Problem solve Get help with specific problems with your technologies, process and projects.

Google Desktop gets scarier

As if the threats posed by Google Desktop weren't enough, Google's latest release is chock-full of new dangers -- especially to enterprises. In this tip, security guru Mike Chapple reviews Google Desktop 3 and its "Search Across Computers" feature, and explores whether its benefits are worth the risks.

When Google Desktop first appeared on the computing scene, it was met with mixed reviews. This new tool offered what Windows didn't -- an easy way to search across your local files, Internet history and e-mail, all in one integrated search. However, it also raised the specter of privacy and security concerns. Where was all that data going? What could/would Google do with the private information they were likely to obtain? Back in November, Mathew Schwartz covered these topics in How to tame Google Desktop. If you weren't creeped out then, now's the time to be full-blown worried about the potential threat posed by this desktop search engine.

Google recently released Google Desktop 3, which includes a nifty new feature called "Search Across Computers." This function has an innocuous-sounding purpose -- it allows you to search any of the computers you own, linked by your Google account. The benefit is that you're able to search for a document on your desktop when you're on the road using your laptop or search your home PC from work, etc.

Wondering how this great service works? It maintains a centralized index of your files on Google's server farm. To quote from the Google Desktop Privacy Policy: "If you choose to enable 'Search Across Computers,' Google will securely transmit copies of your indexed files to Google Desktop servers, in order to provide the feature." By this point, you probably have a good idea why you don't want this product running unfettered in your enterprise. But, there's plenty more.

More Google information

Learn how to block DSEs in this tip.

Protect your business from a Google hack.

Find out more about Google hacking.

Google's well-publicized philosophy is to "Do No Evil." However, even if you trust Google to be a responsible steward of your organization's data, you should consider these factors:
  • Google accounts are owned by individuals, not companies. If one of your employees links a corporate desktop to his or her personal Google account, you're bound to have issues down the road. What happens when that employee leaves the company and still has access to cached data?

  • You may have data that you're not entitled to share. Do you have customer data that's subject to privacy laws or policies? If so, does storing this information on Google place you in violation of those policies?

  • Do you really trust Google? Their policy says that they will handle desktop search data as "personal information." However, in another policy document, they list acceptable uses of personal information and have some frightening clauses. Those include the ability to use your personal information to display customized content and advertising, and the use of this data for "auditing, research and analysis."

  • Do you trust the countries in which Google does business? If you choose to use this application, you'd better. The Google privacy policy states that they reserve the right to process your information on servers outside of the United States. Remember, the search and seizure laws outside this country vary dramatically.
So, what can you do about this threat? First, you may wish to implement a search management solution for your enterprise and direct users to that approved, internally managed solution. If you absolutely must run Google Desktop 3, consider using the Enterprise Edition, which allows you to manage settings across the enterprise. You can then set enterprise systems to automatically disable the "Search Across Computers" functionality. To learn how to block Desktop Search Engines, read How to tame Google Desktop.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in April 2006

Dig Deeper on Productivity apps and messaging security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.