As a Journalist....

I'm surprised at how many google data-mining apps you are running despite being a journalist. Given Google's track record (and content license) of sharing content with powerful organizations that are not known for their love of journalists (totalitarian governments) were I a journalist, I would stay away from Google.

ESPECIALLY Google Desktop - which gives Google access to ALL of what you keep on your machine - if Google or the PRC or GWB wants it.

You people need to give this FUD a rest. This claim has been discounted since day one. Read the privacy policy for Google Desktop Search.

"Your computer's content is not sent to Google without your explicit permission." <link>

Unless you explicitly opt-in to the Search Across Computers functionality, Google doesn't have access to any of your data.

If the totalitarian governments of which you speak wanted to clamp down on journalists they don't like, they would certainly use a tool other than Google Desktop to access your machine. You should be far more concerned about malware and rootkits accessing and controlling your machine than Google.

Yes it has been discounted. That's what the author is doing - discounting it.

Note that Google's privacy policy is simply an implied contract - the weakest of all forms of limitation. So tell me, what does Serge do when handed a warrant by the PRC? When the threat behind the warrant is that Google will be excluded from the PRC if they fail to comply with the LEGAL controls?

If the totalitarian governments of which you speak wanted to clamp down on journalists they don't like, they would certainly use a tool other than Google Desktop to access your machine

Hmm. that explains why the PRC does just that, and why they compromise pretty much every bit of hardware taken into the country including cell phones. And why they served warrants on Google, Yahoo and MSN.

Yup.

Feel free to discount it. But discreditted? Not in the slightest.

And no, its not FUD. its wise policy to consider it.

But the software doesn't send your stuff to Google -- even a warrant wouldn't be able to get your info from them, because they don't have it.

I'm guessing that PRC means "People's Republic of China". If you're living in China and doing something the government doesn't like, then yes, I agree you should be very careful and just encrypt your whole drive.

But I still think that in that situation Google is the least of your worries. They will find out about you in many, many other ways. Privacy and computer security in China really is a whole different story than in pretty much the entire rest of the world.

Gmail doesn't send your data to Google?

Google search doesn't generate a session unique cookie that has a copy stored on the Google Servers? A Cookie that can be mapped to the searches you have been making?

I think you need to look at the underlying protocols a bit more closely.

And your SLA that guarantees that the server your data resides on remains in the USA is exactly where?

And you understand Google's internal DB architecture well enough to know that that sort of data doesn't slosh between Data Centers in the PRC and the US?

The issue isn't just PRC. Warrant and search laws in many other parts of the world, England and Canada included, are much less protective than in the USA (and the Patriot Act eviscerates even many of those in the USA).

Yes "THEY" can find you if they really want to. But for an investigative journalist, who's job it is to poke at the powers that be, leaving data scattered throughout internet data centers seems like a less than wise notion.

They don't?? I think you need to listen to Desgme more closely.

Ok NOW It really is time for the ice skates!!!

I know that there are things that I have in common with conservatives that eventually we would hit on, But YOU Eignevector? posting something positive about one of my posts!!!

WOW! Time for the ice skates :-)

But seriously, I had exactly this conversation at lunch with some 'softies, earlier this week. And one of them who is totally "hooked up" with his Exchange, Gmail and everything else hooked up through his iPhone (yeah the irony) said he didn't care. He as too small a fish (security through obscurity) and the convenience was just too great....

I was talking about Desktop. Gmail does, of course, transfer your mail to its servers but that's true of any email service you use, whether at home or work. Everything I get at my slate address is subject to doj subpoena -- just ask Judy Miller. Any email you receive has gone through several servers that can all be gotten to by the government.

Ah but Slate has Atty's to protect their (and your incorporated) privacy interests. You have no such protection from Google. Google's usage agreement even stipulates they can share that data without notifying you. Only kindof so with Slate - where "reasonable expectations of privacy" apply.

As for Desktop - the software mechanism for uploading your data is already on your machine then. This dramatically increases your risk exposure not only to Google, but also to software that might compromise the Google Desktop (and google is no more nor less secure than anything Redhat, Oracle or Microsoft put out there).

Understand, my 9-5 job is to evaluate, assess and even promote the use of these technologies. Which is why I have more than a passing acquaintance with these issues.

You are putting yourself at pretty significant risk.

For the average person security through obscurity works pretty well. But consider the exampe of Joe Plumber and even Sarah Palin and her yahoo account. Sure you are more careful than Palin. And you are also a more valuable target.

A lot of this is a tradeoff. Do you use credit cards? I find the depth of the information contained in my credit report far more frightening than what a computer indexer might learn, but credit cards are too darn useful to give up. For some google desktop might also be such an asset. If you're smart about what you include and disclude from the index, you probably don't have that much to worry about, unless you live in China, or work for the government.

However, I'd agree if one is on a 'work' computer, extra rules apply, since one is taking responsibility for something bigger than ones self. Coworkers using gmail (even if the corporate system sucks to the point of unusabilty) is a major security risk with potential liability concerns.

Yup Credit Cards are a problem. And I use them as little as possible (I have only one outside my checking accnt debit cards and it has a minimal credit line for Internet purchases). The one nice thing about Credit Cards is that the ones linked to your bank accounts (debit/credit cards) are protected by stronger federal legislation than anything online SLAs will give you.

As for Google Desktop - absolutely its a tradeoff between benefit and perceived risk. But lets not pretend there isn't a risk exposure there.

Your point about GMail is particularly interesting WRT the author, since he clearly is using Gmail for business use..

Hello folks. As someone professionally involved with and in the PRC I can assure you that security is a huge concern for everyone, and not just the journalists. Clearly if you're digging into national secrets you're at incredible risk of being imprisoned, beaten, exiled, or what's worse - endangering the life of any Chinese person (and their family and friends) or China-based person who's ever helped you. But the security situation is frightening to the law abiding as well, since all of your interactions, web predilections, emails, calls to friends etc... can be mined for evidence when the state or a powerful interest within it decides to ruin or expel you. What suggestions do you security experts have? I run a mac, filevaulted, and when I'm in-country most of my websurfing and personal emailing takes place over a US based vpn. Still it's nothing near safe. Degsme is right that google, yahoo, msn have already capitulated on their values in the interest of getting a foot into China, but what alternatives are there? Dealing with all of my personal contacts over hushmail is impractical. So, Fray, what can I do? Suggestions? Software? I sound paranoid, but it's a simple reality, and suggestions on what a journalist would or should do for basic security in such a situation would be really helpful to me too.

I'm not sure why Hushmail isn't sufficient for your personal contacts. Email is email.

One way to deal with the issue in the PRC is to have 2 machines. Machine A is running EFS, has all networking turned off and has PGP installed as well. All files transfered in and out are transfered via CDRW.

Machine B is running PGP paired with Machine A. All documents being exchanged are first encrypted. Nothing of interest is stored on Machine B - which is reformatted and reinstalled monthly (or weekly if you are really paranoid). Essentially assume Machine B to be compromised the moment you connect it to the net.