[ISN] Google admits Desktop security risk

InfoSec News isn at c4i.org
Tue Feb 21 01:14:48 EST 2006


Tom Espiner
February 20, 2006

Google Desktop 3 Beta contains a security risk for businesses, says
Gartner, and Google agrees

Businesses have been warned by research company Gartner that the
latest Google Desktop Beta has an "unacceptable security risk".

Google Desktop allows indexing and searching of PCs' hard drives, and
sharing of information through a feature called Search Across
Computers. This enables users to search for information within a
network such as an intranet.

The risk to enterprises, according to Gartner, lies in how this shared
information is pooled by Google. The data is transferred to a remote
server, where it is stored and can then be shared between users for up
to 30 days.

Gartner said in a report on Thursday that the "mere transport [of
data] outside the enterprise will represent an unacceptable security
risk to many enterprises", as intellectual property could be
transported out of the business.

Google told ZDNet UK on Monday that it recognised the risk, and
recommended that companies take action. "We recognise that this is a
big issue for enterprise. Yes, it's a risk, and we understand that
businesses may be concerned," said Andy Ku, European marketing manager
for Google.

Google confirmed to ZDNet UK that data was temporarily transported
outside of businesses when the Search Across Computers feature was
used, and that this represented "as much of a security risk as email

"Theoretically any intellectual property can be transferred outside of
a company," said Ku. "We understand that there are a lot of security
concerns about the Search Across Computers feature, but Google won't
hold information unless the user or enterprise opts in [to the

Google said that security was the concern of individual businesses.  
"The burden falls on enterprises to look after security issues," said
Ku. "Companies can disable the Search Across Computers facility."

Gartner said that sensitive documents may be inadvertently shared by
workers, who may not have specialist knowledge of regulatory or
security restrictions.

Google said it was unable to comment on the risks posed when
individuals sharing sensitive information. "Some users may, and some
users may not be able to," said Ku, adding that companies should
follow their own policies.

"At the end of the day, each company should make its own decision. If
they are uncomfortable, they shouldn't enable the feature," Ku said.  
"It's about what a company deems to be best corporate policy."

Gartner has recommended that businesses use Google Desktop for
Enterprise, as this allows systems administrators to centrally turn
off the Search Across Computers feature, which it said should be
"immediately disabled".

Companies "must also evaluate what they are allowing to be indexed,
and whether they are comfortable that they can adequately bar the
sharing of data with Google's servers," said Gartner.

Google agreed that Google Desktop Enterprise would better mitigate
security risks. "If you're given a choice, choose Enterprise," said

More information about the ISN mailing list