Google Desktop: Next Big Thing or Dangerous Tool?
eSecurityPlanet Columnist Linda LeBlanc says IT managers need to carefully analyze the Google Desktop before it goes on any user's machine. Do the rewards outweigh the risks?
For instance, the Google Desktop has the Photo Slideshow that will display photos from your hard drive, the websites you visit and RSS feeds you may be subscribed to. This should do wonders for keeping employees from inappropriate sites during work hours. Or, it will do wonders for the bottom line when an employee is inadvertently exposed to inappropriate content.
What about the cool new ability to download sidebar plugins? These are little third-party applets that will do any number of things, such as compute currency exchange rates, along with acting as a thesaurus and dictionary. Who in your organization will vet those executables to make sure they are doing what they say they do, and not anything else, like sending password and account data back to the mothership? Now, not only have they scooped some subset of data you aren't even aware of, it's possible they have the username and password to your employee's Gmail account, which provides access to the Google Desktop.
You see, the Google Desktop is being touted as the next revolution in information sharing in the workplace. Unfortunately, it seems it's also the next revolution in, well, information sharing, if you know what I mean.
Google Desktop can index the following types of items on your
By default. You can disable the indexing and search features for whole categories. But it doesn't appear that you can disable by file folder. What user is going to be diligent in their setup to ensure the right categories get de-selected?
The allure of this product is the ease with which you can retrieve information. Turning off indexing and searching of Word, Excel, or email doesn't make a lot of sense if you want to utilize the strengths of the application. But where are you most likely to store your sensitive data? Probably in Word, Excel and email documents.
If you turn off indexing, anything you use afterward isn't indexed, but everything you've indexed before remains in the cache available to be searched.
It gets better.
You know that email you wrote to your boss, explaining in great detail what a moron he is and how you have half a mind to just quit and collect unemployment? Yes, you saved it, thought better about it and then deleted it. But it has been indexed and cached, and you can bring up that cached copy, or worse, your boss can. All documents that have been indexed and cached provide a revision history. This could be a good thing, but it could most definitely be a very bad thing. You can delete your cache, but will you remember to do it?
Disabling indexing by file folder would save a lot of aggravation. But human nature says most users keep multiple copies in multiple locations because they can never find them when they need them. Or, they received email containing documents which now reside in some attachment directory somewhere no one ever thinks about.
So there's this little matter of indexing, caching and searching, and with V3 the great innovation is to allow Searching Across Computers. This means you can find all that incriminating data from over the Internet. Of course, you have to be in possession of the Google account username and password. Oh, unless you happen to be using the Enterprise version, in which case, all your collaborative workers can share all of your darkest electronic secrets. From your illicit AIM chats to the salacious pictures you might download.
Search Across Computers "temporarily" stores your files on a Google server in order to provide them to your other computers should the source system be offline or powered off. How long is "temporary" if they never know when your machine is going to be offline?
This may seem like no big deal, until you consider the amount of sensitive material that gets passed around your company on a daily basis.
HR is sending employment, medical data, and payroll information to colleagues and employees. Employees are sharing important company data with other groups within the company and consultants outside the company. Nothing makes more sense than to have this data freely available to all involved parties, until you realize you're making it easier for people other than the ones you intended to have access to it, as well.
A hacker in Italy has posted a webpage describing a way to utilize the Google Desktop to exploit vulnerabilities in IE to phish user data via malicious webpages. This is not news, and anyone who uses IE as the default corporate browser (because it's easy and it's delivered with the operating system) needs to have their head examined. The hacker has updated his webpage to indicate that the hole has been plugged, but the question remains: how long will it be before another vulnerability in IE is exploited through the Google Desktop?
I'm not saying the Google Desktop is a bad thing to use. I am saying that if you plan to use it in the corporate environment, you need to thoroughly investigate the best method for configuring and maintaining it to protect your most valuable resources.
Don't be afraid to say that the rewards are not worth the risks and don't be afraid to bring that message to your employees, either. Enforcing a good business decision involves the buy-in of employees, and when you bring a decision of this nature to them with the facts of how it will protect them, their identity and privacy, as well as business assets, they'll be more willing to listen.
However, unless you operate a draconian workstation software policy, you will have rogue installations to worry about.
If you plan to use it in a personal setting, don't forget to weigh all the risks of letting anyone who has access to your system have access to all your documents, pictures and email.