Does Google Calendar Post Your Schedule For The World To See?
Reports have come in from the respected Japanese news service, The Yomiuri Shimbun, that confidential information in certain Google Calendar accounts is viewable by the public, even when the owner intends the information to be kept private.
The issue appears to be related to how Google displays certain options within the calendar. If someone else knows your userID, and certain boxes are mistakenly checked by end users, confidential data can go public.
One doctor has revealed the name of a colostomy patient, a lawyer revealed client information, and one business exposed the “spin” they want employees to use with unhappy customers.
Here is one very revealing quote: “I meant to share the calendar only within our office,” said the lawyer, who works at a law firm in the Tohoku region. “Putting information up on the Net is dangerous.”
Yes, this quote is from a Google Apps user. So did this lawyer:
1. NOT know that ALL Google Apps are web apps? Did he think Google Apps were just like Microsoft Exchange or Lotus Notes (i.e., private servers), but with a different name?
2. Did he know that Google Apps were web apps, but have the common attitude, “I am not the CIA/FBI/KGB/CTU, why would anyone care about my data?”
3. Did he not know, but not care, since he lets “IT deal with all that computer stuff”?
I don’t know anything about Japanese law, but I would think that lawyers there have a responsibility to secure client data.
How many people do you know who are using Google Calendar and have potentially confidential information on that system? We all know people who are using smartphones. Many of those smartphone users are skipping over BlackBerry Enterprise Server (BES) and using Google Apps to store and access data from the web, the smartphone, and the desktop. They often say to me, “Hey, it’s free or nearly free, and I don’t really need to bother with the security on something like a BES.”
I have been a long-time advocate of using more secure systems and methods to secure personal information management (PIM) systems. That includes NOT using popular web-based PIMs, as security has never been a priority for these large firms. These large web app firms, correctly or incorrectly, think that most customers don’t care enough about security (see reason #2 above) to make these PIM apps more secure.
Most PIM data should be in a secured environment, within layers of security. Due to its superior security, my mobile device is a BlackBerry, connected to a BlackBerry Enterprise Server. I know many people like to be seen using an iPhone so they can appear hip and cool. Very well, but one should secure its access to more secure PIM data with a digital certificate so there is some layer of multi-factor authentication.
It’s time for professionals to take all their data more seriously, and to understand that just because an application is popular, it doesn’t mean it’s safe, or smart for them to use. Read more details in The Yomiuri Shimbun story. I talked more about this in Data Security Podcast Episode 40.