Home » Data Protection » Network Security

5 Ways Google Is Shaking the Security World

Whether you're charged with preventing hacks, protecting assets, stopping fraud or defending trademarks, Google and other search engines present a new mix of risks for everybody in the security game.

Why it matters: It's easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone's hard drive for files about, say, Bob Jones's salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren't indexed.

To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren't indexed unless the user changes a setting. "People screamed about that, and Google changed it very quickly," SearchEngineWatch.com's Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies—as well as many individuals who are concerned about their personal privacy—are also leery of making so much information available to Google.

The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users' personal files can sit on Google's servers for up to 30 days. Google downplays this time frame. Says Matthew Glotzbach, product manager for Google Enterprise, "If both of your computers are on and syncing, [the files are on Google's servers] only a matter of minutes"—the time it takes for Google to pull up the information and push it back down onto the second computer.

But having the information saved on Google's servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google's privacy policy states: "We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.") In one especially charged case, Google fought a subpoena from the U.S. Department of Justice, which wanted search results to help analyze its enforcement of the Children's Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores.

The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. "Anytime you install software from a third party directly on a hard drive of a particular machine, you're potentially opening up holes in the security of that machine," says Matt Brown, a Forrester senior analyst.