Google's new document sharing app a security risk, experts say

A new feature on Google's customizable home page that allows consumers to transfer files heightens the risk that contractors might expose sensitive government documents, some security analysts say.

The giant Web-based search and software provider announced on March 29 that customers who use its personalized iGoogle page now can share photos, documents and other files with friends and colleagues online. Google also plans to add the feature to Gmail.

Google's large following, which includes federal contractors, will find it quick, easy and inexpensive to transfer company documents -- and potentially unencrypted government files, said former Gartner research director L. Frank Kenney.

"It's a simple two-click operation that is likely to be uncontrolled," said Kenney, now a vice president at Ipswitch Inc., a provider of secure file transfer applications. "You have to address that, especially in the contractor community, where they are interested in keeping the price point down for their operations."

While online chat services such as Google Talk and AOL Instant Messenger already offer file transfer features, Google's business model and its popularity make the tool more dangerous, he said. Google's strategy is to bundle services for users, even if they sign up for only one tool such as Gtalk. Kenney predicts Gtalk soon will be built into Google Docs, the company's free suite of office software.

If a user were to log into Google Docs, the program automatically would open up Gtalk. The ease of switching between the two applications increases the risk that a contractor might send a government file through Gtalk, either by accident or because it is cheaper than exchanging files on other licensed software.

Other security specialists say the file transfer feature in general is problematic, and the fact that Google is offering the capability on more services will not exacerbate the problem. Users often unwittingly expose materials through these applications because they do not understand the paths through which their data travels as it makes its way to recipients, said Johannes Ullrich, chief research officer at the SANS Technology Institute, a computer security training center.

"With Google Talk, at least you can apply some user controls," he said, noting some peer-to-peer file transfer services do not allow office administrators to block users from sending sensitive materials. Peer-to-peer file sharing allows people to instantly exchange materials, typically music or large documents, with others who have the same file sharing software..

Other industry sources noted file transfer has been available on Google Talk since 2006 and administrators can deactivate the chat service. Google's paid business applications do not offer the file transfer feature.

To ensure contractors do not exchange federal files through Google and other commercial applications, Ullrich advised companies and federal officials to use a control called data leakage protection. "It essentially looks at your outbound network traffic for confidential files," he said, likening the technique to the way antivirus software scans a computer. "Instead of looking for viruses, it looks for confidential data."

Google is concerned about privacy and security, said James Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies and director of its technology and public policy program. Google recently rebuffed Chinese censorship rules and stopped filtering search results for Chinese users after discovering that hackers allegedly from China attempted to access the Gmail accounts of human rights activists.

Lewis views the Google applications as one more avenue for intruders to access networks. Some IT managers at companies told him they permit file transfer tools in the workplace because it makes employees better producers, he said. "Let's not overstate the risks. Let's not ignore the benefits," Lewis added.

A Google spokesperson said in a statement, "Organizations must determine the data sharing policies that are most appropriate for their employees, and we design our products to support administrators in enforcing the settings they choose. Our customers tell us that they are able to use our cloud computing applications to more securely share their information while teleworking than if they were to use other methods like storing data on portable devices that may be easily lost or stolen."