[Infowarrior] - Why Google's Software Update Tool Is Evil
Richard Forno
rforno at infowarrior.org
Tue Feb 17 12:14:13 UTC 2009
Why Google's Software Update Tool Is Evil
By Scott Gilbertson, February 13, 2009 | 1:42:20 PM
Categories: Google
http://blog.wired.com/business/2009/02/why-googles-sof.html
The recently released desktop app Google Earth 5 contained a little
surprise for many Mac OS X users — it installed Google's automated
Update Engine without clearly asking.
Worse, the latest version of Google Earth won't work without the
Update Engine running in the background.
We mentioned the new update policy in our initial review, but given
Google's lack of transparency, or what users perceive as a lack of
transparency about the update, it bears a closer look.
Sneaking an auto-updater into a software package without clearly
pointing it out during the installation process is a bad idea, one
that Google has promised to change with a new, more informative splash
screen. But offering no way to turn the update software off is
downright evil, according to many upset users in the Google Earth Group.
Most of us have dozens of applications installed on our PCs, many of
which check for updates when the application is active. So why does
the Google Updater have to run all the time in the background?
Wil Shipley, a longtime Mac developer and author of the award-winning
Delicious Library, says, "This is a classic case of designing like a
computer scientist instead of like a user: 'Well, it seems cleaner
architecturally for us to have a central update server, instead of the
same update module in each program the user runs!'"
Shipley goes on to point out that "anything running in the background
is a potential security risk." Shipley's own Delicious Library checks
for updates when it launches, a system he calls "ideal."
A spokesperson for software maker Adobe confirmed the company's
Creative Suite 4 also has no need for an always-running updater.
Instead, Adobe's apps rely on a standalone updater that runs each time
you launch one of the Creative Suite applications, like Photoshop or
Illustrator.
Google is relatively new to the desktop software game, particularly
the Mac side. And, despite plenty of best-practice examples from those
who came before, the company is repeating the same amateur mistakes
that most desktop software makers have long since abandoned.
Here are a few reasons why an always-active daemon (software speak for
a tiny app that runs in the background) for handling software updates
is a bad idea:
1. It opens up an always-on tunnel to Google. While Google may be
confident its update servers will never be compromised, how confident
are you? If a third party gains control of that server, it can inject
nearly any code it wants into your machine.
2. It’s always on, always looking for updates. On an expensive,
pay-by-the-megabyte EVDO network? Google Updater doesn’t care and will
suck down any available updates without asking, costing you money.
3. Google updates Google Earth or Picasa or Gtalk, but the update
ends up having a bug that wipes data from your drive. Sorry, too late
— the auto-updater already grabbed the latest version without asking.
Kiss your data goodbye.
4. Administering a large network that needs to be locked down and
tightly controlled? Cross Google software off your list. All the above
problems apply, but they're cascaded across your network for added
headaches.
A Google spokesperson defended the Updater with a canned response,
stating that "updates provide bug fixes, fix security vulnerabilities,
ensure that applications are still compatible with other software
updates."
But as Shipley says, "it's incredibly intrusive to have some idiotic
daemon whose whole purpose is just to look for updates."
Comparing it to the real world, Shipley says an always-running
background app is "like having a person at your company whose
full-time job is to see if there's, like, a new version of QuickBooks
out yet."
There's an easy fix for this controversy: Just follow the standard
best practices of desktop software. Have your updater check in with
the server at each launch. It works for Microsoft, it works for Apple,
it works for Adobe, it works for nearly every software maker on the
market.
The audience of offended users may be small in the case of Google
Earth, but it's safe to assume that a Mac version of Google's Chrome
Browser will likely use the same update policy, and that could hurt the
browser’s ability to entice users into switching.
We hate to break it to you, Google, but you aren't special, and your
software updates are no more critical than anyone else's. At the very
least, offer users a way to turn off auto-updates. The web may belong
to Google, but your desktop and the applications running on it should
remain in your control.