I love the idea of the Google Toolbar, especially the spell checker. But I had to wonder how it worked. It's not rocket science, but it is a nice implementation of client/server code. The idea is that text is sent to Google via XML and returned to the toolbar via XML. For a moderately fast connection this is all very nice and can be extended to multiple operating systems easily.

The problem is that the text is sent in clear text to an organization that is not under the author's control. I can just imagine an author entering a legal brief into a carefully secured CMS (Content Management System) on an internal web site and having all that text sent in clear text to Google. With so little understanding of computers, or technology in general, I suspect many people will be using remote spell checkers without any idea how they work.

So much for firewalls, encryption, access control, etc. Anyone monitoring the outbound traffic (a path that often includes WiFi access points) can see the data! I am also not sure how far I trust Google to keep that data confidential, especially given the various legal maneuvers others could use to force Google to release data.

I have no issue with Google offering this service; I think it's great. But people need to have a better understanding of the basics of how things work. Security software and specialists can do only so much. One thing Google could do is check the current browser URL and, if it is a secured site (https), offer a dialog box that warns the user about security issues and lets them accept or deny the use of Google's various services on the current site. But in the end it is the end user who must understand the risks and always question the tools they use.
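One way the check suggested above could work, as an added example that is not Google's code or part of the original post. The function names, the "allow"/"deny"/"prompt" results and the internal-host test are assumptions; the internal-host test goes beyond the https check proposed here, to also cover the internal CMS case described earlier.

```javascript
// Hypothetical gate a toolbar could run before sending typed text to a
// remote spell checker. All names here are assumptions for illustration.

// Per-origin choices the user has already made: origin -> "allow" | "deny".
const siteDecisions = new Map();

// True for hosts that usually mean "internal site": localhost, names with no
// dot (e.g. "intranet"; this also catches IPv6 literals, which errs toward
// prompting), and RFC 1918 / loopback IPv4 literals.
function isInternalHost(hostname) {
  if (hostname === "localhost" || !hostname.includes(".")) return true;
  const m = hostname.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Returns "allow", "deny", or "prompt" for the page the user is typing in.
function remoteSpellcheckDecision(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return "deny"; // unparseable URL: fail closed, send nothing
  }
  const remembered = siteDecisions.get(url.origin);
  if (remembered) return remembered;
  // Secured (https) or internal pages need an explicit user choice first.
  if (url.protocol === "https:" || isInternalHost(url.hostname)) {
    return "prompt";
  }
  return "allow";
}

// Store the answer from the warning dialog so the user is asked once per site.
function rememberDecision(pageUrl, choice) {
  if (choice !== "allow" && choice !== "deny") {
    throw new Error("choice must be 'allow' or 'deny'");
  }
  siteDecisions.set(new URL(pageUrl).origin, choice);
}
```

A "prompt" result is where the warning dialog would be shown; no text leaves the browser until the user's answer has been recorded with `rememberDecision`.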

In any case, it seems like a security breach just waiting to happen.

By the way, I use Firefox and SpellBound to do local checking of my posts. Fast and secure.