Sysadmins have a new security risk to consider thanks to the launch of Google Desktop Search.
Announced last week and currently available in a beta version, Google Desktop Search allows you to scour your hard drive for lost or forgotten documents. But it just may be too good at what it does, according to privacy and security experts, who say it poses risks for users who don't understand its power.
Once installed, Google Desktop Search scours a computer for Microsoft Office files, AOL IM chat sessions, cached web pages, and Outlook and Outlook Express e-mail files, and creates a searchable index. What's alarming to many is that Google Desktop Search can resurrect web pages that were not meant to be viewed again, including online banking and brokerage transactions, as well as web-based e-mail received and sent on the computer by previous users.
"This is basically a spying program," says Richard Smith, an independent privacy and security consultant. "Like a gun, it is extremely useful and potentially very dangerous."
Google, however, says the application does not pose security or privacy risks. Google Desktop Search can be configured not to index specific domains or secure Web pages, says Marissa Mayer, Google's director of consumer Web products. This would prevent it from storing copies of the secure pages used by financial sites, or from storing Web pages from a domain such as "mail.yahoo.com," she says.
The beta version of the program can only be installed by one Windows user profile. That means if a second person logs onto the same computer using a different user profile, they cannot access or install Google Desktop Search, says Mayer. She says that Google Desktop Search is not intended to be used on computers that are shared with more than one person.
Web pages resurrected
In informal tests, Google Desktop Search was able to bypass user names and passwords that secure Web-based e-mail programs and allow users to view personal messages sent and received using the Web-based e-mail services of America Online, Microsoft's Hotmail, and Yahoo Mail.
Because of this, Smith and other privacy experts say the beta version of Google Desktop Search presents a security threat for insecure and shared computers running the software in the workplace and in public settings like Internet cafes.
By searching for "compose" and "inbox" using Google Desktop Search, you're able to view Web pages that the application had indexed. The query results can't be accessed directly, but Google Desktop Search creates and stores its own cached versions of search results on your PC. Cached versions of sent and received e-mail from services like Yahoo, Hotmail, and AOL can easily be viewed.
Google Desktop Search also allows you to view cached versions of Web pages from online banks and brokerages.
Security or privacy threat?
Privacy experts at the Electronic Frontier Foundation say Google Desktop Search is not a privacy threat but rather a threat to computer security. "If you lose control of your computer, someone could quickly pry into password-protected information," says Kevin Bankston, an attorney with the group.
Google Desktop Search could actually be a privacy boon by allowing people to save Web pages and e-mail locally on their PCs instead of relying on third-party Web-based services, Bankston says.
The application does pose a security risk at the workplace, says Ken Dunham, a security expert at iDefense. "This is another vector for someone to access sensitive data on someone else's machine," Dunham says.
He says the Desktop Search tool could give the keys to your PC's front door to the wrong people. "There are plenty of ways to get at personal information on a PC. The question is how easy do you want to make it?"
Dunham says that Google Desktop Search represents a "low" but potentially dangerous security threat for companies.
Bruce Schneier, a security expert with Counterpane Internet Security, says if you use a public computer terminal - with or without Google Desktop Search - you should assume that everything you type can be read.
Schneier and others don't recommend installing Google Desktop Search on work or school computers you can't control. They recommend disabling the part of Google Desktop Search that creates copies of secure Web pages and preventing the software from storing the pages of Web-based e-mail accounts you want to keep private.
"This is an amazing product," Smith says. "But it can also be a real privacy threat to unsophisticated computer users."