Google’s Christmas Gift to Total Information Awareness: Everyone’s Google Reader Feed Data

Googlechristmascat

As if unpaid Government informants on Facebook weren’t enough, now Google has decided to make your shared RSS feeds on Google Reader available to anyone in your GMail contacts.  Or something like that.  Google says that your “friends” should only be folks in your contacts who you have chatted with via Google Talk but other users disagree and say that isn’t how it is behaving.  The important thing is that Google made a decision to “social network” up its hosted Reader product, and they didn’t have to check with anyone but themselves to see if that was all right.

There are lots of interesting things at play here:

  • Google tried to “after-the-fact” develop an automated authorization policy for how users should share their information.  Therefore it isn’t terribly surprising that this auto-authZ-policy doesn’t meet the needs of all their users.
  • Many users had already developed their own “applications” with specific functionality using the sharing features as they previously behaved.  These weren’t application they coded, but ways they leveraged the existing functionality of the application to accomplish some purpose.  If you read through some aggregated Google user feedback in the Slashdot Journal of Felipe Hoffa you can see several examples of how users had created their own new aggregation and discussion areas where they were sharing selected links with selected groups of people (often based on the security-through-obscurity of the URL).  When Google introduced these new features, all the previous business rules about who got to see what went out the window.
  • We can see the danger of pollinating functionality and data across multiple applications.  The current hubbub is based on Google creating definitions of relationships based on data being tagged in Google Reader, users existing in GMail, and users having performed actions in Google Talk.  There is tremendous potential to create cool new features from these interactions.  But there are also tremendous, unexplored risks for privacy and security.  The current issues have come up because one provider decided to link up several applications in their portfolio.  Imagine the chaos as these social networking APIs (expecially the ones that operate cross-platform like Google’s) start to gain more adoption.
  • At the end of the day, this is another reminder that when you put data online in someone else’s data center, you have no control over what they do with it.  This has huge implications for Software as a Service (SaaS) businesses and the organizations and individuals who come to rely on them.

Prediction: After a couple more incidents like this, some pseudo-tech-savvy Congressman is going to make some noise pushing for regulation of SaaS businesses – privacy, security, etc.  This will result in Google, Microsoft, social networking sites, etc all pushing to move datacenters offshore to jurisdictions where such pesky legislators don’t exist.  We have already seen hints of this a number of times at Denim Group for applications we build.  Clients say “Well, we want to comply in spirit with [Insert regulation X here], but since this will be hosted in [Insert country Y here] we don’t really have to worry about that.”  Too bad those HavenCo folks seem to have jumped the shark

Merry Christmas and Happy Holidays to everyone.  Travel safe.

–Dan
dan _at_ denimgroup.com

PS Many thanks to the Wikipedia folks and AZAdam for the base cat image I LOL-Cat’d up.

About dancornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan has speaks at such international conferences as RSA, ROOTs in Norway and OWASP AppSec EU.

One Response to "Google’s Christmas Gift to Total Information Awareness: Everyone’s Google Reader Feed Data"

Leave a reply