Privacy Group Asks FTC to Investigate Google
The privacy group Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission to investigate Google for privacy breaches related to Google Docs and other Google services --- and to ban Google from offering any cloud services, including Gmail, Google Docs and others until the company can prove it is capable of safeguarding people's privacy.
The complaint comes as a result of an incident in which people's private documents stored on Google Docs were shared with other users without their permission on March 7.
EPIC, though, says that the security breach was far from isolated, and claims it's part of an ongoing pattern at Google. It says that Google's security is inadequate, and that Google misleads people into believing that data stored with Google is secure. It's asking that the FTC investigate whether Google's security is adequate, and until that is determined, asks that any cloud-relating Google service be shut down. That means Gmail, Google Docs, Google Calendar, and others.
The complaint, available here, pulls no punches. It claims that Google assures people that their data is safe with the company, and that Google urges people to store their personal information on various Google services. Consider this, straight from the complaint:
"19. Google routinely represents to consumers that documents stored on Google servers are secure. For example, the homepage for Google Docs states 'Files are stored securely online' (emphasis in the original) and the accompanying video provides further assurances of the security of the Google Cloud Computing Service.
"20. Google also explicitly assures consumers that 'Google Docs saves to a secure online storage facility . . . without the need to save to your local hard drive.'
"21. Google encourages users to 'add personal information to their documents and spreadsheets,' and represents to consumers that 'this information is safely stored on Google's secure servers.' Google states that 'your data is private, unless you grant access to others and/or publish your information.'
"22. Google represents to consumers, 'Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers.' "
The complaint then details a series of what it calls security breaches:
"24. On March 7, 2009, Google disclosed user-generated documents saved on its Google Docs Cloud Computing Service to users of the service who lacked permission to view the files. (the 'Google Docs Data Breach') This is just one of many example of known flaws with Google’s Cloud Computing Services. For example:
"In January 2005, researchers identified several security flaws in Google's Gmail service. The flaws allowed theft of 'usernames and passwords for the "Google Accounts" centralised log-in service' and enabled outsiders tosnoop on users' email.
"In December 2005, researchers discovered a vulnerability in Google Desktop and the Internet Explorer web browser. The security flaw exposed Google users' personal data to malicious internet sites.
"In January 2007, security experts identified another security flaw in Google Desktop. The vulnerability 'could enable a malicious individual to achieve not only remote, persistent access to sensitive data, but in some conditions full system control.' "
The complaint goes on to say that Google's inadequate security is an unfair business practice and a deceptive business practice. It asks that the FTC investigate the privacy and security safeguards of Google's cloud services, that Google revise its Terms of Service to make clear its security and privacy practices. It also asks the FTC to
"Enjoin Google from offering Cloud Computing Services until safeguards are verifiably established."
In other words, ban Gmail, Google Docs, Google Calendar, and other cloud-based services. In addition, it asks that Google
"contribute $5,000,0000 to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy."
As a practical matter, don't expect the FTC to ban Google from offering Gmail and other services --- and, in fact, the FTC shouldn't do it. It would simply cause too much hardship for too many people who use the services. But the FTC should certainly launch an investigation, and Google should pay the $5 million for the fund.