A couple of weeks ago I posted a blog entry about a troubling request I received for my location information from an obscure URL. Turns out the request was coming from one of my iGoogle gadgets, though there was no way to tell that from the message itself, which read:
"http://lfkq9vbe9u4sg98ip8rfvfOOl7atcn3d.ig.ig.gmodules.com/ wants to track your physical location"
The only explanation I could find: It was coming from Google Latitude. Why didn’t Google just say that? Because the names of Gadgets can be spoofed, though their Web addresses cannot, so the best Google could do was display that insane URL.
[ See also: Why location privacy is important ]
Here’s the official statement, which I’ve been asked to attribute to a “Google spokesperson”:
"We render iGoogle gadgets in separate iframes and tie them to a specific web address. These web addresses are unique in order to help prevent gadgets from improperly accessing data from other gadgets or web pages that they should not be able to access.
iGoogle can blacklist bad gadgets, and users can report them for us to investigate. We also always advise users never to install gadgets that they don't trust.
Separately, these same unique web addresses appear in a notification bar in browsers like Chrome and Firefox when a gadget or web page requests access to a user's location. The requesting web address should be recognizable for most web pages, such as maps.google.com, but we are looking into how to better present unique web addresses for gadgets to users to help them discern which gadget is requesting their location."
Like any content on the Internet, Google Gadgets are only as trustworthy as the people who built ‘em. And since the Gadget marketplace, like the Android Market, is open to anyone willing to crank out and upload some code, that will vary greatly.
Like a lot of Web sites, Google relies on “community policing” to ferret out the bad actors. Each gadget gets a star rating, and malicious ones can be flagged. It’s the old ‘wisdom of the crowd’ at work again. Unfortunately, this only works when a) there’s a crowd, b) it happens to be wise, and c) it hasn’t been gamed.
There are other things you can do. For example, if you right click on a gadget it might display a menu that allows you to examine the frame information. Right clicking Google Latitude, for example, shows that same ridiculous URL – giving you a good clue which app is asking for your location info.
The problem? Right clicking on about half the gadgets I tested produces a different menu that doesn’t display frame info. And even for ones that display it, most of the time it merely says “The identity of this Web site has not been verified”—even for many of those created by Google itself, like Google Calendar. Pretty much if your connection to the gadget is not encrypted (like Gmail is), Google can’t tell you anything about it. Not very helpful.
Worse, a random perusal of the Google Gadget marketplace turns up several with no user ratings whatsoever, or only a handful. There are a number for live Web cams, weight loss cures and the like that try to get you to click through to a Web site – essentially, the iGoogle equivalent of spam. Some of them even ask you for the names of your friends and to share updates on your activities.
Though I didn’t find any malicious gadgets that try to steal your personal information, I’d be surprised if there weren’t any out there, which could exist long enough to do some damage before they’re booted from Google Gadgetland.
The moral here: Even the mighty Google can’t do much to combat spammy gadgets. And if they can’t stop ‘em, what chance do you have?