Google is a platform – it’s a tool that can be abused. That is why generic reassurances such as the lame “Don’t Be Evil” just don’t go anywhere near far enough. Google seems to have a problem with policy – the kind of policy that allows a user to make their own decisions about potential risks in using the service. Chris Byrne calls this out clearly in his latest blog. According to Chris:
The bottom line here is that Google should have been up front in their documentation and disclosed what exactly the install process would do, what ports would be needed and why they would be needed. One of the questions in the help section is “Does Desktop Search install malicious software?” The answer they give is “No. When you download and install Google Desktop Search, you’re just getting Desktop Search. That’s it. End of story.” Like a politician in a debate, the answer really is not as clear as it should be. That is just plain wrong and irresponsible of Google.
Taking Chris’ thoughts to their natural conclusion, I believe that corporate IT departments should immediately make a clear commitment to either:
a. fully support Google Desktop Search, including end to end security remediation
b. completely ban use of the product on corporate networks
These organizations are already thrashing to try and cope with current security breaches and threats, especially in the context of enterprise desktops. Now Google has added another potential exploit, a new listener to the desktop. Of course SP2 should block the port, as should a personal firewall, but GDS certainly adds a new risk in terms of corporate desktops and operational controls in enterprises.
I would advise the IT department to go for b above and work out whether to support the tool later, once risks can be better assessed and more eyeballs have got to work on the problem. It may seem a shame to lock down end user apps – especially ones that fall into the “productivity” space. But which is worse – annoying a few end users or failing a Sarbanes-Oxley audit? I think in this case you may find the CEO is on your side…
As Bruce Schneier keeps trying to help us understand – you can’t remove risk entirely. But you can help people make more informed decisions. Google hasn’t helped its users enough in this case. Google is not just a tool for home users. It is also now an important business application. Google therefore needs to do a better job of helping enterprise customers build usage policies, especially if it really wants to be different from Microsoft, which has had, for example, some email policy issues.
Policy may be boring, but it gives us a basis for decision making that goes beyond gut instinct. “Don’t Be Evil” is just a matter of opinion. “Don’t install GDS on a machine used for corporate business, even at home, for now” is a sensible IT policy.