The government, too, might like to see what's in your Gmail inbox and your Docs and Spreadsheets files, including when you created, accessed, or deleted the data. Since you identify yourself whenever you sign in to your account, Google could use logs for the originating IP address of account activity, combined with ISP logs, to help confirm that it really was you who updated that spreadsheet or wrote that e-mail.
Google must comply with search warrants and subpoenas in civil or criminal cases that target your data, just as you would if you stored your data on your own servers. The difference, however, is that Google has no obligation to inform you that it has received such a warrant and has turned over your files to the authorities. "You lose both factual and legal control over your documents if you use an online service like Google," says former Department of Justice computer crime unit head Mark Rasch, current managing director of technology for forensic consulting firm FTI in Washington, D.C.
"Google Apps makes [the situation] even worse," Rasch adds, explaining: "This is not just communications, it's all my documents and spreadsheets that are subject to subpoena, search warrant, or civil discovery. The hard part is that Google is under no legal obligation to notify me, and in particular kinds of investigations, they're going to be prohibited from notifying me."
Being left in the dark about these types of searches can also result in serious liabilities should your files contain sensitive client data and communications. "Let's say I'm a lawyer, and I've got privileged information that I store using a Gmail account," Rasch continues. "The government seizes that Gmail account and reads my files. Under the law, I must assert the attorney-Client privilege, or I have waived it," he explains.
In short, if Google chooses not to inform you of such searches, you have waived that privilege. Only strong encryption--a technology Google currently does not support--offers real privacy protection for documents kept online, according to Rasch.
Harvard's Edelman recommends using Google services just for specific business documents in which collaboration among geographically dispersed teams is unusually important. "I wouldn't move my whole business onto Google Apps," he counsels.
Google Apps and similar Web services certainly have appeal for many small and medium-size businesses. When San Francisco's SFBay Pediatrics, a midsize practice, went looking for an interoffice communications, scheduling, and calendaring system, CIO Andrew Johnson considered "a slew" of products, including Microsoft Exchange and other systems that he would have to install and maintain in-house.
He selected Google Apps Premier Edition (the ad-free commercial version of Google Apps) because of Google's good reputation and his staff's familiarity with Gmail. Also, the Google services free the practice from setting up a significant IT structure. "We don't want to spend the time tracking down server issues, maintaining servers, and paying up-front costs," Johnson says.
So far, SFBay has had a positive experience with Google Apps, which it uses for such tools as a shared phone-call log that receptionists, nurses, and physicians can view and update. Though core features are still being rolled out, Johnson has configured SFBay's Google Apps account to comply with the privacy rules of the Department of Health and Human Services's Health Insurance Portability and Accountability (HIPAA) regulations. "We're taking it in little baby steps," Johnson adds.