Schneier on Security: Tagged Google

Entries Tagged "Google"

Page 17 of 17

Google and Privacy

A New York Times editorial observes:

At a North Carolina strangulation-murder trial this month, prosecutors announced an unusual piece of evidence: Google searches allegedly done by the defendant that included the words “neck” and “snap.” The data were taken from the defendant’s computer, prosecutors say. But it might have come directly from Google, which—unbeknownst to many users—keeps records of every search on its site, in ways that can be traced back to individuals.

This is an interesting fact—Google keeps records of every search in a way that can be traceable to individuals. The op-ed goes on to say:

Google has been aggressive about collecting information about its users’ activities online. It stores their search data, possibly forever, and puts “cookies” on their computers that make it possible to track those searches in a personally identifiable way—cookies that do not expire until 2038. Its e-mail system, Gmail, scans the content of e-mail messages so relevant ads can be posted. Google’s written privacy policy reserves the right to pool what it learns about users from their searches with what it learns from their e-mail messages, though Google says it won’t do so. . . .

The government can gain access to Google’s data storehouse simply by presenting a valid warrant or subpoena. . . .

This is an important point. No matter what Google’s privacy policy says, the fact that it maintains information about people’s search activity enables the government to gather that data, often with a mere subpoena, which provides virtually no protection to privacy—and sometimes without even a subpoena.

Solove goes on to argue that if companies like Google want to collect people’s data (even if people are willing to supply it), the least they can do is fight for greater protections against government access to that data. While this won’t address all the problems, it would be a step forward to see companies like Google use their power to foster meaningful legislative change.

EDITED TO ADD (12/3): Here’s an op ed from The Boston Globe on the same topic.

Posted on November 30, 2005 at 3:08 PM • View Comments

Searching Google for Unpublished Data

We all know that Google can be used to find all sorts of sensitive data, but here’s a new twist on that:

A Spanish astronomer has admitted he accessed internet telescope logs of another astronomer’s observations of a giant object orbiting beyond Neptune but denies doing anything wrong.

Jose-Luis Ortiz of the Institute of Astrophysics of Andalusia in Granada told New Scientist that it was “perfectly legitimate” because he found the logs on a publicly available website via a Google search. But Mike Brown, the Caltech astronomer whose logs Ortiz uncovered, claims that accessing the information was at least “unethical” and may, if Ortiz misused the data, have crossed the line into scientific fraud.

Posted on September 23, 2005 at 1:43 PM • View Comments

Eric Schmidt on Secrecy and Security

From Information Week:

InformationWeek: What about security? Have you been paying as much attention to security as, say Microsoft—you can debate whether or not they’ve been successful, but they’ve poured a lot of resources into it.

Schmidt: More people to a bad architecture does not necessarily make a more secure system. Why don’t you define security so I can answer your question better?

InformationWeek: I suppose it’s an issue of making the technology transparent enough that people can deploy it with confidence.

Schmidt: Transparency is not necessarily the only way you achieve security. For example, part of the encryption algorithms are not typically made available to the open source community, because you don’t want people discovering flaws in the encryption.

Actually, he’s wrong. Everything about an encryption algorithm should always be made available to everyone, because otherwise you’ll invariably have exploitable flaws in your encryption.

My essay on the topic is here.

Posted on May 31, 2005 at 1:09 PM • View Comments

Hackers Taking Over Webcams

In this story, someone took control of a webcam using the Subseven Trojan.

In other cases, it’s even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.

Posted on March 18, 2005 at 7:25 AM • View Comments

Desktop Google Finds Holes

Google’s desktop search software is so good that it exposes vulnerabilities on your computer that you didn’t know about.

Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It’s a great idea. Windows’ searching capability has always been mediocre, and Google fixes the problem nicely.

There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser’s cache. This allows it to find old Web pages you’ve visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages.

GDS can also retrieve encrypted files. No, it doesn’t break the encryption or save a copy of the key. However, it searches the Windows cache, which can bypass some encryption programs entirely. And if you install the program on a computer with multiple users, you can search documents and Web pages for all users.

GDS isn’t doing anything wrong; it’s indexing and searching documents just as it’s supposed to. The vulnerabilities are due to the design of Internet Explorer, Opera, Firefox, PGP and other programs.

First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first.

Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them.

Third, GDS’ ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone’s files anyway.

Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser’s cache; the encryption program would still be leaving copies of the plain-text files in the operating system’s cache; and the administrator could still eavesdrop on anyone’s computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user.

In the end, this can only harm security.

GDS is very good at searching. It’s so good that it exposes vulnerabilities on your computer that you didn’t know about. And now that you know about them, pressure your software vendors to fix them. Don’t shoot the messenger.

This article originally appeared in eWeek.

Posted on November 29, 2004 at 11:15 AM • View Comments

←Previous 1 … 15 16 17

Sidebar photo of Bruce Schneier by Joe MacInnis.