Tue, June 19, 2007 — CSO — Without scrutiny, highly usable software that neglects security can seem heroic and revolutionary. Such may be the case for Google Desktop. Most users see the web-meets-desktop search capabilities and don't consider the security implications of making the boundary between google.com and the desktop so seductively porous.

Particularly troubling is the potential for an attacker to access information, documents, and possibly executables through Google Desktop via flaws (XSS in particular) in Google's website. In February Yair Amit et. al. found a vulnerability that could allow remote attackers access to data and functionality through Google Desktop. Rsnake has also pointed out some existing Google XSS vulnerabilities on his blog at ha.ckers.org.

Also, consider that Google Desktop keeps a fairly sizable index and cache for rapid search that by default is unencrypted. This index contains an amazing amount of historical data: It retains previous versions of files, web-based email communications, browsing history, etc. The problem is that this data persists even after reasonable efforts of the average user to delete it from the file system. Tools that purge files when they are deleted (and overwrite them several times) that are popular within corporations and government agencies for example have no effect on Google's index and cache of those files. This represents a sizable risk because it means that Google Desktop may completely obviate some corporate and governmental procedures for purging data.

The information on searches housed by Google Inc. is also concerning.  The Google Desktop privacy policy states: "Enabling Advanced Features also allows Google Desktop to collect a limited amount of non-personal information from your computer and send it to Google. This includes summary information, such as the number of searches you do and the time it takes for you to see your results, and application reports we'll use to make the program better."

The broader Google Inc. Privacy Policy states: "We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term." Overall, Google's privacy policy seems to focus on disassociating you with the information you give but not necessarily the privacy of the information itself. This point was recently addressed in an interview with Google's Deputy Counsel Nicole Wong in the San Jose Mercury News who said "When you launch a search at Google we do record that a search has been asked for and the delivery of the result. That is not personally