Is Google security deceptive/inadequate?

The Electronic Privacy Information Center (EPIC) thinks so. It just issued a 15-page complaint to the U.S. Federal Trade Commission (FTC) urging it to launch an investigation into Google's cloud security/privacy practices. And the case may just force enterprise users to rethink their commitments to cloud-based services.

The complaint stems from the recent Google Docs bug that resulted in users unwittingly sharing documents with others. In its complaint, EPIC points to several areas in Google Docs' documentation where Google assures users of the security and privacy of information entered into the service. EPIC also ticks off a list of security/privacy breaches experienced by Google, including the latest Google Docs bug.

The complaint seems to hold two very strong arguments. First, Google doesn't follow "reasonable" security practices in that it doesn't encrypt user data and instead stores it in clear text--something even the simplest security audit is sure to have flagged.

The second is that Google's security assurances don't square well with its terms of service. New Google Docs users are told their data will be safely and securely stored on Google's servers. They are also assuaged this way:

Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers.

EPIC points out that such assurances aren't worth the virtual ink they're printed on, since Sections 14 and 15 of Google's terms of service agreement put the risk of using Google's service solely on the end-user's shoulders. EPIC sums it up this way:

Google's Terms of Service explicitly disavow any warranty or any liability for harm that might result from Google's negligence, recklessness, mal intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data.

From an enterprise point of view, it all comes down to contracts--just as it does with any other outsourced service. Successful cloud vendors won't stop at providing strong SLAs and other service-based features. They'll also need to prove that they meet common, standard security requirements (like encryption of private data). While Google's begun offering the former, bolstering its enterprise cred, it has yet to step up to the plate on the latter, as EPIC's complaint plainly shows.

What do you think? Are Google's data security policies too lax, especially for enterprise environments?

* * *

Like this post? Visit the Google Subnet home page for more news, blogs and podcasts.

More blog posts from Google Subnet:

Sign up for the weekly Google newsletter. (Click on News/Google News Alert.)

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.