Google Desktop Security Concerns

[markomalley]

Follows is an article from an e-mail newsletter I receive. It brings up some really good points for anybody using Google Desktop to consider. My apologies for posting the whole article, but I didn't see the info up on the web to hyperlink for those who might be interested:

---

Google Desktop raises security questions

By M. E. Kabay

Recently Google announced an additional feature to its popular Google Desktop search engine - the ability to store indexing information remotely, on Google's own servers. The description includes the following explanation:

"Search Across Computers makes the following files searchable from your other computers:

* Web history (from Internet Explorer, Firefox, Netscape, and Mozilla)

* Microsoft Word documents

* Microsoft Excel spreadsheets

* Microsoft PowerPoint presentations

* PDF files and Text files in My Documents

"Note: Your HTTPS Web history will never be shared with your other computers, whether or not you allow indexing HTTPS items on one of your computers."

The explanation goes on to say:

"In order to share your indexed files between your computers, we securely transmit this content to Google Desktop servers located at Google. This is necessary, for example, if one of your computers is turned off or otherwise offline when new or updated items are indexed on another of your machines. We store this data temporarily on Google Desktop servers and automatically delete older files, and your data is never accessible by anyone doing a Google search. You can learn more by reading the Google Desktop privacy policy."

The privacy policy dated Oct. 14, 2005, details how Google collects information about searches, customizes advertisements, aggregates information, and provides details to law enforcement or uses the data in fraud-prevention processes.

Reader Jon Chorney, systems administrator at Master, Sidlow & Associates in Wilmington, Del., sent me the following thoughtful analysis of liability issues for corporate employees contemplating use of Google's Search Across Computers.

* * *

If I were to use that tool to remotely access any computer with confidential data (think healthcare, investments, etc.), it seems that I would compromise any precautions put in place to comply with applicable legislation. This is true no matter how secure the method I choose to connect to the remote computer.

Although Google may swear that access will be limited, no one with any care for confidentiality would want to place their trust in unvetted staff at another organization.

In February, the Electronic Frontier Foundation (EFF) issued a press release warning that Google's new tool would greatly increase government access to private information using a subpoena against Google instead of a warrant against an individual - a drastic reduction in the burden of proof required for such access.

So the implications of Dell pre-installing the tool on computers that it sells to business are, in my view, serious indeed and underline the need for strong, enforced policies regarding software installed on a business computer.

* * *

Mich here again.

With respect to Jon's concern about unvetted staff, I note that Google's Privacy Policy states:

"We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations."

To the extent that we trust Google to follow its own rules, these are encouraging assertions.

However, many other commentators have noted that although the configuration of Google Desktop allows exclusion of specific directories from the search domain, few novices will pay attention to this security feature. Any system with Google Desktop using the Search Across Computers feature must be considered compromised until proven otherwise. Security administrators beware.

---

This is hardly the first piece of info I've seen that call Google desktop into question. In fact, if you're interested in reading a few of them, you can click for articles on one site regarding that application.

Desktop searches, toolbars (such as AOL, Google, Yahoo, etc.), and so on all provide information to third parties when you use them. Consider yourself cautioned!

[Tom Strange]

thanks Mark... do you think there's any risk using GoogleEarth? ...of course, I guess there's risk using any freeware... (there's always a hitch, whether hidden or not)

[GarthP2000]

do you think there's any risk using GoogleEarth?

Only when their satellite cameras get to the resolution to clearly spot you at your computer.

:blink:

[WordWolf]

Sir,

why do you think I never installed it?

The caching feature on their servers allows you to load stuff faster-

and allowed others to access your cache.

People were browsing online stores, and their browser was

announcing they were logged into the site as [name of someone else.]

Private forums and stuff could be accessed by the same method.

I love Google's normal search function. But ANY data ANYBODY saves

makes me give them "the hairy eyeball", so the "helpful improvements"

I pass on.

[markomalley]

thanks Mark... do you think there's any risk using GoogleEarth? ...of course, I guess there's risk using any freeware... (there's always a hitch, whether hidden or not)

Tom,

None in particular that I'm aware of...other than the possibility that a record might be kept of the locations you search on...but even then I'm not sure it's keyed to you.

Garth, LOL

WW, I agree. Never installed it myself.

[justloafing]

I had it and dumped it in a week. Just never really used it,