
Are there still Google Desktop security problems?

Expert Michael Cobb explains why Google Desktop's "search across computers" feature has been so controversial.

Are there still Google Desktop security concerns, especially with its search features?
Google Desktop Search was first released as a beta version in October 2004. In early 2006, version 3 was released, and this included the Search Across Computers (SAC) feature. SAC lets users search multiple computers from one desktop, provided that Google Desktop is installed on each of the PCs. To perform the search, Google copies indexed files to Google Desktop servers over an SSL-encrypted connection. This means that even if one of your computers is offline, you can still search its contents from another one of your machines. Any content that is older than 30 days is deleted from Google's servers to make room for new content.

SAC has always been controversial. The EFF (Electronic Frontier Foundation) urges consumers not to use this feature, because it will "make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password." Research firm Gartner Inc. issued a recommendation that the Search Across Computers option should be disabled or heavily managed by enterprises.

Google's Enterprise Team agreed with Gartner's recommendation, and said enterprises should use the Google Desktop for Enterprise edition immediately and restrict its use accordingly. The Enterprise edition includes a Group Policy Administrative Template so that administrators can disable features such as Search Across Computers. Administrators also have the ability to set time-based retention policies for different types of documents.

Concerns about Google Desktop security surfaced in early 2007 when Web application company Watchfire Corp. found a series of vulnerabilities that could allow a hacker to gain remote access to sensitive data, and in some cases, gain full-system control. As a result of this serious flaw, Google changed some of the internal workings in version 5. Since then, no other security flaws have surfaced, but concerns over privacy have been ongoing.

As with most Google applications, the disclaimers that you implicitly agree to allow for future changes to the license agreement. Could Google start scanning your files in order to serve targeted advertising? At the end of the day, using SAC means that your personal or business data is being stored on a third-party server, and you need to appreciate the risks this involves. If your Google account is ever compromised, any data that has been indexed may be readable by whoever accesses your account.

For many mobile workers working from different machines, being able to access files on multiple machines makes life a lot easier. SAC could also be a life saver if a laptop is stolen or a PC's hard drive fails. Google does have a good track record of protecting users' data from the authorities, but even so, it may be too much of a risk for many enterprises. If so, either use Group Policy or configure your firewall to block access to, which will completely block both incoming and outbound Search Across Computers activity.

This was last published in August 2009
