Denim Group has been acquired by Coalfire. Learn More>>

Google’s Christmas Gift to Total Information Awareness: Everyone’s Google Reader Feed Data


As if unpaid Government informants on Facebook weren’t enough, now Google has decided to make your shared RSS feeds on Google Reader available to anyone in your GMail contacts.  Or something like that.  Google says that your “friends” should only be folks in your contacts who you have chatted with via Google Talk but other users disagree and say that isn’t how it is behaving.  The important thing is that Google made a decision to “social network” up its hosted Reader product, and they didn’t have to check with anyone but themselves to see if that was all right.

There are lots of interesting things at play here:

  • Google tried to “after-the-fact” develop an automated authorization policy for how users should share their information.  Therefore it isn’t terribly surprising that this auto-authZ-policy doesn’t meet the needs of all their users.
  • Many users had already developed their own “applications” with specific functionality using the sharing features as they previously behaved.  These weren’t application they coded, but ways they leveraged the existing functionality of the application to accomplish some purpose.  If you read through some aggregated Google user feedback in the Slashdot Journal of Felipe Hoffa you can see several examples of how users had created their own new aggregation and discussion areas where they were sharing selected links with selected groups of people (often based on the security-through-obscurity of the URL).  When Google introduced these new features, all the previous business rules about who got to see what went out the window.
  • We can see the danger of pollinating functionality and data across multiple applications.  The current hubbub is based on Google creating definitions of relationships based on data being tagged in Google Reader, users existing in GMail, and users having performed actions in Google Talk.  There is tremendous potential to create cool new features from these interactions.  But there are also tremendous, unexplored risks for privacy and security.  The current issues have come up because one provider decided to link up several applications in their portfolio.  Imagine the chaos as these social networking APIs (expecially the ones that operate cross-platform like Google’s) start to gain more adoption.
  • At the end of the day, this is another reminder that when you put data online in someone else’s data center, you have no control over what they do with it.  This has huge implications for Software as a Service (SaaS) businesses and the organizations and individuals who come to rely on them.

Prediction: After a couple more incidents like this, some pseudo-tech-savvy Congressman is going to make some noise pushing for regulation of SaaS businesses – privacy, security, etc.  This will result in Google, Microsoft, social networking sites, etc all pushing to move datacenters offshore to jurisdictions where such pesky legislators don’t exist.  We have already seen hints of this a number of times at Denim Group for applications we build.  Clients say “Well, we want to comply in spirit with [Insert regulation X here], but since this will be hosted in [Insert country Y here] we don’t really have to worry about that.”  Too bad those HavenCo folks seem to have jumped the shark

Merry Christmas and Happy Holidays to everyone.  Travel safe.

dan _at_

PS Many thanks to the Wikipedia folks and AZAdam for the base cat image I LOL-Cat’d up.

About Dan Cornell

Dan Cornell Web Resolution

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

One Response to “Google’s Christmas Gift to Total Information Awareness: Everyone’s Google Reader Feed Data”

  1. Philip J Beyer

    the Google Reader team responded…

    i saw Scoble’s take on it yesterday morning and this morning…

    generally, i think the Google Reader team made a mistake in how/when they deployed the feature, BUT as a heavy Reader user, i always understood the items i was sharing were completely public, so it’s pretty hard for me to sympathize with other users

    as a matter of fact (again with my Reader user hat on), i’m kind of excited about the direction they are taking with the product

    as an information security professional, i’m disappointed that users were not first consulted when any such significant modification to a product (especially with privacy implications) was not properly announced

Leave a Reply

Your email address will not be published. Required fields are marked *