Google admits Desktop security risk

Businesses have been warned by research company Gartner that the latest Google Desktop Beta has an "unacceptable security risk," and Google agrees.

On Feb. 9, Google unveiled Google Desktop 3, a free, downloadable program that includes an option to let users search across multiple computers for files. To do that, the application automatically stores copies of files, for up to a month, on Google servers. From there, copies are transferred to the user's other computers for archiving. The data is encrypted in transmission and while stored on Google servers.

The risk to enterprises, according to Gartner, lies in how this shared information is pooled by Google. The data is transferred to a remote server, where it is stored and can then be shared between users for up to 30 days.

Gartner said in a report on Thursday that the "mere transport (of data) outside the enterprise will represent an unacceptable security risk to many enterprises," as intellectual property could be transported out of the business.

Google told ZDNet UK on Monday that it recognized the risk, and recommended that companies take action. "We recognize that this is a big issue for enterprise. Yes, it's a risk, and we understand that businesses may be concerned," said Andy Ku, European marketing manager for Google.

Google confirmed to ZDNet UK that data was temporarily transported outside of businesses when the Search Across Computers feature was used, and that this represented "as much of a security risk as e-mail does."

"Theoretically any intellectual property can be transferred outside of a company," Ku said. "We understand that there are a lot of security concerns about the Search Across Computers feature, but Google won't hold information unless the user or enterprise opts in (to the feature)."

Google said that security was the concern of individual businesses. "The burden falls on enterprises to look after security issues," Ku said. "Companies can disable the Search Across Computers facility."

Gartner said that sensitive documents may be inadvertently shared by workers, who may not have specialist knowledge of regulatory or security restrictions.

Google said it was unable to comment on the risks posed when individuals share sensitive information. "Some users may, and some users may not be able to," said Ku, adding that companies should follow their own policies.

"At the end of the day, each company should make its own decision. If they are uncomfortable, they shouldn't enable the feature," Ku said. "It's about what a company deems to be best corporate policy."

Gartner has recommended that businesses use Google Desktop for Enterprise, as this allows systems administrators to centrally turn off the Search Across Computers feature, which it said should be "immediately disabled."

Companies "must also evaluate what they are allowing to be indexed, and whether they are comfortable that they can adequately bar the sharing of data with Google's servers," said Gartner.

Google agreed that Google Desktop Enterprise would better mitigate security risks. "If you're given a choice, choose Enterprise," said Ku.

Tom Espiner of ZDNet UK reported from London.

Stupid author

Get your facts straight.<br />"To do that, the application automatically stores copies of files, for up to a month, on Google servers."<br />You have to turn this feature on purpose. It's off by default. And no duh it's a security risk. You transfer any data outside your network there's ALWAYS going to be a possibility that someone else could see it.<br />Honestly, this article is so pointless that I'm amazed anyone took the time to write it.<br />It's the new "cool thing" to bash Google.<br />Do it when they deserve it. Not just when you feel like it.<br /><br />- James

[emeshuris]

Completely agree

I usually do not comment. But I read this post, your reply and remembered an article about firefox that I read a while back that infuriated me.<br />In that article, the author kept commenting on the fact that firefox could not open pdf files. I had the same version and it had no problems opening any pdf file.<br />This seems to be the same kind of issue.<br /><br />-Edward

[letras32]

beleive it

Completely agree. I can't beleive that is true now is souch a short time.<br /><br />Sam - <a class="jive-link-external" href="http://www.letras32.com/letras/f.php" target="_newWindow">http://www.letras32.com/letras/f.php</a><br /><a class="jive-link-external" href="http://www.letras32.com/letras/g.php" target="_newWindow">http://www.letras32.com/letras/g.php</a>

[n3td3v]

Where is the security risk???

Where is the security risk outside of the design spec for the product?

[stoicnluv]

There's no security risk?

...Then why did google admit that it was a risk?

[someguy389]

Yes, every user sits and reads the design spec

Security risks don't have to be flaws. The problem here is that the behavior of the software has changed in a way that some users might not be aware of (including even network admins who just aren't up on their latest Google news). That's ok, but Google is doing the right thing by acknowledging that and making sure corporations are aware of the risk. Keep in mind, the average office worker couldn't possibly be as technologically "l33t" as you. It?s certainly possible that workers having installed the software might turn the feature on without a solid understanding of what it does. That is a security risk. In the business world, even whiteboards are security risks. Codenames are used for projects to keep competitors and on site business partners from overhearing information they shouldn't. Businesses have to be careful. It's a competitive world.

[KsprayDad]

A Little Late

This story should have accompanied the original release...at this point its pointless...<br /><br />IT managers already know about it and common slobs don't need to worry since it isn't invoked on download.<br /><br />Non story.<br /><br />Oh...<br /><br />There is this great MAC site you should visit...<br /><br /><a class="jive-link-external" href="http://maxxuss.hotbox.ru/" target="_newWindow">http://maxxuss.hotbox.ru/</a>

[FutureGuy]

Re: Where's the risk...

...if I understand this correctly the said feature when enabled causes the software to send files outside of the enterprise, which would be most unacceptable for most enterprises. Unless there is a red flashing warning next to that feature stating that this is going to happen users are not going to know the consequence. Its like having a button "Free up space" next to a drive which would format it, the way the software was designed to do, is it a bug? no, can one blame the user to be totally stupid no, is it bad design yes.

[ssway]

How is it is any less of a risk for the home user?

Sure companies have to protect their intellectual property and what not, but how is this any less of a security risk for the home user? Home users don't want their personal files leaving their PC and going to google's servers. I sure as h3ll don't want my bank statements, etc going to google's servers. This is where Google has crossed the fine line they have been dancing on for the last few years. <br /><br />I'm starting to get a rather bitter taste in my mouth at the mention of Google. Moving forward the public must be wary and vocal about Google. If we just sit back and let them, they will walk in and take our privacy.

[Jamie314]

No difference.

As you say, the risk to home users is no different than the risk to businesses... the only difference is that most companies have more sensitive data than home users, like trade secrets.<br /><br />But the simple answer is to turn the feature off. If you're really paranoid, then don't use the program. I don't; however, consider this an example of Google attempting to "walk in and take our privacy". For one, the user has to consciously download and install some software, knowing what it does and how it works. This feature is hugely well documented... don't like it? Turn it off! You can also tell the software to not index certain folders, use that for your bank details. <br /><br />I like Google, and I like them because I can find pretty much anything on the internet in a few seconds. They have a great email system that I'm really happy with, and now I can find things on my computer as quick as on the internet. I'm just in the (seemingly) small minority of people who are security conscious and realistic about software features.

[Nitez]

Just another alternative

MP3 players, portable hard drives, palmtops, laptops, email,... you name them! It's not like google invented the concept of transferring data from one computer to another. Other companies (forgive me for not remembering their names) have already provided these "30 days Upload-Download" services for a very long time. On the other hand, network administrators have their own responsibility in setting policies on what users can and cannot do, and apply those policies. One of the previous notes indicated that this option is switched off by defeault. Finally, I couldn't agree more on the fact that it is becomming a trend to criticize Google's good work. If this is an issue, talk to all manufacturers of portable devices and e-mail sevices. They would be equally liable for the "risk" of letting data out of companies' network. I guess they would all agree, as google did, that their is a risk indeed ...

[J.G.]

Security issue is real

Portable devices are not comparable. The problem with this <br />application is that it allows data to be compromised via the <br />Internet, which is easy to do. A person has to go to quite a bit of <br />trouble to smuggle computer data out of a business via a portable <br />device if the business is being run properly. The advice that <br />businesses not use Google Desktop 3 is good.

[Steven N]

Poor argument

If a company is able to block portable devices, then you can be sure they will also not allow ANY software to be installed. So for those companies this is a non-issue.<br /><br />For the rest, I believe more sensitive data is transferred over the Internet using ftp, webmail, email,... without any form of encryption than with this tool that is using encryption.<br /><br />More people said it already: don't like it, don't install it. Don't like the feature, don't enable it.<br /><br />It's good advice from Gartner, but there is no need to make such a fuss out of it.

[mess483]

Article

I agree with the entire article.<br /><a class="jive-link-external" href="http://www.referat-de.com/referate/Griechisch/1/Griechisch1.php" target="_newWindow">http://www.referat-de.com/referate/Griechisch/1/Griechisch1.php</a>

[hawkeyeaz1]

The difference

The difference is the security risk is not <br />imposed, but optional for those who choose it. <br />Google provides people options so they can <br />decide what they want. <br /> <br />Certain other companies (whom I shall not <br />mention) try to force customers to 'choose' <br />their offerings, regardless of what the customer <br />wants. Thus, the security risks, which are <br />usually more significant are unavoidable. <br />And now they want to be able to say what the <br />customer can and can't do on said software, and <br />send data about every file to someone other than <br />the customer. Isn't that a larger security risk? <br />Yet, they are not giving customers any choice. <br />DRM. It's a bigger problem.

[J.G.]

DRM is NOT about security

Apparently, you like to attack DRM so much that you discuss it <br />even when it has nothing to do with the topic. DRM is not about <br />security. It is about the content owner protecting the value of its <br />content by limiting distribution.

[john.murray]

There are great network GDS alternatives

Use GDS ver1 with DNKA and TweakGDS resulting in a server based network search environment. No software on client machines:<br /><br /><a class="jive-link-external" href="http://dnka.com" target="_newWindow">http://dnka.com</a><br /><a class="jive-link-external" href="http://desktop.google.com/plugins/tweakgds.html" target="_newWindow">http://desktop.google.com/plugins/tweakgds.html</a>

[BKHerbert]

Uploading ANYTHING to a 3rd party is a risk

Given the fact that the Bushies feel they have the right to snoop-without-subpoena, go on fishing-expeditions without oversight, and hack into anything they feel like, I keep wondering how companies like Google think that people will entrust their data to a company that will obviously roll over at the first sign of a request for information? Forget the concept of "security of data"... This is about "nothing is safe from the prying eyes of the Feds."<br /><br />And before anyone regurgitates the tired argument about "If you have nothing to hide, then what's the problem?", I don't have anything to hide...I'm just tired of rolling over while the the Constitutional protections of the Bill of Rights is shredded in the name of "We're protecting you for your own good."

[Seaspray0]

Who's fault is this?

What? A security flaw and nobody is blaming microsoft? The silence is so.... refreshing.<br /><br />But what did I expect. Ever time it's someone else's security flaw, the MS haters club clamps shut like they were discussing hunting rifles at an animal rights rally.

[celina558]

well I didn t understand and i m afraid its something important so can someone help out? I wanna know if my data will be shared...I mean whats that feature that allows your data to jump out from your pc? Is there a chance to happen that thing? Please don t yell at me...English is not my native language and i m too young to know that stuff<br />To sum up is there any risk to lose my data or someone else have easy access to them and my pc through google desktop?

[groggyfroggy]

All you google-philes need a wake up call. So here it is. I USED to work for an IT dept at a rather large office supply company. I had several managers in my time there. How my last boss got his job is still a mystery to me. He had no degree in any IT discipline and used to work for the state prior to his arrival in my life. One day during our weekly meeting he exuberantly showed off his new installation of Google desktop. The first thing I noticed is that he had indexed his emails so he could find information from them more easily. Move forward a year later with a company in trouble and one day, while using his laptop to set up an audio visual presentation he would present that afternoon, some key words I punched in to his google desktop search to find the relevant document we'd be presenting pulled up something unexpected....a word document attachment containing an unflattering yearly review of ME and my upcoming release from my job!!! At my actual review, when I was handed my severance package, my boss remarked how calm I was - "You KNEW this was happening, didn't you!?" You betcha and it was SWEET and painless. Google desktop a security risk??? My friends, it is a HUGE SECURITY RISK. In the hands of one idiot, it can severely compromise any and all data on the most insignificant of machines at your company. If you use it at home, you're handing over your PC to the universe. Stop by the Google Hacking Database some time for some real fun. 'Nuff said.