Shostack + Friends Blog Archive

 

Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air.  See, for example, this news story on PC makers’ efforts to comply [link to http://tech.yahoo.com/news/ap/20090625/ap_on_hi_te/as_tec_china_internet_pc_makers no longer works], which points out that

Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam or supply it on disc with every PC sold in China from July 1.

Last week, it appeared the government backed away from requiring compulsory installation by users, but manufacturers are still being required to provide the software.

I suspect that there will be at least one more update to this post before all is said and done.

Update 17 June 2009Green Dam is now to be optional, but installed-by-default.

There’s a great deal of discussion in China right now about the new government-mandated “Green Dam” Internet filtering software that must be installed on all PC’s in the People’s Republic of China

Every PC in China could be at risk of being taken over by malicious hackers because of flaws in compulsory government software.

The potential faults were brought to light by Chinese computer experts who said the flaw could lead to a “large-scale disaster”.

The Chinese government has mandated that all computers in the country must have the screening software installed.

It is intended to filter out offensive material from the net.

I was in a taxi in Beijing a couple days ago and the driver was listening to a call-in/talk radio show whose topic was the software and its flaws/weaknesses.  My post, however, had to wait until I returned states-side due to this ‘blog being blocked by the three different connections I tried to access it while I was in China.

The consensus about this software among the locals that I spoke to is that it will be widely ignored, except in places like primary schools and some government offices.

There is so much to say about this, however, that I almost don’t know where to begin.  First, there is the issue of externalities.  The benefit from this software are the government censors.  The cost, however, will be borne by those whose machines are rendered less stable, less secure, and less useful (due to the censoring).  This is the opposite of the theoretical goal of regulation–the transfer externalities back onto their creators, not the other way around.

The results here may be even more toxic than observers currently realize, however.  By demanding compliance even when it does direct harm to those who must comply, the government undermines the loyalty of the citizenry and its own credibility.  It may only be one straw on the camel of Chinese citizens’ discontent, but eventually, there will be a straw that breaks the camel’s back.  This software has re-energized the domestic debate over the role of government censorship and whether their goal is to keep the populace safe or merely in-line.

Similarly, there is a lesson here for security and risk managers.  Namely, policies must also be perceived as benefiting those they govern.  Corporations whose policies are too obviously unfair or which demonstrate a contempt for employees produce similar disloyalty.  While it may not be immediately obvious in the current job market–people generally won’t quit in protest if they can’t find another job–that makes the effect worse.  A grumbling workforce is an unproductive workforce.

Yes, we must achieve our goals, in my case protecting information, and the combination of reduced budgets and nervous employees makes it that much harder to achieve results.  But in times like these, we also need to tread more lightly than ever since the resisters of policy–those employees who are more likely to be a risk–are more likely to stay with us and undermine it from within.

So, as ever, when we are dealing with security, the mantra remains, “People, process and technology–in that order.” Any attempt to attack the problem otherwise frequently produces unintended–and often
unwanted–results.

Footnote:

I don’t know what my employer’s corporate stance is going to be, but we have a significant white collar presence in China, so will probably be unable to ignore the problem.

When asked, I will argue that we already perform this filtering on our corporate proxy servers, but it does not change the fact that the government has created a huge externality for their population and for companies operating here as part of a futile attempt to prevent Chinese citizens from viewing porn or dissident political commentary–not necessarily in that order, IMHO.

2 comments on "Green Dam"

  • Charles Liu says:

    Your story is a little off. The end users were never reuqired to install or run Green Dam.

    “preinstall” in Chinese actually means “bundle”. Take this 6/12 ZDNet article citing WSJ for example:

    http://blogs.zdnet.com/BTL/?p=19688 [link no longer works]

    As to what Green Dam will filter, it is configuable by the user.

    How can this be twisted into censorship is beyond me – anti-sinoism perhaps?

  • Charles Liu says:

    Chandler, I think you’ve misquoted the Thomas Claburn article. It doesn’t say Green Dam is installed by default, actually the opposit:

    “The unnamed official said that the software’s setup files must be present on all computers or on an installation CD, but the actual installation of the software is up to users.”

Comments are closed.