arguably have revealed a darker threat to the individual safety of Americans than the Cold War ever did. Worse, in having made this attack, they may have forced the US to address whether it must counter the Chinese threat by engaging in, if not actively protecting, the psychographic data of Americans using the web.

The Obama administration now faces a set of complicated challenges against which it must act quickly, decisively, and shrewdly. First, it must define "cybersecurity" for the American people, and how it will defend Americans in cyberspace. The term is largely undefined, and needs to be better understood by the average American. Second, it must begin to educate Americans on how to engage in cyberspace -- millions of Americans have left themselves vulnerable simply by using the same password on multiple sites. An important first step would be to begin educating Americans on cybersecurity via YouTube and its other Web 2.0 channels immediately. Last, the administration must work more closely with businesses and Congress to better protect user data held by weaker businesses, and to build protective measures that shield consumer data in the event of business failures.

A bill in the works by Senators Snowe and Rockefeller appears to lay the groundwork for the Obama administration to address some of these concerns, and would give the President "new emergency powers." But it is arguable that the emergency already exists, and the opportunity for the Administration to take leadership on this issue is now.

Andrew A. Rosen is the Principal and Founder of AAgave LLC, a strategic consultancy in digital media, and a Term Member of the Council on Foreign Relations. He has worked in digital media at Viacom, on the foreign policy staffs for Senators Edward M. Kennedy and Robert Torricelli, and at the National Committee on American Foreign Policy, a New York-based think tank.