
Google Copies Corporate Data to Google's Servers?

Penguinisto writes "According to Silicon.com, some CIOs have been seeing their company data being transferred to Google's servers as part of Google Desktop's functionality." From the article: "Mark Saysell, IT director at Coutts Retail Communications UK, said he is planning a network audit to find rogue installations, which will then be de-installed. New security measures will also be put in place to prevent further downloads. He said: 'Google has definitely over-stepped the mark and in turn is forcing IT departments to take a very draconian approach to machine security and web access.'"
This discussion has been archived. No new comments can be posted.

  • more sensationalism (Score:5, Informative)

    by jbellis ( 142590 ) <jonathan AT carnageblender DOT com> on Friday March 03, 2006 @05:21PM (#14846409) Homepage
    This article is a joke. It's all about quoting people talking about how dangerous the new version of Google Desktop is when Google is very up-front about telling you what features will result in data being copied, and how to turn it off.

    IT'S DISABLED BY DEFAULT. You have to WANT to turn it on.

    Lousy reporting, is what this is.
    • And... how are they to prevent employees who WANT to turn it on from doing so? Just because THEY don't want it turned on doesn't mean they have any control over whether or not EMPLOYEES turn it on.
      • Write policy that says the feature can not be on. Audit the settings randomly and when someone has turned it on, rake them over the coals for it.
        • Well...isn't that what this article is about? Sounds like you agree with the CIOs.
          • by Rolan ( 20257 ) * on Friday March 03, 2006 @06:15PM (#14846810) Homepage Journal
            Well...isn't that what this article is about? Sounds like you agree with the CIOs.

            Not really. The CIOs in the article are saying that it shouldn't be installed at all. What I'm saying is that the product itself is not "harmful", but simply a feature of the product that is turned off by default. So, there's no problem with allowing people to use the product, so long as they do not turn on the feature. The policy you write is that the feature can not be enabled, and that is what you audit.

            If Google wanted to deflect this criticism even more, they'd do a bit of extra code to allow Group Policy to disable the feature and keep users from enabling it. However, there's not much to criticize about it in the first place. It clearly states what happens if you turn on the feature (some files are stored on Google's Servers) and the feature is off by default. People who turn it on know what they're getting into here; it is very clear. If corporate IT/CIOs have problems with their users, then it is the user to blame, not the software feature.

            This is like saying that Microsoft has overstepped the bounds by installing solitaire and other games with Windows XP Pro, because it would be harmful to productivity.... The software's not the problem, the user is.

      • by Knight Thrasher ( 766792 ) * on Friday March 03, 2006 @05:31PM (#14846498) Journal
        At that point Google Desktop would be more of a tool, and it would fall more on the employees' shoulders for responsibility.

        If I install a FTP server app on my computer at work, set it to allow anonymous and share my whole hard drive, that's my fault when feces meets oscillating blades.

        • If I install a FTP server app on my computer at work, set it to allow anonymous and share my whole hard drive, that's my fault when feces meets oscillating blades.
          If the ftp port on your computer at work is open to the public Internet, your admins need to be rounded up and shot. You should be behind a firewall, and it's their job to make sure. They should also be scanning the internal network and raising questions about your server.
      • If they're trying to stop employees *deliberately* getting their data copied to other servers, they would need to block internet access altogether. On its own, banning Google Desktop would not help to stop people who actually want to send data to places.
        There is a possibility that someone might not understand what they're doing, and accidentally enable this option, but similar possibilities exist with any Internet software, so there's no reason to single out Google Desktop specifically in this case.
        • Sure there is. Google, unlike "other software" stores it on their PERSONAL servers, and in that fine print that nobody ever reads specifically says they reserve the right to search it as they please. I'm pretty sure there's no such fine print in outlook, or flashfxp, or any other *internet software* that I've ever used.

          What other internet software do you speak of that would be putting a company's internal documents out there for anyone to read?

          **I've yet to see a corporate firewall that doesn't bloc
          • "What other internet software do you speak of that would be putting a company's internal documents out there for anyone to read?" You can't use outlook to mail a document to a mailing list? Wow, I'm baffled. And by the way, Google doesn't put this stuff into their web search results--I don't know what you mean by out there for anyone to read, but I hope to hell you didn't mean that.
      • by AusIV ( 950840 )
        So Google shouldn't create a useful tool because it might be abused? There are plenty of ways that employees can share data that employers would have a hard time stopping, but every one of them is deliberate. If an employee is sharing data they shouldn't be sharing, that's the employee's fault, not Google's.

        From a networking standpoint, Google Desktop is as easy to block as any other protocol. I have no problem with companies banning Google desktop on their systems, but isn't it a bit extreme to say Google

      • What is your damn point? If they don't have any control over something like that, guess what: they don't have any control over the employees doing exactly that with another tool instead. What do you want Google to do?
      • If they want to control what their employees do with their computer, then they should prevent the employees from installing any software that has not been pre-approved and probably also pre-configured.

        It is not Google's fault that the CIO did not take "draconian" measures to prevent people from installing software that did "bad" things. If it wasn't google desktop, it would have been kazaa with C: shared or any of a myriad of other programs and trojans.
      • by testrake ( 548083 ) on Friday March 03, 2006 @10:18PM (#14848042)

        Perhaps "they" do a little research and determine that you can use GPO to disable the parts they don't want running?

        They can, in fact, disable the installation in at least two ways: GPO from Microsoft (Google for "Software Restriction Policy") OR GPO from Google (http://desktop.google.com/enterprise/index.html [google.com])

        The GPO from Google (part of the Enterprise download) is able to control many of the settings -- including the sharing of index data and encryption of the indexes -- on both the Enterprise Google Desktop and standard Google Desktop.

        Of course, a competent network administrator would already know that, right?

    • This article is a joke. It's all about quoting people talking about how dangerous the new version of Google Desktop is when Google is very up-front about telling you what features will result in data being copied, and how to turn it off. IT'S DISABLED BY DEFAULT. You have to WANT to turn it on.

      I see you've never worked in customer support. Rule #1: People f*** with stuff. If there's a way for users to screw things up, then users WILL screw things up. All it takes is one secretary in the wrong position to flip the switch and suddenly you have Ubersecret Documents flying out of your not-as-secure-as-you-thought network. Sure, I doubt Google is going to spray your documents all over the web, but if I was a CIO whose entire livelihood depended on locking down the network of a multi-billion dollar company, I wouldn't want this thing on my desktops, either. The "neat-o" functionality provided just isn't worth the risk that someone might sniff out the data somewhere in the chain.

      • Ubersecret? (Score:2, Redundant)

        by missing000 ( 602285 )
        If you trust your employee base with docs that can't be leaked or copied into the wrong hands, why aren't you training them on software best practices and using filtering and scanning to make sure they aren't taking it off network?

        Really, isn't this a bit of an amateur hour effect here? If your security is that lax you probably also let people connect USB mass storage devices to your desktops as well. This is unlikely to be your greatest security hole.
        • If you trust your employee base with docs that can't be leaked or copied into the wrong hands, why aren't you training them on software best practices and using filtering and scanning to make sure they aren't taking it off network?

          This is so naive I can't believe it. Sure, you can train people to do stuff, but people aren't network administrators, and shouldn't HAVE to be network administrators. They'll (naturally) assume that they can do anything they want with software authorized for their systems. Espec

          • Flamebait??

            Anyways true but how does this make Google's software any new threat. Most corporate networks have ways to ban software like P2P you just mentioned. This is really an identical if less so threat than P2P software. It will be dealt with just the same. Only difference here is you have software that was once allowed now banned, and some people wanting to continue to use the old version. Reminds me of a discussion I had with a user of why they can't use Bonzi Buddy anymore.
      • That's fine, but ultimately they're attempting to provide a useful service. Not everyone's data is top secret to the point that they won't trust google with it. If it is, they can disable it. The implications of turning it on are clearly explained and users are sufficiently warned.
      • Then you train your employees not to turn it on, and punish them if they do.

        Most users don't f*** with stuff because most users have no idea how to.
    • When one of your bank's employees decides that he WANTS to "share" your personal data with his home PC, don't bitch.
      • Uhhh.. why not? The bank shouldn't be sharing that. Personal data can be shared with pencil and paper too you know.
    • by g0at ( 135364 )
      This article is a joke.

      Zonk posted the article. Just like the completely misleadingly-excerpted Apple one earlier. Are you surprised?

      -b
      • Zonk posted the article. Just like the completely misleadingly-excerpted Apple one earlier. Are you surprised?

        Slashdot's always seemed to need at least one editor that can stir up the crowd. Intelligent design? Fine. Global warming? Fine. Blame Google for allowing our employees to turn on a feature that's off by default? This is just fucking retarded.

        Such obvious nonsense just leads to bitching about the editor instead of any meaningful discussion about the topic itself, because there is no meaningful di

    • Normally, I would agree with you. But, seeing as how the Google Toolbar is now included with the latest Sun JVM (even when simply doing their "security updates", you have to manually uncheck the option to download that tool), I'm getting a little leery of the Google monster. It's one thing to offer a service to someone as an option, but quite another to bundle your service with unrelated options as part of "security updates".

      Who's to say that Google some day won't decide to enable this feature by defaul

  • This is dumb (Score:4, Insightful)

    by Danse ( 1026 ) on Friday March 03, 2006 @05:21PM (#14846413)

    If CIOs don't want people using Google Desktop, then make it a policy that they should not use it. Enforce the policy. End of story. Don't blame Google for making a tool that a lot of people find useful. There are other ways to give your enterprise the same capabilities without compromising your data.

    • by swb ( 14022 )
      I've never worked anywhere where IT policies like "no unauthorized software" were actually enforced. Hell, I've had HR people tell me they "won't" back terminations based on those policy violations because they're not severe enough. And if you're not firing people, you're not enforcing anything.

      I know one guy who got shitcanned for it, but he was a prick and HIS boss came to me looking for some additional crap to throw at him and I suggested "Oh, how about the three system rebuilds we've done due to his s
      • I've never worked anywhere where IT policies like "no unauthorized software" were actually enforced. Hell, I've had HR people tell me they "won't" back terminations based on those policy violations because they're not severe enough. And if you're not firing people, you're not enforcing anything.

        Ever work in a bank? How about with classified data? I would expect them to do it if anyone is. I have worked for USPS, which had such a policy, but developers were exempt because a) we needed the stuff to functio

    • What makes you think the IT staff knew that people were doing this, or that it was allowed to begin with? Most IT people I know have a rule that nothing gets installed without prior approval from IT, but the users don't ever follow it. Even if I was to send out a memo that said Google Desktop was not to be installed, people would do it anyways, and some of these people are CEOs and Managers that won't be fired because of this. And after I uninstall it, they will just install it again. Then I go and remove
    • Here's what's dumb (Score:4, Insightful)

      by fm6 ( 162816 ) on Friday March 03, 2006 @05:55PM (#14846674) Homepage Journal
      Which is exactly what the CIO did. What's dumb is that Google (allegedly) got careless about copying data, putting the CIO in the position of having to ban the program. And what's absolutely stupid is idiots like you insisting that it's no big deal, just because nobody's forced to use the product. That's like saying that exploding laptops are no problem, just because only some brands explode.

      I use Google desktop, and find it very handy. It's quite possible I'll have to give up using it because of this issue. That doesn't make me feel well-disposed towards Google, or inclined to try any new products they might release.

      • Or you could just simply not enable Search Across Computers, especially considering it is disabled by default. And yes, I can verify that, I'm running Google Desktop 3 Beta right now.
        • As previously discussed, that doesn't solve the problem. Just because I'm smart enough not to turn on a dangerous feature doesn't mean everybody in my organization is. So my CIO bans the programs and enforces the ban with regular audits. That means I can't use the program, even though I know how to use it safely. That makes me pissed at the people who don't know how to design software without dangerous features. The fact that these features are off by default is like saying a gun is unloaded by default.

          Y

          • Ummm, you said you may have to quit using the software, and I said you could disable the feature. I wasn't talking about an enterprise, I thought you didn't realize you could disable the feature. Sorry for the misunderstanding.
            • You obviously have never worked in an enterprise environment. If you had, you'd know that individuals don't always get to decide which programs they use.
  • They introduced a tool that lets you search your desktop from remote machines. They state at download that the tool copies data to their servers.

    You are not required to use it. You do anyway.

    Why is this overstepped? If you didn't want it to do this, you didn't have to use the tool.

    This is not Google's problem. It is the companies who have bad computer security's problem. Google is not trying to hide what it is doing. If they can't avoid this, how are they supposed to avoid when someone is trying to hi
    • They can avoid it easily -- stop uploading files!

      If users need to share data between computers, there are these newfangled technologies called "CD-R", "USB Key" and "Email" that would probably work pretty well.
    • They introduced a tool that lets you search your desktop from remote machines. They state at download that the tool copies data to their servers.

      It is not hard to argue that this does not help all that much however. Notice how Firefox, IE and pretty much all browsers warn the first time you want to submit a form on a webpage (google web search perhaps) that this action will transmit data over the internet? Or pretty much all registration procedures for software, and tons of other little things. The fact

      • Yet we consider the spyware makers evil but Google good here.

        Come on, this is easy to refute. Spyware by its very nature (the "spy" part) tries to install itself silently, and returns data to a central point without telling you. Google Desktop Search discloses its actions fully in all documentation, does not install silently, and the controversial option is off by default. Now, IT managers may be right to call for restraint in use of this product, but it's easy to see why spyware can be branded "evil", an
  • by __aaclcg7560 ( 824291 ) on Friday March 03, 2006 @05:22PM (#14846425)
    ... CIOs have been seeing their company data being transferred to Google's servers ...

    No wonder Google doesn't want to cooperate with the Justice Department's request for information. They're running warez servers!
    • ..which of course is an interesting sidepoint.

      If google are copying the hard drives of millions of computer users, how many warezed copies of software do they actually own? Many terabytes of it I'd guess..
  • Not Google's fault (Score:4, Insightful)

    by The Mysterious X ( 903554 ) <adam@omega.org.uk> on Friday March 03, 2006 @05:24PM (#14846438)
    This isn't an issue with google. It's an issue with the users.

    Search across computers is disabled by default. It doesn't even ask you to enable it in the installer. You have to hunt through the options to turn it on.

    It's not google "overstepping the mark" it's incompetent users changing settings they don't understand.

    On a different note, if I were a sysadmin, then I would not be letting them install GDS anyway, without authorisation. They are company machines, subject to company rules, and should only run company software.
  • by farker haiku ( 883529 ) on Friday March 03, 2006 @05:24PM (#14846442) Journal
    Snort signatures for the google desktop and download of google desktop can be found here [bleedingsnort.com].

    If you're really worried.
  • by ThePepe ( 775625 ) on Friday March 03, 2006 @05:26PM (#14846456)
    Is it really asking too much of an Admin to maintain good software installation permissions and policies? If untrustworthy users have been given high enough authority to install their own software then Admins have no one to blame but themselves.

    Well you can probably blame management too.. that's always good.
  • by PIPBoy3000 ( 619296 ) on Friday March 03, 2006 @05:27PM (#14846464)
    There are certain laws in place that regulate how confidential patient information is passed around (HIPPA). I'm fairly certain that should an employee have such information on their desktop and it's copied up to Google, that would constitute a breach of those laws.

    Because of this, our desktop folks have decided that Google Desktop is not something that can be installed. It's a shame, too, as there's lots of "benign" features that we miss out on because of it.
    • HIPPA compliant systems should not even think of touching it, and any similar software--HIPPA requires strict control over data, and any system that indexes and at least partially caches the information probably violates this, even if it isn't being uploaded. These systems shouldn't even have the ability to access the internet, much less download software and install something like this without having the IT department do it.
    • Actually, it's HIPAA.

      Used to work IT at an insurance company.

    • Try Google Desktop for Enterprise, the software doesn't even contain this feature and the software can be locked down and can have document retention policies (if your email retention policy is 30 days, Google Desktop can be set to remove emails from its index after 30 days). Much better solution for companies.
  • by Todd Knarr ( 15451 ) on Friday March 03, 2006 @05:30PM (#14846491) Homepage

    Google Desktop is doing what it's designed to do: keep users' data on central servers so it's accessible from anywhere. It's just that it makes the assumption that all of the computer belongs to the user. Obviously in a corporate environment that's not the case, but Google Desktop doesn't know what kind of computer it's on so it can't do anything about that. The company needs to be more emphatic about the "no unauthorized software" rule (they do have a "no unauthorized software" rule, don't they?).

  • google value (Score:4, Insightful)

    by woverly ( 223564 ) on Friday March 03, 2006 @05:31PM (#14846504)
    This is where Google's greatest value really lies: data mining. The possible advertising revenue pales in comparison to the value of the corporate (and even consumer) intelligence that Google collects. Simply being able to detect that persons in company x are suddenly interested in company y and that investment bank z is also interested in company y would allow one to predict things like mergers. Increased specific searches around the holidays might help predict which retail chain might do well. The power of Google should not be underestimated.
  • Easy solution (Score:2, Insightful)

    by GmAz ( 916505 )
    Tell your employees not to install the software. It's not that hard. And if the employee does install it, hold that person liable for the data transferred.
    • And if the employee does install it, hold that person liable for the data transferred.

      Unfortunately it's not that easy. In the UK at least, it's the company's responsibility under the DPA to look after the data that it holds on a customer. If you as a company have not put adequate safeguards in place around data (and "I told him not to do it" is extremely unlikely to wash as 'adequate'), then you (and more specifically, the directors) will be in rather a lot of legal hot water.

  • by moria ( 829831 )

    They should also forbid/filter HTTP POST requests, IM file transfers, e-mail attachments, and any internet application that would allow the enterprise data to flow out of the company network.

    This style of ruling totally misses the point. You should teach your employers to generally avoid leaking enterprise data out of the company network and the risks of using certain applications. It is not to disable or to forbid the use of certain programs. Google Desktop Search is not built to compromise your data secu

  • by logicnazi ( 169418 ) <gerdesNO@SPAMinvariant.org> on Friday March 03, 2006 @05:51PM (#14846650) Homepage
    By doing what? Releasing a software package which does exactly what it says it does?

    Might as well say the people who wrote FTP overstepped the mark as it doesn't stop people from sending sensitive data outside the company.
  • WTF?! (Score:4, Insightful)

    by d34thm0nk3y ( 653414 ) on Friday March 03, 2006 @05:56PM (#14846683)
    If these people have such sensitive data on their machines why the hell are they allowed to install any random software off the web onto them?? You can get "software" that does waaaaaaay more than just cache some of your files online, and you might not even know you installed it.
  • by Anonymous Coward on Friday March 03, 2006 @06:00PM (#14846713)
    It seems to me that Google is in the same position that Microsoft was years ago, when corporations all ran Netware or IBM servers because Microsoft products were naive about corporate requirements. Google will probably climb the learning curve faster than Microsoft did, but they aren't there yet. /. readers who make suggestions like "forbid installing the software" or "fire users who do it" also don't understand corporate IT. Some corporations have desktops locked down so users can't install software, but some don't because their users are higher level and need to install selected applications.

    The suggestion to fire users who turn on the data upload is also hated by IT managers. Corporations are full of clerks and other mid-level people who never read IT policy documents, don't really care about security, and like to turn on cool features. The IT manager is not going to look good if he tells HR "Sally who is otherwise a great employee checked this box because she didn't know she shouldn't, so now you have to fire her".

    IT managers differ, but they generally want to give users as much functionality as possible, as long as they are sure it is safe and reliable. What an IT manager probably wants are network-level options to (1) forbid Google desktop entirely, (2) allow it but disable the data-sharing features, (3) leave it up to the user, or (4) do a mandatory (push) install to all desktops. Then the IT manager would want a web page or other report to see who had done what.

    When Microsoft figured out requirements like these, they invented Active Directory and its Group Policy component. Look at products like Symantec Antivirus Corporate, where you can look at all desktops and verify their antivirus status from a central console, or Microsoft's own free WSUS which lets you make sure everybody in the corporation has installed all critical patches.

    These are the kinds of solutions that work in the real world as opposed to firing people, and as soon as Google figures this out they will be a lot more popular on corporate desktops.
  • by richg74 ( 650636 ) on Friday March 03, 2006 @06:08PM (#14846765) Homepage
    From TFA:
    $ORGANIZATION is about to update its information security policy in light of Google Desktop with a recommendation that the software must not be downloaded onto any ... PC.

    For heaven's sake, what planet do these people that are allegedly responsible for IT come from? Let's see:

    1. Express great concern for security of secret corporate data
    2. Allow users to install software on their PCs
    3. Express shock and outrage that potential security problems develop
    4. Blame Google!

    I've worked as an IT director in a few financial services companies over the last ~20 years, and everyone employed there, on their first day, had to read and sign something like this:

    I understand that computer equipment and facilities provided to me are the property of the Company, and are to be used only for permitted business purposes, as outlined in the Computer Use Guidelines. In particular, I understand that unauthorized removal of Company data from the premises, or installing or downloading software from any unapproved source, are grounds for immediate termination. I acknowledge receipt of a copy of the Computer Use Guidelines.
    We would install or make available external software if it was useful and appropriate, after testing it. Otherwise, no dice. Will some people complain? Absolutely! Tough shit.
  • by DotDotSlasher ( 675502 ) on Friday March 03, 2006 @06:31PM (#14846919)
    My company now forbids using Google Desktop because of this feature.
    Yes, it's off by default.
    Yes, you have to go out of your way to turn it on.
    Yes, they keep track of what's installed on everyone's machine.
    Yes, there are ways around that -- but for safety's sake, I now use MSN's local search.
    Google's product is forbidden.

    So google (you listening?) -- how about local-only version for us corporate folks, with the upload option completely removed?
    We get a version that can be blessed by IT, you keep your user base.
    Seems like a winner to me.
  • The problem here is employees checking the "Upload my corporate data to Google's servers" checkbox.
  • Google has definitely over-stepped the mark and in turn is forcing IT departments to take a very draconian approach to machine security and web access.'"

    No you confused knucklehead. That's something your IT should have been doing all along. Why was your IT department allowing end users to install whatever software they wanted? There's nothing draconian about that.

    Google has overstepped nothing. You just have some lousy sysadmins.

  • How does one go about stopping it? Active Directory permissions? Proxy blocking?
  • by Truist ( 69046 ) on Friday March 03, 2006 @08:16PM (#14847533) Homepage
    It took a bit to dig this up, but it turns out that if you set the registry key:

    HKLM\Software\Policies\Google\Google Desktop\Enterprise -> disallow_ssd_service

    as a REG_DWORD to '1'

    Google Desktop won't let you use the "Search Across Computers" feature. (I tried it.) You can set that key in the group policy scripts relatively easily.
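
The policy value described in the comment above, checked and optionally set from PowerShell. This is an added example, not part of the original thread or Google's own tooling; the key path, value name, type and data are taken from the comment, and the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the "Search Across Computers"
# policy value quoted in the comment above. Function names are hypothetical.

$PolicyKey = 'HKLM:\Software\Policies\Google\Google Desktop\Enterprise'
$ValueName = 'disallow_ssd_service'

function Get-SearchAcrossComputersPolicy {
    # Describes the current state: key present, value present, type and data.
    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        KeyExists = $false
        Value     = $null
        Kind      = $null
        Compliant = $false
    }

    if (-not (Test-Path -LiteralPath $PolicyKey)) { return $result }
    $result.KeyExists = $true

    $key = Get-Item -LiteralPath $PolicyKey
    if ($key.GetValueNames() -notcontains $ValueName) { return $result }

    $result.Value = $key.GetValue($ValueName)
    $result.Kind  = $key.GetValueKind($ValueName)

    # Compliant only when the value is a REG_DWORD holding 1; a string "1"
    # or a DWORD 0 is reported as non-compliant.
    $result.Compliant = ($result.Kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                        ($result.Value -eq 1)
    return $result
}

function Set-SearchAcrossComputersPolicy {
    # Creates the key if needed and writes the value as REG_DWORD 1.
    # Writing under HKLM requires an elevated session.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create registry key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Set REG_DWORD to 1')) {
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $PolicyKey -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Invoke-SearchAcrossComputersAudit {
    # Reports the state; with -Enforce, fixes a non-compliant machine and re-reads.
    param([switch]$Enforce)

    $state = Get-SearchAcrossComputersPolicy
    if ((-not $state.Compliant) -and $Enforce) {
        Set-SearchAcrossComputersPolicy
        $state = Get-SearchAcrossComputersPolicy
    }
    return $state
}

# Report only. Add -Enforce to write the value.
Invoke-SearchAcrossComputersAudit
```
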
    • It took a bit to dig this up, but it turns out that if you set the registry key ...

      If they really do not want to be evil, they should:

      • Provide security documentation, and make it easily accessible to everyone (as opposed to "hard to dig up"). Security documentation means a detailed and complete description of what the software does, how it communicates, and how to prevent it from doing what the operator of a machine or network might not want it to do.
      • Offer multiple documented ways in which ty
      • There is an Enterprise version of Google Desktop that you ask for, except maybe #2. But I don't think they use a specific port - I assume it's all web service-based.

        The 'hard to dig up' bit was because I had to download their Enterprise version, read its documentation, and interpret the Group Policy Template to figure out what the registry key was. If it was actually trying to roll something out company-wide they've gone to great lengths to make it easy.
