A new search technology from Google makes it possible for law enforcement officials to examine personal documents from your hard drive, without your knowing it, according to the digital-rights advocacy organization Electronic Frontier Foundation (EFF).

Released last week, Google Desktop 3, the latest version of the company’s desktop search utility, adds a “Search Across Computers” feature that automatically uploads files from a user’s computer onto Google’s servers. Then, when a search is performed on any computer owned by the user, Google Desktop will pull search results from both the Web and information stored on all the user’s computers.

Certainly, such a feature will be handy for anyone trying to coordinate a project from different locations. Yet the idea of turning over private files to a public company is worrisome to privacy advocates. In fact, in a press release, the EFF has urged consumers to avoid the Search Across Computers feature because it would make consumers’ files more vulnerable to subpoenas from government investigators as well as private litigants.

Of course, it’s headline news that Google (as well as its competitors) has already given in to pressure from a national government, by excluding censored content from its Chinese portal (Google.cn). Although so far the company has resisted a U.S. Department of Justice subpoena asking it to turn over logs for millions of recent search terms, smaller subpoenas — such as those for the search history of a particular user’s IP address — don’t make the news, because they’re often sealed.

EFF staff attorney Kevin Bankston says that files on a service provider’s computers, such as those stored by Google, would be easier for law enforcement to access because a subpoena would be issued to the provider, rather than the user. In some circumstances, as with Patriot Act requests, Google would not even be required to notify the user that their files were being turned over. Because of the secrecy of such investigations, it’s impossible to know how many such subpoenas have actually been issued. However, says Bankston, “It’s fair to assume that Google — and all the other search engines — have received and complied with this kind of request in the past.”

“This is every text document on your computer that you’ve set Google to index,” says Bankston. “Unless you’ve individually marked all of your private files [not to be indexed], you are going to be putting your most private data on Google’s servers.”

Google spokesperson Sonya Boralv counters that the company is taking measures to protect the security and privacy of individuals. For one thing, the Search Across Computers feature gives users control over what they upload to the Google servers, allowing people to exclude specific files or types of files. Furthermore, Google Desktop encrypts files before transmitting them to and from Google, and they’re stored in encrypted form on Google’s servers. In other words, they can’t be easily snooped in transit. Finally, Google deletes personal files from its servers as soon as they’re downloaded to a user’s computer; and if the files aren’t downloaded, Google deletes them after 30 days.

However, Bankston points out that, since Google Desktop uploads files whenever they’re accessed, frequent users will be continually refreshing Google’s servers with the latest copies of their personal files. Google provides a button for clearing all one’s personal files stored on its servers, but deleted files may reside there for as long as 30 days, according to Google’s Boralv.

To be fair, since Google Desktop is intended for power users, its Search Across Computers feature is not turned on until a user indicates his or her acceptance of the company’s privacy policy. “We’ve tried to take really proactive steps to make sure that people know where their data is going, and how it’s going to be handled,” says Boralv. “Our role as a service provider is to make it really easy for them to make an informed decision.”

Despite these controls, though, privacy advocates are concerned that most people won’t understand the implications of uploading their files to a public server. Boralv says that Google has a key to unlock the encrypted files stored on its servers. And, as its privacy policy states, the company will turn over personal information, including users’ stored files, to comply with law enforcement requests. And the ongoing controversy over the federal government’s secret surveillance of U.S. citizens makes such a possibility more than just theoretical.

“There’s a parade of horrible things that could happen” when files are stored on a service provider’s servers, says Jonathan Rosenoer, an attorney and author of Cyberlaw. “You’ll never know if you’re spuriously a target of investigation, and the government has gone fishing through your files.”

To its credit, in its privacy policy, Google informs users of its obligations to law enforcement and discloses how the Search Across Computers feature works — at least it explains it for those who understand it.

“We’re not blaming Google for the state of the law,” says Bankston. “[But] if they want to ‘not be evil,’ they should be mobilizing resources towards reforming the law and educating the public about its risks. And, until then, they should be designing around the law,” for example, by using peer-to-peer file-sharing technologies instead of storing files on Google’s own servers.

Link: Google’s Private Lives
