You’d think that I’d cut Scoble some slack given that he directed hordes of folks over this way (Welcome, new arrivals 🙂 with this post from yesterday. Well, I’ve been pretty skeptical of him here in the past (see here, here, here, or here), so I figure – why stop now? 😉
This time it’s his propagation of what I consider to be a fundamentally flawed implicit criticism of competing desktop seach products, Google’s desktop product in particular. Before I get to my objection, let me qualify my remarks by saying that there are many legitimate objections to GDS and its ilk, and Scoble points to a few of them. Autoupdate, phoning home, etc. I’ve written up the Google/trust issue before here, and I’m also on record as being somewhat worried about personal web servers being run on users disks (is this the first such exploit?).
But it’s this tidbit from Scoble that I’d characterize as borderline FUD:
1) Does your desktop search index your browser’s cache or history? MSN Toolbar Suite doesn’t. Why is this important? Because if your desktop search does then people who have access to your computer can easily search for passwords, where you’ve been in the past (do you really want your kids to know that you’ve been on porn sites?) or other things. (link)
I have had problems with this argument from the start, and I’m somewhat frustrated to see it still making the rounds.
This argument, to me, amounts to sticking your head in the sand with respect to browser security. The argument essentially boils down to this: MSN’s product is more secure because we don’t index cached webpages and offer it up for search. That couldn’t be more wrong, in my view. Whether or not your search tool exposes it, the underlying vulnerability – cached content, in this case – remains. Don’t believe it? In IE 6, do the following:
Tools: Internet Options: (General Tab) Settings: View Files
Browse around a bit, and then see what you think. If you’re still not convinced, here’s what Schneier has to say:
GDS’ ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone’s files anyway.
Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser’s cache; the encryption program would still be leaving copies of the plain-text files in the operating system’s cache; and the administrator could still eavesdrop on anyone’s computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user.
In the end, this can only harm security. (link)
The point here is simple: desktop search has its issues, but browser security is not one of them. It was an issue long before desktop search rolled out, whether people recognized it or not. In fact, I think MSN may regret the omission of that feature sometime down the line.
Scoble is right, however, to try and subject Google and its other competitors to some of the same scrutiny that Microsoft it is forced to bear, as there are indeed legitimate questions to be asked. Key to this, however, is asking the right questions, and keeping FUD levels low.