Security Analysts Still Leery About Google Desktop 2

By Lisa Vaas  |  Posted 2005-08-23 Print this article Print

Some are wary of opening the door to the tool's powerful desktop search capabilities; the problems involve leaving sensitive data lying unprotected on users' desktops.

In spite of Googles efforts to placate the concerns of its enterprise audience, some security experts are still leery about opening the door to the powerful desktop search capabilities packed into the companys release of Google Desktop 2 on Monday. "This is a very powerful tool, potentially with a bidirectional metaphor," said James Governor, principal analyst and founder of the analyst firm RedMonk. "Its indexing all this stuff on your desktop and doing something on the Web. Whos to say thats not a potential breach?" Google Desktop 2 is the second beta of Google Inc.s desktop search tool, which it first unveiled in October 2004.
This version goes far above and beyond the first beta. For example, added features such as the Sidebar go beyond finding information on a users computer to personalizing an array of information on users e-mail, news, weather, photos, stocks and RSS and Atom news feeds, all based on their Web browsing history.
"We really focused on first, not only making desktop search faster and easier, but second, helping people to find new information through the Sidebar," said Nikhio Bhatla, product manager for Google Desktop. "We wanted to let people just sit back and let the Web come to them." Enterprises believe that some of that information is best not found, however. When Google first unveiled Google Desktop Search (since renamed as Google Desktop) in October, security experts and IT administrators were alarmed to find that the tool had the ability to reveal personal and confidential information in search results, including returning password-encrypted Microsoft Office files that were available to users without the password, pages from secure sites that display corporate data from Web-based enterprise applications, or personal information such as financial services accounts and medical records. Google responded to enterprise trepidation when it released an enterprise version of Google Desktop Search in May. The enterprise version enables administrators to restrict indexing of, or access to, files. It also allows administrators the ability to block communications back to Googles server for automatic updates of the software—a cause of concern that initially plagued security analysts with the consumer version of the product. "I worry about data leakage from my desktop back to Google," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. "Is information on what Im searching for going upstream? I didnt know [when he first looked at Beta 1 of Desktop Search]. So Im less likely to use it." According to Bhatla, password-protected documents are no longer indexed in the enterprise version. In this current release of the consumer version, Desktop 2, Google has also added a feature to encrypt the index so that all files are protected from access if a laptop or computer is stolen. Desktop 2 also supports multiple users on one computer. If multiple people use a single computer and have their own, individual Windows accounts, each person can install and run Google Desktop and know that their information is inaccessible to other users—a major concern with Beta 1, as evidenced by feedback left on the subject by an eWEEK reader. "[The idea that] in order for you to be able to view the files and browser caches of other users on the system, you must be the system administrator … are not quite true," wrote the reader, "clarkalex." "On [Windows] XP maybe, [but] on other Windows systems a user can install software as a regular user account with no problem and can open up other users files with no problem," the reader wrote. "This is because the default permissions are Everyone Full Control on a Windows system. This even applies to the users folder in Documents and Settings. There are still plenty of Win2K systems out there. The security policies would have to have been modified to make your statements true. Or the owner of the files that were to be kept secret would had to have changed the ntfs permissions on them. (Assuming ntfs was the file system in the first place.) On a Win2K system, generally there would be nothing stopping a regular joe from downloading [Google Desktop Search], installing it, and being able to see whatever he wanted. That would indeed be a security threat." Next Page: Multiple-user systems use is still not advisable.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel