BKGGLSEC.RVW 20091020

"Googling Security", Greg Conti, 2009, 978-0-321-51866-8, U$49.99/C$54.99
%A Greg Conti conti@acm.org www.GregConti.com www.rumint.org
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2009
%G 978-0-321-51866-8 0-321-51866-7
%I Addison-Wesley Publishing Co.
%O U$49.99/C$54.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321518667/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321518667/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321518667/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 332 p.
%T "Googling Security: How Much Does Google Know About You?"

The title is ever so slightly misleading: the subtitle is much clearer. This is not about doing Web searches to find security tools or information, but, rather, the information that Google collects from (and relating to) Internet users in the course of providing its services and tools.

The preface states that the intent is to raise awareness of the privacy risks involved in using Google, its utilities and services, and of similar systems and agencies. Conti does not, for the most part, present solutions: some activities admit of no resolution. Google is not being singled out because the author doesn't like the company, but because it is the largest and most pervasive search and information system, with the greatest implications, and because the policies and decisions resulting from discussions of these issues can be applied more generally.

Chapter one is an overview of the online world, and online activity, and the scope and capabilities of Google. There are extensive endnotes supporting the stories and studies cited in the text. The normal information flows involved with computer operations are outlined in chapter two, and Conti points out the potential areas of leakage. Although not named as such, he provides an excellent explanation of the trusted computing base (TCB), as well as reviewing covert channels such as TEMPEST and acoustic surveillance, and Internet entities. Turning more specifically to the structure of requests from browsers, chapter three notes the information that is captured by server logs. The author also notes data provided by users themselves, and that which can be obtained from statistical analysis of a large amount of activity. Chapter four notes the various search sites and functions, as well as the intelligence that can be inferred about someone, simply by examining the search requests submitted. Communications, mostly Gmail, is the subject of chapter five. Chapter six examines the mapping and related imagery functions, discussing the information disclosed by requests for directions, as well as the occasional invasion of privacy involved in the collection of satellite photographs. (Personally, while I don't use Google Earth, I use Google Maps quite a bit. I was interested to see that my non-standard interaction with the system inadvertently protected against some of the dangers Conti points out. I don't "express interest" by clicking on the "Print" or "Link ..." buttons, but tend to copy the link location URL and use that. Of course, if Google buys up TinyURL I may be in trouble ... :-) Tracing functions related to the provision of advertising, as well as malicious enterprises associated with commercial proclamations, are noted in chapter seven. Webbot, spider, or crawler operations are detailed in chapter eight. Although Conti did not promise a solution, chapter nine does provide recommendations and resources to raise awareness of the issues, and assist with protecting the reader's privacy. Chapter ten finishes off with a look to the future, and the forces which ensure that whether or not Google survives, the privacy situation online is unlikely to change.

The book is certainly interesting and illuminating. Internet users, for the most part, may have encountered security awareness material that speaks of the dangers of certain types of activities, but not necessarily of how much information they disclose in the course of normal pursuits. While Google is used as a specific example in many parts of this work, the internal operations of many of the services and utilities are not examined to the internal depth they might have been. A more accurate title might be "Privacy While Surfing." Which is an important enough topic to read about in any case.

copyright Robert M. Slade, 2009