Risks of Google’s browser sync

June 8th, 2006

Google Labs
Google has released a Firefox extension that will synchronize the basic settings, including bookmarks, browsing history, persistent cookies, and saved passwords. We all live in our browsers these days and it’s annoying to have the environments differ between office, home and laptop computers. This will make it very convenient.

Note: I installed this on my home computer this morning but have not been able to sync yet. The process keeps timing out, no doubt due to the fact that millions of people have just installed it. Will Google be able to keep up? Each browser instance that has this extension will have to phone home to Google when it starts and exits, at least.

I’m a bit worried about the security and privacy risks. These browser setting reveal a lot about us — what sites we’ve visited and when, what we did on those sites, and passwords to all kinds of Web services. One issue that Google warns you about is that if anyone has access to your browser at home, say, they can see your browser information from work.

You can configure the extension to include or exclude any of the browser components in the sync data. That’s good. You can also decide which ones should be encrypted — by default cookies and passwords are encrypted. That’s even better. I’ve not seen any details on the encryption used, however and since I’ve not yet completed a sync operation am not sure which password is required for authentication (Google account? Firefox password?). The configuration dialog gives you the ability to stop syncing, but I don’t see a way you can delete the saved browser information that Google has.

The cautious among us may not want to give Google even more information about our private lives and activities. In the future, they may come under even more pressure from the US Government or courts to turn over data on their users, with or without a warrant.

Most of us, of course, choose convenience over security and privacy in the end.