Slashdot Mirror


Google Desktop Search Functions As Spyware

dioscaido writes "Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections. The Google cache feature allows all users to browse the contents of messages and files it has indexed, irrespective of who is logged in. 'This is not a bug, rather a feature,' says Marissa Mayer, Google's director of consumer Web products. 'Google Desktop Search is not intended to be used on computers that are shared with more than one person.'" Reminds me of a Neal Stephenson essay: "The Hole Hawg is dangerous because it does exactly what you tell it to. It is not bound by the physical limitations that are inherent in a cheap drill, and neither is it limited by safety interlocks that might be built into a homeowner's product by a liability-conscious manufacturer. The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it."

24 of 446 comments (clear)

  1. Tin foil hats for everyone!! by erick99 · · Score: 5, Insightful
    For God's sake, this is a long ways to go to find something to be paranoid about.

    Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.

    This application is intended for single user machines which pretty much limits it, in most cases, to home machines. I don't have complete strangers roaming around my house so it is not an issue for me.

    Mayer dismissed my concern that this is a security issue. She points out that you can configure Google Desktop Search not to index Web pages or specific domains. That would prevent Google Desktop Search from indexing and caching the URL "mail.yahoo.com".

    So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer. Now, I am not trying to be a jerk and some of this is said with tongue planted firmly in cheek. Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee.....

    --
    http://www.busyweather.com/
    1. Re:Tin foil hats for everyone!! by SeinJunkie · · Score: 5, Insightful

      Using the new software, I was able to bypass user names and passwords that secure Web-based e-mail programs and view personal messages sent and received on public PCs. She didn't bypass user names and passwords. She accessed unprotected files just like Windows Explorer allows. This is a non-issue. If users don't want their information to be seen, they should be protecting their profile's Documents and Settings folder.

    2. Re:Tin foil hats for everyone!! by LnxAddct · · Score: 5, Insightful

      I'm just curious but... isn't it a flaw of the operating system that files generated by a user aren't automatically restricted to access by that user? This isn't google's fault, the same exact design ported to linux would work flawlessly.
      Regards,
      Steve

    3. Re:Tin foil hats for everyone!! by Ravadill · · Score: 4, Insightful

      Someone using a single user OS like Home shouldn't really be worried about having unprotected files against local users.

    4. Re:Tin foil hats for everyone!! by jhoffoss · · Score: 4, Insightful
      You can exclude URLs and directories!

      This is the same old *I want my PC to do everything I tell it to, but I don't want it to possibly ever harm me* mentality...if you're going to install something, read the documentation and understand what that means.

      This is not even close to spyware. Now Windows, I don't ever recall seeing documentation on Windows until after it was installed... :)

      --
      Linux: The world's best text-adventure game.
    5. Re:Tin foil hats for everyone!! by node+3 · · Score: 3, Insightful

      So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer.

      The thing is, most people don't understand computers well enough to know the potential for privacy issues involved when they install software. It's unreasonable to demand users to become experts before using their computer. This tool sounds like it makes things worse. Google doesn't seem to be acting very responsibly here, even if a technically astute user can mitigate the risks.

      This article sounds a lot like, "Hey, dumb users such as myself, I installed the Google Desktop Search and some of my previously hidden data showed up to other users on the system. Take caution until Google addresses the issue."

  2. Security Breach? Really? by johndiii · · Score: 5, Insightful

    From reading the article, there is no indication that protected files were actually read. In fact, pretty much everything he talks about seems to have been pulled from the web cache. With default security on Windows XP, each user's cache is accessible to the other users. As are everyone's Outlook data files. This is not great security, but that is not Google's responsibility.

    So, I'd be really interested to know if the desktop search application runs as an admin process, or with system rights. Unless it does, this article is nothing but hot air. Google indexes files that you can read anyway? OMG!!! This is teh suxxorz!!!

    And spyware? Hardly. Nothing in the article even comes close to suggesting that all of this indexed information is transmitted anywhere.

    --
    Floating face-down in a river of regret...and thoughts of you...
  3. A problem if accessible remotely by Disoriented · · Score: 5, Insightful


    Keep in mind that once you have physical access to the machine, all bets are off.

    However...

    Google's tool could be a danger if someone figures out a way to launch it remotely, by getting a user to click a link, or through some Windows exploit. If so, it's plausible that a remote attacker could gain access to the cache and use the information to gain administrative access to the machine.

    ---
    "I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours."
    -Sir Stephen Henry Roberts

  4. An adage I've heard before by TimmyDee · · Score: 4, Insightful

    The Hole Hawg is dangerous because it does exactly what you tell it to.

    Yes, well computers in general are dangerous because they are very good at doing exactly what you tell them to do. For better OR for worse.

    --
    Per Square Mile, a blog about density
  5. Uh. by emazing · · Score: 5, Insightful

    Since when does this constitute spyware? To my knowledge, spyware sends information to a third party without the user's knowledge.

    1. Re:Uh. by metlin · · Score: 4, Insightful

      Worse, all that this does is use a feature of the OS - nothing more.

      It's almost National Enquirer-esque, sensationalist.

      Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.

      If a complete stranger has physical access to your single user system, you have more problems than you realize. Don't blame Google for that. Duh.

  6. Nothing to see by samael · · Score: 4, Insightful

    It indexes all the files that you'd have access to anyway...

    Can't see what the fuss is.

  7. Google, the new Microsoft by The+Bungi · · Score: 5, Insightful
    FUD, clear and simple. With the usual hysterical Slashbot "OMFG TEH COMPANIE IS TEH SUXXORZ!!1!" byline. It's amazing how once a company starts entering different areas and markets everyone starts whining, crying wolf and feeling threatened.

    Windows users have had "home" directories that are inaccesible to anyone except themselves and a domain administrator since NT4 was released. If this Google tool is allowed to index things it's not suppose to index, then that's not Google's fault, and it's certainly not Microsoft's. It's the fault of whomever configured that machine. AFAIK NTFS security has not been comprimised yet.

    And the "spyware" tag? Love it. FUD works both ways, doesn't it?

  8. Google Desktop seems useful. by kngthdn · · Score: 5, Insightful

    I just installed Google Desktop today, but so far I'm pretty impressed. Even though it's still indexing, I haven't noticed any difference in speed.

    Google Desktop isn't spyware, because it makes what it is doing clear before you install it. Of course it reads your files; that's how Google works. As long as my data doesn't go back to Google, I couldn't care less.

    And actually, if everyone could choose just some of our files to make available publicly, think how much more useful Google would be.

    Maybe that's their plan. Get everybody to index their disks, and than offer killer p2p on Google.com.

    Does anybody *else* think that would be awesome?

  9. The same mistake was made in Unix! by Anthony+Liguori · · Score: 3, Insightful

    The locate command was designed to get around the terribly slow transversal of directories when looking for a particular filename. It suffered the same basic design flaw in that it did not take user permission into account. The slocate (s as in secure) was designed to get around this obvious flaw. I'm a tad surprised Google didn't see this one coming. Maybe they've been hiring a few too many PhDs and not enough folks with real experience :-)

  10. Not spyware by Guspaz · · Score: 5, Insightful

    Does it install itself onto your PC without your permission? No.

    Does it gather personal information and send it to Google? No.

    Does it run secretly in the background, with no way to remove it save an anti-spyware tool? No.

    Does it allow you to access anything you couldn't access without it? No.

    How is this spyware again? Or even a security threat? As another poster pointed out, this tool doesn't access anything you couldn't access through Explorer.

    What's this, is Slashdot helping to spread FUD?!? Say it ain't so!

  11. Who wrote this summary, Fox News? by Sleepy · · Score: 5, Insightful

    Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections.

    This is just too misleading to be accidental. Talk about bias.

    So dioscaido, you are suggesting Google defeats NTFS users/groups directory permissions and encryption?

    No?

    Oh.

    Yeah, that's what I thought. Completely irresponsible journalism at work folks.

    Basically this utility works NO DIFFERENT than "Start-->Search-->Search IN files", except that noobs don't know how to use Search properly, and Google search is "prettier". Oh, and MS's brain dead Search can't peek inside compressed files. Whoopie-do.

    If I were more cynical, I'd chalk this fear-mongering up to someone with a lot of Yahoo stock, or someone afraid their wife/husband will find email evidence of an extra-marital affair. By default in Windows, ALL USERS CAN READ EACH OTHER'S FILES.

    Nothing to see here, move along..

    DISCLAIMER: I own no Google or Yahoo stock.

  12. PC WORLD by inKubus · · Score: 4, Insightful

    PC World has long been a Microsoft yellow journalism rag. It's just Microsoft Corp.'s Department of Monopoly Security at work.

    Really, the Google tool is simply very powerful and is merely exposing the low default security in Windows profiles to the masses--but it's nothing me and the parent haven't known for 4 or 5 years now..........

    Nothing to see here.

    --
    Cool! Amazing Toys.
  13. how is this spyware? by drew · · Score: 4, Insightful

    while i can understand why some people might be leary of the security implications here, how in the world does this qualify as spyware? it doesn't pop up annoying adds, it doesn't send my data to some secret gathering place, it doesnt report any of my habits to any other person (unless thay also have physical access to my computer and can search for that information)

    oh yeah, got ahead of myself. spyware is the new virus. its just a word one person uses to scare another person when neither one really knows what they are talking about. nothing to see, move along...

    --
    If I don't put anything here, will anyone recognize me anymore?
  14. Re:Security Breach? Really? by ip_fired · · Score: 5, Insightful

    The problem as I see it is in the startlingly easy way google desktop search makes intrusion possible, sometimes even without the person searching intentionally looking into other user's data. Any keyword I type is an instantaneous hook into the world of the other user who used the pc before me. That is what I find scary.

    But that's just it. It's a SEARCH tool. It's supposed to find things that you don't know about. If it didn't, it wouldn't be a very good search tool. This should not be installed on public computers. And, if you are personally are concerned about it, there are products out there that will store all that sensitive information (browser history, email files) on a USB drive that you plug into the public computer before use.

    As it is, I don't know how useful it will be to the average /. user. It only indexes files in your Documents directory, it only indexes a handful of files (.doc, .xls, .txt, .html files for example). It has SEVERAL limitations that are annoying. For example: I want it to index my java source code and javadocs for the project I'm working on. However, it refuses to index them.

    Also, it doesn't index my Firefox cache or history, nor does it index my Thunderbird mail files.

    In other words, nice try Google, but it's not useful to me (yet).

    --
    Don't count your messages before they ACK.
  15. The Irony - "stuffit" or zip by crucini · · Score: 3, Insightful
    I've long enjoyed this essay. I find some irony in the linked version, which gives us a teaser paragraph and then:
    Download the rest of the article here. Mac stuffit or PC Zip

    Considering that the essay is largely about the superiority of Unix, and the blindness of the prevailing PC/Mac culture to the existence of Unix, the PC/Mac dichotomy presented here seems oddly appropriate.

    Of course this notion of "downloading" a compressed version is dumb. Harper Collins just needs to add mod_gz to their web server, so they can transparently compress for most modern browsers.
  16. I guess so by alexisbellido · · Score: 3, Insightful

    I doubt that Google, or any other company dedicated to develop software, could do such a silly application. In any case, it would be Windows fault if their supposed protected files could be ready by a user (or application) not authorized. Also, as somebody already pointed, nobody is forcing you to donwload and install this tool, if you wanna use it then do so, it's free and it's easy.

    --
    Alexis Bellido
  17. Re:Let's get this into perspective by LiquidCoooled · · Score: 4, Insightful

    I agree 100% it should honor the ACLs, but I wonder if we could do anything else?

    We essentially have the google bot on our machines, would it be good to honor the standards the realbot uses?

    Would it pick up and honor my robots.txt file?

    Will we start seeing meta tags inside emails and word documents and stored pages to exclude from indexing?

    --
    liqbase :: faster than paper
  18. Re:Home vs. Pro edition of XP by praxis · · Score: 4, Insightful

    "Of course, all this seems silly as linux has had proper file permission settings forever whereas Windows has just recently added that feature."

    Windows has had proper file permission settings since Windows NT 3.5 shipped September 1994. Slackware 1.0 (I consider this the first viable installable distribution) shipped August 1993. That's a whole year different. Percentage wise, Linux has had proper file permission settings 10% longer than Windows.

    Not to mention, Windows ACL are more fined grained than what most Linux distributions offer.

    To preempt the argument that Windows defaults are insecure: I am comparing the technical abilities of the systems out of the box; which are the tools an administrator may use to configure what he feels are "proper file permission settings."