I posted on this earlier, and Ars Technica has a followup post this morning. I think the most relevant concern is below, which has to do with the cost of allowing government monitoring:
Why only subject lines? If the attackers could get access to subject lines, why couldn’t they access entire e-mails? Apparently because the hackers infiltrated automated systems set up to provide such information to law enforcement in the US and elsewhere. (Getting access to the contents of e-mail messages is harder under US law than getting access to addresses, subject lines, etc, which are considered to be on the “outside of the envelope” and subject to pen register searches).
According to a Macworld source, “Right before Christmas, it was, ‘Holy s—, this malware is accessing the internal intercept [systems].’” Later, Google cofounder Larry Page supervised a Christmas Eve meeting on the security breach.
Fun fact: Google’s security team managed to penetrate one of the servers being used by the attackers, which was how the full extent of the attack—more than 30 companies—was revealed.
Breaches by design. Former Ars writer Julian Sanchez, now covering security at the Cato Institute, sees a problem with these automated law enforcement tracking systems in place at most major ISPs and Web companies. “As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telcoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.
“The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic. Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.”