Security of Google Calendar?

[brookeln]

In my office, we have been using Google Calendar to keep track of everyone's schedules. We all love it, except for our IT guy. He seems paranoid and says that using GCal for our schedules is a "huge security risk." I think that's just his paranoia and not backed up with any common sense. (Background: he has virtually no experience with any Google tools, and is a bit behind-the times.)

So what I am looking for is anything supporting my stance that GCal is perfectly secure... Our calendars are private, and not viewable to the public. The only way we access it is through our login and password.

Can anyone offer any links to articles or anecdotal evidence supporting the fact that IS secure?

Thank you!

[wige]

Well, first off, you are providing all of the data to a third party, and if their security is compromised in any way it could lead to the release of your data. (Remember the AOL Search data fiasco? And that was an intentional release of data!) Also, unless you have the https: connection set, your communications with Google's servers could be intercepted. In addition, use of certain technologies (such as to upload calendar data from Outlook) has been found to change the privacy settings on Google Calendar accounts.

Basically, when it comes to information security, paranoia doesn't exist - they really are out to get you.

To put it another way, is your data likely to get stolen if you put it on Google Calendars? No. Is it possible that someone will find a way to steal the information from there? Yes. Is it more likely to get stolen there than if it were on your own internal network? Probably.

[brookeln]

Thanks for your insight, wige. The data we put into the calendar is not sensitive. It's just for keeping track of who is taking vacation, who is in/out, etc. And doesn't even identify our business or our full names. So I can't understand his reaction. Also, our alternative is using the calendar in our version of Outlook (which is from 2000!!) It's really crappy.

I would like to suggest us using Mozilla Thunderbird for e-mail and calendar, but he's so behind the times that I am sure he would scoff at that too.

[niggles]

As a PHP coder I read a lot of security news and Google Desktop has featured a few times due to various hole found in it - generally XSS vulnerabilities.

Here's an article that discusses one that was discovered in February ->

Google shuts hole in desktop product - Gadgets - MSNBC.com

Cheers,
Niggles

[Orion]

The google calendar is available through google apps which is hopefully how you're using it. Provided you're at the premium level or above Google offers very good security. Here's some info from their site...

Google Apps

Also the enterprise level is used by many very large corporations with security in mind.

The collaboration options in the google docs and calendar are pretty awesome! You can share appointments only within your domain if you like too.

We use it for our small business here, and have some info public (I have a separate calendar set up for our Scout Group), and most of the rest of it private just for us.

As it is online you just need to be careful and make sure that the settings are set correctly, that's all.

[Dinghus]

Can information REALLY be intercepted? I've hacked and cracked in my time and actually physically intercepting information would require a wire tap and a heavy duty server to handle the data stream depending on where you tap.

I've never actually heard of anybody but law enforcement doing this because it isn't easy especially if the target is utilizing something like a T1 connection. Not like tapping a phone line for a single house.

I'd love to find out if there is really somebody out there intercepting emails from all over and sorting through them for interesting info.

I would say that if somebody REALLY wants your calendar information, they will get it by breaking into Google or (more likely) into your intranet.

[juliansr]

with awesome tools like ethereal, and any number of packet sniffers...data can be watced as interactions, and intercepted, although to intercept it you have to get between the host and client, and then filter it into something coherent.

In my firm the larger threat to data security are USB keys and the ilk. It's more likely that someone would just walk in and take it than either patch into our routers (which does some managed IP-specific usage logging) or catch a sniff of our wifi. Both networks are secured by passcodes and directory access, but as they say in the land of pirates: loose lips sink ships.

in any event, i'm the guy in the airport leaving "this folder is not secure" note an a copy of the "all your base are belong to us" jpeg in shared folders on poorly secured laptops, and I get to do that at least once every two trips..

[blitzen]

.

You have absolutely no control over it or the system it's on.

That should be good enough "proof".

Read their terms.

"Although we may attempt to notify you when major changes are made, you should visit this page periodically to review the terms. Google may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions."

"the Service is provided on an AS IS and AS AVAILABLE basis. Google disclaims all responsibility and liability for the availability, timeliness, security or reliability of the Service. Google also reserves the right to modify, suspend or discontinue the Service with or without notice at any time and without any liability to you."

I would discourage using any third party hosting for anything valuable unless you have a solid contract that covers your interests.

What if it goes away suddenly and you'll need the information in the future?
.

[DrTandem1]

Well, Google did accidently publish confidential data on the internet. It was their own data, but it does show that even Google makes mistakes. Since you have an IT person, why isn't that IT person providing your company with an in-house calender?

[jordanmcclements]

I am a fan of Thunderbird.

But as far as calendars go - outlook 2000 is still much better (believe it or not)..

[mono]

It boils down to control and trust
Google is highly visible and works through the public network however you latch on at your end. Your IT guy is probably a control freak, most of us are. Google can screw up, or have holes, so can your corporate intranet. But if it's the latter heads can roll at your company. If it's Google's breach all you can do is wring your hands. It depends also on the sensitivity of your data.
You said it wasn't all that sensitive, but hackers can take apparently not-sensitive data (Joe Susy and Jim need to meet with Bob in confreence room A at 10:00) and use it to piece together intelligence about your company. Suppose the hacker routinely intercepts your google data and learns people's routines. He might conclude that Suzys workstation is always unattended between 10:00 and 11:00 on Thursdays and he might also know she is in cubicle 266E and he might know your IT meeting is about your CISCO xxxx router which helps him muster an attack. Depending on the amount of money to be made from hacking your company you should be concerned with potential leakage of these little humdrum things.

I know nothing about Google's premium services but you need to read the SLA (service level agreement) that you're paying for those services to see what it does and doesn't cover and your IT guy should not just say "It's unsafe it's unsafe" he should provide an example of a possible breach scenario to the decision makers.

[ronchalice]

Quote:

Originally Posted by blitzen

.

"Although we may attempt to notify you when major changes are made, you should visit this page periodically to review the terms. Google may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions."

I think I find this phrase to be of more concern than the "no warranties of service" issue. What happens if it suddenly becomes profitable for this third party to pass your scheduling along to an event planning company for example? Or a meeting schedule to a repressive government? (not that that has been done before...)

[Orion]

Not sure if you all are aware.. here's what Microsoft says about using it's office products...

6. How We May Change This Contract
Microsoft may change this contract at any time without notice. If we make a material change to this contract, we will notify you at least 30 days before the change takes place. If you do not agree to the change, you must cancel and stop using the service before the change takes place. If you do not stop using the service, your continued use of the service will be under the changed contract.

It's the same thing ANY contract lawyer is going to tell you to put a similar disclaimer on your AUPs.

There is no guarantee, any software you use, they have the right to change their privacy policies, their usage policies and you can choose to stay with them or delete your account when they do.