Friday, January 2, 2009

Googling Security: How Much Does Google Know About You? Book Review


Googling Security: How Much Does Google Know About You?

Greg Conti

5 stars

Witty (hopefully) Title for Amazon: Google may not be evil, but its still worth keeping an eye on

Disclaimer: I know the author personally and was given a review copy of the book.

I haven't read many (non-religious) books that totally change my outlook about the world we live in. In 2008, Robert O'Harrow's "No Place to Hide" is one such book and Greg Conti's Googling Security is the second.

The book begins with a simple question. "Have you ever searched for something you wouldn't want you grandmother to know about?" A simple but powerful question. Of course all of us have searched for topics we would rather our grandmother, friends, or spouse not know about. Would you ever consider posting the sum of your Google queries on your blog or website? Probably not, but just about all of us have given this information to Google in our dealings with them over the years. The book helps you take a look at how the sum of that information gathered through the use of the multitude of Google's "free" tools adds up to take a huge chunk of our privacy and very well could be giving Google a solid look into our personalities to include things most of us would prefer keep private.

Breakdown of the chapters:

Chapter 1: Googling 1

Chapter 2: Information Flows and Leakage 31

Chapter 3: Footprints, Fingerprints, and Connections 59

Chapter 4: Search 97

Chapter 5: Communications 139

Chapter 6: Mapping, Directions, and Imagery 177

Chapter 7: Advertising and Embedded Content 205

Chapter 8: Googlebot 239

Chapter 9: Countermeasures 259

Chapter 10: Conclusions and a Look to the Future 299


A common theme that the author found while conducting research for the book was "Google will collect personal information from you to provide you with a better experience."
Right now we expect Google to "do no evil" and their current policies say they don't personally identify its users but as the author points out through the chapters in the book; Google gathers A LOT of data they DO tell us about and the ability to gather even more data is already built into its "free" services.

Some other reviewers have said that its "preaching to the choir." While I agree that the normal person that would buy this book is in the IT field, I wouldnt be so quick to immediately say that the average system admin or evern security guy understands the magnitude of information gathering that could possibly be going on and the value and power of that information. While not specifically mentioned in the book I would encourage anyone interested in the topic to check out Conti's DEFCON 16 presentation on "Could Googling Take Down a President, a Prime Minister, or an Average Citizen?" When you think about the importance or value of that first page of results returned by Google and think about how events, commerce, or public opinion could be shaped by crafting the results that are returned you have a powerful tool(weapon?). What if the top results for a certain political candidate consistently only returned negative commentary? or if events were "buried" by Google never returning those results? Just because Google doesn't currently appear to be altering results or collecting and using personal information, its important to understand the power every user gives to Google in both personal information and the power of controlling what is presented to searchers.

One of the best things the book has that most books covering similar (privacy) type topics is a countermeasures chapter. While saying "don't use Google" really isn't an option for most people the best advice from the chapter was teaching people to know and understand what they are disclosing and adjusting the behavior accordingly.

My only dislike in the book was the coverage of "physical" information leakage (TEMPEST). The material is good, but I don't think it was pertinent to the Google and privacy discussion.

Conti's DEFCON 16 INFO

Abstract: http://www.defcon.org/html/defcon-16/dc-16-speakers.html#Conti
Materials: http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-conti.pdf




Book Review Criteria: http://carnal0wnage.blogspot.com/2008/03/book-review-criteria.html
CG

No comments: