Several high-profile security analysts are now coming out and expressing their concerns regarding the “Search across PCs” feature of the latest version of Google Desktop – echoing my post from a couple of weeks ago.
Silicon.com is reporting that Gartner and the Electronic Privacy Foundation are now both advising that this software should not be used – or should be “locked down”.
In my opinion, all companies that are concerned about Google having copies of their confidential documents should ban the use of the Desktop Search on PCs connected to their network, and should take steps to prevent the software sending documents “home” if a user should install it against company policy. Certainly your firewall needs to block all traffic to the Google servers to which the data is transferred.
I have yet to identify the server in question, but it should be possible to install the software on a “clean” test machine, set up a couple of “dummy” documents, and watch the network traffic that the search tool generates when it sends those files home. However, I’d suggest that concerned network admins contact Google via the link at the bottom of this page and ask something like “What rules should I apply to my firewall to prevent PCs within my network which have Google Desktop installed on them communicating with Google’s servers?”
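The clean-machine test described above can be reduced to a comparison of two captures, one taken before the install and one taken while the dummy documents are indexed. The following is an added example, not part of the original post: the one-line-per-flow record format, the 90 kB dummy-document size and every address (documentation ranges, not real servers) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed flow summaries, one per line: "dst_ip dst_port bytes_sent".
# Addresses come from documentation ranges (RFC 5737); none is a real server.
BASELINE = """\
192.0.2.10 443 1200
192.0.2.53 53 90
198.51.100.7 80 640
"""
AFTER_INSTALL = """\
192.0.2.10 443 1350
192.0.2.53 53 180
198.51.100.7 80 700
203.0.113.25 443 48210
203.0.113.25 443 51977
203.0.113.40 80 410
"""

def parse_flows(text):
    """Total the bytes sent to each (dst_ip, dst_port) pair."""
    totals = defaultdict(int)
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines in an exported capture
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        ip, port, sent = fields
        totals[(ip, int(port))] += int(sent)
    return dict(totals)

def new_destinations(baseline, after, min_bytes=0):
    """Destinations absent from the baseline, largest upload first."""
    known = parse_flows(baseline)
    seen = parse_flows(after)
    fresh = {d: n for d, n in seen.items() if d not in known and n >= min_bytes}
    return sorted(fresh.items(), key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Assumed: the dummy documents total about 90 kB, so a destination that
    # received less than that cannot have been sent all of them.
    for (ip, port), sent in new_destinations(BASELINE, AFTER_INSTALL, 90_000):
        print(f"candidate block rule: {ip}:{port} ({sent} bytes sent)")
```

Take the baseline on the same clean machine before installing anything, so that background traffic from the operating system drops out of the result.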
I’m not sure that it isn’t going too far to call this tool “spyware” – although if you read the agreements it’s not hiding what it’s doing, and you can turn the feature on and off – but even so, how many people are really going to take the time to configure this properly? The earlier versions required little configuration at all to be very useful; will this version require very little configuration to be a security risk?
I’m not going to install it to find out.
Update – Apparently Google agrees that it’s a security risk, but their only advice is “use the Enterprise version” – which apparently allows the feature to be switched off as a global setting. However, there’s still nothing to stop end users downloading the personal version, nor any information to help sysadmins configure their network to prevent this.
Unfortunately it’s well known that users are the weakest link in computer security, as was proved a couple of weeks ago when “free valentine” CDs handed out in the street managed to bypass a number of companies’ security rules and procedures and “call home” from office PCs across London – proving that despite many large companies having policies on installing unapproved software on desktops, they’re routinely ignored by a percentage of users.