PGP CTO Blog

Google Desktop Search: The Good, the Bad, & the Ugly
15 Dec 2004

As I always heard the joke, it was Henny Youngman who went into the doctor's office. "Doctor," he says, raising an arm awkwardly over his head, "it hurts when I do this."

"Well, then," replies the doctor dryly, "don't do that."

In the computer security biz, we often find ourselves in the role of the doctor, telling people not to do things when they hurt. The latest such situation involves Google Desktop Search (GDS) and its interactions with other systems, including PGP® Disk. [PGP Disk transparently creates volumes whose contents are encrypted when not in use, preventing unauthorized access.]

The Good
Those wonderful folks at Google have a knack for coming up with useful things that bring to light security situations that existed before, but we might not have been aware of, ignored, or just lived with. GDS is, as its name implies, Google searching for your personal computer. It's high time, too. I don't know about you, but I could use it.

The situation is that GDS indexes your hard disk and the resulting index it builds might have things in it that you didn't expect. Among these could be Web server pages coming from secure sites, the contents of any PGP Disks you might have, and so on, including anyone else's encrypted disk system.

I use the word "situation" here because this is a complex issue and not necessarily a problem. Many security people have been casting it as a problem, but I don't agree completely. Sure, there are things that are a bit disturbing, but are they wrong? If Google indexes the Web browser cache of secure pages you've been to, then it's possible that someone could use it to find details about your bank account or other sensitive information. On the other hand, that information was put into the cache by the Web browser, and if there were spyware on your system, it could rip it out of the cache and send it to who-knows-where. So in a sense, GDS is merely taking an existing vulnerability and conveniently exposing it for you and for anyone else who happens to be using the same computer. (Let me say, however, that I consider this to be undesirable behavior. I don't want my browser caching those pages. I'm alarmed, but in a way grateful that GDS makes this practice obvious. Nonetheless, I can see that some people might like to have protected data searchable even when not present.)

The Bad
In the case of GDS being able to search a PGP Disk, there isn't a lot PGP can do to prevent it at the moment. (We're in good company, however: anyone with a virtual disk is in the same boat.) When a PGP Disk is mounted, it looks like a disk drive. In fact, that's what PGP Disk is - a virtual disk driver. PGP Disk is "underneath" the file system and merely presents a set of disk blocks that are encrypted when they are written to physical media and decrypted when read from that media. PGP Disk does not save anything: that function is accomplished by higher-level software. Nor does PGP Disk have the luxury of asking that higher-level software, "Hey, what are you going to do with that data? You aren't going to write it out unencrypted after I've gone to all this trouble to protect it, are you?" This is just as true with our new Whole Disk encryption as with traditional virtual volume encryption. The impact is less when it is your boot volume that is encrypted and indexed, however, because that volume is always present.

In the present release of GDS, Google has a number of options as to what it will index, and it also provides a way to list things you don't want indexed. If you put your PGP Disks onto the list of things not to be indexed, then you don't have data migrating off of them. That's not bad for an interim solution, as far as it goes, but it brings us back to Henny Youngman and his doctor.

That joke is funny in two ways. First, we all empathize with the doctor. We've all had people ask us for advice about some situation that hurts, where the easy, obvious way to ameliorate the situation is simply not to do it. However, the joke is also funny because the answer isn't that simple. Henny Youngman didn't go to the doctor just to be told, "Don't do that." He went to see if an expert could help him not hurt, only to have the doctor (as usual) not give him any respect. This is where all of us on the doctor side of this particular situation are falling down on our jobs. We mustn't lose sight of the fact that people come to us because they want to be able to move their arms without hurting.

The Ugly
Google's answer to protests about GDS searching an encrypted volume is, "Don't do that," and the company will even help you not do it. However, this solution misses the point about why a user wants to encrypt files in the first place and also why a user wants to be able to search them.

For example, I regularly use two PGP Disks. One of these is conceptually a "locking file cabinet" in which I keep my work-related documents. Most of these documents are sensitive, but not vital, such as the drafts of this article. It also has slide presentations, status reports, other papers and articles I've written, and so on. In short, it holds important business information. This volume is almost always open and mounted. The reason I encrypt this data on a PGP Disk as opposed to just keeping it in a folder is that it keeps it secure. Not secret, secure. If I upgrade my computer or send it to be repaired, I don't have to worry about this information wandering into who-knows-where. It also provides me an easy way to make a secure backup: I burn the PGP Disk to a CD, and poof, I have a secure backup of my usual business information.

Although the files in this volume are sensitive, they are also the files I most want to be searchable. I'm always wondering where I stored something, what I named it, and so on. If I could Google that volume and find the file I want, it would make my life much easier. What I don't want is for the indexes of those files to be separate from the files themselves, which would allow someone like a repair person, for example, to be able to see them.

My other PGP Disk contains business-related files that are more properly confidential. I mount that disk, use it, and then dismount it. It is conceptually a "safe" rather than a "file cabinet." However, the increased sensitivity of these files doesn't mean I don't want to search them. On the contrary, I want to be able to search them too, just not as often. If I forget which file has what in it, I want Google to be able to help me find it more, not less.

The Solution
This is why Henny Youngman's doctor is of no help and misses the point. Important information is often sensitive, but important, sensitive information is precisely the information over which I most want to be able to use powerful search. I simply do not want to give up the security of the information because it is sensitive. Google's suggestion, "If it's sensitive, don't search it" is maddeningly obtuse. It creates a false dilemma between the use of my data and that data's security.

I have technical advice on how this goal might be accomplished. It's not really that hard: If the indexes of all the words on the disk were on the removable volume itself instead of the main drive, then that would be a huge first step to an adequate solution to this problem. Of course, that's easier said than done. If there were a trivial solution, the Google programmers would already have put it in GDS. They're not stupid. They're quite the opposite, which is why I think they can handle the intricacies of this situation. An effective solution requires sensitivity to the way we use information and to the fact that a lot of our information is important and sensitive at the same time. We want to search important information, but we also want to protect it. It's not "either-or," it's "both-and."
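As an added illustration of the index-placement point (this is not code from the post, from PGP or from Google), here is a toy model: a volume is a directory, the GDS-style central index is a dict held off the volume, and the proposed design writes the index into the volume itself so it is only searchable while the volume is mounted. The index file name and the sample "safe" volume are constructed for the demo.

```python
import json
import os
import re
import tempfile
from collections import defaultdict

WORD = re.compile(r"[a-z0-9]+")
INDEX_NAME = ".search-index.json"   # hypothetical name for the on-volume index file

def build_index(root):
    """Inverted index {word: [relative paths]} over the files under root."""
    idx = defaultdict(set)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == INDEX_NAME:          # never index the index itself
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as f:
                for word in set(WORD.findall(f.read().lower())):
                    idx[word].add(os.path.relpath(path, root))
    return {w: sorted(p) for w, p in idx.items()}

def write_volume_index(root):
    """Proposed design: the index is written inside the (encrypted) volume."""
    with open(os.path.join(root, INDEX_NAME), "w", encoding="utf-8") as f:
        json.dump(build_index(root), f)

def search_mounted(mounted_roots, word):
    """Consult only the index files on volumes that are mounted right now."""
    hits = []
    for root in mounted_roots:
        with open(os.path.join(root, INDEX_NAME), encoding="utf-8") as f:
            hits += [os.path.join(root, p) for p in json.load(f).get(word.lower(), [])]
    return sorted(hits)

def demo():
    """Constructed 'safe' volume with one confidential file. Returns hit counts
    (central index, co-located index) while mounted, then after dismounting."""
    safe = tempfile.mkdtemp(prefix="pgpdisk-safe-")
    with open(os.path.join(safe, "budget.txt"), "w", encoding="utf-8") as f:
        f.write("Q4 salary budget: confidential")
    central = build_index(safe)             # GDS-style: index kept on the main drive
    write_volume_index(safe)
    mounted = {safe}
    before = (len(central.get("salary", [])), len(search_mounted(mounted, "salary")))
    mounted.discard(safe)                   # dismount: nothing on the volume is reachable
    after = (len(central.get("salary", [])), len(search_mounted(mounted, "salary")))
    return before, after                    # ((1, 1), (1, 0))
```

The central index still answers "salary" after the dismount, which is exactly the migration of data off the volume that the text describes; the co-located index goes away with the volume.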

I want complex search, but I also want complex search that follows some security rules more complex than those of Henny Youngman's doctor. I'm sure you do, too.

Background Reading

Dornfest, Rael, "Google Your Desktop," October 14, 2004

Google Desktop Search Beta

Orlowski, Andrew, "Google Desktop privacy branded 'unacceptable,'" October 15, 2004

Seltzer, Larry, "Google Desktop Search Doesn't Threaten Security," October 18, 2004

Spring, Tom, "Google Desktop Search: Security Threat?" October 15, 2004

Sullivan, Danny, "A Closer Look at Privacy & Desktop Search," October 14, 2004

Sullivan, Danny, "Google Desktop Search Launched," October 14, 2004
