Track Record In China Sets Cisco’s “TOS” Scandal In A More Sinister Light

Cisco did some apologizing this past week. The networking giant apologized for all the confusion about Cisco Connect Cloud and the suspect terms of service that many people viewed as a way for the company to monitor behavior and potentially cut off their router if they infringed.

Cisco Connect Cloud is a service that updates a router automatically for customers. It’s part of Cisco’s effort to connect all the “things” in your home, be it your PC, tablet, appliances and anything else you can think of. It limits the owner’s capability to control the router itself. The advantage, Cisco claims, is it gives you the ability to manage your router no matter where you are.

Issues surfaced last week when customers upgraded the firmware on their routers and were directed to a page that asked them to update to the Cisco Connect Cloud service.

Ars Technica’s Jon Brodkin experienced the issue himself after buying a Cisco Linksys EA3500 dual-band wireless router. Soon after installing it, he was notified of a firmware update. A sign-up page appeared for Cisco Connect Cloud when he tried to access the browser’s internal administrative Web interface. After signing up for Cisco Connect Cloud, he had limited ability to manually administer the device.

Brodkin:

In exchange for the convenience of Connect Cloud, you have to agree to some pretty onerous terms. In short, Cisco would really hate it if you use the Web to view porn or download copyrighted files without paying for them.

The story soon spread. Cisco has since backed off and has changed the terms of service. I did a search for “pornography,” and did not find any references.

Update: A Cisco spokesperson said the company has comprehensively rebutted allegations that it monitors personal Internet use. He said Cisco has similarly comprehensively rebutted allegations that the company has in any way modified its technology to aid with surveillance in China. Cisco has a company policy that prohibits selling such technology for public infrastructure projects in China, he said. He referred to a blog post from Cisco’s general counsel on the subject. The spokesperson also said Cisco’s terms of service contained errors which have been comprehensively addressed. He noted that Cisco did not change its service or policy. Instead, it corrected errors in a document.

This all may not seem like a big deal to many people. It ties into the belief that companies can be trusted with our data or that nothing will ever happen to them even if they do have it. Also, companies generally have pretty restrictive terms of service. Legal departments demand it.

But Cisco is a bit different. Here’s why.

Cisco is in the business of surveillance. It provides Internet and video surveillance technology to law enforcement organizations, national governments and any number of government agencies. ISPs and service providers throughout the world use Cisco’s “Lawful Intercept” technology to conduct electronic surveillance.

Cisco’s surveillance technology is used throughout the world. But it’s the work Cisco does in China that raises the most questions about its ethical practices.

The Human Rights Law Foundation filed suit last year in federal court, arguing Cisco helped customize its networking equipment to monitor members of the Falun Gong group. They argue that with the help of the Cisco technology, the Chinese kidnapped, detained, imprisoned, tortured and subjected group members to forced labor. There are reports that the Chinese harvested organs from Falun Gong members they took into custody.

From the Weekly Standard:

The financial excitement of a wired China quickly led to a proliferation of eight major Internet service providers (ISPs) and four pipelines to the outside world. To force compliance with government objectives — to ensure that all pipes lead back to Rome — they needed the networking superpower, Cisco, to standardize the Chinese Internet and equip it with firewalls on a national scale. According to the Chinese engineer [that the publication spoke with], Cisco came through, developing a router device, integrator, and firewall box specially designed for the government’s telecom monopoly. At approximately $20,000 a box, China Telecom “bought many thousands” and IBM arranged for the “high-end” financing. Michael confirms: “Cisco made a killing. They are everywhere.”

Cisco vehemently denies the charges.

I am sure many of you will say that the people complaining are overwrought with conspiracy theories. I have no special knowledge of Cisco’s intentions, but I do believe Cisco’s policies about monitoring an individual’s use of their home routers are relevant to its corporate focus on surveillance and interests in China.

There may not be a connection at all between this and the iffy TOS, but the TOS certainly is a reminder of how Cisco allegedly helped China use its technology as a tool for repression. In similar fashion, is Cisco now using a questionable firmware update to lock users into terms that could be used to restrict customer freedoms? The terms have been updated, but that still forces the question about Cisco’s policies.

Here’s a closer look at the terms of service I mentioned earlier.

Until last week, Cisco’s terms of service for Cisco Connect Cloud meant access to your apps, browser history and more. Here’s an excerpt that has been quoted widely by Brodkin and others:

When you use the Service, we may keep track of certain information related to your use of the Service, including but not limited to the status and health of your network and networked products; which apps relating to the Service you are using; which features you are using within the Service infrastructure; network traffic (e.g., megabytes per hour); internet history; how frequently you encounter errors on the Service system and other related information (“Other Information”).

What would Cisco do with that information? That’s the big question. The reports of Cisco being willing to help the Chinese government snoop call into question its own practices with its own customers.

Now, let’s take it a step further. What if you are active in the conservation movement or involved in a political campaign? I don’t care if you are as left-wing as Marx or out in the parking lot with John Wayne. It’s this excerpt from the terms of service that makes you pause:

You agree not to use or permit the use of the Service: (i) to invade another’s privacy; (ii) for obscene, pornographic, or offensive purposes; (iii) to infringe another’s rights, including but not limited to any intellectual property rights; (iv) to upload, email or otherwise transmit or make available any unsolicited or unauthorized advertising, promotional materials, spam, junk mail or any other form of solicitation; (v) to transmit or otherwise make available any code or virus, or perform any activity, that could harm or interfere with any device, software, network or service (including this Service); or (vi) to violate, or encourage any conduct that would violate any applicable law or regulation or give rise to civil or criminal liability.

Those are pretty broad terms of service. They are curious for a few reasons. They are a questionable restriction on free speech. They put Cisco in control of your own hardware. They give Cisco the ability to share your data with third parties. And they set the stage for more hooks and potential packet sniffing.

Now compare it to what we know about the Golden Shield Project, China’s master database and firewall that it uses to censor Chinese society. Like Golden Shield, Cisco’s terms of service made it clear that they were monitoring what you do. They did not say they were censoring you. They just made it abundantly clear that they could take action if need be.

Brett Wingo, vice president and general manager for Cisco Home Networking, said in a blog post that the service has never monitored customers’ Internet usage, nor was it designed to do so.

How we ultimately judge Cisco depends on how it wields its power. Cisco has issued an apology. It says it will not use your data against you. It maintains it will not arbitrarily disconnect customers from the Internet.

But can it be trusted?