Why? Because there isn't even a spec out, so why raise concerns in lieu thereof? Why not wait until there is something in black and white to take issue with? Yes?
Here's something that security-minded individuals ought to be pondering.
It's a spec that has been around for a LONG time that *everybody* uses on the Internet:
SMTP/MIME format.
Here's the crux of the security issue:
All email transits across all intermediaries, relays, MTAs as CLEAR TEXT.
How's that for insecure? Why not make a stink about Privacy issues over that?
After all, we put letters in envelopes do we not? Why?
Think about it.
There is a solution but I won't get into it.
You guys are funny without even trying.
Google’s plans to introduce a Cloud Print service that’s already being hailed as “printer voodoo” because it lets users print to any printer anywhere in the world, even from mobile phones.
However, there are some privacy and security implications that need to be fleshed out before end users rush to submit print jobs to Google’s cloud.
The service, which is now being baked in Google’s labs and will be featured in the company’s Chrome OS, uses a cloud service to submit and manage print jobs.
Here’s a bit from Google’s documentation:
Apps no longer rely on the local operating system (and drivers) to print. Instead, as shown in the diagram below, apps (whether they be a native desktop/mobile app or a web app) use Google Cloud Print to submit and manage print jobs. Google Cloud Print is then responsible for sending the print job to the appropriate printer, with the particular options the user selected, and providing job status to the app.
Google is promising full transparency during the baking of this project but from past experience, it’s hard to place blind trust with an organization that knows even what we’re thinking (thanks Moxie!).
Here are some things to ponder:
- Privacy concerns: Google has yet to announce the specifics of their Cloud Print service; however, it is reasonable to ask what kind of end-to-end security model will be put in place to ensure that confidential information is kept secure, and what kind of retention policy and safeguards will be put on information that is passed thru Google’s Cloud Print queues? Is Google going to reserve the right to keep users’ printouts forever like they do searches?
- Practical concerns: there is a lot of potential waste to this model, especially if the printer is literally sitting a few feet away from the user’s computer. For legacy printers (the vast majority of printers for years to come), Internet connectivity is required for printers to work, PCs with the print proxy software OS will need to be on full time, and to support many commonplace print jobs (for example, photo printing), a huge amount of bandwidth will be added to the Internet. Unique printer features - different levels of print quality, ink saving modes, choosing duplex functions or print trays, manual feeding of media (envelopes, etc.) - typically are enabled only with robust communication between the computer and printer - will the Cloud Print APIs be rich enough?
What if an error cause sensitive data in print job ends up on the wrong printer? What if hackers exploit weaknesses to persistently capture printer traffic?
Lots and lots of questions to ponder…
