Google Does Information Systems Governance A Disservice with Desktop Search Tool Beta
Yes, I love Google as a search engine.
I love Gmail as a sacrificial e-mail account. I do not love what Google
is doing with the launch of "Google Desktop Search". It has nothing
to do with the product itself; it is what the installation does without
any documentation except for "between the lines" reading of their
online help system: it installs a search engine/web server on the local
machine. Without adequate disclosure by Google of this not-so-trivial piece
of information, and in apparent violation of their own corporate software
principles, employees of organizations put their employers at potential
risk by downloading and installing this software. I have posted my concerns
on Ed Brill's blog and to a couple of IS Governance and Sarbanes-Oxley
Listservs I subscribe to.
So here is what I have found out from
further research and email discussions with Bob Gilbert of Tembec,
who graciously gave me permission
to quote our discussions here.
Bob said the interface is slick and
performs "considerably better than the base MS search capabilities".
Bob also said that "I have tried a few similar tools and given up
on every one. Security issues aside I have to say I really like it!"
Bob also asked me where I found out about the server installation and I
pointed him to this
document in the help file.
We agree that "having a local web server running is not inherently
wrong but it certainly might be."
What Bob found is that the server is running on the local machine with
an IP Address of 127.0.0.1 and is listening on local TCP port 4664. He
did not see any communication going on so he is unsure of the purpose.
The firewall did not detect anything. He acknowledged that "any open
port is by definition a potentially exploitable hole. The practical answer
would depend on local firewall settings, perimeter firewalls you are behind,
any specific vulnerabilities with the Google program listening on that
port and so on." This is a potential vulnerability that organizations
need to address before allowing users to download and use this tool.
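For an organization that wants to verify what Bob observed before approving the tool, here is an added example (not code from the original post or from Google) that parses the text output of Windows `netstat -ano` and reports every TCP listener on port 4664, distinguishing a loopback-only binding (127.0.0.1, as seen in the post) from an all-interfaces binding that would expose the local search engine to the network. The netstat lines and the PID are constructed sample data; the all-interfaces row is hypothetical and included only so the check has both cases to classify.

```python
"""Check a workstation's listening ports for the Google Desktop Search port."""
import re
from dataclasses import dataclass

DESKTOP_SEARCH_PORT = 4664            # TCP port reported in the post
LOOPBACK = {"127.0.0.1", "::1"}       # bindings reachable only from the local host

@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: int
    loopback_only: bool

# One `netstat -ano` TCP row: proto, local addr:port, foreign addr:port, state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+:\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every TCP socket in LISTENING state found in the netstat text."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, ESTABLISHED sockets and UDP rows are skipped
        proto, addr, port, pid = m.groups()
        addr = addr.strip("[]")  # netstat prints IPv6 addresses in brackets
        found.append(Listener(proto.upper(), addr, int(port), int(pid),
                              addr in LOOPBACK))
    return found

def desktop_search_listeners(netstat_output: str) -> list[Listener]:
    """Keep only listeners on the port Desktop Search is known to use."""
    return [l for l in parse_listeners(netstat_output)
            if l.port == DESKTOP_SEARCH_PORT]

# Constructed sample output. Row 1 matches the post's observation (loopback only);
# row 2 is a hypothetical all-interfaces binding an administrator would want flagged.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:4664         0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:4664           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED     876
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for l in desktop_search_listeners(SAMPLE_NETSTAT):
        scope = "loopback only" if l.loopback_only else "ALL INTERFACES (exposed)"
        print(f"{l.proto} {l.address}:{l.port} pid={l.pid}: {scope}")
```

On a real machine, feed the script the saved output of `netstat -ano` instead of the sample text; a loopback-only result still leaves the local exposure Bob describes, but an all-interfaces result is the case perimeter and host firewall policy must cover.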
Another concern I had was whether or not this tool could be used to search
mapped network or shared drives. The answer is yes and no. No, they cannot
be searched per se, but documents that have been opened from those mapped
drives will be cached by the engine and become searchable.
The bottom line here is that Google should have been up front in their
documentation and disclosed what exactly the install process would do,
what ports would be needed and why they would be needed. One of the questions
in the help section is "Does Desktop Search install malicious software?"
The answer they give is "No. When you download and install Google
Desktop Search, you're just getting Desktop Search. That's it. End of story."
Like a politician in a debate, the answer really is not as clear as it
should be. That is just plain wrong and irresponsible of Google.
In fact, as stated earlier, they may
have violated their own corporate software principles which state:
"UPFRONT DISCLOSURE
When an application is installed or
enabled, it should inform you of its principal and significant functions.
And if the application makes money by showing you advertising, it should
clearly and conspicuously explain this. This information should be
presented in a way that a typical user will see and understand -- not buried
in small print that requires you to scroll. For example, if the application
is paid for by serving pop-up ads or sending your personal data to a third
party, that should be made clear to you."
If you agree, you can
e-mail Google and tell them so.
They invite feedback.