FTC urged to investigate Google's hosted services

Privacy in the cloud is questioned after bug reveals Google Docs information

A privacy group has asked the Federal Trade Commission to investigate whether Google Inc.'s cloud computing services, including the popular Gmail hosted e-mail service, Google Docs and the Picasa photo sharing service, adequately protect users privacy.

The complaint (download PDF) by the Electronic Privacy Information Center (EPIC), filed on Tuesday with the FTC, comes just weeks after a software bug in Google Docs had caused the files of some users to be improperly accessed by others not authorized to do so.

In a blog post yesterday, Google Docs product manager Jennifer Mazzon said the flaw is now fixed. She estimated that it affected about 0.5% of Google Docs documents.

The privacy group cited that breach in its request that the FTC look into whether security safeguards in the Google cloud products can sufficiently protect personal information. The group is also looking to force Google to make its security policies more transparent, and to revise its terms of service in order to meet its "obligations" to protect user information.

The group also wants the government to force Google to pay $5 million to help fund security research.

"Recent reports indicate that Google does not adequately safeguard the confidential information that it obtains," wrote the privacy group in the complaint. "The recent growth of cloud computing services signals an unprecedented shift of personal information from computers controlled by individuals to networks administered by corporations. Data breaches concerning cloud computing services can result in great harm, which arises from the centralized nature of the services and large volume of information stored 'in the cloud.'"

Calling cloud computing an "emerging network architecture," EPIC noted that as of last September, 69% of Americans were using webmail services, storing data online and using other cloud applications.

In a statement to Computerworld, a Google spokesman said: "We have received a copy of the complaint but have not yet reviewed it in detail. Many providers of cloud computing services, including Google, have extensive policies, procedures and technologies in place to ensure the highest levels of data protection. Indeed, cloud computing can be more secure than storing information on your own hard drive. We are highly aware of how important our users' data is to them and take our responsibility very seriously."

Dan Olds, an analyst at Gabriel Consulting Group Inc., said he wasn't surprised by EPIC's move to call in the FTC.

"A highly publicized breach will be seized upon by someone," he noted. "It will be embarrassing. The privacy group will get publicity for sure, but I don't think that the government will do anything or that a court case will go anywhere. You have to prove damages, and I haven't heard of any."

Olds called the complaint an attention-getting move for the Electronic Privacy Information Center.

"What's the point here? Well, it illustrates a privacy issue in a high-profile way," he added. "The FTC does have teeth, but the best [EPIC] can probably expect are some hearings if they are lucky."

The FTC held a two-day conference on Monday and Tuesday of this week on how companies can secure personal data.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies