Google has raised privacy and security hackles once again, this time by developing an application that accelerates Web surfing but can also delete pages or serve up password-protected content.
The complaints center on the search giant's Web Accelerator, which was
Though the software can be useful to consumers who are in a hurry--broadband connections already deliver pages quickly--critics were quick to find a potentially damaging glitch. A flaw with Web Accelerator, which Google acknowledges, can serve cached copies of private
Critics are rankled over a flaw with Google's new Web acceleration software that can serve cached copies of password-protected content.
For example, using the software, a Web surfer might call up a discussion group page and see the name of another group member, making it appear as if the surfer is signed in as that user. Web Accelerator does not cache secure Web sites using the "HTTPS" specification, such as banking or credit card pages, however, so data such as financial transactions are not at stake.
Marissa Mayer, Google's vice president of Web products, said the company is working on a fix but downplayed the threat. "It looks worse than it is," she said. "We've cached the page with that user name on it. But you are not actually signed in; you couldn't operate as that person," she said, adding it has affected only a small number of sites.
"We're committed to provide users the utmost of integrity in security and privacy, and we're working with urgency to solve this problem," she added.
Not a Google first
"The business they're in here with this new product is market research--they'll be looking at what people are doing on the Internet, what they're reading, what they're buying," said Richard Smith, a privacy and security expert who runs the Web site Computerbytesman.org. "There's potentially a lot of information just from the click-stream of the URLs people visit."
Google has run into privacy and security problems before when introducing new services. The company's free e-mail service, Gmail, roiled the privacy community for its practice of scanning the contents of e-mail to deliver related ads, although the furor eventually subsided. Google's desktop search software, introduced late last year, contained a security glitch that temporarily exposed private data on the Web. And Google's latest toolbar was the subject of criticism for a feature that converted text on third-party Web pages to Google-designated links.
Google's Mayer said the Web Accelerator is not a market research tool. Rather, the company built the application to give people the same fast experience they have at Google--most search pages are returned in a fraction of a second--while surfing the Web at large. If the tool can help someone save two or three hours a month surfing the Web, that person might spend more time searching with Google, Mayer reasoned.
it collects and what Google does with the information.
"The tool offers a plausible consumer benefit. But it makes me uncomfortable because it's Google collecting yet more information about everyone and doing it in a way that's not necessary," said Ben Edelman, a Harvard University researcher who investigates software applications.
For example, he said, it's unclear whether Google will tie information collected from click-stream data to its cookies. Cookies are tiny tracking tags used by most Web sites to associate a specific computer or user with his or her activity online. Often, cookies are used to remember passwords or log-ins, as well as information such as the user's geographic location or past preferences to better serve Web
"The most important issue they don't address is what click-stream data is tied to the Google cookie," said Computerbytesman.org's Smith. "My recommendation: Purge Google cookies and often."
Mayer said that click-stream data from Web Accelerator is not associated with the computer's cookie.
"To date, we're not doing anything with this data in terms of market research. We have no plans, but should that change we would aggressively notify our users and give them some escape hatch," Mayer said.
To address the security flaw, Mayer said the company is deactivating the mechanism that caches vulnerable Web pages. Mayer said the problem happens only on a small number of sites, typically discussion groups, because those sites are not passing the proper no-cache header information. She said the company is also contacting Web masters to work with them on that issue. In addition, Google is looking at possible mathematical algorithms to prevent the caching from happening in the future.
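The caching failure described above comes down to how a shared cache reads origin response headers. The sketch below is an added example, not Google's code or anything from the original article; the function names, the conservative cache-side rule and the sample headers are constructed for illustration.

```python
def parse_cache_control(value):
    """Return Cache-Control directives as a lower-cased {name: argument} dict."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def header_only_decision(response_headers):
    """Decision of a shared cache that trusts only the origin's response headers."""
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    if "no-store" in cc or "private" in cc:
        return "bypass"          # must not be kept by a shared cache
    if "no-cache" in cc or "no-cache" in resp.get("pragma", "").lower():
        return "revalidate"      # may be kept, but checked with origin before reuse
    return "store"               # nothing forbids reuse for other users


def conservative_decision(request_headers, response_headers):
    """Same check, plus a cache-side rule: never store replies to requests that
    carried credentials unless the origin explicitly marked them public."""
    req = {k.lower() for k in request_headers}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    credentialed = bool(req & {"cookie", "authorization"}) or "set-cookie" in resp
    if credentialed and "public" not in cc:
        return "bypass"
    return header_only_decision(response_headers)


# Constructed sample: a signed-in request to a discussion-group page.
REQUEST = {"Host": "forum.example", "Cookie": "session=constructed-value"}
MISSING_HEADERS = {"Content-Type": "text/html"}  # origin sends no cache directives
CORRECTED_HEADERS = {"Content-Type": "text/html",
                     "Cache-Control": "private, no-cache"}

if __name__ == "__main__":
    for label, resp in (("missing", MISSING_HEADERS), ("corrected", CORRECTED_HEADERS)):
        print(label, header_only_decision(resp), conservative_decision(REQUEST, resp))
```

With the missing headers, the header-only check stores the personalized page for reuse; either the corrected origin headers or the cache-side credential rule keeps it out of the shared cache.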
Web acceleration tools were popular years ago during the dot-com heyday, when most people accessed the Web with dial-up connections. Internet service providers such as America Online have offered them for free to their dial-up customers as a means of improving the surfing experience. Market research firms such as ComScore Networks have also used the tools as a means to entice new subjects for research panels, watching their behavior online to estimate the popularity of Web sites, for example.
But in an era of widespread broadband usage--more than 50 percent of households in the United States have a high-speed connection--the value of such tools has diminished. Peter Christy, co-founder of market research firm Internet Research Group, said that despite that perception, a good Web accelerator can mitigate packet loss, or latency, as information is sent from router to router. It can also optimize how an object-heavy Web site is compressed and sent to a visitor.
Addressing the privacy issues, Christy said there's always a basic trade-off between getting a service and getting absolute
"If you look at Google, this fabulously useful company, they make their money by selling people ads," he said. Besides search, "the way Google becomes useful is in building some model of who I am and what I'm interested in and delivering me ads. That's either really useful or very sinister."