Privacy rights organization EPIC, the Electronic Privacy Information Center, has asked the Federal Trade Commission (FTC) to shut down Google’s cloud services on grounds that the company is misleading consumers.
This follows a breach in Google Docs on March 7, which was caused by a software bug that led users to inadvertently share some of their files with others. Google has since fixed the bug.
EPIC’s formal letter of complaint says that Google promises users their documents are stored securely and assures them that their documents, spreadsheets and presentations will remain private unless they publish these to the Web, or invite viewing or collaboration.
On the other hand, it points out, Google’s Terms of Service explicitly disavow any warranty or liability for harm that might result “from Google’s negligence, recklessness, mal intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data.”
Stop the Services?
EPIC wants the FTC to enjoin Google from offering cloud computing services until safeguards are verifiably established. It also wants the FTC to make Google revise its terms of service for its cloud computing services, make its information security policies more transparent, and disclose all incidents of data loss or breaches to the FTC.
Enjoin what? That means Google would have to stop providing access to its Docs, Calendar, Gmail and other apps. Won’t that impact millions of people and thousands of companies using these apps?
Yes, it could. But don’t reach for the smelling salts yet. “The likelihood of stopping access to Google apps is very small,” EPIC executive director Marc Rotenberg admitted. “What’s more important is to ensure they improve security.”
Nothing But the Truth
In essence, EPIC’s letter says that by promising security and privacy and failing to deliver, Google is subject to allegations of unfair or deceptive trade practices.
It calls on the FTC to open an investigation into Google’s cloud computing services, focusing on the adequacy of Google’s privacy and security safeguards in two areas: for storage of personal information, and in light of its assurances to consumers regarding its cloud computing services.
EPIC’s letter also points out that Google’s cloud computing services have known flaws. It cited the March 7 Google Docs data breach, and said that, in 2005, researchers identified several security flaws in Gmail and in Google Desktop.
“It’s obvious that we’ve become increasingly dependent on cloud computing services,” Rotenberg told the E-Commerce Times. “The benefits are clear, but what’s not so clear are the security and privacy risks. We think the FTC has a responsibility to investigate the reliability of these services, and that’s the reason for this complaint.”
“We have received a copy of the complaint but have not yet reviewed it in detail,” Kovacs said.
Google Docs and the Aftermath
Cloud computing can be more secure than storing information on users’ own hard drives,Google spokesperson Andrew Kovacs told the E-Commerce Times. “Many providers of cloud computing services, including Google, have extensive policies, procedures and technologies in place to ensure the highest levels of data protection.”
The Google Docs breach, caused by a bug, affected 0.05 percent of Google Docs users, Kovacs said. “The sharing was limited to people with whom the account owner, or a collaborator with sharing rights had previously shared a document.”
Google has since fixed the bug, and contacted the users who were affected to notify them of the bug and to identify which of their documents may have been affected, Kovacs said.
Still, the bug and its effects do point to concerns about cloud computing security, especially for public cloud services like Google’s.