Okay, that’s a bit of an overstatement but it is a security professional’s nightmare.

Google Desktop is a popular free program that can be downloaded onto a personal computer to allow the indexing and searching of files on your computer. It operates much like the internet-based Google search engine and can find content from a wide variety of file types and formats including emails, instant message logs, web history, MS Office and Adobe documents, videos, music files, images, etc.

Given enough time, Google Desktop will search all drives to which you are connected. This means that if you are connected to your office’s systems, the Google Desktop engine will begin indexing all of their files as well, whether or not that was your intent. This information will be exposed to anyone with access to the index. Since web histories are included by default, the index frequently lets users see confidential information without first entering a username and password, including information that should have been protected by someone else’s password.

Google Desktop allows users to “share across computers”. In theory, this increases your ability to find content since you can simultaneously search multiple locations. In practice, this exposes your documents and private information to outsiders. Even if you have the actual documents in protected folders, the index (and all the confidential information which was captured by that index) is available to everyone. The research company Gartner considers this an “unacceptable security risk”, an assessment with which even Google agreed. (See here for more.) If you have any private information on your computer or if you are covered by any privacy regulation (and in the insurance industry, we all are), you should never allow the installation of the “share across computers” feature.

Google Desktop also represents yet another piece of software which must be kept fully patched and up to date. Unpatched software creates an avenue which hackers can follow to gain access to your computer. Read this article about a recent vulnerability with this software.

Unless you have a dedicated security expert who can make sure that your configuration is exactly correct, Google Desktop should not be allowed on any corporate computer holding confidential information.
