It was only a few days after publishing last week’s “Are You Paranoid Enough?” Backup Reminder that I heard the sorry tale of G-Archiver, a program designed to back up your Gmail account. Or allegedly designed to back up your Gmail account, anyway. A programmer named Dustin Brooks discovered that G-Archiver did something else: it sent the Gmail IDs and passwords of everyone who had downloaded it to the Gmail account of one John Terry.
The G-Archiver website claims that this was a “coding mishap” and urges users to remove the old version and replace it with a new one. This strikes me as lame both as an apology and as an explanation (I have trouble imagining how such a “feature” could find its way into a program by mistake), but at least it’s better than pretending the problem never existed.
Still, I suspect that very few people who have read about said “mishap” are going to take a chance on G-Archiver again. They’re probably too busy changing the passwords for their Google accounts.
Neither flaws nor deliberate scams are necessarily obvious. If Dustin Brooks hadn’t decided to examine the source code using Reflector, we might all still be ignorant of the problem with G-Archiver. It takes a programmer to discover a problem at that level.
But it doesn’t take a programmer to run a product name through Google and Technorati and see whether someone else has found problems. And it doesn’t take a programmer to look for (or ask about) alternative ways to back up the specific data you’re looking to copy.
One commenter on the original post in Coding Horror made the following sensible point:
Why would anyone pay $30 to get a backup copy of their Gmail account when Thunderbird is free? Just connect to Gmail’s IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with Gmail.
Just about any other mail client with IMAP support should also work.
Since I don’t use my Gmail account for mail, I’ve never bothered downloading the tiny handful of messages there into Outlook, but that’s probably what I’d do, since my Outlook .PST file already gets backed up at least once a day.
It seems obvious to me that an offline mail client would be the obvious way to back up an online e-mail account, but that might not occur to everyone. But if you type “backup Gmail” into Google’s search box, you’ll find lots of possibilities, including instructions from Google about backing up your mail with POP. (You’ll also find instructions for using your Gmail storage space to back up data from your hard drive, which brings it all full circle.)
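For readers who would rather audit a few dozen lines than trust a closed binary, the IMAP approach described above can also be scripted with Python's standard library alone. This is an added example, not code from the original post or from any product it mentions; the `[Gmail]/All Mail` folder name and the `gmail-backup.mbox` output file are assumptions, and the account must have IMAP access enabled.

```python
import getpass
import imaplib
import mailbox
import ssl

GMAIL_IMAP_HOST = "imap.gmail.com"   # Gmail's IMAP endpoint (TLS, port 993)
ALL_MAIL = '"[Gmail]/All Mail"'      # assumed folder name (English-locale Gmail)


def backup_folder(conn, folder, mbox_path):
    """Append every message in `folder` to a local mbox file; return the count."""
    # readonly=True: the backup never changes flags or deletes anything remotely.
    status, _ = conn.select(folder, readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot open folder {folder}")
    status, data = conn.uid("SEARCH", None, "ALL")
    if status != "OK":
        raise RuntimeError("UID SEARCH failed")
    box = mailbox.mbox(mbox_path)
    saved = 0
    try:
        for uid in (data[0] or b"").split():
            # BODY.PEEK[] fetches the full raw message without marking it read.
            status, parts = conn.uid("FETCH", uid.decode(), "(BODY.PEEK[])")
            if status != "OK":
                raise RuntimeError(f"FETCH failed for UID {uid.decode()}")
            for part in parts:
                if isinstance(part, tuple):  # (envelope, raw RFC 822 bytes)
                    box.add(part[1])
                    saved += 1
    finally:
        box.close()  # flush to disk even if a fetch fails midway
    return saved


def main():
    user = input("Gmail address: ")
    secret = getpass.getpass("Password (or app password): ")
    # Verify the server certificate and hostname explicitly, so the
    # credentials are only ever sent to the real imap.gmail.com.
    tls = ssl.create_default_context()
    with imaplib.IMAP4_SSL(GMAIL_IMAP_HOST, ssl_context=tls) as conn:
        conn.login(user, secret)
        count = backup_folder(conn, ALL_MAIL, "gmail-backup.mbox")
    print(f"saved {count} messages to gmail-backup.mbox")


if __name__ == "__main__":
    main()
```

Running it twice appends the same messages again, so write each run to a fresh file or delete the old one first.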
So once again, the moral of the story is, don’t hand out your passwords to anyone you don’t have some reason to trust, and do your homework on new products before trying them. Backups are supposed to make your data safer, not more vulnerable.