2009 06 10 Raj Goel Are You Googling Your Privacy Away
Is Your Company Googling Its Security and Privacy Away? Raj Goel investigates.
It’s no secret that Google retains search data and metadata regarding searches—in fact,
they’re quite open about it. What’s unclear, though, is the long-term threat to information
security and privacy.
Most consumers regard privacy as a basic right. They do not expect their private transactional
details—whether it’s what they purchased or complained about, or how they paid for the
purchase—to be part of the public record.
As long as companies have retained consumer data, there have been privacy breaches. Stone
tablets, paper ledgers, data warehouses—it doesn’t matter how you store it, eventually, some
of it will leak out.
Here are some examples of the ways that data has been leaked:
• Criminal acts: theft of data; insiders selling data
• Carelessness: putting unshredded paper records in the trash bin; shipping unencrypted
• Lack of privacy awareness: prior to legislation such as the Health Insurance Portability
and Accountability Act (HIPAA), it was legally acceptable to place records in the trash; using
personally identifiable numbers such as Social Security numbers as primary keys even though
the various amendments to the Social Security Act reserved the use of SSNs to the US
• Going out of business: once a company ceases operations, all privacy policies are null and
What’s Google’s Role?
So far, Google hasn’t lost information; other institutions have. However, Google plays an
ever-increasing role in our consumer and business lives. It has built a substantial business and
reputation, which could pose a serious threat to consumer privacy worldwide.
Let’s review Google’s elements:
Google Search: This search engine gathers many types of information about our online
activities. Its future products will include data gathering and targeting as a primary business goal.
All of Google’s properties—including Google Search, Gmail, Orkut and Google Desktop—have
deeply linked cookies that will expire in 2038. Each of these cookies has a globally unique
identifier (GUID), and can store search queries every time you search the web. Note that Google
does not delete any information from these cookies.
Hence, given a list of search terms, Google can produce a list of the people who searched for
those terms, identified by IP address and/or Google cookie value. Conversely, given an
IP address or Google cookie value, Google can produce the list of terms searched
by the user of that IP address or cookie value.
Orkut: Google’s social networking site contains confidential information such as name; e-mail
address; phone number; age; postal address; relationship status; number of children; religion;
As per Orkut’s terms of service, submitting, posting or displaying any information on or through
the orkut.com service automatically grants Orkut a worldwide, nonexclusive, sub-licensable,
transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works
of, and publicly perform and display such data.
GMail: The primary risk in using GMail lies in the fact that most of its users give their consent
to make GMail more than an e-mail delivery service and enable features such as searching,
storage and shopping. This correlation of search and mail can lead to potential risks such as:
• GMail may not get the legal protection the Electronic Communications Privacy Act (ECPA;
see box) gives on e-mail.
• The storage of e-mail on third-party servers for more than 180 days can lead to the loss of those
privileges. This in turn creates a danger that we may redefine whether an e-mail has the
reasonable expectation of privacy.
ECPA, enacted in 1986, includes provisions for access, use, disclosure, interception
and privacy protection of all electronic communications. It declared e-mail a private
means of communication with the same level of privacy as phone calls and letters. The
employees of email companies cannot disclose emails to others, and even the police in the
US would need a wiretap warrant to read emails.
Though email in transit is protected, those in law enforcement believe that once the mail is
processed and stored, it is no longer a private letter, but simply a database service.
The biggest selling point of GMail is that they don’t simply deliver your mail, but also store
and index it so that you can search for it.
In US v. Warshak the Dept of Justice (DOJ) argued that Gmail/Hotmail/any ISP-hosted
emails are not subject to ECPA at all, and therefore should not require subpoenas for
disclosure. So far, the courts have ruled against the government – however, this shows that
the DOJ is actively seeking access to emails and online activities without notifying US
citizens and is looking to circumvent ECPA and the Stored Communications Act (SCA).
GMail Mobile: More and more phones come with Gmail applications built in, or you can
download Gmail for your phone. The question becomes: How uniquely does your cellphone
identify you? When was the last time you changed it?
GMail Patents: Gmail’s Patent #20040059712 covers “Serving advertisements using
information associated with email.” This allows Google to create profiles based on various
information derived from emails: senders; recipients; address books; subject line texts;
path names of attachments; etc.
Google Desktop: Google Desktop allows users to search their desktops using a Google-like
interface. All Word files, spreadsheets, emails and images on a computer are instantly
searchable. Index information is stored on the local computer. Google Desktop 3 allows users to
search across multiple computers. GD3 stores the index and copies of files on Google’s servers for
nearly a month.
In the United States, using Gmail and Google Desktop on computers that contain health records,
financial records, educational records or credit applications could be a violation of the Family
Educational Rights and Privacy Act (FERPA), HIPAA, Gramm-Leach-Bliley, PCI-DSS and state
privacy laws if protected information is accidentally or maliciously leaked. Given the XSS attacks
that Gmail has suffered; the attacks that OpenSocial demonstrated (google for “First OpenSocial
app hacked in 45 minutes”); the privilege-ignorance flaw that let users of GDS3 see other users'
files; and the XSS attacks that GDS is subject to (see
http://news.zdnet.com/2100-1009_22-151299.html), it's only a matter of time before protected
information is leaked and the covered entities (healthcare personnel for HIPAA, educators for
FERPA, merchants for PCI, etc.) point fingers at Google. It's an open question whether the courts
will buy the “Google leaked it, not me” defense or whether they'll hold the covered entities liable
for the leakage.
One potential problem with the desktop search products is that they enable other people with
access to the desktop to discover information about other users. For example, spouses can read
indexed e-mails or browsing history and discover their partners’ infidelity or online shopping
trails. In business, competitors and malicious employees could use desktop search products to
locate proposals or negotiation documents.
Chrome: Chrome is Google’s browser. It’s available for download today – and will be installed
on new PCs in the near future. Some of the risks it poses include:
• Every URL you visit gets logged by Google;
• Everything you type into the location bar—every word, partial word or phrase, even if you
don’t click the enter/return button—gets logged by Google;
• Chrome sends an automatic cookie along with every automatic search it performs in the
Android: Android is Google’s operating system for cell phones. It retains information about
dialed phone numbers; received phone call numbers; web searches; emails; geographic locations
at which the phone was used.
Google Health: This product allows consumers—such as employees, co-workers and customers
—to store their health records with Google. Recently, CVS Caremark, along with Walgreens
and Longs Drugs in the United States, agreed to allow Google Health users to import their
pharmacy records into GH.
So far, we’ve looked at dangers posed by using or installing Google products. Most of these
threats can be mitigated by uninstalling these products or using competing tools.
What about dangers to your organization just from Google Search? Look no further than
Google Flu Trends.
Google correlated CDC flu data from 2003 to the present with Google’s search data. Spikes in users’
searches about flu treatments correlated tightly with the CDC data. Using Flu Trends, Google has
demonstrated its ability to analyze search data for a specific term or set of terms. And Google’s
privacy policies state that they record IP addresses.
So, what’s to stop Google from analyzing all search data from Citibank’s networks? Or yours?
How many firewalls or proxy servers does your company use to control Internet access? One?
Five? 500? What’s the difference between analyzing flu trends and “Top 100 search terms from
XYZ Corp.”? Or what if someone were to correlate regional threats from swine flu, avian flu,
floods, etc., with Google Health/prescription data and then analyze the health of
their employees and detect long-term effects?
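To make the two risks above concrete (the bidirectional search-term/identifier lookup described under Google Search, and the “top search terms from XYZ Corp.” aggregate described here), the following is an added example, not code from the article or from Google. It models a search provider’s query log with a constructed sample: the long-lived cookie is represented as a stable GUID, client IPs are documentation ranges, and the “organisation” is simply an egress /24. The anonymize() step is an assumed mitigation (drop the cookie, truncate the IP) to show what it does and does not protect.

```python
"""Added example: why a persistent identifier makes a query log queryable in
both directions, and what an organisation still reveals in the aggregate.
All log lines are constructed sample data, not real provider data."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: (timestamp, client_ip, cookie_guid, query).
# The GUID stands in for the cookie the article says expires in 2038.
SAMPLE_LOG = [
    ("2009-06-01T09:02:11", "203.0.113.17", "guid-aaaa", "flu symptoms"),
    ("2009-06-01T09:05:40", "203.0.113.17", "guid-aaaa", "tamiflu dosage"),
    ("2009-06-01T10:15:02", "203.0.113.42", "guid-bbbb", "merger agreement template"),
    ("2009-06-01T11:30:55", "203.0.113.42", "guid-bbbb", "XYZ Corp acquisition rumor"),
    ("2009-06-02T08:45:09", "198.51.100.8", "guid-cccc", "flu symptoms"),
    ("2009-06-02T08:47:30", "198.51.100.8", "guid-cccc", "cheap flights"),
    ("2009-06-03T14:20:00", "203.0.113.17", "guid-aaaa", "flu symptoms"),
]


def build_indexes(log):
    """Forward index (identifier -> queries) and reverse index (query -> identifiers).
    Both the cookie GUID and the IP are treated as identifiers, as the article describes."""
    by_identifier = defaultdict(list)
    by_query = defaultdict(set)
    for _ts, ip, guid, query in log:
        for ident in (guid, ip):
            if ident is None:          # anonymized records carry no cookie
                continue
            by_identifier[ident].append(query)
            by_query[query].add(ident)
    return by_identifier, by_query


def who_searched(by_query, term):
    """Given a term, list every identifier that searched for it."""
    return sorted(by_query.get(term, set()))


def searches_of(by_identifier, identifier):
    """Given an IP or cookie value, list every term searched from it."""
    return list(by_identifier.get(identifier, []))


def top_terms_from_network(log, cidr, n=3):
    """Aggregate view: the most common terms leaving one organisation's egress range."""
    net = ip_network(cidr)
    counts = Counter(q for _ts, ip, _guid, q in log if ip_address(ip) in net)
    return counts.most_common(n)


def anonymize(log, ip_prefix_len=24):
    """Assumed mitigation at a proxy or provider: drop the cookie and keep only the
    network prefix of the IP. The reverse index then resolves to networks, not people."""
    out = []
    for ts, ip, _guid, query in log:
        net = ip_network(f"{ip}/{ip_prefix_len}", strict=False)
        out.append((ts, str(net.network_address), None, query))
    return out


if __name__ == "__main__":
    fwd, rev = build_indexes(SAMPLE_LOG)
    print("who searched 'flu symptoms':", who_searched(rev, "flu symptoms"))
    print("searches from guid-aaaa:", searches_of(fwd, "guid-aaaa"))
    print("top terms from 203.0.113.0/24:", top_terms_from_network(SAMPLE_LOG, "203.0.113.0/24"))
    fwd2, rev2 = build_indexes(anonymize(SAMPLE_LOG))
    print("after anonymization:", who_searched(rev2, "flu symptoms"))
```

Two things are worth noticing when the script runs. The anonymized index no longer links “flu symptoms” to a person or cookie, only to a /24, so the individual lookup fails. But top_terms_from_network() gives the same answer before and after, because the organisation is the /24: truncating IPs protects employees from individual identification and does nothing for the corporate aggregate the article warns about. Only keeping queries from reaching the provider, or not retaining them, removes that.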
Google, like Sun, Oracle and Microsoft, has a history of working with and selling data to the
U.S. Central Intelligence Agency, U.S. National Security Agency and others.
Overall, the most critical threat is our reliance on GMail—whether the setting is universities,
cities, companies or countries switching to GMail en masse, or the newest employees in the
organization using GMail as their primary or sole e-mail platform.
Questions to ask your security team are: How big is the organization’s e-mail archive? How
many years of e-mails are saved? If your company, agency or government switches to hosting
email on Gmail, what happens to the privacy and confidentiality clauses in your contracts?
The U.S. Department of Justice is arguing that the ECPA does not apply to ISP-hosted e-mails.
In addition, Google, Yahoo and Microsoft have a history of complying with the U.S.’s and
foreign governments’ requests for information. If such data is turned over, how much corporate
security is being eroded by use of these platforms?
What the reliance on Microsoft Windows did to desktop and network security (consider the
amount of budget and manpower dedicated to dealing with Windows patches, viruses, spyware,
botnet detection), reliance on Gmail will do to corporate privacy and security.
Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm.
He is located in Queens, NY, and can be reached at firstname.lastname@example.org.
NOTE: An excerpt from this article appears in the June/July issue of Infosecurity Magazine, the
official publication of ISC2, the certifying body for CISSPs.