Archive for the 'privacy' Category

Mac Google Desktop… unfortunately rather intrusive.

Thursday, April 5th, 2007

The user experience

I like Google’s tools. I use GMail and google. My Find It! Keep It! tool provides shortcuts to Google’s web, book, froogle, news and scientific paper searches. So I downloaded Google’s desktop mac hoping for a faster Spotlight.

Like the folks at TidBits, I found it slowed down my computer significantly when indexing my drive. However one can turn it off using the System Preferences panel it installs. Like that I can let it index stuff at night.

Press Command twice and a search panel shows up, which will show the first 10 results. To see more, your browser will be opened to display the results as a page that looks like google’s generic search page, so it’s running a small web server.

It runs as root, and does not respect your update statistics settings

Google Desktop installs itself as root: the index is at /Library/Google/Google Desktop/Index/(some directory which only root can access). This means it can access anything on your machine and do anything it likes. It doesn’t need to and on a first date, I don’t trust anything that much. Every user on the machine will have their content indexed, even if they don’t agree. You could say that Spotlight also runs as root, but people using an operating system written by Apple do have to trust Apple.

Even more bothersome: I told it not to upload statistics to Google. Their Privacy Policy says:

If you choose to enable Usage Statistics on Google Desktop, it allows Google Desktop to send crash reports and to collect a limited amount of non-personal information from your computer and send it to Google. This includes summary information, such as the number of searches you do and the time it takes for you to see your results, and application reports we’ll use to make the program better.

Well, I didn’t, but Little Snitch tells me that a program called StatsUploader wants to talk to dc-in-f99.google.com every 30-odd minutes or so. I happen to trust Little Snitch as I used it to help me make sure that Find It! Keep It! wasn’t loading anything from the Internet (unlike most other “internet page saving solutions”, such as those that use WebArchives).

It silently installs an Input Manager

Find It! Keep It! crashed, and the crash started neither Apple’s CrashReporter nor my built-in CrashReporter, which is extremely odd. Given my past bad experience with Input Managers, I used Find It! Keep It!’s input manager panel to see whether I had acquired a new one. Indeed I had. It lurks in /Library/InputManagers/GoogleModLoader.

Now this bothers me. I did NOT agree to have an InputManager installed. InputManagers in /Library/InputManagers are loaded into EVERY application running on the computer for every user. So what the #!$! does it do? Simply running
cd /Library/InputManagers/GoogleModLoader/
strings GoogleModLoader.bundle/Contents/MacOS/GoogleModLoader
in the Terminal tells us that it loads modules.

Further investigation using OTX shows that indeed it crawls a Google/Mods directory and loads modifier bundles into the applications specified by the key GoogleModTargetApplications in some dictionary somewhere. It also appears to do a fair amount of stderr, debugging, pthread and system logging.

If you attach gdb to a running copy of Safari, you can see that SafariSearchResults.gmod and SafariWebHistory.gmod from /Library/Application Support/Google/Mods/ are now loaded by typing info sharedl. One thing they do is to add a new item to your google searches: “About 34 results stored on your computer”. I’m guessing that SafariWebHistory allows pages you just visited to be found with google desktop.

Nevertheless, Input Managers should not be installed silently. They can easily cause system instabilities and this particular mechanism could be diverted by third parties to install unauthorized gmods in a place no one knows about: a big security risk. Given the furore over Unsanity’s Smart Crash Reporter, I’m surprised Google installs this. It’s not like anybody worries about Unsanity’s secret plans of world domination.

It also installs a Kernel Extension

John Gruber over at Daring Fireball found where the injected code lives and noticed that they’re also installing a kernel extension!

Again kernel extensions aren’t something that should be installed silently as they could very easily impact the system’s stability.
For instance, it includes the nice message “socred_fini() failed, which is a known bug with Apple’s socket filters. Sorry but you have to reboot”.
cd /Library/Google/Google\ Desktop/GoogleDesktopDaemon.bundle/Contents/Resources
sudo strings GDFSNotifications.kext/Contents/MacOS/GDFSNotifications

I have no idea what it’s doing with the sockets, but a guess would be that they might need something like that to inform Google Desktop when a file changes to reindex it, or for their snapshot capability.
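The two checks above (running strings over the Input Manager and over the kernel extension) can be turned into one repeatable audit. The script below is an added example, not code from the original post or from Google; it walks any directory of bundles (for instance /Library/InputManagers or the GoogleDesktopDaemon.bundle Resources directory holding the kext), reports which executables contain strings such as “Mods” or “dlopen” that suggest they load further code, and uses grep -a instead of strings so it runs on any POSIX system. The pattern list and directory are assumptions you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): inventory bundle executables under
# a directory and flag those whose printable strings suggest code loading.
# Usage: audit_input_managers /Library/InputManagers [pattern ...]
#        audit_input_managers "/Library/Google/Google Desktop/GoogleDesktopDaemon.bundle/Contents/Resources"

# Prints "path: pat1 pat2" for every Contents/MacOS executable under $1 that
# contains at least one of the patterns (default: Mods dlopen NSBundle).
# Paths with spaces (e.g. "Google Desktop") are handled by reading line by line.
audit_input_managers() {
    dir=$1
    shift
    patterns=${*:-"Mods dlopen NSBundle"}
    find "$dir" -type f -path '*/Contents/MacOS/*' 2>/dev/null | sort |
    while IFS= read -r exe; do
        found=""
        for p in $patterns; do
            # grep -a scans the Mach-O binary as text, so no `strings` is needed
            if grep -a -q -- "$p" "$exe"; then
                found="$found $p"
            fi
        done
        if [ -n "$found" ]; then
            printf '%s:%s\n' "$exe" "$found"
        fi
    done
}

# Number of flagged executables, handy as a one-line health check.
count_flagged() {
    audit_input_managers "$@" | wc -l | tr -d ' '
}

# Stand-alone use: audit the system-wide Input Manager directory.
if [ "${1:-}" = "--run" ]; then
    audit_input_managers /Library/InputManagers
fi
```

A bundle that does nothing suspicious prints nothing; compare the output against the bundles you knowingly installed.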

Conclusion

I’m disappointed. I was going to look into Google’s open API to speed up searching the Find It! Keep It! database for those users using Google Desktop. I think I’ll wait.

Hopefully future versions of Google Desktop will respect user preferences, clearly request the right to install any Input Managers and allow paranoid people like me to give it limited permissions (e.g. a single user’s permissions). Alternatively they could release its source code, as they have done with MacFUSE, so that we know what it’s doing. In the meantime, I’m uninstalling it.

Hopefully Leopard will draw attention to Input Managers which will prevent nasty surprises. That’s not to say they’re all bad. They just shouldn’t be installed without a user’s consent.

Changed on Thursday 5 April to add some more information, and clarify it

Browzar solves the wrong problem

Saturday, September 2nd, 2006

So… the no-cost commercial privacy browser Browzar is adware. Of course it is. That’s how you make money on free things. The real question is why people buy its privacy story.

Browzar says that it prevents information from being left on the computer you used. Independent testers deny this. I don’t have Windows so I can’t verify either claim.

Even if Browzar does what it says, people may be under the impression that it will keep their browsing private. For instance, the BBC says Net browser promises private surf. Browzar promises users total privacy when surfing the web. Not true!

Privacy on the web

Browzar’s underlying assumption is that data on your computer is less private than data off it: by not saving any data, no incriminating evidence is left. This sidesteps the fact that everything you do on the internet is public. The websites you use, and the computers that route your traffic, know who you are and could record what you do. By not saving data, the browser has to fetch it more often, actually increasing your chances of being seen on the net.

To strengthen your privacy on the internet you have to:

  • Minimize your internet traffic.
  • Encrypt your internet traffic.
  • Prevent your browser from identifying you to the website you are browsing.

Minimizing your internet traffic means caching things on your home computer, thereby reducing your internet usage.

Encrypting your internet traffic generally means using SSL: use the https prefix instead of the http prefix wherever possible (for instance when reading your mail from gmail).

Preventing the browser from identifying you to the website you are using is nigh impossible because it goes against the way the internet works.

  • When you request a page from a website, the website needs to know where your computer is so that it can send the information back to you. This is one way that search engines such as AOL identify all of a user’s searches. Anonymous proxies, such as those provided by Tor, can hide your computer behind an effective smokescreen of other computers.
  • Your browser requests data from the address it was given. By uniquely tailoring this address to you, you can be identified: for instance, web bugs in an email, if downloaded, can tell a webserver that you read that email. “Phishing detection” tries to address this by telling you whether the phishing-detector’s author trusts the website.
  • Browsers pass sideband information to the website in what are called headers. These include what you typed into forms, cookies, the last page you were on, and so on. Because this information is not shown to users, many websites leak private data here. Privoxy strips this information out, at the cost of requiring user tinkering.
  • Javascript can access more detailed information such as your browser history, encrypt it so the browser cannot detect it, and send it to the website.
  • Furthermore, every plugin including Java run by your browser implements whatever security it sees fit. For instance, Flash can be told to save information on your computer, emulating cookie behavior even if you turned cookies off. Legitimate uses include Pandora, which uses this to track which songs you’ve listened to. However, a bug in any common plugin could be used to read your personal files on your hard drive.
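To make the header point concrete, here is an added example (not from the original post, and not Privoxy’s own code) that takes a constructed HTTP request as a browser would send it after following a link from a webmail page, lists the headers that identify you or reveal where you came from, and strips the Referer and Cookie lines the way a filtering proxy would. The request, host names and cookie values are all made up.

```shell
#!/bin/sh
# Added example (not from the original post): show the sideband headers a
# browser sends, then filter the ones a proxy such as Privoxy would drop.

# Constructed sample request: the Referer alone reveals the mailbox the user
# came from, the Cookie ties the request to an earlier session.
SAMPLE_REQUEST='GET /search?q=medical+condition HTTP/1.1
Host: example.invalid
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.4)
Referer: http://mail.example.invalid/inbox?user=alice
Cookie: session=abc123; tracking=xyz789
Accept-Language: en-GB,en;q=0.8

'

# Prints, one per line, the names of headers that identify the user or the
# page they came from. Skips the request line (no "name: value" shape).
leaking_headers() {
    printf '%s' "$1" | awk -F': ' '
        NR > 1 && NF > 1 &&
        tolower($1) ~ /^(referer|cookie|user-agent|accept-language)$/ { print $1 }'
}

# Removes Referer and Cookie lines; every other line passes through unchanged.
# (What you typed into a form still travels in the URL or body, so this is only
# part of the picture.)
strip_leaky_headers() {
    printf '%s' "$1" | awk 'tolower($0) !~ /^(referer|cookie): /'
}

# Stand-alone use: show the leak report and the filtered request.
if [ "${1:-}" = "--run" ]; then
    echo "Identifying headers:"; leaking_headers "$SAMPLE_REQUEST"
    echo; echo "Filtered request:"; strip_leaky_headers "$SAMPLE_REQUEST"
fi
```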

Given these hurdles, it’s best to think of everything you do on the internet as being public.

Network tools shows you what your browser is leaking. To learn more, go to Shields Up.

Privacy at home

It is not socially acceptable to read someone else’s diary, but for some odd reason, it’s OK to use someone else’s web browser. A partial solution is provided by Safari’s “Private Browsing” mode, but it increases one’s internet traffic. A better solution might be to provide quick switching between different private browsing sessions. The key would be to make the switching painless.

What can we learn from Browzar?

  • The media didn’t fact check this story. Even the BBC seems to have just published Browzar’s press release.
  • Browzar’s story is a purple cow. It took off like wildfire because people really want the easy-to-use privacy they promised.
  • If something commercial is free, it’s because it was worthwhile for someone to pay to get your attention for their own benefit.
  • The internet is self-correcting to those in the know, but let’s hope that no one gets into trouble.

Web 2.0 and Internet Cafes

Tuesday, August 8th, 2006

Despite yesterday’s hoopla about AOL, there’s a new online desktop out there. It’s still very much a beta (the mp3 player stopped responding in Safari) but it’s pretty and gives a good idea of where things are going.

If it has reasonable bandwidth requirements, it could do very well among people who use Internet Cafes, either because they cannot afford a computer, or because they’re traveling. I was astounded by the ubiquity of and crowds at Internet Cafes in India.

The other potential market is people who want to have a personal desktop they can share at work and at home. This market is less safe because corporations can easily block out services. A service for people in those markets would do better targeting people’s personal mobile phones.

Nevertheless, I didn’t see anything in their terms of service about how they protect my data from over-inquisitive people.

Privacy: the big flaw in Web 2.0

Monday, August 7th, 2006

While I understand many of the benefits of Web 2.0, the downsides have always bothered me. Few people realize that everything they do online is public knowledge. Techcrunch is up in arms about AOL’s recent release of data (Google cache). User 17556639 may well find himself in trouble pretty soon.

The data release may be a good thing. It gives us a clearer picture of what a government can get if it subpoenas a search engine. This may either help change the law, or the data-retention practices of Web 2.0 companies. Ultimately we may see a Web 3.0 emerge: where data leakage to the web-application is minimized and monitored by your web-browser. For instance the browser could encrypt the data, and while the web application could ask questions about the data, their number would be strictly controlled.