Google speed bump draws scorn

Search giant raises privacy and security hackles with its application that accelerates Web surfing.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Stefanie Olsen
5 min read
Google has raised privacy and security hackles once again, this time by developing an application that accelerates Web surfing but can also delete pages or serve up password-protected content.

The complaints center on the search giant's Web Accelerator, which was released on Wednesday. Downloadable software for broadband users, Web Accelerator is intended to speed access to Web pages by serving up cached or compressed copies of sites from Google's servers.

Though the software can be useful to consumers who are in a hurry--broadband connections already deliver pages quickly--critics were quick to find a potentially damaging glitch. A flaw with Web Accelerator, which Google acknowledges, can serve cached copies of private discussion groups or password-protected pages to people using the software.


What's new:
Critics are rankled over a flaw with Google's new Web acceleration software that can serve cached copies of password-protected content.

Bottom line:
Google says it is working on a fix for the Web Accelerator threat. Regardless, privacy advocates charge that the search engine's privacy policy doesn't address some consumer concerns.

More stories on this topic

For example, using the software, a Web surfer might call up a discussion group page and see the name of another group member, making it appear as if the surfer is signed in as that user. Web Accelerator does not cache secure Web sites using the "HTTPS" specification, such as banking or credit card pages, however, so data such as financial transactions are not at stake.

Marissa Mayer, Google's vice president of Web products, said the company is working on a fix but downplayed the threat. "It looks worse than it is," she said. "We've cached the page with that user name on it. But you are not actually signed in; you couldn't operate as that person," she said, adding it has affected only a small number of sites.

"We're committed to provide users the utmost of integrity in security and privacy, and we're working with urgency to solve this problem," she added.

More broadly, privacy advocates are concerned about the scope of data collected with the Web Accelerator, charging that Google's privacy policy does not address some important consumer issues. Critics say the tool's capabilities to monitor a person's travels across the Web feeds into an overarching worry that Google is becoming a massive market research firm capable of collecting oodles of information on millions of people.

Not a Google first
"The business they're in here with this new product is market research--they'll be looking at what people are doing on the Internet, what they're reading, what they're buying," said Richard Smith, a privacy and security expert who runs the Web site Computerbytesman.org. "There's potentially a lot of information just from the click-stream of the URLs people visit."

Google has run into privacy and security problems before when introducing new services. The company's free e-mail service, Gmail, roiled the privacy community for its practice of scanning the contents of e-mail to deliver related ads. Although the furor eventually subsided. Google's desktop search software, introduced late last year, contained a security glitch that temporarily exposed private data on the Web. And Google's latest toolbar was the subject of criticism for a feature that converted text on third-party Web pages to Google-designated links.

Google's Mayer said the Web Accelerator is not a market research tool. Rather, the company built the application to give people the same fast experience they have at Google--most search pages are returned in a fraction of a second--while surfing the Web at large. If the tool can help someone save two or three hours a month surfing the Web, that person might spend more time searching with Google, Mayer reasoned.

Google states in its privacy policy that it does not share personally identifiable information with use of the software. Still, privacy experts warn that the policy is silent about what click-stream data

it collects and what Google does with the information.

"The tool offers a plausible consumer benefit. But it makes me uncomfortable because it's Google collecting yet more information about everyone and doing it in a way that's not necessary," said Ben Edelman, a Harvard University researcher who investigates software applications.

For example, he said, it's unclear whether Google will tie information collected from click-stream data to its cookies. Cookies are tiny tracking tags used by most Web sites to associate a specific computer or user with his or her activity online. Often, cookies are used to remember passwords or log-ins, as well as information such as the user's geographic location or past preferences to better serve Web pages.

"The most important issue they don't address is what click-stream data is tied to the Google cookie," said Computerbytesman.org's Smith. "My recommendation: Purge Google cookies and often."

Mayer said that that click-stream data from Web Accelerator is not associated with the computer's cookie.

"To date, we're not doing anything with this data in terms of market research. We have no plans, but should that change we would aggressively notify our users and give them some escape hatch," Mayer said.

To address the security flaw, Mayer said the company is deactivating the mechanism that caches vulnerable Web pages. Mayer said the problem happens only on a small number of sites, typically discussion groups, because those sites are not passing the proper no-cache header information. She said the company is also contacting Web masters to work with them on that issue. In addition, Google is looking at possible mathematical algorithms to prevent the caching from happening in the future.

Yet another contingent, Web designers, has criticized the application for deleting Javascript commands or pages of their sites within the software environment. That means that people using Web Accelerator may not be able to hit the back button to return to a previous page. Google spokesman Nate Tyler said the company is also looking into that issue.

Web acceleration tools were popular years ago during the dot-com heyday, when most people accessed the Web with dial-up connections. Internet service providers such as America Online have offered them for free to their dial-up customers as a means of improving the surfing experience. Market research firms such as ComScore Networks have also used the tools as a means to entice new subjects for research panels, watching their behavior online to estimate the popularity of Web sites, for example.

But in an era of widespread broadband usage--more than 50 percent of households in the United States have a high-speed connection--the value of such tools has diminished. Peter Christy, co-founder of market research firm Internet Research Group, said that despite that perception, a good Web accelerator can mitigate packet loss, or latency, as information is sent from router to router. It can also optimize how an object-heavy Web site is compressed and sent to a visitor.

Addressing the privacy issues, Cristy said there's always a basic trade-off between getting a service and getting absolute privacy.

"If you look at Google, this fabulously useful company, they make their money by selling people ads," he said. Besides search, "the way Google becomes useful is in building some model of who I am and what I'm interested in and delivering me ads. That's either really useful or very sinister."