Not really, because there are an awful lot of people committed to making sure that you do your computing remotely, but halfway reading this PC Magazine article (via Yahoo! News), I started thinking, “hey, this sounds like Dvorak.” No surprise, it was written by him. He’s been very, and loudly, critical of the Cloud over the years, and the Mass Sidekick Annihilation of 2009 is the perfect opportunity for him to take another swipe at it. As I am on the record as being pretty anti-Cloud, I of course like the article. But this post isn’t about his article (which even takes EULAs to task), but about the damned Cloud.
Today marks the beginning of HITBSecConf2009–the Hack in the Box Security Conference–being held in Malaysia. The topics sound threatening (“Clobbering the Cloud,” “Attacking Interoperability,” “Bugs and Kisses: Spying on BlackBerry Users for Fun,” and “Defeating Software Protection with Metasm“) but the conference is geared toward education and enhancement of security: “The main aim of our conference is to enable the dissemination, discussion and sharing of deep knowledge network security information.” And while a large part of the conference is devoted to attacking interconnected data, whether it is stored in “the Cloud,” or on seemingly more-secure local servers, there’s even a “lock picking village” that aims to show that even physical storage of data isn’t 100% secure.
It’s not like this is some sort of ultra-secret cabal (though some attendees are no doubt black hat); the conference has a plethora of big-name sponsors, including IBM, Microsoft, Mozilla, and Google. And the lessons learned from conferences like Hack in the Box and DefCon do have the tendency to create innovations which lead to greater security. At the same time, however, it is rather like trying to plug a dam, because once one security hole is fixed, another is discovered.
The Wall Street Journal, among other sources, tell me that Microsoft is jumping on the “Cloud” bandwagon, trying mightily to tap into a market that Amazon, Google and others think will lead to BIG! BIG! stuff.
Dubbed Azure Services Platform, the new technology is designed to allow large and small corporate customers to dramatically cut their information technology costs by centralizing their IT infrastructure on Microsoft’s “cloud.”
Microsoft is that latest tech giant to join this trend – and attempt to capitalize on it – by building huge data centers that will provide computing services to customers on a pay-as-you-go subscription basis.
I dunno, though. I’ve talked about Cloud concerns before, especially about data sensitivity, and I can vouch for the fact that drafting briefs and motions is very difficult, formatting-wise, using GoogleApps. Furthermore, given Microsoft’s massive target on its back, and its notorious security problems, I have a hard time thinking this is ultimately going to be successful for Microsoft.
After noticing that I had been getting a lot of traffic from people looking for GoogleUpdate.exe, I decided to go hunting for what all the fuss was about. From what I can gather, people aren’t thrilled that Google bundled a bit of software which ostensibly helps with the update process. Or something like that. It probably isn’t any different than any of the other stand-alone updaters that get installed on your machine, like the Java updater, the or the Logitech updater, or the Windows updater. Googleudate.exe, however, can be killed in the task manager without affecting anything, that I can tell, anyway, and using msconfig.exe to fiddle with startup processes can keep the program from running, period. Maybe. I’ve seen some people saying that it will come to life on its own. Don’t know about that; it hasn’t happened to me yet.
What’s got kdawson at Slashdot more worked up than googleupdate.exe, though, is the EULA. “By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post or display on or through, the services.” Putting aside the question of whether Chrome is a good or a service, the EULA seems to have language that is one of two things. It could be boiler-plate from an already-existing EULA for Google services that is similar to EULAs from other websites, including Slashdot, as commentor RiotingPacifist pointed out:
are we talking about slashdot
With respect to text or data entered into and stored by publicly-accessible site features such as forums, comments and bug trackers (“SourceForge Public Content”), the submitting user retains ownership of such SourceForge Public Content; with respect to publicly-available statistical content which is generated by the site to monitor and display content activity, such content is owned by SourceForge. In each such case, the submitting user grants SourceForge the royalty-free, perpetual, irrevocable, non-exclusive, transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed, all subject to the terms of any applicable license.
By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any content which you submit, post or display on or through, the services. This license is for the sole purpose of enabling Google to display, distribute and promote the services and may be revoked for certain services as defined in the additional terms of those services.
I think it’s a fair question.
If it isn’t just the same-old same-old mumbo-jumbo EULA crap that either will or won’t be enforced, though, it’s a pretty serious overreach of control over user information, and it makes me recall something I was thinking about the other night as I was driving back from the grocery store. I had been thinking about the future of the Cloud, the fluffy land we’re all supposedly driving toward, Dvorak notwithstanding.
The Cloud poses all sorts of legal issues, and I’m just thinking for the moment about the legal practitioner. Assume arguendo that we all start having to use GoogleDocs in the future (or some other net app) and stand-alone word processors are killed off, along with local storage capabilities. That means that a lawyer, for example, might be forced to use a word processor to draft memoranda and store the documents in the Cloud. Now, if it’s just a motion that’s going to be filed and become part of the public record, maybe that’s not such a huge security concern in the event the Cloud gets breached, as it probably will at some point. But what if the lawyer represents someone who has decided to cooperate with the government, and now comes time for sentencing. The lawyer, no doubt, would want the court to know about the cooperation, so as to get the best sentence for his client, but he also doesn’t want everyone else knowing about it. Thus he would want to file the motion under seal, which presumably could still be done. The unsealed document, which would have previously resided in a local drive, however, would still be subject to only the strength of the Cloud’s security. And of course, too, the document would be scoured for ads, which is an invasion, perhaps, of the client’s privacy interests.
What if, however, the EULA on Chrome isn’t just cribbed language from the services side, but what if it’s really saying that the mere fact that you use Chrome, whether you are using a Google service or not, allows Google to do whatever it wants to do with what you put through the browser. That means that by agreeing to the EULA, you are theoretically allowing Google to monitor what you type into a non-gmail email, say through your company’s webmail application, and do with it as it will. Or if you enter a credit card number (surely that could be construed as content, n’est-ce pas?) at smithswidgets.com, Google is claiming the right to use that content as it wants. Again, this is taking things to the extreme, but it does bring up the question of how much information and rights people seem content to just give away in the name of free.